DNSSEC zone re-sign today

I’ve signed or re-signed all my domains with new, more secure RSA/SHA-256 keys today (and added some domains that weren’t previously signed).  I’m going to leave my old signing keys in for a while so you shouldn’t notice the changeover, and remove them in a few days when the new DS and DNSKEY records have had a chance to propagate to the wider Internet.

(For those of you unfamiliar with the concept of DNSSEC, it is a way of using digital signatures to verify that DNS lookups on the Internet, which convert names such as www.garyhawkins.me.uk to IP addresses and vice versa, are genuine and are not being spoofed by an unauthorised server.  It signs the records rather than encrypting them, so the answers are still visible to anyone watching; what it adds is proof that they have not been altered.)

Update: Old keys now gone from the server.

garyhawkins.me.uk now DNSSEC enabled

Today I have managed to get the garyhawkins.me.uk domain DNSSEC enabled.  So what is it and why do you need it?  DNSSEC is a mechanism for digitally signing the records in your DNS zone, so that a resolver can reliably check that the result it gets back is the one the zone owner published and not a fake one substituted by an attacker.

Say, for example, Google signed their google.com zone with appropriate DNSSEC keys (which, actually, they haven’t got round to doing yet!)  Instead of the computer just blindly accepting whatever results have been given to it, a validating resolver first checks the digital signature (an RRSIG record) that is published alongside each set of records, using the zone’s public key (its DNSKEY record), which is in turn vouched for by a DS record in the parent zone.  If the signature doesn’t verify, the result is treated as bogus and an error is returned instead of the answer.  So when you type “www.google.com” into your web browser, you can be very close to 100% sure that the IP address you were given is the one Google published, and not one an attacker injected.  (What DNSSEC does not do is prove that the server at that address is genuine; that is still the job of HTTPS.)

(This is quite similar to, but not exactly the same as, the way that DKIM works with email – the message body and selected headers are signed with the sender’s private DKIM key, and the receiving server verifies that signature with the public key published in the sender’s DNS, in an effort to confirm that the mail genuinely came from the domain it claims to.  The difference is that DKIM only signs the mail; DNSSEC signs the DNS records themselves, including, potentially, the record that holds the DKIM key.)

In theory, this means that if an attacker were to redirect all requests for garyhawkins.me.uk to another server, the attack would fail: the attacker doesn’t have my private key, so the forged records can’t carry a signature that verifies against the public key I publish in the DNS, and a validating resolver will reject them.  The caveats are that this only helps if the resolver you use actually validates (many ISP resolvers don’t, and then the records are accepted exactly as before), and that the chain of trust has to be complete, which is why the DS record in the parent .me.uk zone matters as much as the keys in my own.  With that in place, it makes it very difficult for an attacker to return fake results, hopefully meaning that when you access a server on garyhawkins.me.uk, you’re getting the real results!
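The validation chain described above, and the key rollover from the re-signing post at the top of this page, as an added example in Python that is not part of the original posts and is not the author’s own signing setup.  It models the DNSSEC records for a constructed garyhawkins.me.uk zone: a DNSKEY holding the public key, the DS record (a hash of that key) that the parent zone would publish, and an RRSIG over each record set; it then plays a resolver that checks the chain from DS to DNSKEY to the www address.  Everything in it is constructed: the addresses come from the TEST-NET ranges, and the keys are textbook RSA built from well-known Mersenne primes with no padding, which is trivially breakable and is used only so the example runs with Python’s standard library (a real signer uses 2048-bit keys and PKCS#1 signatures).  The record layouts follow RFC 4034 and RFC 3110, including the key tag calculation, closely enough to show what each field is for, but this is an illustration, not a drop-in validator.

```python
"""Toy DNSSEC chain-of-trust model: DNSKEY, DS, RRSIG, a spoofed answer and a key rollover.
Added example, not from the original post; all data is constructed.  Keys are textbook RSA from
public Mersenne primes (trivially factorable) with no PKCS#1 padding, stand-ins so this runs on the
standard library alone.  Layouts follow RFC 4034 / RFC 3110 closely enough to be recognisable."""
import hashlib
import struct

RSASHA256, DS_SHA256, KSK_FLAGS, TYPE_A, TYPE_DNSKEY = 8, 2, 257, 1, 48
ZONE = "garyhawkins.me.uk."

def toy_rsa_key(p, q, e=65537):
    """(n, e, d) for textbook RSA.  Toy only: p and q are well-known primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return n, e, pow(e, -1, phi)

def rsa_sign(data, key):
    """Unpadded RSA over SHA-256(data); key is (n, e, d)."""
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), key[2], key[0])

def rsa_verify(data, sig, n, e):
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")

def name_wire(name):
    """Canonical (lower-case) wire form of a domain name."""
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.lower().strip(".").split(".")) + b"\x00"

def dnskey_rdata(key, flags=KSK_FLAGS):
    """DNSKEY rdata: flags, protocol 3, algorithm, then RFC 3110 public key (exp len, exp, modulus)."""
    e_b, n_b = (x.to_bytes((x.bit_length() + 7) // 8, "big") for x in (key[1], key[0]))
    return struct.pack(">HBB", flags, 3, RSASHA256) + bytes([len(e_b)]) + e_b + n_b

def parse_dnskey(rdata):
    """(n, e) back out of DNSKEY rdata; one-byte exponent-length form only."""
    body, elen = rdata[4:], rdata[4]
    return int.from_bytes(body[1 + elen:], "big"), int.from_bytes(body[1:1 + elen], "big")

def key_tag(rdata):
    """RFC 4034 Appendix B key tag: 16-bit word sum over the rdata with the carry folded back in."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_rdata(owner, dnskey):
    """DS the parent publishes: key tag, algorithm, digest type, SHA-256(owner | DNSKEY rdata)."""
    digest = hashlib.sha256(name_wire(owner) + dnskey).digest()
    return struct.pack(">HBB", key_tag(dnskey), RSASHA256, DS_SHA256) + digest

def canonical_rrset(owner, rtype, ttl, rdatas):
    """RRs in canonical order, each as owner | type | class IN | TTL | rdlength | rdata."""
    return b"".join(name_wire(owner) + struct.pack(">HHIH", rtype, 1, ttl, len(r)) + r
                    for r in sorted(rdatas))

def sign_rrset(owner, rtype, ttl, rdatas, key, dnskey, inception, expiration):
    """RRSIG: the signature covers the RRSIG rdata (minus the signature) plus the canonical RRset."""
    labels = len(owner.strip(".").split("."))
    prefix = struct.pack(">HBBIIIH", rtype, RSASHA256, labels, ttl, expiration, inception,
                         key_tag(dnskey)) + name_wire(ZONE)
    return {"prefix": prefix, "keytag": key_tag(dnskey), "inception": inception, "expiration": expiration,
            "sig": rsa_sign(prefix + canonical_rrset(owner, rtype, ttl, rdatas), key)}

def verify_rrsig(owner, rtype, ttl, rdatas, rrsig, dnskeys, now):
    """Validate one RRSIG against DNSKEYs that are already trusted; the key tag narrows candidates."""
    if not rrsig["inception"] <= now <= rrsig["expiration"]:
        return False
    signed = rrsig["prefix"] + canonical_rrset(owner, rtype, ttl, rdatas)
    return any(rsa_verify(signed, rrsig["sig"], *parse_dnskey(k))
               for k in dnskeys if key_tag(k) == rrsig["keytag"])

def build_zone(keys, records, now, lifetime=30 * 86400):
    """Signer side: publish every key, each signs the DNSKEY RRset, the first key signs the data."""
    ttl, dnskeys = 3600, [dnskey_rdata(k) for k in keys]
    dnskey_sigs = [sign_rrset(ZONE, TYPE_DNSKEY, ttl, dnskeys, k, d, now, now + lifetime)
                   for k, d in zip(keys, dnskeys)]
    signed = {rr: (rds, [sign_rrset(rr[0], rr[1], ttl, rds, keys[0], dnskeys[0], now, now + lifetime)])
              for rr, rds in records.items()}
    return {"ttl": ttl, "dnskeys": dnskeys, "dnskey_sigs": dnskey_sigs, "records": signed}

def validate(zone, trusted_ds, now):
    """Resolver side: parent DS -> apex DNSKEY RRset -> every data RRset.  Any break means bogus."""
    keys, ttl = zone["dnskeys"], zone["ttl"]
    entry = [k for k in keys if ds_rdata(ZONE, k) in trusted_ds]
    if not any(verify_rrsig(ZONE, TYPE_DNSKEY, ttl, keys, s, entry, now) for s in zone["dnskey_sigs"]):
        return False
    return all(any(verify_rrsig(o, t, ttl, rds, s, keys, now) for s in sigs)
               for (o, t), (rds, sigs) in zone["records"].items())

def demo(now=1_700_000_000):
    """(valid, spoof_valid, rollover_with_old_ds, rollover_with_new_ds, after_new_ds, after_old_ds)."""
    old = toy_rsa_key((1 << 521) - 1, (1 << 127) - 1)
    new = toy_rsa_key((1 << 607) - 1, (1 << 107) - 1)
    www = ("www.garyhawkins.me.uk.", TYPE_A)
    records = {www: [bytes([203, 0, 113, 10])]}        # constructed address, TEST-NET-3
    ds_old, ds_new = ds_rdata(ZONE, dnskey_rdata(old)), ds_rdata(ZONE, dnskey_rdata(new))
    # zone: old key only; rolling: both published, both sign the DNSKEY RRset; after: old withdrawn
    zone, rolling, after = (build_zone(ks, records, now) for ks in ([old], [old, new], [new]))
    # An attacker swaps the address but can only replay the genuine RRSIG, which no longer matches.
    spoofed = dict(zone, records={www: ([bytes([198, 51, 100, 7])], zone["records"][www][1])})
    return (validate(zone, {ds_old}, now), validate(spoofed, {ds_old}, now),
            validate(rolling, {ds_old}, now), validate(rolling, {ds_new}, now),
            validate(after, {ds_new}, now), validate(after, {ds_old}, now))
```

Calling demo() gives (True, False, True, True, True, False): the signed zone validates; the answer with a swapped address fails, because the attacker can only replay the genuine signature and it no longer matches the data; during the rollover both the old DS and the new DS lead to a valid chain, because both keys are published and each signs the DNSKEY set; and once the old key is withdrawn, a resolver still holding the old DS gets a validation failure.  That last case is exactly why the old keys stay in the zone until the new DS and DNSKEY records have propagated and the old copies have expired from caches.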