DNSSEC implementation with Infoblox, PowerDNS, BIND and Unbound

Hands-on articles help you do it yourself

Over the last few years, we've published quite a number of 'hands-on' articles about DNSSEC signing on authoritative DNS servers and validation on (caching) resolvers. They're all available from our DNSSEC information centre.

The most commonly cited deterrent to DNSSEC implementation is that it's complicated. Although over time the software has significantly lightened the burden on system administrators, it remains essential to have a good grasp of both the underlying principles and the (new) configuration options. Because our hands-on articles combine background information about the DNSSEC technology with practical advice about implementing DNSSEC with various software packages, we thought it would be helpful to remind you about this valuable resource collection.

Overview

The two tables below list the available articles that deal with, respectively, signing and validation with the most popular DNS software packages. We'll update the various guides from time to time when new versions of the software come out. Following the tables is a list of the various software packages, stating the key features of each. If you are still considering which DNS(SEC) solution to use, you will hopefully find the summary useful.

DNSSEC signing on authoritative servers

Software Version Notes
Infoblox NIOS 8.2.2 OVA image running on VMware ESXi version 6.5.0
BIND named 9.11/9.12 Update for version 9.15/9.16
PowerDNS Authoritative Server 4.1.13

DNSSEC validation on caching resolvers

Software Version Notes
Unbound and DNSSEC-Trigger 1.6.6 Fixes following recent security audit included in version 1.9.5/1.9.6
Infoblox NIOS 8.2.2 OVA image running on VMware ESXi version 6.5.0
PowerDNS Recursor 4.18
BIND named 9.11

DNSSEC signing on authoritative servers

  • Infoblox appliance These ready-to-use systems are popular mainly with large commercial organisations. Signing a zone involves merely clicking a button. However, both times that we looked at this appliance (most recently in summer 2018), we were obliged to conclude that the software was seriously behind the times.

  • BIND named BIND named is the facto standard on Linux and other Unix-type systems, and therefore the most widely used DNS server. From version 9.11, key management can also be fully automated. As a result, it's no longer necessary to use custom scripts and cron jobs, or to go over to OpenDNSSEC. Following initial configuration, key pair generation, zone file signing, key rollover and key management can all be handled automatically by the software.

  • PowerDNS Authoritative Server PowerDNS is a Dutch (open-source) product whose popularity owes much to its support for DNSSEC. When support was introduced, the signing of domains on other authoritative servers was quite cumbersome. By contrast, PowerDNS adopted a flick-the-switch approach from the start. Other distinctive features include scalability and speed. Almost all major internet service providers that wanted to bulk-sign their domains did so using the Authoritative Server. Although the software's architecture is elegant, the extensive nature of the package can mean that it takes a while to become familiar with it.

DNSSEC validation on caching resolvers

  • Unbound and DNSSEC-Trigger The Unbound validating resolver is another Dutch (open-source) package. If all you need is a validating resolver, Unbound is probably a better option than BIND named, and certainly much better than the stub resolvers supplied with Linux or Windows. The software is compact and fast, and Unbound is now the standard resolver on various Linux distributions, and on FreeBSD and OpenBSD. In combination with DNSSEC-Trigger, Unbound also serves as a very straightforward solution for end-to-end validation for mobile users.

  • Infoblox appliance If you have a recent version of NIOS running, configuring DNSSEC validation on an Infoblox appliance should be very straightforward. All you need to do is check the default settings. However, we regard this option as useful only to organisations that are already using Infoblox. The reason being that both times that we looked at this appliance, we were obliged to conclude that the software was seriously behind the times, certainly where DNSSEC was concerned.

  • PowerDNS Recursor PowerDNS is a Dutch (open-source) product whose popularity owes much to its support for DNSSEC. The Recursor supports DNSSEC validation from version 4.0. Its main difference from the Unbound resolver is that the settings in the configuration file are restricted to familiar server-related matters, whereas the configuration of Unbound involves a long list of options regarding both server-related and DNSSEC/protocol-specific matters. If you want to do more with PowerDNS Recursor, you can load separate start-up/run-time scripts for the built-in Lua engine.

  • BIND named BIND named can function as an (authoritative) name server and/or as a (caching) resolver. Because the software has developed in step with DNSSEC, the validation functionality it provides depends very much on which version you have, just as the signing functionality does. If all you need is a validating resolver, Unbound is probably a better option.

This news bulletin refers to an evaluation of six widely used validating resolvers by Tore Anderson. Unbound and the Knot Resolver emerged as highly recommended. Anderson reported that the latest versions of PowerDNS Recursor and Bind named worked well too, but had no advantages over Unbound or the Knot Resolver.

Comments

  • Tuesday 26 March 2019

    .nl domain name

    Our terms and conditions are changing

    nl-thumbnail_19

    Nieuwe versie van kracht per 1 mei 2019

    Read more
  • Monday 15 April 2019

    Internet security

    Boost your security awareness!

    iStock-876819100-laptop-inloggen-met-mobiel-thumbnail

    Check the practical tips to make you and your staff more aware of on-line security issues

    Read more
  • Tuesday 30 October 2018

    Internet security

    Unique study sheds light on DDoS attacks

    Thumb-button-DDoS-attack

    Greater insight can promote cooperation in the chain

    Read more

Sorry

Your browser is too old to optimally experience this website. Upgrade your browser to improve your experience.