About DNSSEC

DNSSEC (DNS Security Extensions) provides mechanisms for authenticating the source of DNS data and ensuring its integrity. It protects DNS data from certain attacks, such as man-in-the-middle attacks and cache poisoning. A man-in-the-middle attack occurs when an attacker intercepts responses to queries and inserts false records. Cache poisoning can occur when a client accepts maliciously created data. DNSSEC helps you avoid such attacks on your networks.

Enabling Recursion and Validation for Zones

The following are the tasks to enable recursion and validate recursively derived data:

  1. DNSSEC is enabled by default on the BloxOne DDI cloud portal. 

  2. Enable validation and configure the trust anchor of each zone. For more information, see 11010198.

  3. Enable recursion on BloxOne DDI. For more information, see Enabling Recursive Queries.

  4. Configure global forwarders and custom root name servers, if needed. For more information, see Using Forwarders.

Enabling DNSSEC

DNSSEC is enabled by default on the BloxOne DDI cloud portal.

To disable DNSSEC, complete the following:

  1. From the Cloud Services Portal, click Manage -> DNS, and click Global DNS Configuration.
  2. In the Global DNS Configuration page, click DNSSEC. 
  3. Clear the Enable DNSSEC check box.
  4. Click Save & Close to save.

Enabling DNSSEC Validation

Warning

When using a forwarder with DNSSEC validation, perform one of the following:

  • Let the upstream server respond with the correct DS/DNSKEY records for each of the intermediate domain names from query name to root name.

Or

  • Provide the explicitly trusted keys for all intermediate domain names, so that a recursive query to DNSKEYs can stop on those trusted anchors when querying DNSSEC records for those intermediate domain names.

To configure trust anchors and enable Infoblox BloxOne DDI name servers to validate responses, complete the following:

  1. From the Cloud Services Portal, click Manage -> DNS, and click Global DNS Configuration.
  2. In the Global DNS Configuration page, click DNSSEC. 
  3. Select the Enable DNSSEC check box and complete the following:

    • Enable Validation: If you allow the application to respond to recursive queries, you can select this check box to enable the application to validate responses to recursive queries for domains that you specify.

    • Accept expired signature: Select this check box to enable the application to accept responses with signatures that have expired. Though enabling this feature might be necessary to work temporarily with zones that have not had their signatures updated in a timely fashion, note that it also increases the exposure of your network to replay attacks.

    • TRUST ANCHORS: Configure the DNSKEY record that holds the KSK as a trust anchor for each zone for which the application returns validated data. Click Add and complete the following:

      • ZONE: Enter the FQDN of the domain for which the application validates responses to recursive queries.
      • SECURE ENTRY POINT (SEP): This check box is enabled by default to indicate that you are configuring a KSK.
      • ALGORITHM TYPE: Select the algorithm of the DNSKEY record:
        • RSAMD5
        • Diffie-Hellman (This is not supported by BIND and Infoblox BloxOne DDI.)
        • DSA
        • RSASHA1
        • DSA-NSEC3-SHA1
        • RSASHA1-NSEC3-SHA1
        • RSASHA-256
        • RSASHA-512
        • ECDSAP256SHA256
        • ECDSAP384SHA384
      • PUBLIC KEY: Paste the key into this text box. You can use either of the following commands to retrieve the key:
        • dig . dnskey +multiline: This command retrieves root zone keys and is the only public key you require for a full chain of trust validation.
        • dig [@server_address] <zone> dnskey +multiline +dnssec: This command retrieves public keys from the zone you specify on the server and can be used if the parent zone is not signed. Note that the aforementioned command provides you with a key you need to cross validate against other servers to ensure you have an identical key. As an alternative, you can use http://data.iana.org/root-anchors/ to retrieve signed public keys. You can find the trust anchors in formats like XML and CSR. For more information, refer to https://data.iana.org/root-anchors/old/2015-04-03/draft-icann-dnssec-trust-anchor.txt.

  4. Click Save & Close to save.

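Step 3 asks you to cross-validate a key retrieved with dig against other servers before pasting it into the PUBLIC KEY box. The following added example (not Infoblox's code) parses `dig <zone> dnskey +multiline` output, computes the RFC 4034 key tag and the SHA-256 DS digest of each KSK (flags 257, i.e. ZONE + SEP), and rejects the key if the servers disagree; the dig output and the key in it are constructed sample data, and the DS it yields can be compared with the zone's published DS or, for the root, with the IANA root-anchors file.

```python
import base64
import hashlib
import re

# DNSKEY algorithm numbers as printed by dig, mapped to the IANA mnemonics that
# correspond to the portal's ALGORITHM TYPE choices.
ALGORITHMS = {1: "RSAMD5", 2: "DH", 3: "DSA", 5: "RSASHA1", 6: "DSA-NSEC3-SHA1",
              7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
              13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384"}

# Constructed `dig example.com dnskey +multiline` output; the key is not a real one.
SAMPLE_DIG = """\
example.com.    3600    IN    DNSKEY    257 3 8 (
                AwEAAavN7xI0Vg==
                ) ; KSK; alg = RSASHA256 ; key id = 54849
"""

def parse_dnskeys(multiline_text):
    """Yield (owner, flags, protocol, algorithm, pubkey_bytes) from dig +multiline output."""
    text = re.sub(r";[^\n]*", "", multiline_text)                                # drop comments
    text = re.sub(r"\(([^)]*)\)", lambda m: "".join(m.group(1).split()), text)   # unfold ( ... )
    for line in text.splitlines():
        f = line.split()
        if "DNSKEY" in f:
            i = f.index("DNSKEY")
            flags, proto, alg = (int(x) for x in f[i + 1:i + 4])
            yield f[0], flags, proto, alg, base64.b64decode("".join(f[i + 4:]))

def key_tag(flags, proto, alg, pubkey):
    """RFC 4034 Appendix B key tag (all algorithms except RSAMD5); equals dig's 'key id'."""
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_sha256(owner, flags, proto, alg, pubkey):
    """DS digest type 2: SHA-256 over the canonical owner name plus the DNSKEY RDATA."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    return hashlib.sha256(wire + rdata).hexdigest().upper()

def trusted_ksks(outputs):
    """(key tag, algorithm, DS digest) of every KSK (flags 257) that all servers agree on."""
    per_server = [{(key_tag(f, p, a, k), ALGORITHMS.get(a, str(a)), ds_sha256(o, f, p, a, k))
                   for o, f, p, a, k in parse_dnskeys(out) if (f & 0x0101) == 0x0101}
                  for out in outputs]
    if any(s != per_server[0] for s in per_server):  # disagreement: do not use as an anchor
        raise ValueError("servers returned different KSKs")
    return sorted(per_server[0])
```

Feed `trusted_ksks` the dig output captured from each server you query; a single differing byte in any copy raises instead of returning a key to paste.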
Warning

The Enable DNSSEC option must always be selected (set to true).

Note

If you have enabled both DNS forwarding proxy and BloxOne DDI DNS services on the same host, the DNSSEC configuration you specified here will not take effect even if you have enabled DNSSEC. For information about configuring DNS forwarding proxy and BloxOne DDI DNS, see Configuring DNS Forwarding Proxy and BloxOne DDI DNS.