DNSSEC Best Practices
Industry best practices for implementing and maintaining DNSSEC
Algorithm Selection
Recommended: Algorithm 13 (ECDSAP256SHA256)
- Modern, efficient algorithm
- Small key sizes (256 bits) with strong security
- Widely supported by modern resolvers
- Better performance than RSA algorithms
Avoid deprecated algorithms (1, 3, 5, 7). Algorithm 8 (RSA/SHA-256) is acceptable but less efficient than ECDSA.
Key Management
- Separate KSK and ZSK: Use different keys for the two roles. The KSK signs only the DNSKEY RRset and is the key the parent's DS record points to; the ZSK signs the zone's other records
- Regular Rotation: Rotate ZSK every 3 months, KSK every 1-2 years
- Secure Storage: Store private keys in secure, encrypted storage or HSM
- Backup Keys: Maintain secure backups of all keys
- Key Lifecycle: Document key generation, rotation, and revocation procedures
NSEC vs NSEC3
Always use NSEC3 for production domains. NSEC3 defends against zone enumeration (zone walking) by publishing hashed owner names instead of plaintext names in the denial-of-existence chain, so the zone's contents cannot be read directly from the NSEC records. NSEC should only be used in test environments.
Signature Management
- Validity Period: Set RRSIG validity to 2-4 weeks (long enough to survive a missed re-signing run, short enough to limit how long withdrawn records can be replayed)
- Automatic Re-signing: Ensure records are re-signed before expiration
- Monitoring: Set up alerts for signature expiration (2 weeks before)
- Overlap Period: Maintain both old and new signatures during key rotation
DS Record Management
- Use SHA-256: Always use digest type 2 (SHA-256), never digest type 1 (SHA-1)
- Backup DS Records: Keep copies of all DS records
- Document Changes: Log all DS record additions and removals
- Verify Before Adding: Ensure the DS record's key tag, algorithm and digest were computed from the KSK DNSKEY actually published in the zone
- Transition Period: Maintain old and new DS records during key rotation
Monitoring and Alerts
Set up comprehensive monitoring:
- DNSSEC validation status (should always be valid)
- RRSIG expiration dates (alert 2 weeks before)
- Key rotation schedules
- DS record changes
- DNSKEY record changes
- Chain of trust verification
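The two checks above that can be automated are the DS-against-DNSKEY match ("Verify Before Adding") and the RRSIG expiration alert. The following Python is an added example written for this page, not code from the page's tool suite: it computes the RFC 4034 key tag and the digest type 2 (SHA-256) DS digest from a DNSKEY, compares them to a published DS record, and flags RRSIGs within the 2-week alert window. The DNSKEY it exercises is a constructed placeholder (an all-zero 64-byte key, not a valid P-256 point), used only to show the arithmetic.

```python
import base64
import hashlib
import struct
from datetime import datetime, timezone

# Constructed placeholder public key for illustration only (not a valid ECDSA P-256 point).
SAMPLE_PUBKEY_B64 = base64.b64encode(bytes(64)).decode()

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_sha256(owner: str, rdata: bytes) -> str:
    """Digest type 2: SHA-256 over canonical owner name followed by DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()

def ds_matches(owner: str, flags: int, protocol: int, algorithm: int, pubkey_b64: str,
               ds_tag: int, ds_alg: int, ds_digest_type: int, ds_digest: str) -> bool:
    """True only if the DS record was derived from this DNSKEY with SHA-256 (type 2)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return (ds_digest_type == 2 and ds_alg == algorithm and ds_tag == key_tag(rdata)
            and ds_digest.replace(" ", "").upper() == ds_sha256(owner, rdata))

def rrsig_days_left(expiration: str, now: str) -> float:
    """Days until an RRSIG expires; both values in RRSIG YYYYMMDDHHmmSS (UTC) format."""
    fmt = "%Y%m%d%H%M%S"
    exp = datetime.strptime(expiration, fmt).replace(tzinfo=timezone.utc)
    cur = datetime.strptime(now, fmt).replace(tzinfo=timezone.utc)
    return (exp - cur).total_seconds() / 86400

def rrsig_needs_alert(expiration: str, now: str, threshold_days: float = 14) -> bool:
    """Alert when the signature is within the 2-week window (or already expired)."""
    return rrsig_days_left(expiration, now) <= threshold_days
```

To check a real zone, feed the flags/protocol/algorithm/key fields of the published KSK DNSKEY and the fields of the DS record at the parent into ds_matches; a False result means the chain of trust will fail validation once the DS is live.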
Testing and Validation
- Test First: Always test DNSSEC on non-production domains
- Use Validation Tools: Regularly check with our DNSSEC tools
- Multiple Resolvers: Test with different DNS resolvers
- Before/After Changes: Validate before and after any DNSSEC changes
Documentation
Maintain comprehensive documentation:
- DNSSEC configuration details
- Key rotation procedures and schedules
- DS record values and when they were added
- Contact information for registrar and DNS provider
- Emergency procedures for key compromise
- Rollback procedures for failed changes
Security Considerations
Key Compromise
If a key is compromised, immediately generate new keys and follow emergency rotation procedures. Remove compromised keys from DNSKEY records and update DS records.
Private Key Security
Never share private keys. Use hardware security modules (HSM) for production. Implement proper access controls and audit logging for key operations.
Operational Procedures
- Change Windows: Schedule DNSSEC changes during low-traffic periods
- Rollback Plan: Always have a plan to revert changes if something goes wrong
- Communication: Notify stakeholders before major DNSSEC changes
- Gradual Rollout: Test changes on a subset of domains first
Provider-Specific Best Practices
Cloudflare
- DNSSEC is automatically managed; no manual key rotation is needed
- Uses NSEC3 and algorithm 13 by default
- Monitor DNSSEC status in dashboard
Route 53
- Enable automatic KMS key rotation
- Use CloudWatch alarms for DNSSEC status
- Review KMS key policies regularly
BIND
- Use dnssec-signzone with appropriate options
- Set up cron jobs for automatic re-signing
- Monitor signature expiration dates
Compliance and Standards
DNSSEC helps meet requirements for:
- PCI DSS: Recommends DNSSEC for DNS security
- NIST: Guidelines recommend DNSSEC implementation
- ISO 27001: DNSSEC supports information security controls
- Government Standards: Many government agencies require DNSSEC
Regular Maintenance
- Review DNSSEC status monthly
- Check signature expiration dates weekly
- Verify chain of trust quarterly
- Update documentation when changes are made
- Review and test emergency procedures annually
Tools and Resources
Use our comprehensive suite of tools:
- DNSSEC Validator - Check overall status
- Chain Verifier - Verify chain integrity
- RRSIG Tool - Check signature expiration
- Timeline - Track key events
- DNSSEC Info - Reference material