Using DNSSEC with deSEC and IONOS

Hi everybody,

I love deSEC (using traefik), thanks’ for building and maintaining it!

I registered some domains with ionos.de.

They are able and willing to setup the stuff needed for DNSSEC. They ask me to provide the following information.

Domain:
Digest:
Digest Type:
Algorithm:
Public Key:
Key Tag:

I’m not quite sure, what I have to answer.

Through the WebApi I can access DS RECORDS and DNSKEY RECORDS (info button next to the domain). The tips state:

Your provider may require you to input this information as a block or as individual values. To obtain individual values, split the text below at the spaces to obtain the key tag, algorithm, digest type, and digest (in this order).

Your provider may require you to input this information as a block or as individual values. To obtain individual values, split the text below at the spaces to obtain the flags, protocol, algorithm, and public key (in this order).

Followed by three rows each with four columns. I got the point, that the colums are key tag, algorithm, digest type, and digest (in this order) but what is the difference between the rows. The same applies for the DNSKEY RECORDS.

I think it could be easy to get the rigth information and I’m just a little bit lost.

Could you help me to find back? :wink:

Regards,
Sebastian

Hi Sebastian!

As you may have noticed, the digest type column for the 3 DS entries has different values. So these are just different types of digests.
See RFC 8624 Sect. 3.3 for the meaning of the values.

Basically you choose one based on which digest types your domain registrar and the parent domain support. If you have multiple options then depending on your security needs you either choose the shortest one (less DNS traffic) or the longest one (more secure) while taking into account compatibility. (Personally I would tend to choose digest type 2 (SHA-256) if available, as that is probably secure enough and it should be supported everywhere.)

HTH
fiwswe

1 Like

Hi fiwswe,

thanks for the description. Definitely knowledge that was missing.

Based on your explanation and the linked specifications, it seems to be feasible to choose digest type 2 (SHA-256). The algorithm is 13 (ECDSAP256SHA256) in any case.

This results in the following info the provider IONOS is asking for:

Domain: example.org
Digest: 5dada2fd4a27e590253… (last value in second row at DS RECORDS)
Digest Type: 2 (SHA-256)
Algorithm: 13 (ECDSAP256SHA256)
Public Key: r4xEqxwzZgsD7W… (last value at DNSKEY RECORDS)
Key Tag: 12345 (first value in second row at DS RECORDS)

All information can be retrieved at deSEC’s web API by clicking next to the domain name on the info button.

Thanks again and hopefully someone else will find this information useful as well.

I’ll update this thread, if everything works fine an DESEC tests will be successful.

Regards
Sebastian

For the sake of accuracy, I’d like to add that you should not pick one, but as many as your domain registrar supports. The reason is that DNSSEC requires a) your domain using a suitable algorithm, b) DNS clients/resolvers understanding that algorithm. As you don’t know which algorithms your users (or their DNS resolvers) support, it is best to support many algorithms in your domain, and let the DNS client/resolver choose. If you configure just one algorithm, it may happen that you picked one that’s not supported by a certain DNS client, and then they can’t connect.

DNS traffic size is not relevant here, as everything fits into one packet anyway. Second, this traffic does not even go to the end user usually (it’s mostly between deSEC and your users’ Internet access provider who does the DNSSEC validation).

Stay secure,
Peter

1 Like

Sounds reasonable. Thanks for the accuracy :wink:

I’ll ask IONOS which types they support. I’ll give feedback.

Sebastian