Anyone who activates DNSSEC (Domain Name System Security Extensions) in a DNS zone actively protects it against attempts to misuse the Domain Name System (DNS). Patrick Koetter, Leader of the Email and Anti-Abuse Competence Groups at eco Association explains how to achieve this in an interview and in a two-day German-language DNSSEC hands-on workshop in September 2023.
Patrick, why is a DNSSEC hands-on workshop necessary and who are you addressing with it?
Traditional DNS, as it is primarily used today, follows the approach “Who knows nothing must believe everything”. This means that the answers that DNS resolvers receive from DNS servers are correct at best. Only those who use DNSSEC have the possibility to check and verify unnoticed and fully automatically whether the answers are coming from the designated, “authoritative” DNS servers and whether the answers have not been altered during transmission.
This is important because almost every action of our computers on the Internet begins with a computer requesting a DNS service, which determines the IP address associated with the desired service. If a computer uses forged information, it may connect to the wrong service and unknowingly disclose login credentials. With this sensitive information, an attacker can gain unauthorized access to the intended service, potentially reading and sending emails, as well as downloading files. Our workshop primarily targets technicians who aim to activate DNSSEC in the DNS zones of their organization’s domain(s).
What know-how will you impart?
In the workshop, we show the participants how to activate DNSSEC in an exemplary DNS zone. We show them how they can recognise, using onboard tools, if necessary, whether a DNS zone has activated DNSSEC, what they should pay attention to when activating a DNS zone in a DNS server and which DNS resolvers they can and should use to ensure their DNS queries are DNSSEC-verified from now on. By the end of the workshop, they will have acquired the knowledge to protect their organisation reliably from DNS abuse and its potential consequences.
What will this look like in practice on site?
The workshop is divided into alternating theoretical and practical sections. In theory, we will gradually gain an understanding of the DNS resolver (also known as the client) and the server side. In the subsequent practical parts, participants will practise what they have just learned. If problems arise, we are there to assist and, if necessary, present the issues to the entire group. This approach allows us to practice troubleshooting as a team.
During the workshop, we will provide all participants with two (virtual) servers, which they will equip with software, configure and set up a DNSSEC-signed zone in the exercises according to the specified steps.
Patrick, thank you very much for the interview!