Skip to main content
Skip table of contents

3609 - DNSSEC signing with NSEC in NIOS

Scenario

You are a DNS administrator at a coffee company. The internal name space includes an authoritative zone coffee.corp on the server NS1 (10.100.0.111) and a delegated zone zone kona.coffee.corp on server NS2 (10.100.0.222).
The branch office does not have DNSSEC setup. They have decided to sign their zone kona.coffee.corp with NSEC instead of the recommended NSEC3.
Please assist them to perform the configuration on the child zone kona.coffee.corp as well as whatever configuration is necessary on the parent zone coffee.corp. Then show how this choice allows for zone enumeration (without zone transfer).

Estimate Completion Time

  • 30 to 45 minutes

Credentials

Description

Username

Password

URL or IP

Grid Manager UI

admin

infoblox

https://10.100.0.100/

Course References

  • 1204: DNSSEC Fundamentals

  • 3011: DNS Troubleshooting Methodology

  • 2204: Describing DNSSEC

  • 2026: Configuring Authoritative DNSSEC in NIOS

  • 3023: DNSSEC Proof of non-existance

Lab Initiation

Access jump-desktop

Once the lab is deployed, you can access the virtual machines required to complete this lab activity. To initiate the lab, click on the jump-desktop tile and login to the Linux UI:

Username: training

Password: infoblox

Initiate lab

To initiate the lab, double-click the Launch Lab icon on the Desktop.

Launch Lab

Launch Lab

Choose the lab number from the list and click OK.

After clicking OK, you will see a pop-up message with a brief description of the lab task. If the description looks correct, click Yes to continue lab initiation.

Lab initiation will take a couple of minutes to finish.

Once complete, you will see another pop-up message with the login credentials and the URL for the Grid Manager’s User Interface. Note that the credentials may differ from those from prior labs.

Screenshot 2024-05-06 at 3.16.57 PM.png

Tasks

Task 1: Sign with NSEC

  • In this task we will sign the zone kona.coffee.corp with NSEC as the proof of non-existence

    1. Login to NS2(10.100.0.222):

      1. navigate to Data Management → DNS

      2. in the Toolbar, Select Grid DNS Properties → DNSSEC

      3. change the Resource Record Type for Nonexistance Proof to NSEC

      4. Navigate to the unsigned authoritative zone kona.coffee.corp

      5. in the Toolbar, click DNSSEC → Sign Zones

Task 2: Upload the DS record to the parent zone

  • Performing a key rollover requires uploading new DS records to the parent zone. We will perform that in this task.

    1. Export the trust anchor from the delegated child zone.

      1. Login to NS2, navigate to Data Management → DNS → Zones, click on kona.coffee.corp. In the Toolbar, select DNSSEC → Export Trust Anchors

      2. Export Trust Anchors dialog appears, select DS records and click Export.

      3. Save the exported trust anchor to local file. It doesn't matter what you save the file name as. For our example, the file name is ds_records.txt.

      4. Open the file in editor and leave the editor open. We will need this information for the next step.
         

    2. Import the exported trust anchor into the parent zone. 

      1. Login to NS1 (10.100.0.111), navigate to Data Management → DNS → Zones, click on coffee.corp. In the Toolbar, select DNSSEC → Import Keyset

      2. The Import Keyset dialog appears. Copy and paste the DS record text from text editor (ds_records.txt in our example) and click Import

    3. Execute lockups for domains in kona.coffee.corp to verify the AD flag is present and validation is successful.

      dig @10.100.0.100 sweet.kona.coffee.corp. A
      dig @10.100.0.100 blend.kona.coffee.corp. A

Task 3: NSEC Zone Enumeration

  • In this task, we play the role of a curious client who utilizes NSEC to enumerate the zone kona.coffee.corp to learn every name in the zone.

    1. Use your knowledge of NSEC and DNS to create queries to enumerate the zone kona.coffee.corp.

      You can start with looking up the name a.kona.coffee.corp and go from there.



Solutions

Task 1 solution: Sign with NSEC & Task 2: Upload the DS record to the parent zone

  • Detailed Analysis:

    • Follow the instructions to sign the zone kona.coffee.corp on NS2 (10.100.0.222) with NSEC, and import the new DS records into coffee.corp on NS1 (10.100.0.111). After all steps have been completed, we should be able to look up names in the kona.coffee.corp domain and see the AD flag, as shown below:

Task 3 solution: NSEC Zone Enumeration

  • Detailed Analysis:

    • In this task, we utilize NSEC information to perform zone enumeration on kona.coffee.corp. The following figure, shows example of query and responses to perform the zone enumeration. We begin by querying for the name a.kona.coffee.corp, the NSEC response tells us the next name is blend.kona.coffee.corp; we then query for the name blenda.kona.coffee.corp, and the NSEC response tells us the next name is drink.kona.coffee.corp; we issue another query for drinka.kona.coffee.corp, and so on and so forth until we have enumerated every possible name in the authoritative zone.


JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close