DNSSEC in Debian

This is a short post about DNSSEC and how I configured it for myself.

I won’t go into great detail about what DNSSEC does, as that has already been covered quite well on Wikipedia, but I will give a very basic, simplistic view of what DNS is and some of the problems of the day. DNS stands for Domain Name Service. Let’s imagine there are only two kinds of people in the world (I know it’s untrue, but still imagine): one is a householder (househusband, housewife, whatever) and the other is a constantly moving backpacker. This is what happens with us: we connect to and disconnect from the Internet via a ‘dynamic IP’, while the sites we visit are on ‘static IPs’. The IP given either to us or to them is, for most of us, a 4 double-digit number. For e.g. mine for this session is while debian.org has a static IP address of . Now, while machines can remember these four double-digit numbers easily, we humans tend to use names. So the DNS server was born. The DNS server takes the domain name asked for by my web browser, goes to some DNS server (where it finds the actual IP address), goes to the domain and gets back to me. You can see this whole thing happening in a single ping or traceroute, which shows the journey of a data packet. I have skipped a lot of details, otherwise the post would become far too long.

Anyway, the problems are plenty. There is no way for a browser (as of today) to know whether the DNS server is trustworthy and not malicious towards users. This is where DNSSEC comes in. DNSSEC stands for DNS Security Enhancement proposal. What it does is make a pair of keys, a private and a public key, and this is exchanged with the user’s environment during the initial handshake. While it may not remove all the issues regarding safety on the net, it would definitely be a better way to live than we do now.

How to do it is already given on the Debian wiki. One point worth noting is that modifying /etc/resolv.conf to use the loopback interface as the nameserver works for both bind9 and unbound.

$ sudo cp /etc/resolv.conf /etc/resolv.conf.original
$ gksudo leafpad /etc/resolv.conf
# Generated by NetworkManager
nameserver (save it)
$ cat /etc/resolv.conf
# Generated by NetworkManager
nameserver (save it)
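Whether the loopback resolver is actually the one being asked is decided by the first nameserver line in /etc/resolv.conf, which is exactly what DHCP keeps rewriting. The following checker is an added example, not code from the original post or from Debian: it parses a resolv.conf-style file and reports whether the first nameserver entry is a loopback address. The sample files it builds are constructed for the demonstration (the 192.0.2.x addresses are from the documentation range, not real resolvers).

```shell
#!/bin/sh
# Added example, not from the original post: a small checker for
# resolv.conf-style files. It tells you whether name lookups go to the
# local validating resolver (bind9 or unbound listening on loopback) or
# whether a DHCP-supplied nameserver got in first.
#
# Exit status of resolv_uses_loopback:
#   0  first nameserver entry is a loopback address (127.x.x.x or ::1)
#   1  first nameserver entry is something else (local resolver bypassed)
#   2  no nameserver entry at all

resolv_uses_loopback() {
    # Comment lines begin with '#', so they never match $1 == "nameserver".
    first=$(awk '$1 == "nameserver" { print $2; exit }' "$1")
    if [ -z "$first" ]; then
        return 2
    fi
    case "$first" in
        127.*|::1) return 0 ;;
        *)         return 1 ;;
    esac
}

# Human-readable verdict for one file.
report() {
    rc=0
    resolv_uses_loopback "$1" || rc=$?
    case $rc in
        0) echo "$1: first nameserver is loopback; local resolver is in use" ;;
        2) echo "$1: no nameserver entry found" ;;
        *) echo "$1: first nameserver is not loopback; local resolver is bypassed" ;;
    esac
}

# Constructed sample: what NetworkManager/DHCP typically writes (made-up addresses).
dhcp_conf=$(mktemp)
printf '%s\n' '# Generated by NetworkManager' \
              'nameserver 192.0.2.53' \
              'nameserver 192.0.2.54' > "$dhcp_conf"

# Constructed sample: the hand-edited file from the post, resolver on loopback.
local_conf=$(mktemp)
printf '%s\n' '# Generated by NetworkManager' \
              'nameserver 127.0.0.1' > "$local_conf"

# Constructed sample: loopback present but not first, so it is not used first.
mixed_conf=$(mktemp)
printf '%s\n' 'nameserver 192.0.2.53' \
              'nameserver 127.0.0.1' > "$mixed_conf"

report "$dhcp_conf"
report "$local_conf"
report "$mixed_conf"
```

Run it against the real file with `resolv_uses_loopback /etc/resolv.conf` after connecting to see whether DHCP has already undone your edit.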


I have had only two observations to make.

a. Bind9 didn’t work for me. Whenever shutting down the system, it went into an endless loop, for which the only way out was to use the power button to shut off. I also tried the old way, /etc/init.d/bind9 restart, but that again used to go into an endless loop trying to get rid of the pid.

So I changed to unbound as a caching DNS resolver, which didn’t have these problems.

b. The other thing is that I have network-manager installed, and DHCP overwrites whatever is in /etc/resolv.conf. I had two options: either make DHCP static or do something about /etc/resolv.conf. I didn’t want to mess around with DHCP, so I just made the file immutable (impossible to change) with the following command:

$ sudo chattr +i /etc/resolv.conf

This did two things for me. Potentially I have a little less to worry about on the security front, and my DNS resolution experience (WWW) has become much better. So, two birds with one stone and nobody the wiser.
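The security benefit only exists if the loopback resolver is really validating signatures rather than just caching. A validating resolver sets the AD (authenticated data) flag on answers whose signature chain checked out, which `dig` shows in its `;; flags:` header line. The following check is an added example, not code from the original post; the two dig transcripts in it are constructed samples (made-up ids, TTLs and addresses), and `check_live` assumes `dig` from the dnsutils package and network access.

```shell
#!/bin/sh
# Added example, not from the original post. Reads dig output on stdin and
# returns 0 when the header flags include "ad" (answer validated by the
# resolver), 1 otherwise.

dig_answer_is_authenticated() {
    # The header line dig prints looks like:
    #   ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    # Anchor on ";; flags:" so the "flags: do;" of the EDNS line is not matched.
    grep -q '^;; flags:.*[[:space:]]ad[;[:space:]]'
}

# Live check against the configured resolver (needs network and dig).
# Not exercised by the samples below.
check_live() {
    dig +dnssec "$1" A | dig_answer_is_authenticated
}

# Constructed sample of a validated answer from a DNSSEC-aware resolver.
validated_sample=';; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
debian.org.    300    IN    A    192.0.2.10'

# Constructed sample from a resolver that only caches: no "ad" flag.
unvalidated_sample=';; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12346
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
debian.org.    300    IN    A    192.0.2.10'

# Print a verdict for a named sample.
verdict() {
    if printf '%s\n' "$2" | dig_answer_is_authenticated; then
        echo "$1: AD flag set, resolver validated the answer"
    else
        echo "$1: AD flag absent, answer was not validated"
    fi
}

verdict validated "$validated_sample"
verdict unvalidated "$unvalidated_sample"
```

If `check_live debian.org` fails even though the resolver is on loopback, the resolver is answering but not validating (or resolv.conf has been overwritten again).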

Update 08/09/11: Apparently the above is a hack. Another workaround I found which works is the following:

a. Make a script in /etc/NetworkManager/dispatcher.d/. Call it, say, abcd.sh (or whatever name you want) and copy in these contents:

#!/bin/sh
# Override /etc/resolv.conf and tell
# NetworkManagerDispatcher to go pluck itself.
# Scripts in the /etc/NetworkManager/dispatcher.d/ directory
# are called alphabetically and are passed two parameters:
# $1 is the interface name, and $2 is "up" or "down" as the
# case may be.

# Here, no matter what interface or state, override the
# created resolver config with my config.

cp -f /etc/resolv.conf.mydnbuilttolast /etc/resolv.conf

Well, the name can be whatever you want. Make sure that you make the shell script executable:

$ sudo chmod +x /etc/NetworkManager/dispatcher.d/abcd.sh

Then I put the following in /etc/resolv.conf.mydnbuilttolast:


It is the same thing as above but supposedly more elegant. It does introduce a short window during the handshake before the override takes effect, but then it settles down.

An interesting way to see what is happening is to look at /etc/resolv.conf before connecting (i.e. the default) and then again 10-15 seconds after connecting; you will see the change happen.

That’s all for now.

One thought on “DNSSEC in Debian”

  1. If you run NetworkManager, the easiest solution seems to be to edit /etc/dhcp/dhcpclient.conf and uncomment (remove the #) the line
    # prepend domain-name-servers;
    This still overwrites your /etc/resolv.conf with a bunch of nameservers, but the first line is always
