# DNSSEC Workshop

##### <span class="mw-headline" id="bkmrk-introduction-1">Introduction</span>

Hands on DNS and DNSSEC Three day course – [Philip Paeps](https://trouble.is/bio/)

##### <span class="mw-headline" id="bkmrk-objectives-1">Objectives</span>

At the end of this course, participants will be familiar with the Domain Name System and Security Extensions to the Domain Name System (DNSSEC). The course is taught "hands-on" in a virtualised FreeBSD environment. Participants will configure authoritative and recursive domain name servers and will learn to analyse and debug common misconfigurations and bugs

##### <span class="mw-headline" id="bkmrk-prerequisites-1">Prerequisites</span>

Participants should be familiar with Unix-style operating systems. The course is taught on FreeBSD but the environment will be familiar to people with a systems administration background on Linux or Solaris. Participants should bring their own laptops. The virtualised lab environment is hosted on a server in Germany. Reliable internet connectivity with reasonable latency is required

##### <span class="mw-headline" id="bkmrk-participants-1">Participants</span>

Systems administrators and network operators responsible for the DNS services in their organisation.

##### <span class="mw-headline" id="bkmrk-workshop-requirement-1">Workshop Requirements</span>

- Some understanding of DNS is required (for example, operational experience managing DNS servers is useful)
- Some knowledge of Linux/UNIX command line
- Good understanding of network basics (IP networking)
- All participants will need to bring a laptop with WiFi access. You cannot use a tablet for this workshop.

##### <span class="mw-headline" id="bkmrk-instructors-1">Instructors</span>

[Philip Paeps](https://trouble.is/bio/)

##### <span class="mw-headline" id="bkmrk-agenda-1">Agenda</span>

<table class="wikitable" id="bkmrk-time-day-1%3A-sunday-2"><tbody><tr><th>Time</th><th>Day 1: Sunday 23 August</th><th>Day 2: Monday 24 August</th><th>Day 3: Tuesday 25</th></tr><tr><td>08:30 – 09:15 (45 minutes)</td><td>Registration and coffee</td><td>Registration and coffee</td><td>Registration and coffee</td></tr><tr><td>09:15 – 11:15 (120 minutes)</td><td>• Introduction to DNS  
• Resource records  
• Delegation  
• Queries, responses and flags  
</td><td>•Configuring authoritative nameservers  
• Setting up DNS zonefiles  
• Delegating authority  
• Debugging common zonefile problems  
</td><td>• Introduction to DNSSEC  
• New resource records and flags in DNSSEC  
• Validating a domain from the root step by step</td></tr><tr><td>11:15 – 11:30 (15 minutes)</td><td>Coffee break</td><td>Coffee break</td><td>Coffee break</td></tr><tr><td>11:30 – 13:00 (90 minutes)</td><td>• DNS packet analysis  
• DNS data flow  
• DNS vulnerabilities</td><td>• Very brief introduction to cryptography  
•Using TSIG to secure queries</td><td>• Key management: ZSKs and KSKs  
• Theory of key rollover and best practices</td></tr><tr><td>13:00 – 14:00 (60 minutes)</td><td>Lunch</td><td>Lunch</td><td>Lunch</td></tr><tr><td>14:00 – 15:30 (90 minutes)</td><td>• Tools: dig, drill, host, nslookup, tcpdump  
• Tools exercises  
• Resolving a domain from the root by hand</td><td>• Configuring secondary nameservers  
• Configuring TSIG to secure zone transfers  
• Debugging common zone transfer issues</td><td>• Manually signing a zone with BIND 9  
• Configuring automatic DNSSEC with BIND 9   
• Brief introduction to OpenDNSSEC</td></tr><tr><td>15:30 – 15:45 (15 minutes)</td><td>Coffee break</td><td>Coffee break</td><td>Coffee break</td></tr><tr><td>15:45 – 16:30 (45 minutes)</td><td>• Introduction to the lab environment  
• Discussion and Q&amp;A  
</td><td>• Configuring unbound as a recursive resolver  
• Discussion and Q&amp;A</td><td>• Configuring unbound with trust anchors   
• Demo with SSHFP and TLSA   
• Discussion and Q&amp;A</td></tr></tbody></table>