DNSSEC is a backwards compatible addition to DNS that have been ”almost done” for a number of years and now (finally) are being deployed for production use. This workshop is a condensed version of the usual ”Advanced DNS” course.

In addition to a complete treatment of DNSSEC it has a special focus on available tools for DNSSEC.

  • threat model, design requirements, alternatives and solution
  • protocol changes
  • new requirements on and importance of communication between parent and child
  • tools to simplify and automate deployment and operations of DNSSEC

Target Audience

The DNSSEC training aims at several audiences in parallel. Systems and network administrators, technical staff at registries and registrars are obvious. But also decision makers, project managers and strategists as well as consultants and security specialists that require a deeper understanding of how DNSSEC works and will change traditional DNS management.


This course requires knowledge corresponding to our DNS Introduction course.


The DNSSEC training is a theoretical training with practical exercises.

NOTE: The DNSSEC training is not delivered with the FoldOut methodology.

Quick repetition of traditional DNS Principles behind the DNS protocol:

  • autonomy, coherence, redundancy

Packet format:

  • The different parts of the DNS message and their usage

Name server implementations

  • BIND (both authoritative and recursive server)
  • NSD (authoritative-only server)
  • Unbound (recursive-only server)
  • Other implementations
  • Differences, pros and cons

Lab Exercise: Compilation and installation of the DNS software Role separation for name servers:

  • inevitable when deploying DNSSEC
  • different implementation alternatives
  • usage together with TSIG
  • pitfalls

TSIG: signing DNS transactions

  • Symmetric encryption
  • Symmetric algorithms: HMAC-SHA1, HMAC-SHA256
  • Securing zone transfers (server-server)
  • Securing queries (client-server)
  •  BIND: TSIG Configuration in named.conf:
    • key, server and masters directives
  • NSD: TSIG Configuration in nsd.conf:
    • key: attributes and the use of the NOKEY keyword
  •  Securing the transport vs securing the data

Lab Exercise: Using TSIG between master and slave

  • Configuration
  • Need for synchronized clocks
  • Debugging


  • framework for DNS protocol extensions
  • usage of the OPT pseudo-RR
  • fields in the DNS packet that are expanded via EDNS(0) and their use

Introduction to DNSSEC

  • Background, threat scenario, the Kaminsky attack, etc
  • Walkthrough of the concepts

DNSSEC: Validation of signed DNS data

  • “Trusted keys” and validation of data
  • What does ”security apex” mean?
  • What should happen when data doesn’t validate?

Lab Exercise: Configuration of a validating resolver DNSSEC: Publication of signed DNS data

  • Asymmetric encryption with public keys
  • Asymmetric algorithms: RSA, DSA
  • KSK and ZSK: different operational uses for keys

DNSSEC: Protocol extensions and new record types

  • RRSIG: digital signature of DNS records
  • DNSKEY: publik key stored and distributed via DNS
  • DS: identification of the ”KSK” in use

DNSSEC low-level tools:

  • dnssec-keygen to create keys
  • dnssec-signzone to sign zones

Lab Exercise: Publishing a DNSSEC signed zone

  • Create the configuration
  • Generate the keys and add them to the zone
  • DNSSEC Zone Signing

DNSSEC Key Rollover: Replacing old keys with new keys

  • Policy management
  • Delegation Signer and parent interaction
  • Parent/child interaction with examples
  • Tools to simplify DNSSEC management

Lab Exercise: The DS record and interacting with your parent

  • Closing the signature chain from the parent
  • Verification of the signature chain
  • Debugging

Resolver issues

  • Suitable API
  • Securing the ”last mile”
  • The requriement for a ”clear path”

Lab Exercise: Key Rollover of ZSK and KSK

  • Logging

DNSSEC Protocol extension: ADE (Authenticated Denial of Existence)

  • Why is ADE so important?
  • NSEC: Filling out the empty space to facilitate ADE
  • NSEC3: When zone contents must not be listed
  • Lab Exercise: NSEC3

DNSSEC high-level tools

  • ZKT
    • Lab: ZKT
  • OpenDNSSEC
    • Lab: OpenDNSSEC
  • Others

International outlook

  • Signing different Top-Level domains
  • Signing the root zone
  • Development and and adjustment of different systems for DNSSEC


Duration: 2 days


Classroom training: € 1730

We offer substantial discounts for group bookings, and we have corporate rates with most of the operators and equipment suppliers in the world.

Get in touch »

Don't miss a thing

Please sign up for our newsletter and you will be first to hear on upcoming events, new training subjects and more...