This is the full list of all DNS/DNSSEC related articles on my blog, starting from the basics (BIND installation) to more details such as key rollover and NSEC3.

Basic DNS and DNSSEC Validation

• Basic BIND Installation
• BIND DNSSEC Validation
• DNSSEC Validation with Unbound on a Raspberry
• Pi-hole Installation Guide
• DNS Capture: UDP, IP-Fragmentation, TCP, EDNS, ECS, Cookie
• Single DNS Query – Hundreds of Packets

DNSSEC Signing

• DNSSEC Signing w/ BIND
• Signing a Subdomain
• DNSSEC with NSEC3
• ZSK Key Rollover
• KSK Key Rollover
• KSK Emergency Rollover
• Signed DNS Zone with too long-living TTLs
• BIND Inline-Signing Serial Numbers Cruncher

DNSSEC Extensions

• How to use DANE/TLSA
• SSHFP: Authenticate SSH Fingerprints via DNSSEC
  • SSHFP behind CNAME
  • SSHFP: FQDN vs. Domain Search/DNS-Suffix
  • Generating SSHFP Records Remotely
• CAA: DNS Certification Authority Authorization
• PGP Key Distribution via DNSSEC: OPENPGPKEY

Test & Troubleshooting

• Dive into delv: DNSSEC Validation
• Compare & Troubleshoot DNS Servers: dnseval
• Detect DNS Spoofing: dnstraceroute
• DNS Test Names & Resource Records
• DNS Capture – The Records Edition
• How to walk DNSSEC Zones: dnsrecon
• All-in-One DNS Tool: Domain Analyzer
• Benchmarking DNS: namebench & dnseval

Future Work

• Idea: On-the-Fly TLSA Record Spoofing
• Idea: SSHFP Validator

External Links

• a local, augmented root-zone with DNSSEC
• Cloudflare: DNS Encryption Explained
• [Talk] Carsten Strotmann: DoH or Don’t

Featured image: “Security – Dictionary” by American Advisors Group is licensed under CC BY-SA 2.0.