Teri Radichel


DNSSEC in AWS Route 53 and Google Domains

Protect against DNS spoofing and improve email security


DNSSEC adds digital signatures to the records in your DNS zone so that validating resolvers can check that the answers they receive for your domain are authentic and have not been spoofed or poisoned in transit. Because mail delivery and email authentication (MX, SPF, DKIM and DMARC records) all depend on DNS lookups, signing your zone also makes it harder for an attacker to redirect or spoof your email. Here are the steps to enable DNSSEC on your domain if you are using Google Domains or AWS Route 53.

Setting up DNSSEC on a Google Domain

First, here’s how you do it in Google Domains if you also use Gmail:

  1. Login at https://domains.google.
  2. Click on the domain to which you want to add DNSSEC.
  3. Click on DNS on the left.
  4. Scroll down and enable DNSSEC.

Now the one thing about DNSSEC here with Google Domains is that it’s easy, but they are also doing all the key management for you. You may or may not want more control over that. In any case, I appreciate how easy that is for non-technical users, given the complexity of DNSSEC.

Setting up DNSSEC on an AWS Domain in Route 53

OK, now let’s see how to do that in AWS. I’ll start with the top-level documentation and work my way down. The steps and information in the documentation are quite extensive and jump around a bit, so I’m going to pull it all into a single list of instructions.

Unfortunately, the documentation glosses over some steps, such as exactly which alerts you should set up for DNS. I’m going to as well for now, but I may revisit these topics later.

Prepare for signing

  1. AWS recommends setting up CloudWatch alarms on the hosted zone’s DNSSEC metrics (DNSSECInternalFailure and DNSSECKeySigningKeysNeedingAction) before you start, so you find out if signing breaks or a KSK needs attention.
  2. Lower the zone’s maximum record TTL to 3600 seconds (1 hour).
  3. Lower the SOA TTL and the SOA minimum TTL to 300 seconds.
  4. Use GetChange (aws route53 get-change) with the change Id returned by each update to confirm the changes have propagated (status INSYNC), then wait for the old TTLs to expire before you sign the zone.

Create a customer managed KMS key

  1. Create a customer managed KMS key for this purpose with the following properties:
     region us-east-1 (Route 53 DNSSEC only accepts keys in that region, wherever you manage the hosted zone)
     asymmetric
     key spec ECC_NIST_P256
     key usage sign and verify

AWS says you need to monitor key rotation yourself.
I am not sure what the impact of enabling rotation on this key will be.
KMS is supposed to auto-rotate keys for you, but I need to test that.

  2. Add a key policy that allows the Route 53 DNSSEC service principal (dnssec-route53.amazonaws.com) to describe the key, get its public key, sign with it, and create grants on behalf of AWS resources:

Just a note here that I showed you how to create a generic KMS key template here:

This might be an instance where I would break the DRY rule I wrote about:

Email is so crucial to everything we do that we’ll want to make sure these email and DNS related templates don’t get inadvertently modified and redeployed. I’d likely create a separate template for this purpose.
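The key policy and key properties above are the part that usually goes wrong the first time. The following Python is an added example (not code from the post, and not an AWS library): it builds the key policy AWS documents for the dnssec-route53.amazonaws.com service principal and checks the JSON returned by `aws kms describe-key` and `aws kms get-key-policy` against the Route 53 requirements. It runs offline against a constructed sample; the account id 111122223333 and the key id are placeholders.

```python
"""Pre-flight checks for the customer managed KMS key Route 53 will use as a DNSSEC KSK.

Added example, not code from the original post. Builds the key policy AWS documents for the
Route 53 DNSSEC service principal and checks `aws kms describe-key` / `aws kms get-key-policy`
output against the Route 53 requirements. Account id and key id below are placeholders.
"""
import json

ROUTE53_DNSSEC_PRINCIPAL = "dnssec-route53.amazonaws.com"
SIGNING_ACTIONS = {"kms:DescribeKey", "kms:GetPublicKey", "kms:Sign"}


def dnssec_key_policy(account_id: str) -> dict:
    """Key policy for a Route 53 DNSSEC KSK: account admin access plus the two statements
    Route 53 needs (describe / get public key / sign, and CreateGrant limited to grants
    created on behalf of an AWS resource)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "Allow Route 53 DNSSEC Service", "Effect": "Allow",
             "Principal": {"Service": ROUTE53_DNSSEC_PRINCIPAL},
             "Action": sorted(SIGNING_ACTIONS), "Resource": "*",
             # Confused-deputy guard: only hosted zones in this account may use the key.
             "Condition": {"StringEquals": {"aws:SourceAccount": account_id},
                           "ArnLike": {"aws:SourceArn": "arn:aws:route53:::hostedzone/*"}}},
            {"Sid": "Allow Route 53 DNSSEC Service to CreateGrant", "Effect": "Allow",
             "Principal": {"Service": ROUTE53_DNSSEC_PRINCIPAL},
             "Action": "kms:CreateGrant", "Resource": "*",
             "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
        ],
    }


def _as_set(value) -> set:
    # IAM allows a single string or a list in Principal.Service and Action.
    return {value} if isinstance(value, str) else set(value or [])


def check_key_policy(policy: dict) -> list:
    """Problems that would stop Route 53 from signing with this key ([] means it is fine)."""
    problems, allowed, grant_ok = [], set(), False
    for st in policy.get("Statement", []):
        principal = st.get("Principal", {})
        if st.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if ROUTE53_DNSSEC_PRINCIPAL not in _as_set(principal.get("Service")):
            continue
        actions = _as_set(st.get("Action"))
        allowed |= actions & SIGNING_ACTIONS
        if "kms:CreateGrant" in actions:
            cond = st.get("Condition", {}).get("Bool", {}).get("kms:GrantIsForAWSResource")
            if str(cond).lower() == "true":
                grant_ok = True
            else:
                problems.append("kms:CreateGrant must be conditioned on kms:GrantIsForAWSResource = true")
    problems += [f"Route 53 service principal is not allowed {a}" for a in sorted(SIGNING_ACTIONS - allowed)]
    if not grant_ok:
        problems.append("Route 53 service principal cannot kms:CreateGrant")
    return problems


def check_key_metadata(meta: dict) -> list:
    """Check the KeyMetadata block of `aws kms describe-key`: asymmetric ECC_NIST_P256,
    SIGN_VERIFY, enabled, and in us-east-1 (the only region Route 53 DNSSEC accepts)."""
    problems = []
    if meta.get("KeySpec") != "ECC_NIST_P256":
        problems.append(f"KeySpec must be ECC_NIST_P256, got {meta.get('KeySpec')}")
    if meta.get("KeyUsage") != "SIGN_VERIFY":
        problems.append(f"KeyUsage must be SIGN_VERIFY, got {meta.get('KeyUsage')}")
    if meta.get("KeyState") != "Enabled":
        problems.append(f"key state is {meta.get('KeyState')}, not Enabled")
    region = meta.get("Arn", "").split(":")[3:4]  # arn:aws:kms:<region>:<account>:key/<id>
    if region != ["us-east-1"]:
        problems.append(f"key must be in us-east-1, got {region[0] if region else '<no ARN>'}")
    return problems


# Constructed sample shaped like the KeyMetadata block of `aws kms describe-key`.
SAMPLE_KEY_METADATA = {
    "Arn": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "KeyState": "Enabled",
    "KeyUsage": "SIGN_VERIFY",
    "KeySpec": "ECC_NIST_P256",
}

if __name__ == "__main__":
    # Save this for: aws kms put-key-policy --key-id <id> --policy-name default --policy file://policy.json
    print(json.dumps(dnssec_key_policy("111122223333"), indent=2))
    print("metadata problems:", check_key_metadata(SAMPLE_KEY_METADATA))
    print("policy problems:", check_key_policy(dnssec_key_policy("111122223333")))
```

To create a matching key from the CLI, run `aws kms create-key --region us-east-1 --key-spec ECC_NIST_P256 --key-usage SIGN_VERIFY` and feed the returned KeyMetadata to check_key_metadata before you create the KSK. Two design points: the aws:SourceAccount and aws:SourceArn conditions stop a hosted zone in someone else’s account from using your key through the service principal, and KMS automatic rotation only applies to symmetric keys, so this asymmetric key is never rotated by KMS. Rotating the KSK is a manual procedure: create a second KSK on a new key, activate it, publish the new DS record at the registrar, wait for the old DS to expire from caches, then deactivate and delete the old KSK.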

Enable DNSSEC signing and create a KSK

1. Create a key-signing key (KSK) for the hosted zone, passing in the ARN of the customer managed KMS key.

aws --region us-east-1 route53 create-key-signing-key \
   --hosted-zone-id $hostedzone_id \
   --key-management-service-arn $cmk_arn --name $ksk_name \
   --status ACTIVE \
   --caller-reference $unique_string

2. Enable DNSSEC signing for the hosted zone

aws --region us-east-1 route53 enable-hosted-zone-dnssec \
   --hosted-zone-id $hostedzone_id

3. Verify the change

If you used the AWS CLI, take the ChangeInfo Id from the output of the create-key-signing-key and enable-hosted-zone-dnssec calls and run get-change (GetChange) with it until the status is INSYNC, which means all Route 53 DNS servers are signing responses.

4. Wait for the TTL to expire (in other words, for DNS resolvers to pick up the change, which can take some time to propagate across the Internet).

5. Monitor for issues. AWS lists potential issues in the documentation.

Establish chain of trust

  1. Navigate to your hosted zone in Route 53.
  2. Click the DNSSEC Signing tab.
  3. Under Establish a chain of trust, choose where your domain is registered (Route 53 or an external registrar).
  4. Publish the DS record shown in the console at your registrar (or, for a subdomain, in the parent zone). Until the DS record exists in the parent, resolvers have no trust anchor for your zone and treat it as unsigned; once it is published, a DS that does not match the active KSK causes validating resolvers to return SERVFAIL for the whole zone, so check the record before you move on.
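The DS record is the one value in this whole procedure that a typo can turn into an outage, so it is worth checking it against the DNSKEY rather than trusting a copy and paste. The following Python is an added example (not code from the post): it implements the RFC 4034 key tag and the RFC 4509 SHA-256 DS digest (digest type 2) that Route 53 publishes for its ECDSAP256SHA256 (algorithm 13) KSKs, so you can cross-check the DS and DNSKEY pair shown on the DNSSEC signing tab (or returned by `aws route53 get-dnssec`) and, after propagation, the output of `dig DNSKEY yourdomain` and `dig DS yourdomain`. The sample key is constructed (64 zero bytes) and is not a real key.

```python
"""Check that the DS record you give the registrar matches the KSK's DNSKEY.

Added example, not code from the original post. Implements the RFC 4034 key tag and the
RFC 4509 SHA-256 DS digest (digest type 2). The sample key below is constructed.
"""
import base64
import hashlib
import struct


def owner_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA in wire form: 2-byte flags, protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (for every algorithm except RSA/MD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_from_dnskey(owner: str, dnskey_text: str) -> str:
    """DS RDATA ('<keytag> <alg> 2 <SHA-256 hex>') for DNSKEY RDATA text such as
    '257 3 13 <base64>'. The digest covers the canonical owner name + DNSKEY RDATA."""
    flags, protocol, algorithm, *b64 = dnskey_text.split()
    flags, protocol, algorithm = int(flags), int(protocol), int(algorithm)
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3")
    if not flags & 0x0100:
        raise ValueError("not a zone key (ZONE flag unset)")
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode("".join(b64)))
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {algorithm} 2 {digest}"


def verify_ds(owner: str, dnskey_text: str, ds_text: str) -> bool:
    """True when DS RDATA text ('<keytag> <alg> <digest type> <hex>') matches the DNSKEY.
    Key tag, algorithm, digest type and digest must all agree; hex case is ignored."""
    tag, alg, dtype, *digest = ds_text.split()
    return [tag, alg, dtype, "".join(digest).upper()] == ds_from_dnskey(owner, dnskey_text).split()


# Constructed sample: KSK flags (257 = ZONE + SEP), protocol 3, algorithm 13, and 64 zero
# bytes standing in for the uncompressed P-256 point Route 53 would publish. Not a real key.
SAMPLE_OWNER = "example.com."
SAMPLE_DNSKEY = "257 3 13 " + base64.b64encode(bytes(64)).decode()

if __name__ == "__main__":
    ds = ds_from_dnskey(SAMPLE_OWNER, SAMPLE_DNSKEY)
    print(f"{SAMPLE_OWNER} IN DS {ds}")
    print("matches DNSKEY:", verify_ds(SAMPLE_OWNER, SAMPLE_DNSKEY, ds))
```

Paste the DNSKEY record text (flags, protocol, algorithm and base64 key) from `dig DNSKEY yourdomain +short` into ds_from_dnskey with your zone name, and compare the result with the DS your registrar shows and with `dig DS yourdomain +short` once the parent has published it. A mismatch in any field, including the key tag, means validating resolvers will fail the zone, and the owner name is lowercased before hashing because that is how RFC 4034 defines the canonical form.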

I’ll likely try to automate as much of this as I can in the future, but for now I am just sorting out the steps in the documentation, which jumps around to many different pages. Perhaps there should be an easy button for “just enable DNSSEC already” in AWS Route 53 for those who don’t need as much control over their keys and settings.

In the next post on this topic I’ll show you how to do this manually in AWS.

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2023
