sane 2006
Tutorial W2PM
Time: Wednesday 17 May 2006 14:00 - 17:30 Location: Collegezaal A
DNS Security

Abstract

Name servers are often misconfigured in ways that expose them, and the applications or services that depend on them, to a variety of attacks: denial of service, spoofing, traffic amplification and so on. The tutorial explains how to restrict and control access to name servers. It also discusses the application of the principle of least privilege to DNS administration. Techniques for authenticating DNS transactions (queries, zone transfers and dynamic updates) are described. The DNS Security protocol extensions (DNSSEC) are explained: the new resource records, how to sign a zone, what DNSSEC does and does not do, and an overview of deployment and ongoing development issues.

Topics include:

  • Setting up an internal root server
  • Securing the name server
    • Setting up a chroot()'ed environment
    • Using BIND9's access control lists
    • Preventing unwanted access
  • Transaction Signatures
    • Using TSIG & SIG(0)
  • Secure DNS (DNSSEC)
    • RRSIG, NSEC, DS & DNSKEY Resource Records
    • How to sign zones with dnssec-keygen and dnssec-signzone
    • Deployment considerations
    • Last mile issues

Who should attend?
DNS administrators who wish to extend their understanding of how to configure and manage name servers running BIND9. Attendees should have some experience of running a BIND8 or BIND9 name server and be familiar with DNS jargon for resource records, as well as the syntax of zone files and named.conf. This tutorial will answer the question, "I've set up master (primary) and slave (secondary) name servers. What else can I do with the name server?"


Jim Reid

Jim Reid started using a PDP11/45 running V7 UNIX over 20 years ago and has been working with UNIX systems ever since. He worked for three years at Origin on behalf of Philips Electronics, where he wrote a DNS management system and designed, built, and operated the DNS infrastructure for the corporate network, one of the biggest in the world.

He has written and presented training courses ranging from kernel internals, through system administration and network security, to DNS administration since Marco van Basten played for Ajax. He's a frequent speaker and tutorial presenter at conferences and workshops in Europe, Asia and the USA. Jim chairs the DNS Working Group at RIPE and is active in ENUM, serving as Chair and Technical Manager of the UK ENUM Trial Group.



Last modified: Mon, 23 Jan 2006 22:36:51 +0100