Want to understand DNSSEC and how it can help secure the Internet? The folks at SIDN, the registry behind the .NL country code top-level domain (ccTLD), have put together a truly excellent 1-hour video e-learning session available in either English or Dutch at:
The course touches on the basics of DNS then explains the role of DNSSEC, how it works and the steps that need to be done. It also has some solid points about things you need to think about and also business impacts of DNSSEC. Perhaps most usefully, the course includes a number of animations that really illustrate how DNSSEC works, as well as a few examples of what DNS zone files really look like with DNSSEC involved.
The video’s target audience is really for domain name registrars who would enable DNSSEC for their customers (domain name registrants). However, SIDN created the video in such a way that it’s quite a useful introduction to DNSSEC for anyone interested in the topic.
I found the elearning user interface quite nice in that you could skip around between sections, return to past sections, stop/start the sections and skip ahead as well. The “Notes” tab also includes the text of what was said in each section, which I could see being quite valuable particularly for those for whom English or Dutch is not a native language. It was also nice to have the video introductions from Bert Hubert interspersed with the slides and animations.
My one issue with the user interface was that when a section was done you have to press the “Next” button to move on to the next section. Given that there are 74 sections, I soon found myself wishing there was an “auto-advance” that would just keep on playing the video. A minor quibble, perhaps. Otherwise I was quite pleased.
On a technical level, my only issue was that the course oversimplified one aspect of the DNSSEC infrastructure. It states that a copy of the public key for your zone (the DNSKEY record) is stored in the parent zone as the DS record.
In fact, the DS record is a digest of the DNSKEY, as defined in section 5 of RFC 4034 and shown as an example in section 5.4.
I realize that the video couldn’t go into every detail and had to simplify some aspects in order to keep it within the presentation timeframe. I also realize that the idea is quite similar. However, if someone left this video thinking that the DS record in the parent zone was simply the DNSKEY record from the child zone, they would be extremely surprised when the do a “dig” on the records for a DNSSEC-signed domain and see that they are quite different.
Regardless, I still see this as an outstanding introduction to DNSSEC and commend the folks at SIDN for creating this elearning video. If you want a quick way to understand DNSSEC, definitely do check it out!