ustaxcourt / ef-cms

An Electronic Filing / Case Management System.
https://dawson.ustaxcourt.gov/

Revisit DNSSEC configuration now that AWS Route53 supports it. #767

Open adunkman opened 3 years ago

adunkman commented 3 years ago

Our Email architecture documentation reads:

DNSSEC is not supported by Amazon Route53 or the DKIM signing domains used for Amazon SES Easy DKIM.

This is no longer true:

Amazon Web Services announced the launch of Domain Name System Security Extensions (DNSSEC) for Amazon Route 53. You can now enable DNSSEC signing for all existing and new public hosted zones, and enable DNSSEC validation for Amazon Route 53 Resolver. Amazon Route 53 DNSSEC provides data origin authentication and data integrity verification for DNS and can help customers meet compliance mandates, such as FedRAMP.

Background

From the email documentation:

DNSSEC proves a DNS name server is authorized to provide answers for a domain by using a chain of signed records from a domain up to the top-level domain (like .gov). SPF, DKIM, and DMARC rely on DNS lookups, so DNSSEC enhances trust in these security mechanisms.

adunkman commented 3 years ago

If we had DNSSEC enabled, we could protect against issues such as #775 (only one set of records would be signed and authorized).

adunkman commented 3 years ago

Search.gov has had a rough experience with DNSSEC, but it sounds like it would be significantly easier today now that Route53 supports DNSSEC, and the Tax Court is using Route53 for all domains + subdomains in question.

For us to get the benefits of DNSSEC, it would require enabling it at all the relevant hosted zones — the ustaxcourt.gov level as well as in development (ef-cms.ustaxcourt.gov) and then in production (dawson.ustaxcourt.gov).

mmarcotte commented 3 years ago

Would require collaboration with Court OIS team to get the ustaxcourt.gov and .gov.

Will document what we learned to ready this for when we have more bandwidth.

adunkman commented 3 years ago

Enabling DNSSEC (guide on how to do so on Route53) is done in two steps:

  1. Enable signing in Route53 for the hosted zone.
  2. Add a DS record to the parent hosted zone (up through .gov).

For the US Tax Court, that would mean our steps will be:

  1. Enable DNSSEC for ustaxcourt.gov.
  2. Log in to the .gov domain manager and register the signing key from Route53.
  3. Enable DNSSEC for ef-cms.ustaxcourt.gov.
  4. Add the DS record to ustaxcourt.gov for the subdomain.
  5. Enable DNSSEC for dawson.ustaxcourt.gov.
  6. Add the DS record to ustaxcourt.gov for the subdomain.

I’ve also spoken with devs over at login.gov, and they’re keeping their eyes out for others to go first. I think we’re a bit ahead of the curve on this issue, and it would be beneficial to do this when others have "lessons learned" ready to share and we have the capacity to coordinate across the org on it.

Punting it back into the backlog!
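
Added example (not from this thread or the ef-cms repository): a Python check that the DS record placed in ustaxcourt.gov for each subdomain in steps 4 and 6 above matches that subdomain's key-signing key, since a DS that matches no DNSKEY in the child makes validating resolvers reject the zone. The key bytes are constructed stand-ins, and the function names, algorithm 13 and SHA-256 digest type 2 are assumptions.

```python
import hashlib
import struct

def name_to_wire(name):
    """Owner name in canonical (lowercased) DNS wire format, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, public_key, protocol=3):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then the raw key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag as defined in RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, rdata):
    """DS fields (key tag, algorithm, digest type 2, SHA-256 digest) for a DNSKEY."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], 2, digest)

def mismatched_delegations(child_keys, parent_ds):
    """Return child zones whose DS in the parent matches none of their DNSKEYs."""
    bad = []
    for zone, keys in child_keys.items():
        expected = {make_ds(zone, k) for k in keys}
        if parent_ds.get(zone) not in expected:
            bad.append(zone)
    return bad

# Constructed sample data: 64-byte stand-ins for P-256 public keys, not real keys.
# 257 = KSK flags (zone key + SEP); 13 = ECDSAP256SHA256 (assumed algorithm).
EF_CMS_KSK = dnskey_rdata(257, 13, bytes(range(64)))
DAWSON_KSK = dnskey_rdata(257, 13, bytes(range(64, 128)))
CHILD_KEYS = {
    "ef-cms.ustaxcourt.gov.": [EF_CMS_KSK],
    "dawson.ustaxcourt.gov.": [DAWSON_KSK],
}
# DS records as they would sit in the parent zone (ustaxcourt.gov). In BAD_DS the
# dawson entry deliberately repeats the ef-cms record to model a copy-paste error.
GOOD_DS = {z: make_ds(z, k[0]) for z, k in CHILD_KEYS.items()}
BAD_DS = {**GOOD_DS, "dawson.ustaxcourt.gov.": GOOD_DS["ef-cms.ustaxcourt.gov."]}

if __name__ == "__main__":
    print("consistent plan:", mismatched_delegations(CHILD_KEYS, GOOD_DS))
    print("copy-paste error:", mismatched_delegations(CHILD_KEYS, BAD_DS))
```

Running the same comparison against the DNSKEY set actually served by each child zone, before the DS is published in the parent, catches the mismatch while it is still harmless.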

adunkman commented 3 years ago

Here’s an example implementation for Route53, in case it’s useful in the future: https://github.com/GSA/datagov-ssb/pull/99