DNSSEC and amplification attacks
I am running an NSD nameserver to manage my domains.
I was running it on a CentOS 5 Linode for several years and recently upgraded it to CentOS 7.
In the past, I was not terribly worried about the nameserver being used for amplification DDoS attacks: NSD is authoritative only and does not support recursive lookups, and I was not using DNSSEC. So it was not a very good nameserver to use in an amplification attack.
However, I am more and more convinced that DNSSEC is the future. With how cheap and easy it is to get signed SSL certificates with domain verification, I suspect there will be an increase in man-in-the-middle attacks resulting from either insecure DNS servers or cache poisoning that allows the attacker to receive e-mail at admin@domain and get a signed certificate.
DNSSEC protects against that: even if an attacker gets control of the DNS server, that is not enough; they need access to the private key that signs the zone files and the passphrase associated with it.
In fact, I suspect a self-signed SSL certificate with its public key fingerprint in a DNSSEC-secured DNS server is more secure than a CA-signed certificate for a domain not protected by DNSSEC.
So I want to start playing with DNSSEC and learning more about it as I suspect it will be a necessary job skill in a few years.
But I need to know if there is anything specific I need to do on my DNS server to help prevent it from being used in an amplification attack if it answers DNSSEC queries, and so far my Google skills have not been coming up with anything.
Is there anything I need to be doing on the server to thwart its use in such an attack?
Thank you for your time.