Questions tagged [dnssec]

Domain Name System Security Extensions (DNSSEC) is a specification for securing certain kinds of information provided by the Domain Name System.

Its purpose is to allow DNS resolvers (clients) to establish origin and authenticity of DNS records. It works by digitally signing these records using public-key cryptography.

Currently it is described in IETF RFC 2535.

202 questions
29
votes
3 answers

What kinds of security vulnerabilities does providing DNSSEC expose?

I was planning to sign my DNS zone with DNSSEC. My zone, the registrar and my DNS server (BIND9) all support DNSSEC. The only one who doesn't support DNSSEC is my secondary nameserver provider (namely buddyns.com). On their website, they state this…
12
votes
2 answers

How is my DNSSEC enabled domain still serving a tiny number of NXDOMAIN response codes?

I enabled DNSSEC on my primary domain about a week ago. It's not a major website or anything -- just my personal domain name that I use for email and the like (TLD: com; DNSSEC algorithm 13; authoritative DNS provider: Cloudflare). Over the last 24…
Collin
11
votes
2 answers

bind9 does not resolve dnssec correctly

I have a problem with my dns server setup. My bind server is mainly a cache-server but does also serve some internal domains. It listens only on my private network and serves only requests from there. Today I wanted to enable the bind to validate…
user364476
11
votes
1 answer

Can I reasonably use SHA-256 in a DNSSEC deployment?

I know that RFC 5702 documents the use of SHA-2 in DNSSEC, and that RFC 6944 defines RSA/SHA-256 as "recommended to implement." What I'm not aware of is just how widely-implemented SHA-256 is in validating resolvers. Is it practical to sign Internet…
Calrion
8
votes
2 answers

Do I need to renew the keys which I deposited at my domain provider?

I have set up some domains with dnssec. I generated the keys and signed the zones with zonesigner from dnssec-tools. I know that I must re-sign the zones within 30 days. But what's up with the keys which I deposited at my domain provider? Do I need…
user1091344
7
votes
1 answer

How to remove DNSSEC support from a domain?

An organization has DNSSEC support for their domains. They have a BIND9 as authoritative name server running which also manages the keys. However it was decided to remove DNSSEC. Is it sufficient to remove the key material in /var/lib/bind/pri and…
qbi
7
votes
3 answers

How to update a zone with auto-dnssec: maintain

I am running an authoritative BIND 9.9.5-9+deb8u8-Debian on Debian Jessie. I have a working zone for robin.info that works properly (various tests report success, such as the one on pingdom.com's DNS check tool) I am trying to secure it with dnssec.…
Calimo
7
votes
5 answers

No IPv6 & DNSSEC support on cc-TLD? (practical implications)

I'm needing to register some domains that have country code domain extensions, but noticed that those TLDs do not officially support (A) IPv6 or (B) DNSSEC... What limitations or pitfalls should I expect to run into because of this? (A) No IPv6…
Old McStopher
7
votes
2 answers

What are acceptable key lengths for DNSSEC KSK/ZSK?

I've been tasked to look into implementing DNSSEC on our name servers. While the technical side of this (generate keys, sign zones, prepare rollovers) is relatively straightforward, I've run into a logistical problem. From the documentation I've…
Shadur
7
votes
3 answers

DNSSEC - Ad Flag not activated

I have some doubts regarding DNSSEC. I have one server acting as an Authoritative Name Server and another one as a Cache/Resolver. I'm using Bind 9.7.1-P2 and these are my configuration files: Named.conf (Authoritative Server) // Opciones de…
Arancha
6
votes
5 answers

DNSCurve vs DNSSEC

Can someone informed, please give a lengthy reply about the differences and advantages/disadvantages of both approaches? I am not a DNS expert, not a programmer. I have a decent basic understanding of DNS, and enough knowledge to understand how…
Bill Gray
6
votes
1 answer

Basic DNSSEC configuration under BIND 9.7?

Could anybody provide a step-by-step procedure to set up DNSSEC under BIND 9.7? I think the version is relevant because it is supposed to make life easier. In fact, there is a document published by ISC called DNSSEC for Humans, which I used as a…
sadpluto
6
votes
1 answer

DNSSEC NSEC3 opt-out

Can someone please explain, in simple language, the meaning of opt-out flag in the NSEC3 RR. I did read RFC 5155 and understand nothing.
Sandman4
6
votes
1 answer

Debian DNSSEC - howto secure a domain?

I have a beginner question about DNSSEC. I have much experience with TLS and cryptography-stuff and would like to try out this new technology. I have googled very much about this but I haven't found useful information for me. I think one confusion…
Daniel Marschall
6
votes
1 answer

nsupdate, getting BADKEY error

I'm trying to update a name using nsupdate executed from within the name server itself but I receive the error message ; TSIG error with server: tsig indicates error. I created a key with dnssec-keygen -a hmac-md5 -b 512 -n HOST -r /dev/urandom…
stracktracer