Questions tagged [dnssec]

Domain Name System Security Extension is a specification for securing certain kinds of information provided by Domain Name System

Domain Name System Security Extension is a specification for securing certain kinds of information provided by Domain Name System.

Its purpose is to allow DNS resolvers (clients) to establish origin and authenticity of DNS records. It works by digitally signing these records using public-key cryptography.

Currently it is described in IETF RFC 2535.

202 questions

votes

3 answers

What kinds of security vulnerabilities does providing DNSSEC expose?

I was planning to sign my DNS zone with DNSSEC. My zone, the registrar and my DNS server (BIND9) all support DNSSEC. The only one who doesn't support DNSSEC is my secondary nameserver provider (namely buddyns.com). On their website, they state this…

asked Jul 23 '15 at 21:37

Johann Bauer

votes

2 answers

How is my DNSSEC enabled domain still serving a tiny number of NXDOMAIN response codes?

I enabled DNSSEC on my primary domain about a week ago. It's not a major website or anything -- just my personal domain name that I use for email and the like (TLD: com; DNSSEC algorithm 13; authoritative DNS provider: Cloudflare). Over the last 24…

domain-name-system dig dnssec

asked Jul 14 '22 at 17:04

Collin

votes

2 answers

bind9 does not resolve dnssec correctly

I have a problem with my dns server setup. My bind server is mainly a cache-server but does also serve some internal domains. It listens only on my private network and serves only requests from there. Today I wanted to enable the bind to validate…

domain-name-system bind cache dnssec

asked Jul 08 '16 at 19:30

user364476

votes

1 answer

Can I reasonably use SHA-256 in a DNSSEC deployment?

I know that RFC 5702 documents the use of SHA-2 in DNSSEC, and that RFC 6944 defines RSA/SHA-256 as "recommended to implement." What I'm not aware of is just how widely-implemented SHA-256 is in validating resolvers. Is it practical to sign Internet…

security dnssec

asked Mar 26 '14 at 07:38

Calrion

votes

2 answers

Do I need to renew the keys which I deposited at my domain provider?

I have set up some domains with dnssec. I generated the keys and signed the zones with zonesigner from dnssec-tools. I know that I must resign the zones within 30 days. But what's up with the keys which I deposited at my domain provider? Do I need…

domain-name-system domain nameserver dnssec

asked May 02 '12 at 22:35

user1091344

votes

1 answer

How to remove DNSSEC support from a domain?

A organization has DNSSEC support for their domains. They have a BIND9 as authoritative name server running which also manages the keys. However it was decided to remove DNSSEC. Is it sufficient to remove the key material in /var/lib/bind/pri and…

debian bind dnssec

asked May 05 '17 at 11:25

qbi

votes

3 answers

How to update a zone with auto-dnssec: maintain

I am running an authoritative BIND 9.9.5-9+deb8u8-Debian on Debian Jessie. I have a working zone for robin.info that works properly (various tests report success, such as the one on pingdom.com's DNS check tool) I am trying to secure it with dnssec.…

bind dnssec

asked Dec 11 '16 at 13:40

Calimo

votes

5 answers

No IPv6 & DNSSEC support on cc-TLD? (practical implications)

I'm needing to register some domains that have country code domain extensions, but noticed that those TLDs do not officially support (A) IPv6 or (B) DNSSEC... What limitations or pitfalls should I expect to run into because of this? (A) No IPv6…

domain-name-system ipv6 ipv4 dnssec tld

asked Jan 26 '16 at 09:27

Old McStopher

votes

2 answers

What are acceptable key lengths for DNSSEC KSK/ZSK?

I've been tasked to look into implementing DNSSEC on our name servers. While the technical side of this (generate keys, sign zones, prepare rollovers) are relatively straightforward, I've run into a logistical problem. From the documentation I've…

domain-name-system bind dnssec

asked Aug 08 '12 at 09:03

Shadur

1,297
1
10
20

votes

3 answers

DNSSEC - Ad Flag not activated

I have some doubts regarding DNSSEC. I have one server acting as an Authoritative Name Server and another one as a Cache/Resolver. I'm using Bind 9.7.1-P2 and these are my configuration files: Named.conf (Authoritative Server) // Opciones de…

bind dnssec flags

asked Sep 09 '10 at 09:17

Arancha

votes

5 answers

DNSCurve vs DNSSEC

Can someone informed, please give a lengthy reply about the differences and advantages/disadvantages of both approaches? I am not a DNS expert, not a programmer. I have a decent basic understanding of DNS, and enough knowledge to understand how…

domain-name-system dnssec

asked Jul 14 '09 at 22:58

Bill Gray

1,295
1
11
18

votes

1 answer

Basic DNSSEC configuration under BIND 9.7?

Could anybody provide a step-by-step procedure to set up DNSSEC under BIND 9.7? I think the version is relevant because it is supposed to make life easier. In fact, there is a document published by ISC called DNSSEC for Humans, which I used as a…

bind dnssec

asked Jul 06 '12 at 20:56

sadpluto

votes

1 answer

DNSSEC NSEC3 opt-out

Can someone please explain, in simple language, the meaning of opt-out flag in the NSEC3 RR. I did read RFC 5155 and understand nothing.

dnssec

asked May 10 '12 at 18:43

Sandman4

4,045
2
20
27

votes

1 answer

Debian DNSSEC - howto secure a domain?

I have a beginner question about DNSSEC. I have much experience with TLS and cryptography-stuff and would like to try out this new technology. I have googled very much about this but I haven't found useful information for me. I think one confusion…

debian dnssec

asked Feb 26 '12 at 09:36

Daniel Marschall

votes

1 answer

nsupdate, getting BADKEY error

I'm trying to update a name using nsupdate executed from within the name server itself but I receive the error message ; TSIG error with server: tsig indicates error. I created a key with dnssec-keygen -a hmac-md5 -b 512 -n HOST -r /dev/urandom…

domain-name-system bind dnssec

asked Jan 06 '12 at 11:41

stracktracer

2 3

…

13 14 Next