Questions tagged [dnssec]

Domain Name System Security Extensions (DNSSEC) is a set of specifications for securing certain kinds of information provided by the Domain Name System.

Its purpose is to let validating DNS resolvers (clients) verify the origin and integrity of DNS records, and to obtain authenticated denial of existence for names and record types that do not exist. It works by digitally signing the records with public-key cryptography: signatures are published as RRSIG records and public keys as DNSKEY records in the signed zone, and each zone's key is in turn authenticated by a DS record in its parent zone, forming a chain of trust up to the root trust anchor. DNSSEC does not encrypt DNS traffic and provides no confidentiality.

It is currently specified in RFC 4033, RFC 4034 and RFC 4035, which obsolete the original RFC 2535; hashed authenticated denial of existence (NSEC3) is specified in RFC 5155.
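As an added worked example (not part of the tag wiki or of any post on this page), the following Python script shows the DS-in-parent step described above: it derives the DS record a parent zone must publish for a child zone's DNSKEY (key tag per RFC 4034 Appendix B, digest per RFC 4034 section 5.1.4) and checks a published DS against a DNSKEY, which is the comparison that tools such as DNSViz perform when they report a DS that matches no DNSKEY. The owner name `example.com.`, the function names, and the 64-byte public key are constructed for illustration; the key is not a real ECDSA point. Only the standard library is used.

```python
"""Derive and verify a DS record for a DNSKEY (added example, constructed inputs)."""
import base64
import hashlib
import struct

# DS digest type -> hash function, per the IANA "DS RR Digest Algorithms" registry.
DS_DIGEST = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# DNSKEY flag values: 256 = Zone Key (a ZSK), 257 = Zone Key + SEP bit (a KSK).
ZSK_FLAGS, KSK_FLAGS = 256, 257
DNSKEY_PROTOCOL = 3            # always 3 for DNSSEC (RFC 4034 s2.1.2)
ALG_ECDSAP256SHA256 = 13

# Constructed stand-in for a 64-byte ECDSA P-256 public key (NOT a valid curve point).
SAMPLE_PUBKEY_B64 = base64.b64encode(bytes(range(64))).decode("ascii")


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form: lower-case ASCII labels, uncompressed,
    terminated by the root label (RFC 4034 s6.2)."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: flags (16 bits), protocol (8), algorithm (8), then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """16-bit key tag over the DNSKEY RDATA (RFC 4034 Appendix B).
    Not valid for algorithm 1 (RSA/MD5), which uses a different rule."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = H(canonical owner name || DNSKEY RDATA), as upper-case hex like dig prints."""
    return DS_DIGEST[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def make_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Return (key tag, algorithm, digest type, digest): what the parent publishes for this DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return key_tag(rdata), algorithm, digest_type, ds_digest(owner, rdata, digest_type)


def ds_matches(ds, owner, flags, protocol, algorithm, pubkey_b64) -> bool:
    """True if the published DS tuple was derived from exactly this DNSKEY at this owner name.
    Any mismatch (wrong key, wrong flags, stale tag, unknown digest type) breaks the chain."""
    tag, alg, dtype, digest = ds
    if dtype not in DS_DIGEST:
        return False
    return make_ds(owner, flags, protocol, algorithm, pubkey_b64, dtype) == (tag, alg, dtype, digest.upper())


def format_ds(owner: str, ds) -> str:
    """Render the DS in zone-file presentation format."""
    tag, alg, dtype, digest = ds
    return f"{owner.rstrip('.').lower()}. IN DS {tag} {alg} {dtype} {digest}"


if __name__ == "__main__":
    ksk = (KSK_FLAGS, DNSKEY_PROTOCOL, ALG_ECDSAP256SHA256, SAMPLE_PUBKEY_B64)
    ds = make_ds("example.com.", *ksk)
    print(format_ds("example.com.", ds))
    # Only the KSK (flags 257) normally gets a DS; the same key bytes with ZSK flags (256)
    # yield a different key tag and digest, so a DS derived from the wrong record will not validate.
    print("with ZSK flags:", format_ds("example.com.", make_ds("example.com.", ZSK_FLAGS, *ksk[1:])))
```

Two details worth noticing: the owner name is lower-cased before hashing, so `Example.COM` and `example.com.` produce the same DS, and the flags field is part of the hashed RDATA, so a DS computed from the ZSK's DNSKEY (flags 256) will never match the KSK (flags 257) even if the key material were identical.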

202 questions
0
votes
2 answers

DNSSEC - Dynamic Update

I'm testing key rollover with Dynamic Update. I'm using Bind 9.7.1-P2. When I change the key dates with the script dnssec-settime, named doesn't automatically update the zone file unless I reload the service. Is this the normal…
Arancha
0
votes
1 answer

How long it takes to start Bind?

I'm testing DNSSEC and I need to obtain the time in milliseconds it takes to start Bind now that I have signed zones. I don't know if this would be the right way to do it: time svcadm enable svc:/network/dns/server:default Regards, Arancha
Arancha
0
votes
5 answers

DNSSEC - What doesn't it cover?

I'm currently revising for an exam to do with DNS/DNSSEC. While I know DNSSEC provides various security enhancements for DNS, I would like to dive a bit deeper (for my own thirst for knowledge!) and would like to know what is still problematic…
KP65
0
votes
0 answers

Securing DNS: Is combining Unbound with DNSMASQ and DNSCrypt Proxy necessary or beneficial on a Debian 11 system?

I've recently taken an interest in DNS security and have opted to use the "dnscrypt-proxy", "dnsmasq" and "unbound" packages on my Debian 11 system chained together in the following order to encrypt my DNS traffic and improve the integrity of the…
0
votes
0 answers

What are the chances of my .COM domain's DS RRSIG containing a 5-letter English word?

This is kind of a silly question, but I just discovered this and now I'm curious about it. If I run dig DS example.com @resolver.example +dnssec +multi, the result is this: example.com. 21600 IN RRSIG DS 8 2 86400 ( 20220902055959…
Collin
0
votes
0 answers

DS requests sent to Cloudflare for internal TLD

I created a Bind9 configuration to provide DNS entries for an internal TLD. Bind9 uses Cloudflare as forwarder: options { directory "/var/cache/bind"; dnssec-validation auto; validate-except { "mytld"; }; forwarders…
janeden
0
votes
0 answers

Hardware requirements for a TLD registrar. Non-ICANN, DNSSEC and DANE supported

I am trying to figure out requirements for a TLD registrar. I have the names. Customers have the access. Just missing the skillset and hardware. ICANN is not accepting these names at the moment; however, ICANN is not a requirement. The domains do work…
0
votes
0 answers

Is it possible to have different internal and public DNS with DNSSEC?

I'm attempting to achieve the following: A public nameserver for my domain which points example.com to a public IP address. A private nameserver for the same domain running within a LAN which instead points clients to a private IP address on the…
Ellis
0
votes
2 answers

How Do I Fix My DNSSEC? I never got DNSSEC working and have probably worsened the problems

My attempt to DNSSEC has not been successful. To help understand DNSSEC I have read many online articles, man pages for rndc, dnssec-*, viewed dnsviz.net and dnssec-analyzer.verisignlabs.com/. Most of the information explains DNSSEC in great detail…
Anthon
0
votes
1 answer

BIND 9.16 dnssec-policy default is not automatically renewing keys

Three months ago I upgraded my DNS servers to BIND 9.16 (currently running 9.16.25) to take advantage of the new dnssec-policy default option which would allow me to easily run DNSSEC for my domains. Documentation indicated that key management…
0
votes
1 answer

I need an explanation as to what is happening when I change the zone file of a DNSSEC-enabled domain

I recently moved our hidden DNS master service to a new host, DNS38. The original master service is still running but is not being polled at the present time. The old master, and all the authoritative slaves, are running bind-9.11. The new master…
James B. Byrne
0
votes
1 answer

When setting up DNSSEC on Bind, which DNSKEY records belong in the zone file?

Should the zone file only contain the KSK's DNSKEY record, or should it contain the ZSK's DNSKEY record as well?
ADS103
0
votes
0 answers

Reverting a DNS zone-file from manually-signed to "un-signed"

I have inherited a DNS server running BIND that is the master for one zone, it is DNSSEC-signed. For various reasons, I've decided to re-install this server as a new instance and enable inline-signing. My primary issue is that this zone-file has…
0
votes
1 answer

Why does an authoritative name server not DNSSEC-validate its own results?

If I query a name server a record it is authoritative for it seems the answer does not get DNSSEC validated: $ dig cloudflare.com @ns3.cloudflare.com ; <<>> DiG 9.16.22-Debian <<>> cloudflare.com @ns3.cloudflare.com ;; global options: +cmd ;; Got…
Adrian Zaugg
0
votes
0 answers

Unbound recursive server not setting AD flag

I am running Unbound 1.9.0 as a recursive caching DNS server for a small branch office. It recurses over TLS towards Cloudflare only and it has a typetransparent local-zone (example.com) overriding some of the public records from the public…
ppparadox