Questions tagged [dnssec]

Domain Name System Security Extension is a specification for securing certain kinds of information provided by Domain Name System

Its purpose is to allow DNS resolvers (clients) to verify the origin and integrity of DNS records, and to obtain authenticated proof that a name or record type does not exist. It works by having zone operators digitally sign their record sets with public-key cryptography: the signatures are published in the zone as RRSIG records, and a chain of DS and DNSKEY records anchored at the root lets a validating resolver check them. Note that DNSSEC does not encrypt DNS traffic; it provides authentication, not confidentiality.

It was originally specified in IETF RFC 2535, which is now obsolete. The current specification is RFC 4033 (introduction and requirements), RFC 4034 (resource records) and RFC 4035 (protocol modifications), with later RFCs adding NSEC3 (RFC 5155) and further signing algorithms.
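The chain of trust described above is anchored by DS records in the parent zone, each of which is a hash of a child DNSKEY together with a key tag identifying that key. Several questions on this page (the registrar asking for "DS Record Digest, Digest Type, Algorithm", the multiple-DS-records question) come down to computing that record, so here is a worked example, added here and not taken from any question or answer on the page, that does it with only the Python standard library. It implements the key tag computation from RFC 4034 Appendix B and the DS digest from RFC 4034 section 5.1.4 over the canonical (lowercase) owner name. The owner name and the DNSKEY are constructed sample data, not a real key: the "public key" is a four-byte stand-in so the key tag arithmetic can be followed by hand.

```python
"""Compute a DNSSEC key tag and DS record for a DNSKEY (RFC 4034)."""
import base64
import hashlib
import struct

# Constructed sample input (not a real key): KSK flags 257, protocol 3,
# algorithm 15 (Ed25519), and a 4-byte stand-in for the public key
# (bytes 00 01 02 03, base64 "AAECAw==").
SAMPLE_OWNER = "Example.COM."
SAMPLE_DNSKEY = "257 3 15 AAECAw=="

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605)
DIGEST_TYPES = {1: "sha1", 2: "sha256", 4: "sha384"}


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA in wire format: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def parse_dnskey(text: str) -> bytes:
    """Parse the presentation form 'FLAGS PROTOCOL ALGORITHM BASE64...' into wire RDATA."""
    flags, protocol, algorithm, *key_parts = text.split()
    pubkey = base64.b64decode("".join(key_parts))
    return dnskey_rdata(int(flags), int(protocol), int(algorithm), pubkey)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: sum even-indexed bytes shifted left 8 and odd-indexed
    bytes as-is, then fold the carry once and keep 16 bits.
    (Algorithm 1, RSA/MD5, used a different rule; it is obsolete and not handled.)"""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def canonical_owner_name(name: str) -> bytes:
    """Owner name in canonical wire form (RFC 4034 section 6.2): lowercase ASCII,
    length-prefixed labels, terminated by the zero-length root label."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """RFC 4034 section 5.1.4: digest = hash(canonical owner name || DNSKEY RDATA)."""
    h = hashlib.new(DIGEST_TYPES[digest_type])
    h.update(canonical_owner_name(owner) + rdata)
    return h.hexdigest()


def ds_record(owner: str, dnskey_text: str, digest_type: int = 2) -> str:
    """Render the DS record a registrar would publish for this DNSKEY."""
    rdata = parse_dnskey(dnskey_text)
    algorithm = rdata[3]  # fourth RDATA byte is the DNSKEY algorithm
    return (f"{owner.lower()} IN DS {key_tag(rdata)} {algorithm} "
            f"{digest_type} {ds_digest(owner, rdata, digest_type)}")


if __name__ == "__main__":
    print(ds_record(SAMPLE_OWNER, SAMPLE_DNSKEY))
```

Two things worth checking with this on a real key: the DS digest must be computed over the lowercase owner name (a mixed-case name gives the same digest, as `canonical_owner_name` ensures), and the digest covers the whole DNSKEY RDATA including the flags, so changing the flags (for example 256 to 257) produces a different DS even though the key itself is unchanged. If you publish more than one DS for the same key with different digest types, they share the same key tag and algorithm and differ only in the last two fields.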

202 questions
0 votes, 0 answers

How do I prevent BIND from retiring non-expiring DNSSEC keys when using DNSSEC Policy?

To control when signatures expire, I've switched to using dnssec-policy to generate DNSSEC records for my zones. This has solved the issue of getting RRSIG records to expire when they should but introduced a new problem of its own. bind9 is now…
0 votes, 1 answer

DNSSEC Migration with only KSKs migrated

Short version: if a DNSSEC-signed zone suddenly replaces both ZSKs (and all records related to the old ZSK) and at the same time keeps the KSKs (which are referenced by the upstream server), will it cause any trouble? And will it cause trouble after…
0 votes, 1 answer

How to force BIND 9.16 to resign my zones after editing zone file

I'm using the new BIND 9.16 dnssec-policy feature on my zones, following the guide to enable DNSSEC. Everything worked like a charm. Now I need to add another record to one of my zones, but after editing the zone file in /var/lib/bind/db.mydomain.com…
0 votes, 2 answers

What happens if a resolver encounters a DNSSEC algorithm it does not support?

Does it refuse to return the requested record, or does it return the record, treating the domain as unsecured?
0 votes, 0 answers

DNSSEC in Spain

I tried to set up DNSSEC for a .es domain. The nameservers are on Cloudflare and GoDaddy is the registrar. I wasn't able to, and then a 'GoDaddy Guide' (chat support) told me that DNSSEC would generally not be available for .es domains, see…
jamacoe
0 votes, 0 answers

Which DS record will a validator choose when there are multiple valid DS records?

If there are multiple DS records, each using a different but RFC-compliant algorithm and digest type, is there any way to predict how real-world validators will select one? I've tried, for example, to review what the default behavior of BIND…
Paul
0 votes, 1 answer

Transfer DNSSEC signed zones on GCP

I'm transferring zones between different Google Cloud Platform accounts which have been signed using DNSSEC. I've put the new zone into DNSSEC transfer state, but when I try to load the DNSKEY into the new zone I get an 'invalid value' error. The…
buckaroo1177125
0 votes, 1 answer

DNSSEC automatic signing isn't automatic

I'm having trouble with getting DNSSEC automatic signing to actually be automatic. It fails to sign automatically (well, it does sign automatically, but apparently signs the wrong thing, see below). In addition, cryptic errors are occasionally…
Linas
0 votes, 1 answer

Does DANE allow for trustable self-signed certificates?

DANE has 4 modes of operation indexed 0-3, with mode 3, i.e. domain-issued certificate, allowing for self-signed certificates. Can this mode be used in a trustable manner? And if so, does that mean that traditional Certificate Authorities and their…
0 votes, 0 answers

Does manually re-signing a changed zone file with the same keys break the DNSSEC support from the upstream parent zone?

I send the ds set of example.company.com to my company.com provider. I also manage a couple of subdomains which are subject to change eventually: subdomain1.example.company.com and subdomain2.example.company.com. I add the DS set of these subdomains…
Mnemosyne
0 votes, 1 answer

On AWS during DS record creation I get an error, DS record with DNS name ex.com not permitted in zone ex.com. Why might this be?

Environment: AWS, DNSSEC When I attempt to create a DS record to establish a chain of trust I get an error that I don't understand. My full error. Error occurred Bad request. (InvalidChangeBatch 400: RRSet of type DS with DNS name example.com. is…
myNewAccount
0 votes, 1 answer

What are good default settings for DNSSEC?

I use Google Domains and just opened an account with A2 Hosting. I'd like to keep using DNSSEC. A2 Hosting requires me to "Please open a support ticket and provide the following information: DS Record Digest Digest Type Algorithm Public Key Key…
0 votes, 0 answers

Different DNS records on offline local network with valid DNSSEC

This is pretty much DNS spoofing on local network including DNSSEC, but I believe it should be somehow possible since I'm the legitimate owner of the domain. I'm planning to provide a service during 1-2 day events. The service will be available to…
M. Volf
0 votes, 0 answers

My co.za domain name won't propagate

I bought a co.za domain name at GoDaddy and changed the A record to point to Justhost. However, the domain will not propagate. I checked https://dnschecker.org. It's been over 72 hours and nothing. What must I do? Neither…
0 votes, 1 answer

DNSSEC - DNS/domain providers that enable DANE DNS records

Our company registered domain "example.eu" with Gandi which has a "one click solution" to enable the DNSSEC for our domain's zone. So we enabled it, waited until dnsviz inspection tool showed us that our parent zone (.eu) got the hashed public KSK…
71GA