Questions tagged [dnssec]

Domain Name System Security Extensions (DNSSEC) is a specification for securing certain kinds of information provided by the Domain Name System.

Its purpose is to allow DNS resolvers (clients) to establish the origin and authenticity of DNS records. It works by digitally signing these records using public-key cryptography.

Currently it is described in IETF RFC 2535.

202 questions

SSHFP not working (6 votes, 1 answer)

I have two machines running OpenBSD v6.9. Let's be original and call them client and server. I generated the SSHFP records on the server with: ssh-keygen -r host.domain.tld In the DNS zone, I added the SSHFP record with this line: host IN …

What are the effects of the L root server now publishing DURZ? (6 votes, 3 answers)

I'm curious what the actual effects of the L root server publishing DURZ today will be. On the nanog mailing list, someone said it's important to evaluate the systemic effects of root name servers publishing signed zones, even when not using DNSSEC.…

Asked by brent

Multiple DS records (5 votes, 1 answer)

I was wondering how validating resolvers deal with multiple DS records. Let's say we have a zone with one KSK and one ZSK, but after some key rollover shenanigans there are two DS records in the parent zone, one pointing to the current KSK and one…

Asked by user997904

bind9 configure forward zone for local domain without DNSSEC for this zone only (5 votes, 2 answers)

I have a working DNS server for the local domain mydomain.local. I am trying to configure bind9 to work in its default configuration, except for this zone, for which I want to forward queries to the local DNS server. Here's the config I have (ubuntu…

Asked by galets

Understanding (and partially disabling?) DNSSEC for an internal domain (5 votes, 0 answers)

I am setting up a new DNS infrastructure for our internal HPC cluster environment. This involves providing a migration path from our existing DNS authorities and domains. For sake of example, let's say that we have an institutional domain of…

Asked by anderbubble

Is it possible to create DANE TLSA records when the DNS server doesn't support it? (5 votes, 2 answers)

I'd like to set up DANE for the domain which handles my email. My domain is registered at OVH, and I'm using their anycast DNS servers. They do support DNSSEC, but not TLSA records. Is there a fallback record type I can use? (like I can use TXT if…

Asked by GDR

DNSSEC MITM attacks (5 votes, 2 answers)

What makes DNSSEC immune to a MITM attack? Why can't I sign a key for example.com and get this to a resolving nameserver or client before they can get it from the real source?

Asked by Bill Gray

Adding DS record to parent in DNS (5 votes, 1 answer)

I am trying to set up DNSSEC for my domains. Everything seems to work but I get the following error: DNSKEY found at child, but no DS was found at parent. Check for DS records in parent zone We found that none of your DNSKEY records are published…

Asked by Saif Bechan

Querying and verifying dnssec (5 votes, 1 answer)

I hear http://www.isoc.org/ has Domain Name System Security Extensions on its DNS records. How do I see and verify the DNS using the tool dig?

Asked by hendry

Windows 2003 DNS server and DNS SEC (5 votes, 3 answers)

I have an almost out-of-the-box Windows 2003 server which is also a domain name server for some users. Should I be worried about the 5th of May's deployment of DNSSEC on root name servers? I have already run: dnscmd /Config /EnableEDnsProbes 1 thanks a…

Asked by pQd

opendkim-testkey: key not secure (5 votes, 1 answer)

I set up the OpenDKIM milter to work with Postfix on my machine. Now email is signed & verified correctly, i.e. the email source shows a DKIM-Signature header. The TXT record on the authoritative DNS is set up like this: ┌───┐ │ # │ root > server > ~ └─┬─┘ …

Asked by 71GA

Is DLV on dnssec deprecated? (4 votes, 1 answer)

I'm trying to set up a recursive DNS that also has its own zone using bind. Now I want to upgrade it to use dnssec, but as far as I understand I have to use DLV if I don't own a domain name. However, the few guides that I could find say that you…

Asked by itasahobby

What are the downsides of enabling DNSSEC for your website? (Hosted at a shared web host.) (4 votes, 1 answer)

I own a domain name via Google Domains and my website is hosted as a shared account with DreamHost. I see that both provide DNSSEC vs old DNS. I was thinking of enabling it. But before I do so, I was wondering what the downsides are of enabling…

Asked by c00000fd

Keeping DNSSEC KSKs offline with BIND9 (4 votes, 0 answers)

I am looking to move the private part of the KSK for my domains off my main nameserver. I've tried this with a test domain and get errors like this: dns_dnssec_keylistfromrdataset: error reading…

Asked by Tugzrida

DNSSEC - How does it protect from an MITM attack? (4 votes, 2 answers)

I have been reading for several hours about DNSSEC and I'm still failing to understand how it protects from MITM attacks. I have also read every question here on serverfault related to DNSSEC. Please have a look at this DNSSEC packet capture:…

Asked by pHeoz