Questions tagged [dnssec]

Domain Name System Security Extension is a specification for securing certain kinds of information provided by Domain Name System.

Its purpose is to allow DNS resolvers (clients) to establish origin and authenticity of DNS records. It works by digitally signing these records using public-key cryptography.

Currently it is described in IETF RFC 2535.

202 questions
4
votes
2 answers

DNSSEC broken in Windows 2016's DNS server?

I'm currently in the process of migrating a DNS server from Windows 2012 R2 to Windows 2016. However, I have run into an issue with DNSSEC. So far I have just moved one domain, an unused test domain, from the Win2012 server to the Win2016 server,…
KristoferA
  • 41
  • 3
  • 10
4
votes
3 answers

BIND server has tons of "no valid RRSIG" errors

I have a forward-only BIND9 server running on the LAN and it logs hundreds of errors per day like: Aug 29 18:38:29 nuc named[850]: error (no valid RRSIG) resolving 'ubuntu.com/DS/IN': 75.75.75.75#53 Aug 29 18:38:31 nuc named[850]: validating…
jmw
  • 43
  • 1
  • 1
  • 3
4
votes
1 answer

Managing multiple equal zones with DNSSEC

I run an authoritative name server (BIND), and I have a few dozen domains with identical zone files, i.e. they all use /etc/bind/db.default3. I'm considering deploying DNSSEC on my server, but so far all documentation I found on it would require me…
Joachim Breitner
  • 3,469
  • 3
  • 17
  • 20
4
votes
1 answer

Use DNSSEC for secure connections

From my understanding DNSSEC allows me to create a public key and sign my DNS records. There appears to be multiple ways to have a certificate record (such as DANE see…
user274
4
votes
1 answer

Do I need DNSSEC?

After reading about DNSSEC realization in Windows Server 2008 R2 it seems to me that it adds extra complexity without being fully secure anyway (I do understand that more security always means more complexity in most of the cases). 1st DNS client…
Mikhail
  • 1,287
  • 3
  • 18
  • 35
4
votes
1 answer

Can't resolve website using Google's public dns

I can't seem to be able to access my site: yippie.nl, using Google's public DNS 8.8.8.8. Other DNSes work fine. Could this be due to DNSKEY? Cause Route53 doesn't provide it. http://dnscheck.pingdom.com/?domain=yippie.nl shows: Inconsistent security…
Maurice Kroon
  • 165
  • 1
  • 5
4
votes
3 answers

bind is not validating dnssec

Strange. My bind is not validating dnssec even though I configured it to. Version according to named -V is BIND 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.2 which has a built-in DLV key. Under options in named.conf dnssec-enable yes; dnssec-validation…
Crash Override
  • 571
  • 1
  • 8
  • 20
4
votes
1 answer

What TLDs should I use for my NS records for redundancy? (DNSSEC support required)

Question As a general practice, is it a good idea to use multiple TLDs for the name servers? How should I choose between which TLD would be a good candidate for being the root server for my NS name? More Info I am switching over 800 DNS zones to an…
4
votes
1 answer

Inline signing with bind 9.9 and NSEC3

Since version 9.9, Bind supports inline signing, but I don't find any information on how to make it work with NSEC3. I cannot add an NSEC3PARAM RR with nsupdate: I think it's normal because of inline signing, but I cannot configure this for inline…
profy
  • 1,126
  • 9
  • 19
4
votes
1 answer

How to migrate BIND configuration to dnssec-policy from auto-dnssec maintain without disruption?

BIND 9.16 introduced a new dnssec-policy feature as a further more automated DNSSEC key management and signing facility over the long established auto-dnssec maintain functionality. The documentation does not appear to cover migrating from the old…
Håkan Lindqvist
  • 33,741
  • 5
  • 65
  • 90
3
votes
1 answer

Why is the DNSSEC Key Tag always 2371?

I was adding DNSSEC to a few of my domains recently, and I noticed that on every single one, the DNSSEC Key Tag was always 2371. What is the point in asking for it if it never changes? (or does it change? When?), and why is it specifically 2371?
retnikt
  • 133
  • 5
3
votes
3 answers

BIND unable to resolve one domain but works on others

On an SMTP server running bind 9.11 for DNS, DNS resolution is failing for one domain causing an email to that domain to fail. There are no problems resolving other domains. However, it can resolve on other DNS servers such as google's or if I run…
Jeremy
  • 88
  • 1
  • 8
3
votes
2 answers

Proper way to reload master zone on bind9 doing inline-signing

I have a master BIND9 (v9.10.3) properly serving several signed zones (verified with dnsviz, etc.) I have not been able to find in any documentation a proper way to reload and resign a static zone file. (my zones are not dynamic). To get updated…
brett
  • 31
  • 1
  • 4
3
votes
2 answers

What are possible security issues with TLD not being secured with DNSSEC, even if subdomain is?

We are working on an established network with a BIND9 server running (as well as many other services). I'm learning and trying to reorganize the old configuration files to comply with the present day (Many dead machines, unused names, reverse mapping…
3
votes
1 answer

DANE Trust Anchor - Self-signed or not

We run a private CA and employ both DNSSEC and DANE. Recently we decided to reissue our CA root and issuer keys as these were generated at 1024 bits when our PKI was set up in 2008. Our original TLSA RR pointed to the issuing CA as the trust…
James B. Byrne
  • 317
  • 4
  • 14