Questions tagged [dnssec]

Domain Name System Security Extensions (DNSSEC) is a specification for securing certain kinds of information provided by the Domain Name System.

Its purpose is to allow DNS resolvers (clients) to establish origin and authenticity of DNS records. It works by digitally signing these records using public-key cryptography.

Currently it is described in IETF RFC 2535.

202 questions
3 votes, 1 answer

failed loading zone from 'myzone.local.zone': no ttl

I run the following command for DNSSEC on Debian 8, but I get an error: # dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o myzone.local -t myzone.local.zone dnssec-signzone: warning:…
MLSC

3 votes, 1 answer

Error using dnssec-signzone in chroot'd bind 9.8 when a zone file includes other files

Using bind 9.8.2 on RHEL 6.5, running chroot'd. I have a zone file that includes other files (it's a zone with a large number of servers in different datacenters, and there's one included file per datacenter). The zone files and the included files…
T. Johnson

3 votes, 2 answers

dnsmasq returns (false) "bogus" result for DNSSEC validation

I'm running a local Debian 8.1 installation with a DNSSEC-validating DNS-Resolver called dnsmasq (version 2.72-3+deb8u1). I set it up to return a SERVFAIL if it isn't able to validate a DNSSEC-enabled domain, i.e. if the domain has a DNSSEC entry it…
comfreak

3 votes, 0 answers

No RRSIGs found

I had a dnssec expiration and since redoing everything, I get the following error No RRSIGs found from verisign debugging These are the exact steps I use to produce the key and signatures. What step did I miss? steps: emailer1 opendkim #…
mine

3 votes, 1 answer

DNSSEC key rollover guidelines

I've started playing with DNSSEC on my personal domain and I'm using OpenDNSSEC to perform signing and key maintenance; I only have a static zone, so OpenDNSSEC is an easy fit. Just to toy with things, I decided to do a manual key rollover for my…
antiduh

3 votes, 1 answer

DNSSEC and IPSec DNS Server and DNS Client Configuration

I'm about to deploy DNSSEC for some of my domains and as I was getting ready I did some reading on the subject. I came across some Microsoft Technet articles talking about Name Resolution Policy Table which allows one to configure Windows DNS…
Cromulent

3 votes, 0 answers

DNSSEC for private internal sub zones of an external domain

Consider the following scenario: example.com is hosted on CloudFlare and it's signed by CloudFlare DNSSEC. Everything works as expected for example.com. Inside the company we have some internal private zones, for Active Directory and a Unix Domain:…
Vinícius Ferrão

2 votes, 1 answer

How do I remove a DS record from my parent zone using Amazon Route 53?

My website is currently inaccessible due to the presence of a DS record in the parent zone, when I am using nameservers that don't support DNSSEC. See this question for more context. I am using Amazon Route 53 as my registrar, and I can't see a way…

2 votes, 0 answers

Bind is not resigning DNSSEC zone after zone update and service restart

I'm facing an issue with BIND 9.9.11p1. My configuration is: zone "example1.com" { type master; file "zones/example1.com"; allow-query { any; }; allow-transfer { 1.2.3.4; }; also-notify { 1.2.3.4; }; key-directory "keys/example1.com"; …

2 votes, 1 answer

Fix broken DNSSEC

I have transferred a .com domain from Namecheap to EuroDNS. Since that day I have the problem that the domain does not resolve from all DNS servers, e.g.: $ host -a flibsy.com 8.8.8.8 Trying "flibsy.com" Using domain server: Name: 8.8.8.8 Address:…
yglodt

2 votes, 1 answer

DNS "views" and controlling zone transfers with TSIG

Running Bind 9.8.2. I have successfully set up TSIG keys for "views" using a DNS master/server pair. Zone transfers are working as expected between the 2 servers for each view. Before we go live into production with this I need some clarification on…
user53029

2 votes, 0 answers

dig not giving AD-bit when dnssec is configured

I am working on this Deterlab exercise and I run into some problems when adding DNSSEC to Bind. The server runs BIND 9.7.0-P1. The configuration I have done is the following: Signed zone for google.com: zonesigner -genkeys google.com Added…

2 votes, 2 answers

Outsourcing Recursive DNS in a Windows Domain Environment

We've been considering utilizing a third-party recursive DNS provider like OpenDNS (or anyone) to provide a layer of antiphishing and DNSSEC validation (without having to implement those features internally). To allow internal (Windows domain) DNS…
Beems

2 votes, 1 answer

Using DNSSEC with private TLD

I'm playing with DNSSEC for my domain, my DNS server is dual homed (with suitable limits on what can be queried on the public interface) and covers both my public domain, but also a private top level domain (.loc) that I use on my LAN. I'm…
hardillb

2 votes, 1 answer

dnssec-keygen key default validation / expiration time

What is the default expire time/period for a key, generated by dnssec-keygen: If I execute: dnssec-keygen -a RSASHA256 -b 2048 -f KSK mydomain.com I get 2 files: (Kmydomain.com.+008+21346.key) ; This is a key-signing key, keyid 21346, for…
eXe