Questions tagged [dnssec]

Domain Name System Security Extensions (DNSSEC) is a specification for securing certain kinds of information provided by the Domain Name System.

Its purpose is to allow DNS resolvers (clients) to establish the origin and authenticity of DNS records. It works by digitally signing those records using public-key cryptography.

Currently it is described in IETF RFC 2535.

202 questions
2 votes, 2 answers

Where does my ds record originate from?

The domain dwc-amsterdam.com was acquired on hosting company A (hostA) which supports DNSSEC. It was then transferred to hosting company B (hostB) which does not offer DNSSEC. After detecting certain issues with the domain the culprit seems to be the…
paul
2 votes, 0 answers

Recommendations for DNSSEC key metadata

In order to implement auto-dnssec maintain in the 9.7+ versions of BIND, one adds dates to the keys as metadata. After a lot of reading, I've come up with the following and hope that someone can confirm or correct it: $TTL 8h KSK lifespan == 1y ZSK…
ericx
2 votes, 2 answers

Does DNSSec NSEC3 require support from the Registrar, DNS Server or both?

I'm interested in getting NSEC3 support for my domain getvalid.com, so that I can prevent name traversal. DYN doesn't seem to support NSEC3, and it's clear that BIND and the DNS server require the ability to support NSEC3... but I'm unsure if the…
makerofthings7
2 votes, 2 answers

What are some of the hacks that DNSsec is intended to prevent?

I know that the overall purpose of DNSsec is to prevent spoofing your DNS record. But what are some of the actual processes/routines that are used that DNSsec actively prevents?
nix
2 votes, 2 answers

Is it required to keep DNSSEC zone fresh?

I've found the following guide on how to setup DNSSEC with NSD DNS server and ldns utilities: https://www.digitalocean.com/community/tutorials/how-to-set-up-dnssec-on-an-nsd-nameserver-on-ubuntu-14-04 Basically it provides the following…
gnidorah
2 votes, 1 answer

DNSSEC sign-zone results in fatal failure

I have a working DNS in a VM-env for testing and learning purposes. It's a complete server from root-domain and a couple of subdomains. I've added dnssec-enable yes; into named.conf, and also created the ZSV- and KSK-keys and appended them to one…
2 votes, 1 answer

How to DNSSEC Sign Bind9 Reverse Zone

I'm using bind9 and dnssec-keygen/dnssec-signzone. I've had no problem signing my forward zones; however, I cannot seem to find any documentation on signing reverse zones. What is the process for this?
justinzane
2 votes, 2 answers

DNSSEC auto signing and file handling

I would like to know how files are handled in an auto-dnssec environment. My current setup (non-DNSSEC) places the zone files in /var/named/data. These files are then read by the bind server. If I enable auto signing, will the zone files change? Or…
Karel
2 votes, 2 answers

dnssec zonesigner ignoring out-of-zone data

I am trying to configure DNSSec with BIND9 on CentOS 6.4 running DirectAdmin control panel. I am using this tutorial to make it work: https://www.dnssec-tools.org/wiki/index.php/Zonesigner But I can't get it to work... When I run this command:…
Jordi Kroon
2 votes, 1 answer

DNSSEC - How many DS records are ordinary?

I thought that I need two DS records to deposit at my domain registrar. But one big dns provider just gave me one DS record. Verisign DNSSEC debugger says everything is correct. But I am confused, because dnssec-keygen (DNSSEC key generation tool)…
user1091344
2 votes, 1 answer

How can I disable DNSSEC for Google Apps (GMail) MX records on my authoritative domains?

I'm running a BIND Master / Slave setup with DNSSEC, but some of my domains use Google Apps for e-mail services. Google doesn't support DNSSEC and BIND doesn't like it at all. Log output: Sep 6 17:12:51 srv549 named[5376]: error (broken trust…
2 votes, 1 answer

Failing back from DNSSec to regular DNS

A disaster recovery plan has been proposed in a client's company that would fail back from DNSSec to regular DNS in the event of 1) A major site outage requiring the change of many DNS records 2) An issue with DNSSec that justifies a failback 3) An…
makerofthings7
2 votes, 1 answer

enable DNSSEC on workstation

Our office servers offer DNSSEC. I've tested this with dig. How can I use DNSSEC with my RHEL6 workstation? (There is no bind on it...) Is it possible to add trusted keys to the workstation (i.e. in /etc/resolv.conf)?
JMW
2 votes, 1 answer

enable large DNS queries on Microsoft 2008 R2 DNS server

When I run the Network analyzer at http://netalyzr.icsi.berkeley.edu/ it reports: The resolver at could not process the following tested types: Medium (~1300B) TXT records Large (~3000B) TXT records It does not validate DNSSEC. It does not…
2 votes, 1 answer

DNSSEC - First Signature

I'm testing DNSSEC with Bind 9.7.2-P2. I have a question regarding the first signature created over a zone that already exists. I'm using dynamic DNS. I create the first two keys: one KSK and one ZSK. According to…
Arancha