
I am new to DNS. I am trying to set up public authoritative DNS servers for a dot net domain using Knot DNS.

Generally the documentation is pretty clear, but when it comes to DNSSEC it is confusing.

So assume the domain is example.net.

There are two nameservers - bob.example.net and alice.example.net.

bob is the master and alice is the slave. They both work in the test environment, in that they correctly answer queries and changes in bob replicate onto alice.

I now want to set up DNSSEC with Knot's auto-signing, and I have some questions not answered by the documentation; all the howtos online refer to setting up a private authoritative network for an internal domain.

Question 1: Do you just configure the DNSSEC setup on the master (i.e. bob), which seems to be what the Knot documentation says?

  • If so how does alice become aware of the keys?
  • Will it just propagate automatically or do I have to copy the setup over manually?

Question 2: Automatic key management. The documentation talks about propagating the CDS and CDNSKEY records to 'the parent' and gives an example configuration. But in the example it gives a non-routable address (192.168.12.1), so the question is:

  • what is the correct parent for a dot net domain - is it at my registrar or is there a particular address for specific top level domains (.net)?
  • Is there a relevant RFC?

Thanks

Falstone
  • You can forget about CDS/CDNSKEY; they are not needed for a basic DNSSEC setup. But if you need references, they are in RFC 7344. They are defined for automated rollover of keys, with the child signaling to the parent, but in practice today they are seldom (almost not at all) used anyway. – Patrick Mevzek Nov 13 '20 at 18:40
  • You may want to describe which documentation you are following, and what troubles you. Did you use https://www.knot-dns.cz/docs/3.0/html/configuration.html#dnssec-automatic-zsk-management ? (and the following for KSK management) See further for "on-slave signing", which is not needed normally: the primary server does the signing, which means creating all RRSIG records, and those are transferred through AXFR/IXFR to secondaries exactly as any other records. – Patrick Mevzek Nov 13 '20 at 18:43
  • "what is the correct parent for a dot net domain - is it at my registrar or is there a particular address for specific top level domains (.net)?" The parent in that sense is where the delegation happens, hence at the registry of the relevant TLD. If you have an `example.net` domain, once you have configured DNSSEC completely on it (and tested using Zonemaster/DNSViz with the DS records that were created), then you go to the registrar of the domain to give the DS records, which the registrar will give to the registry so that the registry publishes them in its own authoritative nameservers on the TLD. – Patrick Mevzek Nov 13 '20 at 18:45
  • Hi Patrick, thank you, that is much clearer. Yes, I was using knot-dns.cz/2.97/etc, as that is the version with my OS. Would you put your comments in an answer so that I can accept it as the solution. – Falstone Nov 13 '20 at 19:00
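The layout the comments describe (signing only on the primary, signatures reaching the secondary through normal zone transfer, no CDS/CDNSKEY, DS handed to the registrar by hand), as an added Knot DNS configuration example. This is not code from the question or from the Knot documentation. It is written as two separate `knot.conf` files, one per server; the addresses 192.0.2.1/192.0.2.2 (documentation range), the TSIG key name and secret, and the file paths are assumptions, and the option names are the ones used by Knot 2.9/3.0.

```yaml
# ---- bob.example.net (primary): /etc/knot/knot.conf (path assumed) ----
server:
    listen: [ 192.0.2.1@53 ]          # bob's public address (assumed)

key:
  - id: xfr.example.net               # TSIG key protecting NOTIFY and AXFR/IXFR
    algorithm: hmac-sha256
    secret: Wg9aLx4Q3u1d9vN7kM2pQ8sT5xZ1cB6fH0jK3lM8nP0=   # throwaway example value; generate a real one with `keymgr -t xfr.example.net`

remote:
  - id: alice
    address: 192.0.2.2@53             # alice's public address (assumed)
    key: xfr.example.net

acl:
  - id: alice_xfr
    key: xfr.example.net
    action: transfer                  # alice may AXFR/IXFR the already-signed zone

policy:
  - id: ecdsa
    algorithm: ecdsap256sha256        # no ksk-size/zsk-size needed for ECDSA
    zsk-lifetime: 30d                 # ZSK rolls automatically; no ksk-lifetime, so the KSK stays put
    cds-cdnskey-publish: none         # no child-to-parent signaling; the DS is submitted at the registrar manually

zone:
  - domain: example.net
    file: /var/lib/knot/example.net.zone     # hand-edited, unsigned zone file (path assumed)
    zonefile-load: difference-no-serial      # pick up edits from the file, let Knot manage the SOA serial
    zonefile-sync: -1                        # never write the signed zone back over the file
    journal-content: all                     # keys, RRSIGs and NSEC chain live in the journal
    dnssec-signing: on
    dnssec-policy: ecdsa
    notify: alice
    acl: alice_xfr

# ---- alice.example.net (secondary): /etc/knot/knot.conf (path assumed) ----
# No DNSSEC options at all: the RRSIG/DNSKEY/NSEC records arrive via zone transfer.
server:
    listen: [ 192.0.2.2@53 ]

key:
  - id: xfr.example.net
    algorithm: hmac-sha256
    secret: Wg9aLx4Q3u1d9vN7kM2pQ8sT5xZ1cB6fH0jK3lM8nP0=   # same secret as on bob

remote:
  - id: bob
    address: 192.0.2.1@53
    key: xfr.example.net

acl:
  - id: bob_notify
    key: xfr.example.net
    action: notify                    # accept NOTIFY from bob, then pull the zone by IXFR/AXFR

zone:
  - domain: example.net
    master: bob
    acl: bob_notify
```

After `knotc reload` on bob, `keymgr example.net ds` prints the DS record(s) for the KSK; that is what goes to the registrar, as the comment above says, and only after `dig @192.0.2.2 example.net DNSKEY +dnssec` returns RRSIGs from alice (proving the signed zone transferred) and Zonemaster/DNSViz report the zone as valid. Leaving `ksk-lifetime` unset means a KSK rollover, which would require a new DS at the registrar, never happens without a deliberate manual step.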

0 Answers