Questions tagged [dnssec]

Domain Name System Security Extension is a specification for securing certain kinds of information provided by Domain Name System.

Its purpose is to allow DNS resolvers (clients) to establish origin and authenticity of DNS records. It works by digitally signing these records using public-key cryptography.

Currently it is described in IETF RFC 2535.

206 questions
29 votes, 3 answers

What kinds of security vulnerabilities does providing DNSSEC expose?

I was planning to sign my DNS zone with DNSSEC. My zone, the registrar and my DNS server (BIND9) all support DNSSEC. The only one who doesn't support DNSSEC is my secondary nameserver provider (namely buddyns.com). On their website, they state this…
13 votes, 2 answers

How is my DNSSEC enabled domain still serving a tiny number of NXDOMAIN response codes?

I enabled DNSSEC on my primary domain about a week ago. It's not a major website or anything -- just my personal domain name that I use for email and the like (TLD: com; DNSSEC algorithm 13; authoritative DNS provider: Cloudflare). Over the last 24…
Collin
11 votes, 2 answers

bind9 does not resolve dnssec correctly

I have a problem with my dns server setup. My bind server is mainly a cache-server but does also serve some internal domains. It listens only on my private network and serves only requests from there. Today I wanted to enable the bind to validate…
user364476
11 votes, 1 answer

Can I reasonably use SHA-256 in a DNSSEC deployment?

I know that RFC 5702 documents the use of SHA-2 in DNSSEC, and that RFC 6944 defines RSA/SHA-256 as "recommended to implement." What I'm not aware of is just how widely-implemented SHA-256 is in validating resolvers. Is it practical to sign Internet…
Calrion
8 votes, 1 answer

How to remove DNSSEC support from a domain?

An organization has DNSSEC support for their domains. They have a BIND9 as authoritative name server running which also manages the keys. However it was decided to remove DNSSEC. Is it sufficient to remove the key material in /var/lib/bind/pri and…
qbi
8 votes, 2 answers

Do I need to renew the keys which I deposited at my domain provider?

I have set up some domains with dnssec. I generated the keys and signed the zones with zonesigner from dnssec-tools. I know that I must resign the zones within 30 days. But what's up with the keys which I deposited at my domain provider? Do I need…
user1091344
8 votes, 1 answer

SSHFP not working

I have two machines running OpenBSD v6.9. Let's be original and call them client and server. I generated the SSHFP records on the server with: ssh-keygen -r host.domain.tld In the DNS zone, I added the SSHFP record with this line: host IN …
8 votes, 1 answer

opendkim-testkey: key not secure

I set up Opendkim milter to work with postfix on my machine. Now email is signed & verified correctly, i.e. email source code shows DKIM-Signature header. TXT record on the authoritative dns is set up like this: ┌───┐ │ # │ root > server > ~ └─┬─┘ …
71GA
7 votes, 3 answers

How to update a zone with auto-dnssec: maintain

I am running an authoritative BIND 9.9.5-9+deb8u8-Debian on Debian Jessie. I have a working zone for robin.info that works properly (various tests report success, such as the one on pingdom.com's DNS check tool). I am trying to secure it with dnssec.…
Calimo
7 votes, 1 answer

Multiple DS records

I was wondering how validating resolvers deal with multiple DS records. Let's say we have a zone with one KSK and one ZSK, but after some key rollover shenanigans there are two DS records in the parent zone, one pointing to the current KSK and one…
user997904
7 votes, 5 answers

No IPv6 & DNSSEC support on cc-TLD? (practical implications)

I'm needing to register some domains that have country code domain extensions, but noticed that those TLDs do not officially support (A) IPv6 or (B) DNSSEC... What limitations or pitfalls should I expect to run into because of this? (A) No IPv6…
Old McStopher
7 votes, 2 answers

What are acceptable key lengths for DNSSEC KSK/ZSK?

I've been tasked to look into implementing DNSSEC on our name servers. While the technical side of this (generate keys, sign zones, prepare rollovers) are relatively straightforward, I've run into a logistical problem. From the documentation I've…
Shadur
7 votes, 3 answers

DNSSEC - Ad Flag not activated

I have some doubts regarding DNSSEC. I have one server acting as an Authoritative Name Server and another one as a Cache/Resolver. I'm using Bind 9.7.1-P2 and these are my configuration files: Named.conf (Authoritative Server) // Options for…
Arancha
6 votes, 3 answers

BIND server has tons of "no valid RRSIG" errors

I have a forward-only BIND9 server running on the LAN and it logs hundreds of errors per day like: Aug 29 18:38:29 nuc named[850]: error (no valid RRSIG) resolving 'ubuntu.com/DS/IN': 75.75.75.75#53 Aug 29 18:38:31 nuc named[850]: validating…
jmw
6 votes, 5 answers

DNSCurve vs DNSSEC

Can someone informed please give a lengthy reply about the differences and advantages/disadvantages of both approaches? I am not a DNS expert, not a programmer. I have a decent basic understanding of DNS, and enough knowledge to understand how…
Bill Gray