Questions tagged [dnssec]

Domain Name System Security Extension is a specification for securing certain kinds of information provided by Domain Name System.

Its purpose is to allow DNS resolvers (clients) to establish the origin and authenticity of DNS records. It works by digitally signing these records using public-key cryptography.

Currently it is described in IETF RFC 2535.

206 questions
0
votes
0 answers

Only a single subdomain cannot connect to the server, why?

I have a lot of subdomains on azrhymes.com, eg. de.azrhymes.com, es.azrhymes.com, etc. (~20 subdomains) and all of them work (including some very new ones) except ru.azrhymes.com that responds 'we could not connect to server'. What could've gone…
Barney Szabolcs
  • 171
  • 1
  • 7
0
votes
1 answer

DNSSEC enable and lookaside

I came across a Bind setup where there is only one DNSSEC value set like this: dnssec-validation yes; and the keys in named.conf.options are declared like this: include "/etc/bind.keys" However, the rest of it of: dnssec-enable…
guest
  • 1
  • 1
  • 1
0
votes
2 answers

Why does a dnssec signed zone fail to reload

FreeBSD-12 BIND-9.11 After some effort I have changed the error. Now I see this: 07-Jun-2019 18:01:25.299 zone parschecks/IN/public (unsigned): loaded serial 2019070701 (DNSSEC signed) 07-Jun-2019 18:01:25.299 dns_master_load: file format mismatch…
James B. Byrne
  • 337
  • 1
  • 4
  • 14
0
votes
1 answer

DNSSEC Bind-9.11 auto-manage and inline-update

I am trying to understand how Bind manages DNSSEC zone key signatures without external intervention. Specifically what process (named?) detects that a zone signature is about to expire and what are the methods of detection and resigning. Does…
James B. Byrne
  • 337
  • 1
  • 4
  • 14
0
votes
1 answer

On FreeBSD what tool is used to display the DNSSEC signature expiry date for a zone?

We use FreeBSD-12 and Bind-9.11.6. We have DNSSEC enabled for some of our domains. I wish to verify the signature expiry date for these zones. I cannot seem to locate any information on exactly how this is done. Can someone provide me with this…
James B. Byrne
  • 337
  • 1
  • 4
  • 14
0
votes
1 answer

Exclude a single record from DNSSEC - is it possible?

In a domain running DNSSEC, is it possible to exclude a single record from DNSSEC? For example, would it be possible to have mail.example.com running DNSSEC, but www.example.com not running DNSSEC? The reason for asking is we have a webhosting…
Sam Critchley
  • 171
  • 1
  • 3
0
votes
0 answers

adding nsec record for cname flattening

consider this zone: example.org. SOA (...) a.example.org. CNAME b b.example.org. CNAME c c.example.org. A 1.2.3.4 a query for "a.example.org. A" with DNSSEC and CNAME flattening enabled returns the following result: ;; ANSWER…
arash kordi
  • 101
  • 1
0
votes
1 answer

Google DNS SERVFAIL for PTR Lookup, ISP Not Helping

I am in dire need of help! Some of our hosted Exchange users recently are getting NDRs when sending to some domains. I believe the error is 554 NO PTR IP FOUND. I swore we had our ISP put in a PTR and indeed it was there. However, my other colleague…
isolated_1
  • 11
  • 2
0
votes
1 answer

DNSSEC resolution when NS records are not accompanied by A records

Been trying to find the right place to ask this. Hopefully this is the place! There are a few subtleties behind DNS and DNSSEC in particular that I am trying to understand. DNSSEC uses a chain of trust to go from the trusted root DNS servers down to…
user308485
  • 275
  • 2
  • 7
0
votes
0 answers

DNSSEC lookups take an incredibly long time (Windows Server)

I would like to ask for help. I have Windows Server 2016 with the DNS server installed. That server is a DC too. The server works like a recursive DNS server for the network and has DNSSEC validation enabled. This server has public IPv4 and public…
devlin
  • 145
  • 2
  • 3
  • 14
0
votes
0 answers

Is it possible to serve a TLSA record from an authoritative server?

RFC 6698 states that a TLSA record should be ignored unless it can be verified with DNSSEC. For clients using a built-in stub resolver, that means checking the AD bit on the response (and trusting that the administrator has pointed the resolver at a…
LHMathies
  • 113
  • 4
0
votes
1 answer

Cannot setup DNSSEC, broken chain of trust

I am trying to set DNSSEC on a domain I own and I ran into an issue. When checking the configuration with the following site, I get an error: http://dnscheck.pingdom.com/troubleshooting.php?domain=dontgetlemon.eu Broken chain of trust for…
Comforse
  • 117
  • 8
0
votes
3 answers

Can't access certain subdomain website? DNS NSEC3 issue?

Edited on 2017-10-25. Original question was misleading. We have a website running on the subdomain http://admin.gigantisch.nl/. Ever since the gigantisch.nl domain changed IP addresses, we have been having trouble accessing the admin subdomain on…
Protector one
  • 126
  • 1
  • 7
0
votes
1 answer

Bind DNSSEC inline-signing loadkeys fail because zone in multiple views

I'm trying to implement DNSSEC with the bind>=9.9 option inline-signing. I've previously successfully manually signed the same zone by generating a .signed file with dnssec-signzone. But I don't want to manually sign the zone each time so I want to…
MoaMoaK
  • 43
  • 1
  • 8
0
votes
1 answer

Setup Unbound DNS for both caching/local usage and website ns

I want to use Unbound as a caching resolver and as my ns1.domain.com nameserver with DNSSEC. I came across Unbound which looks quite easy to setup and use. unbound-control local_data "mywebsite.com A 11.22.3.44" I created a NS entry at my registry for my domain…
Jeremy Dicaire
  • 165
  • 1
  • 5
  • 15