Questions tagged [dnssec]

Domain Name System Security Extension is a specification for securing certain kinds of information provided by Domain Name System

Its purpose is to allow DNS resolvers (clients) to verify the origin and integrity of DNS records. It works by digitally signing the records of a zone using public-key cryptography: a zone publishes its public keys in DNSKEY records, signs each record set with RRSIG records, and is linked to its parent zone by a DS record that carries a hash of its key. A validating resolver follows this chain of trust from a configured trust anchor (normally the root zone key) down to the answer. DNSSEC authenticates DNS data; it does not encrypt DNS traffic.

It was originally described in IETF RFC 2535, which has since been obsoleted; the current specification is RFC 4033, RFC 4034 and RFC 4035, with hashed authenticated denial of existence (NSEC3) added by RFC 5155.
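The parent-to-child link described above, as an added worked example in Python that is not code from this tag wiki, from BIND or from any other DNS software: it computes a DNSKEY's key tag and the DS record the parent zone publishes for it (RFC 4034), then checks whether a DS found at the parent matches a key actually served at the child. Only the standard library is used. The zone name example.com and the key bytes are constructed stand-ins (a few bytes, not real RSA keys) so the example runs offline.

```python
"""DNSSEC delegation check: DNSKEY -> key tag -> DS (RFC 4034).

Added example, not code from the tag wiki or from any DNS software.
Builds a child's DNSKEY RRset and the parent's DS record for it, then
checks whether the DS published at the parent matches a key actually
served by the child: the link a validating resolver follows in the
chain of trust. All key material is constructed, not real keys.
"""
import base64
import hashlib
from dataclasses import dataclass
from typing import List, Optional

# DS digest type codes (RFC 4034 section 5.1.3, RFC 4509 for SHA-256).
DS_DIGEST = {1: "sha1", 2: "sha256"}


@dataclass(frozen=True)
class DNSKEY:
    owner: str          # zone apex, e.g. "example.com."
    flags: int          # 256 = ZSK, 257 = KSK (SEP bit set)
    protocol: int       # always 3
    algorithm: int      # e.g. 8 = RSASHA256, 13 = ECDSAP256SHA256
    public_key: bytes   # raw key bytes (base64-decoded presentation field)

    def rdata(self) -> bytes:
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + self.public_key)

    def key_tag(self) -> int:
        """Key tag per RFC 4034 Appendix B: a 16-bit checksum of the RDATA."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    owner: str
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def make_ds(key: DNSKEY, digest_type: int = 2) -> DS:
    """DS digest = hash(canonical owner name || DNSKEY RDATA) (RFC 4034 section 5.1.4)."""
    h = hashlib.new(DS_DIGEST[digest_type])
    h.update(name_to_wire(key.owner) + key.rdata())
    return DS(key.owner, key.key_tag(), key.algorithm, digest_type, h.digest())


def parse_dnskey(owner: str, presentation: str) -> DNSKEY:
    """Parse the RDATA of a DNSKEY record in zone-file form: 'flags proto alg base64...'."""
    flags, proto, alg, *b64 = presentation.split()
    return DNSKEY(owner, int(flags), int(proto), int(alg), base64.b64decode("".join(b64)))


def find_matching_dnskey(ds: DS, child_keys: List[DNSKEY]) -> Optional[DNSKEY]:
    """Return the child DNSKEY that the parent's DS authenticates, or None.

    None is the "DS found at parent, but no DNSKEY found at child" case: the
    delegation is signed but the chain cannot be completed, so a validating
    resolver treats the zone as bogus (SERVFAIL), not as unsigned.
    """
    for key in child_keys:
        if key.owner.lower() != ds.owner.lower():
            continue
        if key.key_tag() != ds.key_tag or key.algorithm != ds.algorithm:
            continue  # key tag only lets us skip keys cheaply; the digest decides
        if make_ds(key, ds.digest_type).digest == ds.digest:
            return key
    return None


def ds_presentation(ds: DS) -> str:
    """Zone-file form of a DS record, i.e. what is handed to the registrar."""
    return f"{ds.owner} IN DS {ds.key_tag} {ds.algorithm} {ds.digest_type} {ds.digest.hex().upper()}"


# Constructed key material (not real RSA keys): a KSK and a ZSK for example.com.
KSK = parse_dnskey("example.com.", "257 3 8 AQIDBA==")   # public key bytes 01 02 03 04
ZSK = parse_dnskey("example.com.", "256 3 8 BQYHCA==")   # public key bytes 05 06 07 08
PARENT_DS = make_ds(KSK)                                  # what the parent zone should publish

if __name__ == "__main__":
    print(ds_presentation(PARENT_DS))
    print("chain ok:", find_matching_dnskey(PARENT_DS, [KSK, ZSK]) is KSK)
    # A KSK rolled at the child without updating the parent leaves a dangling DS:
    print("chain ok after unannounced roll:", find_matching_dnskey(PARENT_DS, [ZSK]) is not None)
```

The key tag is only a lookup hint (two keys can share one), so the digest comparison is what actually decides. A full validator additionally verifies the RRSIG over the child's DNSKEY RRset with the matched key and then the RRSIGs over the answer; that signature verification is left out here because it depends on the key's algorithm.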

206 questions
0 votes, 2 answers

How to remove a deleted ZSK from BIND?

I set up my (authoritative) BIND nameserver for DNSSEC and installed one ZSK for my currently only zone. In order to test if I can use multiple ZSKs for a single zone, I generated a new key pair and copied that into the same folder as the first…
comfreak

0 votes, 1 answer

What strength should I use for my ISC BIND transfer key?

Currently I'm using 128, is this secure enough? dnssec-keygen -a hmac-md5 -b 128 -n host foobar.com Also I'm not sure if "host" is the correct value for -n arg. I believe that the last argument "foobar.com" is just for the file name - right?
Nick Bolton

0 votes, 1 answer

Cannot publish DNSKEY to dlv.isc.org

Trying to get DNSSEC working for zone. Software: BIND 9.4.2-P2, OS Ubuntu 8.04 Tried to sign zone using ZoneSigner and publish that to dlv.isc.org, but it complains about key missing. Key shows when using dig dnskey . Domain is kristaps.lv Exact…
Kristaps

0 votes, 3 answers

Speed up DNSSEC keygen

I'm rebuilding some DNS boxes and for the life of me I can't remember what I installed that drastically speeds up the dnssec-keygen process. Would anyone know what this might have been or a way I could find out on the current box? dnssec-keygen -a…
Tsukasa

0 votes, 1 answer

graceful DNSSEC for private TLD

To use a third party service, I can use their DNS name to resolve their domain names. Unfortunately they use some bad practices like using their own made up TLD, which we'll call tld hereafter. In order to be able to resolve their domain names I've…
hbogert

0 votes, 1 answer

bind9.10 dnssec inline signing failing

I am pretty sure the ultimate error is this: [\u@r2d2:/home/ex-mailer-domains/domain.com] # dig domain.com +dnssec @8.8.8.8 ; <<>> DiG 9.10.3 <<>> domain.com +dnssec @8.8.8.8 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY,…
NIX

0 votes, 1 answer

Does TSIG and DNSSEC provide encryption of entire DNS packet?

it says TSIG and DNSSEC provide authentication. Does it mean whole DNS traffic would be encrypted so if I do packet capturing I would not be able to parse anything? Or DNS data is still plain text but it has a signature on it so I would be able to…
Jaeh

0 votes, 1 answer

DNSsec error in Bind9.10 following update of freebsd10.1

My DNSsec began to fail following a ports update. I have reinstalled Bind on both master and slave but the error still persists. 35 ;; WE HAVE MATERIAL, WE NOW DO VALIDATION 36 ;; VERIFYING A RRset for www.ex-mailer.com. with DNSKEY:9381:…
nix

0 votes, 1 answer

using DNSSEC lookaside because registrar cannot inject DS records

I love my registrar (whom I will not name); but they are currently only able to sign and post my KSK DS records for .com and .net and those are only signable by email to "support@mumble.registrar" (no API). While I don't use any "exotic" TLDs, the…
ericx

0 votes, 0 answers

issues with dnssec master/slave configuration

I am trying to configure DNSSEC as a master/slave. Following signing the zone and uploading the DS record to my provider, I am able to see what appears to be the proper output from dnssec-verify dnssec-verify -o ex-mailer.com…
mine

0 votes, 1 answer

dnssec-signzone error 'not at top of zone' for a hosted domain

$TTL 86400 $ORIGIN yoda.domain2.com. @ 1D IN SOA yoda.domain2.com. admin.domain.com. ( 2015021601 ; Serial yyyymmddnn 3h ; Refresh After 3 hours 1h …
mine

0 votes, 1 answer

DNSSEC chain of trust

My test environment details are as follows :- I have fake-root server "172.16.93.193" DNS resolver "172.16.93.101" DNS server "172.16.96.93" I have already configured my resolver and it is working fine "change named.ca to query my…

0 votes, 1 answer

Website cannot be accessed with google DNS because of unsigned DNS

I get this error: Inconsistent security for stakeholdergame.com - DS found at parent, but no DNSKEY found at child. On http://dnscheck.pingdom.com/?domain=stakeholdergame.com People can't access my site with google public DNS because of this. How…
Sinan Samet

0 votes, 1 answer

BIND9 DNSSEC: should I care about occasional "insecure" log messages

A small number of my forwarded DNS queries cause BIND 9 to log messages such as: 184.in-addr.arpa SOA: got insecure response; parent indicates it should be secure validating @0x7f93140c0870: 100.64-26.75.195.82.in-addr.arpa PTR: no valid signature…
simpleuser

0 votes, 1 answer

DNSSEC key information for Bind 9

Is there a tool which allows me to view the parameters of an existing private/public key used for DNSSEC in Bind 9? I've been unable to determine simple things such as the expiration date, the algorithm, key strength, zone name for key, etc.
David M. Syzdek