Questions tagged [dnssec]

Domain Name System Security Extension is a specification for securing certain kinds of information provided by Domain Name System.

Its purpose is to allow DNS resolvers (clients) to establish origin and authenticity of DNS records. It works by digitally signing these records using public-key cryptography.

Currently it is described in IETF RFC 2535.

206 questions
0 votes, 1 answer

Should DNSSEC validation be done in the recursive DNS server or in client software?

As the title says. The design of DNSSEC and its implementation in Bind (and things like Unbound) quite clearly allow for either use. They can optionally do DNSSEC validation, returning SERVFAIL if the validation fails. Or alternatively they can be…
thomasrutter
0 votes, 1 answer

Could a DNSSEC at level n manipulate a zone at level n+2?

With some people wondering how DNSSEC could affect global censorship, I'd like to know if DNSSEC could protect a zone from being partially modified by a grandparent zone. (The point of this question is not to suggest that ICANN or its members are…
jroith
0 votes, 1 answer

DNSSEC - Recommended parameters

Does anybody know which could be the recommended values for RRSIG validity period and resign interval? Regards
Arancha
0 votes, 2 answers

DNSSEC - Dynamic Update

I'm testing key rollover with Dynamic Update. I'm using Bind 9.7.1-P2. When I change the key dates with the script dnssec-settime, named doesn't update automatically the zone file unless I reload the service. Is this the normal…
Arancha
0 votes, 1 answer

How long it takes to start Bind?

I'm testing DNSSEC and I need to obtain the time in milliseconds it takes to start Bind now that I have signed zones. I don't know if this would be the right way to do it: time svcadm enable svc:/network/dns/server:default Regards, Arancha
Arancha
0 votes, 5 answers

DNSSEC - What doesn't it cover?

I'm currently revising for an exam to do with DNS/DNSSEC. While I know DNSSEC provides various security enhancements for DNS, I would like to dive a bit deeper (for my own thirst for knowledge!) and would like to know what is still problematic…
KP65
0 votes, 1 answer

Certbot error - DNSSEC: DNSKEY Missing

I moved my domain to Route53 and am now getting problems with Certbot renewal. Certbot has been running great for 4 years, but is now failing to renew. When running sudo certbot renew --apache I get this error: Type: None Detail: DNS…
Malako
0 votes, 1 answer

Why can't I activate DNSSEC for Domains with a gg ccTLD, despite the fact that there are many domains, which have a valid signature?

This is my first question and hope that I'm in the right community. I bought a gg Domain a while ago and wanted, later needed, DNSSEC. After the purchase I encountered the problem, that I can not activate DNSSEC on basically any registrar / their…
0 votes, 1 answer

BIND DNS - DNSSEC on Internal Private Domain

Question regarding DNSSEC. I have an internal private TLD eg. corp. Underneath that are multiple subdomains eg. region-a.corp, region-b.corp etc. And possibly underneath the regions, there are further subdomains eg. edge.region-a.corp Regardless of…
0 votes, 1 answer

opendkim-testkey: key not secure (file permissions are good and TrustAnchorFile config setting is set)

If I run sudo opendkim-testkey -d mydomain.com -s selector -vvv, I get opendkim-testkey: using default configfile /etc/opendkim.conf opendkim-testkey: checking key 'selector._domainkey.mydomain.com' opendkim-testkey: key not secure opendkim-testkey:…
0 votes, 0 answers

How do I know the key sizes of my Bind DNSSEC keys?

I set up DNSSEC on my private domain many years ago and unfortunately forgot all about it. Bind now tells me it's about to deprecate auto-dnssec in favour of dnssec-policy and I need to migrate my configuration. I can see my keys are using RSASHA256…
0 votes, 1 answer

How do I enable DNSSEC on NameSilo (using DS records from YDNS)

(First of all I am new to domains in general and DNSSEC). I have tried to enable DNSSEC on NameSilo for my domain. I only have the ds records in plain text and don't know which value has to be inserted where. They look like this: 33333 77 1…
zip6como
0 votes, 1 answer

Securing DNS: Is combining Unbound with DNSMASQ and DNSCrypt Proxy necessary or beneficial on a Debian 11 system?

I've recently taken an interest in DNS security and have opted to use the "dnscrypt-proxy", "dnsmasq" and "unbound" packages on my Debian 11 system chained together in the following order to encrypt my DNS traffic and improve the integrity of the…
0 votes, 0 answers

Is it possible to have different internal and public DNS with DNSSEC?

I'm attempting to achieve the following: A public nameserver for my domain which points example.com to a public IP address. A private nameserver for the same domain running within a LAN which instead points clients to a private IP address on the…
Ellis
0 votes, 1 answer

BIND 9.16 dnssec-policy default is not automatically renewing keys

Three months ago I upgraded my DNS servers to BIND 9.16 (currently running 9.16.25) to take advantage of the new dnssec-policy default option which would allow me to easily run DNSSEC for my domains. Documentation indicated that key management…