Questions tagged [dnssec]

Domain Name System Security Extension is a specification for securing certain kinds of information provided by Domain Name System.

Its purpose is to allow DNS resolvers (clients) to establish origin and authenticity of DNS records. It works by digitally signing these records using public-key cryptography.

Currently it is described in IETF RFC 2535.

206 questions
0 votes, 1 answer

I need an explanation as to what is happening when I change the zone file of a DNSSEC enabled domain

I recently moved our hidden DNS master service to a new host, DNS38. The original master service is still running but is not being polled at the present time. The old master, and all the authoritative slaves, are running bind-9.11. The new master…
James B. Byrne
0 votes, 1 answer

When setting up DNSSEC on Bind, which DNSKEY records belong in the zone file?

Should the zone file only contain the KSK's DNSKEY record, or should it contain the ZSK's DNSKEY record as well?
ADS103
0 votes, 1 answer

Why does an authoritative name server not DNSSEC-validate its own results?

If I query a name server for a record it is authoritative for, it seems the answer does not get DNSSEC validated: $ dig cloudflare.com @ns3.cloudflare.com ; <<>> DiG 9.16.22-Debian <<>> cloudflare.com @ns3.cloudflare.com ;; global options: +cmd ;; Got…
Adrian Zaugg
0 votes, 0 answers

How do I prevent Bind from retiring non-expiring DNSSEC keys when using DNSSEC Policy?

To control when signatures expire, I've switched to using dnssec-policy to generate DNSSEC records for my zones. This has solved the issue of getting RRSIG records to expire when they should but introduced a new problem of its own. bind9 is now…
0 votes, 1 answer

DNSSEC Migration with only KSKs migrated

Short version: If a DNSSEC-signed zone suddenly replaces both ZSKs (and all records related to the old ZSK), and at the same time keeps the KSKs (which are referenced by the upstream server), will it cause any trouble? And will it cause trouble after…
0 votes, 1 answer

How to force BIND 9.16 to resign my zones after editing zone file

I'm using BIND 9.16's new dnssec-policy feature on my zones, following the guide to enable DNSSEC. Everything worked like a charm. Now I need to add another record to one of my zones, but after editing the zone file in /var/lib/bind/db.mydomain.com…
0 votes, 2 answers

What happens if a resolver encounters a DNSSEC algorithm it does not support?

Does it refuse to return the requested record, or does it return the record, treating the domain as unsecured?
0 votes, 0 answers

DNSSEC in Spain

I tried to set up DNSSEC for a .es domain. The nameservers are on Cloudflare and GoDaddy is the registrar. I wasn't able to, and then a 'GoDaddy Guide' (chat support) told me that DNSSEC would generally not be available for .es domains, see…
jamacoe
0 votes, 0 answers

Which DS record will a validator choose when there are multiple valid DS records?

If there are multiple DS records, each using a different but RFC-compliant algorithm and digest type, is there any way to predict how real-world validators will select one? I've tried, for example, to review what the default behavior BIND…
Paul
0 votes, 1 answer

Transfer DNSSEC signed zones on GCP

I'm transferring zones, which have been signed using DNSSEC, between different Google Cloud Platform accounts. I've put the new zone into DNSSEC transfer state, but when I try to load the DNSKEY into the new zone I get an 'invalid value' error. The…
buckaroo1177125
0 votes, 2 answers

DNSSEC automatic signing isn't automatic

I'm having trouble with getting DNSSEC automatic signing to actually be automatic. It fails to sign automatically (well, it does sign automatically, but apparently signs the wrong thing, see below). In addition, cryptic errors are occasionally…
Linas
0 votes, 1 answer

Does DANE allow for trustable self-signed certificates?

DANE has 4 modes of operation, indexed 0-3, with mode 3 (i.e. Domain issued certificate) allowing for self-signed certificates. Can this mode be used in a trustable manner? And if so, does that mean that traditional Certificate Authorities and their…
0 votes, 0 answers

Does manually resigning a changed zone file with the same keys break the DNSSEC support from the upstream parent zone?

I send the DS set of example.company.com to my company.com provider. I also manage a couple of subdomains which are subject to change eventually: subdomain1.example.company.com and subdomain2.example.company.com. I add the DS set of these subdomains…
Mnemosyne
0 votes, 1 answer

On AWS during DS record creation I get an error, DS record with DNS name ex.com not permitted in zone ex.com. Why might this be?

Environment: AWS, DNSSEC When I attempt to create a DS record to establish a chain of trust I get an error that I don't understand. My full error. Error occurred Bad request. (InvalidChangeBatch 400: RRSet of type DS with DNS name example.com. is…
myNewAccount
0 votes, 1 answer

What are good default settings for DNSSEC?

I use Google Domains and just opened an account with A2 Hosting. I'd like to keep using DNSSEC. A2 Hosting requires me to "Please open a support ticket and provide the following information: DS Record Digest Digest Type Algorithm Public Key Key…