Questions tagged [dnssec]

Domain Name System Security Extensions (DNSSEC) is a specification for securing certain kinds of information provided by the Domain Name System.

Its purpose is to allow DNS resolvers (clients) to establish the origin and authenticity of DNS records. It works by digitally signing these records using public-key cryptography.

Currently it is described in IETF RFC 2535.

206 questions
6 votes, 1 answer

Basic DNSSEC configuration under BIND 9.7?

Could anybody provide a step-by-step procedure to set up DNSSEC under BIND 9.7? I think the version is relevant because it is supposed to make life easier. In fact, there is a document published by ISC called DNSSEC for Humans, which I used as a…
sadpluto
6 votes, 1 answer

DNSSEC NSEC3 opt-out

Can someone please explain, in simple language, the meaning of opt-out flag in the NSEC3 RR. I did read RFC 5155 and understand nothing.
Sandman4
6 votes, 1 answer

Debian DNSSEC - howto secure a domain?

I have a beginner question about DNSSEC. I have much experience with TLS and cryptography-stuff and would like to try out this new technology. I have googled very much about this but I haven't found useful information for me. I think one confusion…
Daniel Marschall
6 votes, 1 answer

nsupdate, getting BADKEY error

I'm trying to update a name using nsupdate executed from within the name server itself but I receive the error message ; TSIG error with server: tsig indicates error. I created a key with dnssec-keygen -a hmac-md5 -b 512 -n HOST -r /dev/urandom…
stracktracer
6 votes, 1 answer

Querying and verifying dnssec

I hear http://www.isoc.org/ has Domain Name System Security Extensions on its DNS records. How do I see and verify the DNS using the tool dig?
hendry
6 votes, 3 answers

What are the effects of the L root server now publishing DURZ?

I'm curious what the actual effects of the L root server publishing DURZ today will be. On the nanog mailing list, someone said it's important to evaluate the systemic effects of root name servers publishing signed zones, even when not using DNSSEC.…
brent
6 votes, 1 answer

How to migrate BIND configuration to dnssec-policy from auto-dnssec maintain without disruption?

BIND 9.16 introduced a new dnssec-policy feature as a further more automated DNSSEC key management and signing facility over the long established auto-dnssec maintain functionality. The documentation does not appear to cover migrating from the old…
Håkan Lindqvist
5 votes, 2 answers

bind9 configure forward zone for local domain without DNSSEC for this zone only

I have a working DNS server for local domain mydomain.local. I am trying to configure bind9 to work in default configuration, except for this zone, for which I want to forward queries to local DNS server. Here's config I have (ubuntu…
galets
5 votes, 0 answers

Understanding (and partially disabling?) DNSSEC for an internal domain

I am setting up a new DNS infrastructure for our internal HPC cluster environment. This involves providing a migration path from our existing DNS authorities and domains. For sake of example, let's say that we have an institutional domain of…
anderbubble
5 votes, 2 answers

Is it possible to create DANE TLSA records when the DNS server doesn't support it?

I'd like to set up DANE for the domain which handles my email. My domain is registered at OVH, and I'm using their anycast DNS servers. They do support DNSSEC, but not TLSA records. Is there a fallback record type I can use? (like I can use TXT if…
GDR
5 votes, 2 answers

DNSSEC MITM attacks

What makes DNSSEC immune to a MITM attack? Why can't I sign a key for example.com and get this to a resolving nameserver or client before they can get it from the real source?
Bill Gray
5 votes, 1 answer

Adding DS record to parent in DNS

I am trying to set up DNSSEC for my domains. Everything seems to work but I get the following error: DNSKEY found at child, but no DS was found at parent. Check for DS records in parent zone We found that none of your DNSKEY records are published…
Saif Bechan
5 votes, 3 answers

Windows 2003 DNS server and DNS SEC

I have an almost out-of-the-box Windows 2003 server which is also a domain name server for some users. Should I be worried about the 5th of May's deployment of DNSSEC on root name servers? I have already run: dnscmd /Config /EnableEDnsProbes 1 thanks a…
pQd
4 votes, 1 answer

Is DLV on dnssec deprecated?

I'm trying to set up a recursive DNS that also has its own zone using bind. Now I want to upgrade it to use dnssec but as far as I understood I have to use DLV if I don't own a domain name. However the few guides that I could find say that you…
itasahobby
4 votes, 1 answer

What are the downsides of enabling DNSSEC for your website? (Hosted at a shared web host.)

I own a domain name via Google domains and my website is hosted as a shared account with Dream Host. I see that both provide DNSSEC vs old DNS. I was thinking to enable it. But before I do so, I was wondering what are the downsides of enabling…
c00000fd