Questions tagged [dnssec]

Domain Name System Security Extension is a specification for securing certain kinds of information provided by Domain Name System

Its purpose is to allow DNS resolvers (clients) to establish origin and authenticity of DNS records. It works by digitally signing these records using public-key cryptography.

Currently it is described in IETF RFC 2535.

206 questions
3 votes, 1 answer

Error using dnssec-signzone in chroot'd bind 9.8 when a zone file includes other files

Using bind 9.8.2 on RHEL 6.5, running chroot'd. I have a zone file that includes other files (it's a zone with a large number of servers in different datacenters, and there's one included file per datacenter). The zone files and the included files…
T. Johnson

3 votes, 2 answers

Where does my DS record originate from?

The domain dwc-amsterdam.com was acquired on hosting company A (hostA) which supports DNSSEC. It was then transferred to hosting company B (hostB) which does not offer DNSSEC. After detecting certain issues with the domain the culprit seems to be the…
paul

3 votes, 2 answers

dnsmasq returns (false) "bogus" result for DNSSEC validation

I'm running a local Debian 8.1 installation with a DNSSEC-validating DNS resolver called dnsmasq (version 2.72-3+deb8u1). I set it up to return a SERVFAIL if it isn't able to validate a DNSSEC-enabled domain, i.e. if the domain has a DNSSEC entry it…
comfreak

3 votes, 0 answers

No RRSIGs found

I had a DNSSEC expiration and since redoing everything, I get the following error: "No RRSIGs found" from Verisign debugging. These are the exact steps I use to produce the key and signatures. What step did I miss? steps: emailer1 opendkim #…
mine

3 votes, 1 answer

DNSSEC key rollover guidelines

I've started playing with DNSSEC on my personal domain and I'm using OpenDNSSEC to perform signing and key maintenance; I only have a static zone, so OpenDNSSEC is an easy fit. Just to toy with things, I decided to do a manual key rollover for my…
antiduh

3 votes, 1 answer

DNSSEC and IPsec DNS Server and DNS Client Configuration

I'm about to deploy DNSSEC for some of my domains and as I was getting ready I did some reading on the subject. I came across some Microsoft TechNet articles talking about the Name Resolution Policy Table, which allows one to configure Windows DNS…
Cromulent

3 votes, 2 answers

Bind9: Disable DNSSEC validation on a per-zone basis?

I am trying to make a caching / forwarding only DNS server using Bind9 with DNSSEC validation being enabled by default. Assume you have the following information from my config file: acl "home-net" { 127.0.0.1; ::1; 192.168.1.0/24; …

3 votes, 0 answers

DNSSEC for private internal sub zones of an external domain

Consider the following scenario: example.com is hosted on CloudFlare and it's signed by CloudFlare DNSSEC. Everything works as expected for example.com. Inside the company we have some internal private zones, for Active Directory and a Unix domain:…
Vinícius Ferrão

2 votes, 1 answer

How do I remove a DS record from my parent zone using Amazon Route 53?

My website is currently inaccessible due to the presence of a DS record in the parent zone, when I am using nameservers that don't support DNSSEC. See this question for more context. I am using Amazon Route 53 as my registrar, and I can't see a way…

2 votes, 1 answer

Why is the DNSSEC Key Tag always 2371?

I was adding DNSSEC to a few of my domains recently, and I noticed that on every single one, the DNSSEC Key Tag was always 2371. What is the point in asking for it if it never changes? (Or does it change? When?) And why is it specifically 2371?
retnikt

2 votes, 0 answers

Bind is not re-signing DNSSEC zone after zone update and service restart

I'm facing an issue with BIND 9.9.11p1. My configuration is: zone "example1.com" { type master; file "zones/example1.com"; allow-query { any; }; allow-transfer { 1.2.3.4; }; also-notify { 1.2.3.4; }; key-directory "keys/example1.com"; …

2 votes, 1 answer

Fix broken DNSSEC

I have transferred a .com domain from Namecheap to EuroDNS. Since that day I have the problem that the domain does not resolve from all DNS servers, e.g.: $ host -a flibsy.com 8.8.8.8 Trying "flibsy.com" Using domain server: Name: 8.8.8.8 Address:…
yglodt

2 votes, 1 answer

DNS "views" and controlling zone transfers with TSIG

Running Bind 9.8.2. I have successfully set up TSIG keys for "views" using a DNS master/slave pair. Zone transfers are working as expected between the 2 servers for each view. Before we go live into production with this I need some clarification on…
user53029

2 votes, 0 answers

dig not giving AD bit when DNSSEC is configured

I am working on this Deterlab exercise and I ran into some problems when adding DNSSEC to Bind. The server runs BIND 9.7.0-P1. The configuration I have done is the following: Signed zone for google.com: zonesigner -genkeys google.com Added…

2 votes, 2 answers

Outsourcing Recursive DNS in a Windows Domain Environment

We've been considering utilizing a third-party recursive DNS provider like OpenDNS (or anyone) to provide a layer of anti-phishing and DNSSEC validation (without having to implement those features internally). To allow internal (Windows domain) DNS…
Beems