Questions tagged [dnssec]

Domain Name System Security Extension is a specification for securing certain kinds of information provided by Domain Name System.

Its purpose is to allow DNS resolvers (clients) to establish origin and authenticity of DNS records. It works by digitally signing these records using public-key cryptography.

Currently it is described in IETF RFC 2535.

206 questions
2
votes
1 answer

DNSSEC - First Signature

I'm testing DNSSEC with Bind 9.7.2-P2. I have a question regarding the first signature created over a zone that already exists. I'm using dynamic DNS. I create the first two keys: one KSK and one ZSK. According to…
Arancha
2
votes
2 answers

DNSSEC + Bind : dnskey invalidated by tld

I'm trying to enable DNSSEC on my authoritative dns Bind machine. So far I've done the following Tutorial : Generate the KSK and ZSK Keys : dnssec-keygen -a RSASHA1 -b 1024 -n ZONE zonename dnssec-keygen -a RSASHA1 -b 4096 -n ZONE -f KSK…
Kami
2
votes
1 answer

Migrating signed zones between BIND servers

I'm having some troubles migrating a signed DNS zone to a new server. I've copied over the zone files (unsigned, signed, and journal), signing keys, and DS sets. Once in place, BIND is happy to serve the zone but it cannot be signed. This is the…
miken32
2
votes
1 answer

Remove RRSIG record from GoDaddy subdomain

I added 4 NS entries for a subdomain for a SalesForce email campaign. SalesForce has since complained they see an "RRSIG entry for the subdomain" and they "do not support (add to NS) RRSIG records", and as such I need to remove it. I did not add the…
Steve
2
votes
2 answers

Configuring BIND9 (ver 9.16) to allow TXT DNS updates from Let's Encrypt

Solution to the below problem: Use $ddns-confgen or $tsig-keygen, the former provides you with the syntax to paste into your named.conf file Problem: I am trying to configure a BIND9 (ver9.161-Ubuntu) to allow me to create TXT records which…
Ian B
2
votes
2 answers

Is DNSSEC useful?

DNSSEC validates and authenticates zone data with the purpose to make sure that whatever DNS results, those are genuine. Even if a DNS resolver validates that an authoritative nameserver has sent the right data untampered, how do we prevent the DNS…
Noob
2
votes
1 answer

DNSSec do you need to renew anything?

I have followed this tutorial to configure DNSsec: https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server-2 If you don't modify your zone, do you ever need to redo anything like in case of…
nft
2
votes
1 answer

Webex not using DNSSEC

Our government issued a statement that all video/voice online enabling software needs to use DNSSEC for all address translations and all used DNS servers need to support DNSSEC. I tried a few DNSSEC checkers and analyzers…
2
votes
0 answers

Setup Knot DNS DNSSEC with automatic key management

I am new to DNS. I am trying to set up public authoritative DNS servers for a dot net domain using Knot DNS. Generally the documentation is pretty clear, but when it comes to DNSSEC it is confusing. So assume the domain is example.net. There are…
Falstone
2
votes
1 answer

Issues running multiple BIND DNS servers behind a single Public IP

I am implementing a solution to load balance DNS queries across multiple bind recursive DNS servers to increase QPS limit. Each centos VM has a namespace gi set up with the loopback of the ns set to a single DNS Public IP. Each DNS server advertises…
Dunner1991
1
vote
0 answers

bind9 fails with dnssec-validation on one server but not an identical one on a different network

I'm trying to set up a recursive DNS server on a cloud-based VPS. If I set dnssec-validation no it works fine, but if I set dnssec-validation auto I get status: SERVFAIL from dig. However when I set up another DNS server on a different cloud…
ras
1
vote
0 answers

bind-9.11 auto-maintain inline update

We have a stealth master which has several zones secured with DNSSEC. We recently upgraded to 9.11 and enabled auto-maintain and inline-update for DNSSEC. The initial zone resign and load went smoothly. However, when I now update the master zone…
James B. Byrne
1
vote
0 answers

Windows DNS Server with DNSSEC validation break specific domain

I recently enabled DNSSEC validation on our internal DNS Server in our Active Directory environment. Everything was working fine until a couple of days later I noticed that I couldn't reach a certain domain and only this domain. At first I thought…
PatricF
1
vote
0 answers

DENIC NAST - Generating Compliant DNSSEC Key

I am having a major problem generating a compliant DNSSEC key pair for use with a .de domain name. DENIC have a testbed - Nameserver Predelegation Check Web Interface at https://www.denic.de/en/service/tools/nast/ and the idea is that a customer…
user506088
1
vote
1 answer

How To Regenerate and Revoke Lost DNSSEC Keys?

Fedora 27, x64 I need to revoke a DNSSEC key in order to replace it and already know how to generate new keys, etc.; however I had to delete my old keys because they were causing my domains to be marked as being rogue as a result of old keys with…
user506088