Questions tagged [dnssec]

Domain Name System Security Extension is a specification for securing certain kinds of information provided by Domain Name System.

Its purpose is to allow DNS resolvers (clients) to establish origin and authenticity of DNS records. It works by digitally signing these records using public-key cryptography.

Currently it is described in IETF RFC 2535.

206 questions
1 vote, 3 answers

Secondary Nameserver DNSSEC

I have this hidden master DNS nameserver notifying and updating the two public slave DNS servers: my own VPS running Debian/Bind9 DNS; 3rd-party secondary nameserver provider (afraid.org). I finally got DNSSEC working with the hidden master and my…
John Greene
1 vote, 1 answer

dnsmasq: Block manipulated dns responses pointing at captive portal site

After setting up a raspberry pi based router (behind two other routers) using debian stretch, iptables, dnsmasq and hostapd, I have come to learn a seemingly endless amount of interesting options that are by far not available in the proprietary…
1 vote, 2 answers

How to block domains using Bind / Named for local protection?

I am trying to sinkhole/blackhole a list of domains using bind. I think my issue is using "Include" in the WRONG place on the conf. Can someone confirm the blacklist line of code is in the right place? include "/etc/rndc.key"; controls { inet…
JsEveryDay
1 vote, 2 answers

DNSSEC Zone Signing Key (ZSK)

I've been tasked to look into implementing DNSSEC on our name servers. While the technical side of this (generate keys, sign zones, prepare rollovers) is relatively straightforward, I've run into a logistical problem. I am looking to run different…
1 vote, 1 answer

NSEC3 resource records with RSASHA256 or only NSEC3*?

Is it possible to use NSEC3 resource records with RSASHA256 keys or does NSEC3 require using NSEC3RSASHA1 or NSEC3DSA keys?
user178826
1 vote, 2 answers

Setting up a BIND server to provide additional records

I've got a nice small VPS from OVH and two domain names (let's call them first.com and second.com). As OVH does not support DNSSEC and CAA records I was informed that I can set up my own DNS server to provide those records for first.com by directing…
Avamander
1 vote, 1 answer

How should I request that a TLD implement DNSSEC?

I want to put pressure on the .social TLD so they can implement DNSSEC, however the company I purchased the domain name from is simply a reseller (NameCheap). I don't think that opening a ticket with them is as effective as contacting the TLD owner…
makerofthings7
1 vote, 0 answers

PowerDNS different DNSSEC signatures on slaves

I'm running PowerDNS 4.0.0a2 on Ubuntu 16.04 on a master and four slaves. All machines are using mysql backend on mariadb. All slaves are set up with mysql replication against the master which synchronizes data fine. Creating DNSSEC on a zone is…
SteffenNielsen
1 vote, 2 answers

Remove DS Records from Parent Zone

We transferred a .se domain to GoDaddy from a small Swedish registrar. It turns out the original domain has DNSSEC set up and the DS records were never removed from the parent zone when it was transferred (and no DNSKEY records were set up on…
1 vote, 1 answer

Which upstream servers is unbound using?

In order to have local DNSSEC validation, I set up a Raspberry Pi (having a static IP) with Raspbian Jessie and unbound to offer a DNS server to my LAN. After I looked up some tutorials and howtos, I came up with this configuration that seems to…
comfreak
1 vote, 1 answer

dnssec remove keys from zone

Is there a way to remove all DNSSEC-related stuff from a zone on a running bind server? I configured bind as described here. If I use rndc signing -clear all domain.tld nothing happens to the zone. If I delete the DNSSEC-signed zone via rndc…
eXe
1 vote, 0 answers

opendnssec and DelegationSignerSubmitCommand

I have a zone myzone.fr on my DNS running BIND and opendnssec. The new DS needs to be sent to the registry as shown in the log of ods-enforcerd: ods-enforcerd: WARNING: New KSK has reached the ready state; please submit the DS for myzone.fr and use…
G.D.
1 vote, 0 answers

DKIM-verification fails because of "insecure key"

I have my Debian (7.9 "wheezy") e-mail server (Postfix 2.9.6-2) set up to sign and verify DKIM signatures in e-mail messages using OpenDKIM (version 2.6.8-4). When I send myself an e-mail from my GMail account, I get the following result in the…
comfreak
1 vote, 1 answer

DNSSEC without registrar

The real title: How to use DS records without registrar help. I'm trying to stay loyal to my registrar, I have over 100 domains with them. Their "Advanced DNS" is pretty lacking (just A, TXT, CNAME and MX records), so unless I'm just setting up a…
TimJ
1 vote, 0 answers

BIND DNS to DNSSEC Converting Forwarder

I have an internal only DNS server running on BIND 9.8.4 on Debian, this recurses and caches all queries other than internal domain (ourdomain.lan) to OpenDNS. What I am hoping to do is to have all internal queries secure or not "converted" to…
o.comp