Questions tagged [dnssec]

Domain Name System Security Extension is a specification for securing certain kinds of information provided by Domain Name System.

Its purpose is to allow DNS resolvers (clients) to establish origin and authenticity of DNS records. It works by digitally signing these records using public-key cryptography.

Currently it is described in IETF RFC 2535.

206 questions
1
vote
1 answer

My resolver doesn't cache the DS RR sent with NS RR

I noticed a strange behaviour on my security-aware resolver. When resolving a secured domain name, the resolver receives DS RRset along with NS RRset. But when it proceeds to the validation of the data, it asks for DS RRset again. It seems it…
Dan928
1
vote
1 answer

verisign error -> Query to DNSKEY timed out or failed

I am trying to find the origin of an error I cannot get rid of on the Verisign DNSSEC debugger (Verisign debugger). Dig queries the server just fine: dig ex-mailer.com ANY @108.61.190.64. All of my logs are clean and error free in debugger mode. Log…
mine
1
vote
0 answers

How Do I get unbound to only use DNSSEC?

I have a pfsense box that I am in the process of configuring for the first time. I would like to use DNSSEC. I used this site to check my DNSSEC status. When I go to this site I am told that my DNSSEC is configured in "permissive mode". I would…
wlraider70
1
vote
1 answer

DNSSEC key-file not found

This is actually a follow-up on my previous question (my problem was solved); it can be found here: DNSSEC sign-zone results in fatal failure. However, I still want to use dnssec-signzone when creating my signed zone file. After I corrected the syntax…
1
vote
3 answers

Google Cloud DNS and DNSSEC?

Since Google Cloud DNS does not currently support the record types for DNSSEC, is there any way to begin implementation of DNSSEC using TXT records? If I were using Google Cloud DNS, which I am, and they currently only support record types which…
1
vote
1 answer

Effects of publishing DNSSEC DS records without signing public zone?

We at example.com are being pressured to implement DNSSEC by a sub-division of our organisation: security.example.com. Our current name servers ns1.example.com and ns2.example.com are unsigned, non-dnssec servers. We would like to use…
Daniel Widrick
1
vote
1 answer

Using DNSSEC with GoDaddy

This is my setup. Domain: nginx-repo[.]com (registered at GoDaddy). Nameserver: a DigitalOcean VM running BIND on Debian 7. I created a zone for the above-mentioned domain on my VM, then used dnssec-keygen and dnssec-signzone to set up and sign the…
A.Jesin
1
vote
1 answer

DNS architecture sanity check

I'm designing DNS service for a network and had a few architecture questions. The O'Reilly/Cricket Liu DNS book and the NIST DNS security guide don't address these questions except in a very general way. Here is the proposed network, which has…
1
vote
1 answer

Submit DS record to parent zone in DNS

I have set up DNSSEC for my domain shabdiznet.com and checked it at http://dnssec-debugger.verisignlabs.com/shabdiznet.com. The only problem is "No DS records found for shabdiznet.com in the com zone", as you may see. Also, I found the same old question…
Omid Kosari
1
vote
1 answer

What could this extra 50ms latency be on my unbound DNS resolving server (Fedora)?

I have a discrepancy in query latency. It's not a problem, it's just strange enough to worry me. Client machine (Fedora 18) runs unbound-1.4.19-1.fc18.x86_64. Server machine (Debian 7 testing) runs unbound 1.4.17-2. Both are connected to the same…
sourcejedi
1
vote
0 answers

OARC's DNSSEC validating resolvers validate all my records but A records

I have DNS set up with powerdns. It serves my DNS pretty well, and it AXFRs to other slaves. The slaves haven't yet updated to the most recent records, but that doesn't affect the validation, it would appear. Any record I can think of (AAAA, MX,…
user123315
1
vote
1 answer

DNSSEC NSEC3 salt length

Is there any recommendation for salt length in the NSEC3 records? Does a longer salt mean better security, and does a longer salt affect performance of (authoritative) servers? DNSSEC operational practices don't mention salt length. While looking at…
Sandman4
1
vote
1 answer

Pushing DNSSEC updates with offline keys

In a non-professional capacity, I look after the DNS of some 18 domains: mostly personal/vanity domains for immediate family. The whole shebang is outsourced to an inexpensive managed hosting provider who have a web interface through which I manage…
eggyal
1
vote
1 answer

My nameservers do not provide DNSSEC information with their answers - problem?

Some of our users have reported having issues accessing our website ("no response"). Suspecting a DNS issue, we have performed some online tests that return only this warning: Your nameservers do not provide DNSSEC information with their answers; no…
gg781
1
vote
1 answer

What DNSSec implementations are available, and have they been checked for padding Cryptographic Oracle vulnerabilities?

A cryptographic Oracle is where one can deduce the private key when an error condition is created. Considering the recent ASP.NET padding Oracle exploit, can anyone tell me if the DNSSec implementations have been protected from similar "Cryptographic…
makerofthings7