Questions tagged [dnssec]

Domain Name System Security Extensions (DNSSEC) is a specification for securing certain kinds of information provided by the Domain Name System.

Its purpose is to allow DNS resolvers (clients) to establish origin and authenticity of DNS records. It works by digitally signing these records using public-key cryptography.

Currently it is described in IETF RFC 2535.

206 questions
1 vote, 1 answer

DNSSEC - DNSKEY RRSIG not updated

Does anybody know why the DNSKEY RRSIGs are not re-signed with dynamic update? Regards
Arancha
1 vote, 1 answer

DNSSEC - Jitter default value

Does anybody know what the default value for jitter is when signing a zone? Regards
Arancha
1 vote, 1 answer

BIND auto-dnssec is signing records with ZSK and KSK

I'm doing a rollover of my KSK and ZSK (concurrent with a server transfer) and BIND (version 9.16.23) has started causing problems for me. I have the following keys in my directory: ; Kexample.ca.+007+10274.key ; This is a zone-signing key, keyid…
miken32
1 vote, 2 answers

How Do I Fix My DNSSEC? I never got DNSSEC working and have probably worsened the problems

My attempt to DNSSEC has not been successful. To help understand DNSSEC I have read many online articles, man pages for rndc, dnssec-*, viewed dnsviz.net and dnssec-analyzer.verisignlabs.com/. Most of the information explains DNSSEC in great detail…
Anthon
1 vote, 1 answer

How do I extend the expiration date of every DNSSEC signature in bind9?

I have a dnssec-secured domain that needs to remain valid for 8 weeks when all masters become unreachable. To my understanding, setting sig-validity-interval to 64 7 in the zone's configuration file should generate SSIGs that last 64 days and that…
1 vote, 0 answers

Do clients need to validate DNSSEC signatures?

I'm tasked to configure our domain to use DNSSEC. We currently use AWS Route 53 as both our registrar and DNS hosting provider. According to the AWS documentation, Route 53 supports DNSSEC at both of these services. As far as I understand, the whole…
Juan Vega
1 vote, 0 answers

dig does not show the content of DS, DNSKEY or any DNSSEC related record, SERVFAIL

I want to see the content of records using dig but any RR related to DNSSEC comes up empty. This happens on two laptops of mine. I'm running Ubuntu 18.04. Is there any setting I can fix to stop getting SERVFAILs? Records like DS and RRSIGs are…
Mnemosyne
1 vote, 1 answer

DNSSEC - Google Cloud and Cloudflare - Which DS Record do I give to the Registrar?

I have managed to really confuse myself here with enabling DNSSEC for the first time ever. I am using Google Cloud compute engine running a WordPress website for hosting. My domain registrar has its name servers set to Cloudflare which then routes…
Dilation
1 vote, 1 answer

Use of private and public DNS with DNSSEC

My company, 'example.com', has a public host www.example.com. The (legacy Windows managed) internal network has several internal hosts internalhost1.example.com, internalhost2.example.com and so on. The internal network has an internal private…
anneb
1 vote, 1 answer

Removing DNSSEC - Can it be done, and how can I?

A little while ago, I deployed DNSSEC because in doing so I reduced the number of security configuration checks I needed to implement on my local domain's DNS. These are Windows Server 2012R2 machines. This seems to have worked fine, except it…
1 vote, 0 answers

Bind loading signed zone with outdated serial

I'm running BIND 9.16.3-Ubuntu (ISC PPA) on a primary DNS server with a split view setup of an internal and an external view. All zones are signed with inline signing and auto-dnssec maintain. Some weeks ago I did my first ever ZSK and KSK rollover…
nebulon42
1 vote, 1 answer

DNSSEC I am not able to validate DNSKEY answer

Here is the answer I got for .com.my. DNSKEY: com.my. 3600 IN DNSKEY 257 3 8…
vinz
0 votes, 1 answer

What does this bind error mean?

Background I'm trying to set up a recursive DNSSEC server, with the dnssec-lookaside option. Following this guide. Error Message root@dnssec:/home/jose# systemctl status bind9 ● bind9.service - BIND Domain Name Server Loaded: loaded…
itasahobby
0 votes, 1 answer

BIND and DNSSEC setup debugging

I am trying to get DNSSEC up and running, but I'm having some difficulties getting it working. I am running BIND 9.14.2 (on Windows of all things). BIND is working fine and there are a number of zones in production on these servers. I just can't…
TomRA
0 votes, 1 answer

How to trust another Nameserver/Zone specifically?

For making sure a resolver is also able to resolve when not connected to the internet (which is usually not the case), I have configured a forward zone: zone "example.com" { type forward; forward only; forwarders { 1.2.3.4; 5.6.7.8;…