Questions tagged [dnssec]
Domain Name System Security Extensions (DNSSEC) is a specification for securing certain kinds of information provided by the Domain Name System.
210 questions
29 votes, 3 answers, 9k views
What kinds of security vulnerabilities does providing DNSSEC expose?
I was planning to sign my DNS zone with DNSSEC. My zone, the registrar and my DNS server (BIND9) all support DNSSEC. The only one who doesn't support DNSSEC is my secondary nameserver provider (namely ...
13 votes, 2 answers, 2k views
How is my DNSSEC enabled domain still serving a tiny number of NXDOMAIN response codes?
I enabled DNSSEC on my primary domain about a week ago. It's not a major website or anything -- just my personal domain name that I use for email and the like (TLD: com; DNSSEC algorithm 13; ...
11 votes, 2 answers, 31k views
bind9 does not resolve dnssec correctly
I have a problem with my dns server setup. My bind server is mainly a cache-server but does also serve some internal domains. It listens only on my private network and serves only requests from there.
...
11 votes, 1 answer, 845 views
Can I reasonably use SHA-256 in a DNSSEC deployment?
I know that RFC 5702 documents the use of SHA-2 in DNSSEC, and that RFC 6944 defines RSA/SHA-256 as "recommended to implement." What I'm not aware of is just how widely-implemented SHA-256 ...
9 votes, 1 answer, 2k views
SSHFP not working
I have two machines running OpenBSD v6.9.
Let's be original and call them client and server.
I generated the SSHFP records on the server with:
ssh-keygen -r host.domain.tld
In the DNS zone, I added ...
8 votes, 1 answer, 11k views
How to remove DNSSEC support from a domain?
An organization has DNSSEC support for their domains. They have BIND9 running as authoritative name server, which also manages the keys. However, it was decided to remove DNSSEC. Is it sufficient to ...
8 votes, 2 answers, 3k views
Do I need to renew the keys which I deposited at my domain provider?
I have set up some domains with dnssec. I generated the keys and signed the zones with zonesigner from dnssec-tools. I know that I must resign the zones within 30 days. But what's up with the keys ...
8 votes, 1 answer, 9k views
opendkim-testkey: key not secure
I set up Opendkim milter to work with postfix on my machine. Now email is signed & verified correctly i.e. email source code shows DKIM-Signature header.
TXT record on the authoritative DNS is set ...
7 votes, 5 answers, 856 views
No IPv6 & DNSSEC support on cc-TLD? (practical implications)
I'm needing to register some domains that have country code domain extensions, but noticed that those TLDs do not officially support (A) IPv6 or (B) DNSSEC... What limitations or pitfalls should I ...
7 votes, 3 answers, 34k views
BIND server has tons of "no valid RRSIG" errors
I have a forward-only BIND9 server running on the LAN and it logs hundreds of errors per day like:
Aug 29 18:38:29 nuc named[850]: error (no valid RRSIG) resolving 'ubuntu.com/DS/IN': 75.75.75.75#53
...
7 votes, 3 answers, 7k views
DNSSEC - Ad Flag not activated
I have some doubts regarding DNSSEC. I have one server acting as an Authoritative Name Server and another one as a Cache/Resolver. I'm using Bind 9.7.1-P2 and these are my configuration files:
Named....
7 votes, 1 answer, 2k views
Multiple DS records
I was wondering how validating resolvers deal with multiple DS records. Let's say we have a zone with one KSK and one ZSK, but after some key rollover shenanigans there are two DS records in the ...
7 votes, 2 answers, 3k views
What are acceptable key lengths for DNSSEC KSK/ZSK?
I've been tasked to look into implementing DNSSEC on our name servers. While the technical side of this (generate keys, sign zones, prepare rollovers) is relatively straightforward, I've run into a ...
7 votes, 3 answers, 10k views
How to update a zone with auto-dnssec: maintain
I am running an authoritative BIND 9.9.5-9+deb8u8-Debian on Debian Jessie.
I have a working zone for robin.info that works properly (various tests report success, such as the one on pingdom.com's DNS ...
6 votes, 3 answers, 1k views
What are the effects of the L root server now publishing DURZ?
I'm curious what the actual effects of the L root server publishing DURZ today will be. On the nanog mailing list, someone said it's important to evaluate the systemic effects of root name servers ...
6 votes, 1 answer, 15k views
Querying and verifying dnssec
I hear http://www.isoc.org/ has Domain Name System Security Extensions on its DNS records.
How do I see and verify the DNS using the tool dig?
6 votes, 5 answers, 4k views
DNSCurve vs DNSSEC
Can someone informed please give a lengthy reply about the differences and advantages/disadvantages of both approaches?
I am not a DNS expert, not a programmer. I have a decent basic understanding ...
6 votes, 1 answer, 6k views
Basic DNSSEC configuration under BIND 9.7?
Could anybody provide a step-by-step procedure to set up DNSSEC under BIND 9.7? I think the version is relevant because it is supposed to make life easier. In fact, there is a document published by ...
6 votes, 1 answer, 4k views
DNSSEC NSEC3 opt-out
Can someone please explain, in simple language, the meaning of opt-out flag in the NSEC3 RR. I did read RFC 5155 and understand nothing.
6 votes, 1 answer, 2k views
Debian DNSSEC - howto secure a domain?
I have a beginner question about DNSSEC. I have much experience with TLS and cryptography stuff and would like to try out this new technology. I have googled very much about this but I haven't found ...
6 votes, 1 answer, 15k views
nsupdate, getting BADKEY error
I'm trying to update a name using nsupdate executed from within the name server itself but I receive the error message
; TSIG error with server: tsig indicates error.
I created a key with dnssec-...
6 votes, 1 answer, 2k views
How to migrate BIND configuration to dnssec-policy from auto-dnssec maintain without disruption?
BIND 9.16 introduced a new dnssec-policy feature as a further more automated DNSSEC key management and signing facility over the long established auto-dnssec maintain functionality.
The documentation ...
5 votes, 2 answers, 1k views
DNSSEC MITM attacks
What makes DNSSEC immune to a MITM attack?
Why can't I sign a key for example.com and get this to a resolving nameserver or client before they can get it from the real source?
5 votes, 2 answers, 2k views
Is it possible to create DANE TLSA records when the DNS server doesn't support it?
I'd like to set up DANE for the domain which handles my email. My domain is registered at OVH, and I'm using their anycast DNS servers. They do support DNSSEC, but not TLSA records.
Is there a ...
5 votes, 1 answer, 16k views
Adding DS record to parent in DNS
I am trying to set up DNSSEC for my domains. Everything seems to work but I get the following error:
DNSKEY found at child, but no DS was found at parent.
Check for DS records in parent zone
We found ...
5 votes, 2 answers, 19k views
bind9 configure forward zone for local domain without DNSSEC for this zone only
I have a working DNS server for local domain mydomain.local. I am trying to configure bind9 to work in default configuration, except for this zone, for which I want to forward queries to local DNS ...
5 votes, 3 answers, 1k views
windows 2003 DNS server and DNS SEC
I have an almost out-of-the-box Windows 2003 server which is also a domain name server for some users. Should I be worried about the 5th of May's deployment of DNSSEC on root name servers?
I have already run:
...
5 votes, 0 answers, 3k views
Understanding (and partially disabling?) DNSSEC for an internal domain
I am setting up a new DNS infrastructure for our internal HPC cluster environment. This involves providing a migration path from our existing DNS authorities and domains.
For sake of example, let's ...
4 votes, 1 answer, 626 views
Is DLV on dnssec deprecated?
I'm trying to set up a recursive DNS that also has its own zone using bind.
Now I want to upgrade it to use dnssec but as far as I understood I have to use DLV if I don't own a domain name.
...
4 votes, 1 answer, 929 views
Use DNSSEC for secure connections
From my understanding DNSSEC allows me to create a public key and sign my DNS records. There appears to be multiple ways to have a certificate record (such as DANE see https://wiki.mozilla.org/...
4 votes, 2 answers, 2k views
DNSSEC - How does it protect from an MITM attack?
I have been reading for several hours about DNSSEC and I'm still failing to understand how it protects from MITM attacks. I have also read every question here on serverfault related to DNSSEC.
Please ...
4 votes, 1 answer, 1k views
Do I need DNSSEC?
After reading about DNSSEC realization in Windows Server 2008 R2 it seems to me that it adds extra complexity without being fully secure anyway (I do understand that more security always means more ...
4 votes, 3 answers, 5k views
bind is not validating dnssec
Strange. My bind is not validating dnssec even though I configured it to. Version according to named -V is BIND 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.2 which has a built-in DLV key.
Under options in ...
4 votes, 1 answer, 1k views
Inline signing with bind 9.9 and NSEC3
Since version 9.9, Bind supports inline signing, but I don't find any information on how to make it work with NSEC3. I cannot add NSEC3PARAM RR with nsupdate: I think it's normal because of inline ...
4 votes, 2 answers, 9k views
DNSSEC broken in Windows 2016's DNS server?
I'm currently in the process of migrating a DNS server from Windows 2012 R2 to Windows 2016. However, I have run into an issue with DNSSEC. So far I have just moved one domain, an unused test domain, ...
4 votes, 1 answer, 1k views
Managing multiple equal zones with DNSSEC
I run an authoritative name server (BIND), and I have a few dozen domains with identical zone files, i.e. they all use /etc/bind/db.default3.
I’m considering deploying DNSSEC on my server, but so far ...
4 votes, 1 answer, 351 views
What are the downsides of enabling DNSSEC for your website? (Hosted at a shared web host.)
I own a domain name via Google domains and my website is hosted as a shared account with Dream Host. I see that both provide DNSSEC vs old DNS. I was thinking to enable it.
But before I do so, I was ...
4 votes, 1 answer, 8k views
Can't resolve website using Google's public dns
I can't seem to be able to access my site, yippie.nl, using Google's public DNS 8.8.8.8. Other DNSs work fine.
Could this be due to DNSKEY? Because Route53 doesn't provide it.
http://dnscheck.pingdom....
4 votes, 1 answer, 329 views
What TLDs should I use for my NS records for redundancy? (DNSSEC support required)
Question
As a general practice, is it a good idea to use multiple TLDs for the name servers?
How should I choose between which TLD would be a good candidate for being the root server for my NS name?...
4 votes, 2 answers, 9k views
Bind9: Disable DNSSEC validation on per zone basis?
I am trying to make a caching / forwarding only DNS server using Bind9 with DNSSEC validation being enabled by default.
Assume you have the following information from my config file:
acl "home-...
4 votes, 0 answers, 282 views
Keeping DNSSEC KSKs offline with BIND9
I am looking to move the private part of the KSK for my domains off my main nameserver. I've tried this with a test domain and get errors like this:
dns_dnssec_keylistfromrdataset: error reading /etc/...
3 votes, 2 answers, 7k views
dnsmasq returns (false) "bogus" result for DNSSEC validation
I'm running a local Debian 8.1 installation with a DNSSEC-validating DNS-Resolver called dnsmasq (version 2.72-3+deb8u1).
I set it up to return a SERVFAIL if it isn't able to validate a DNSSEC-...
3 votes, 2 answers, 200 views
What are possible security issues with TLD not being secured with DNSSEC, even if subdomain is?
We are working on an established network with a BIND9 server running (as well as many other services). I'm learning and trying to reorganize the old configuration files to comply with the present day (...
3 votes, 1 answer, 433 views
DNSSEC key rollover guidelines
I've started playing with DNSSEC on my personal domain and I'm using OpenDNSSEC to perform signing and key maintenance; I only have a static zone, so OpenDNSSEC is an easy fit.
Just to toy with ...
3 votes, 1 answer, 2k views
How do I remove a DS record from my parent zone using Amazon Route 53?
My website is currently inaccessible due to the presence of a DS record in the parent zone, when I am using nameservers that don't support DNSSEC. See this question for more context.
I am using ...
3 votes, 3 answers, 4k views
BIND unable to resolve one domain but works on others
On an SMTP server running bind 9.11 for DNS, DNS resolution is failing for one domain causing an email to that domain to fail. There are no problems resolving other domains. However, it can resolve on ...
3 votes, 2 answers, 5k views
Proper way to reload master zone on bind9 doing inline-signing
I have a master BIND9 (v9.10.3) properly serving several signed zones (verified with dnsviz, etc.)
I have not been able to find in any documentation a proper way to reload and resign a static zone ...
3 votes, 1 answer, 2k views
failed loading zone from 'myzone.local.zone': no ttl
I run the following command for DNSSEC on Debian 8, but I get an error:
# dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o myzone.local -t myzone.local.zone
...
3 votes, 2 answers, 1k views
Where does my ds record originate from?
The domain dwc-amsterdam.com was acquired on hosting company A (hostA) which supports DNSSEC.
It was then transferred to hosting company B (hostB) which does not offer DNSSEC.
After detecting certain ...
3 votes, 1 answer, 2k views
DNSSEC and IPSec DNS Server and DNS Client Configuration
I'm about to deploy DNSSEC for some of my domains and as I was getting ready I did some reading on the subject. I came across some Microsoft Technet articles talking about Name Resolution Policy Table ...