How to Setup DNSSEC
Tony Finch
dot at dotat.at
Wed Oct 17 18:31:45 UTC 2012
babu dheen <babudheen at yahoo.co.in> wrote:
>
> All users in our company use internal DNS servers for name resolution.
> All internal DNS servers are pointed to our gateway recursive BIND name
> server, which is responsible for getting DNS queries from authoritative
> internet DNS servers.
>
> Now we would like to configure DNSSEC on my gateway DNS and internal DNS server.

For recursive DNSSEC, I recommend BIND 9.8 or newer, since then you don't
have to mess around with getting the root trust anchor.

Once you have a recent version of the software, check your network isn't
broken using a DNS reply size tester such as
https://www.dns-oarc.net/oarc/services/replysizetest/

If large UDP packets and TCP/53 get through OK, then you can go ahead and
add the following to the options section of your nameserver configuration:

	dnssec-validation auto;
	dnssec-lookaside auto;

And that's it.

Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
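
A way to confirm the result of the configuration described above, added here as an example and not part of the original message: it reads `dig +dnssec` output and reports whether the resolver set the AD flag. The function name `dnssec_status` and the sample outputs are constructed for illustration; the resolver address and zone name in the usage comment are placeholders.

```shell
#!/bin/sh
# Classify a resolver's answer from `dig +dnssec` output read on stdin.
#   validated : NOERROR with the AD (Authenticated Data) flag set
#   insecure  : NOERROR without AD (unsigned zone, or validation is off)
#   servfail  : SERVFAIL (what a validating resolver returns for bogus
#               data, but also for ordinary upstream failures)
#   other     : anything else (NXDOMAIN, REFUSED, unparseable input)
dnssec_status() {
    awk '
        /^;; ->>HEADER<<-/ {
            for (i = 1; i <= NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
        }
        /^;; flags:/ {
            flags = $0
            sub(/^;; flags:/, "", flags)   # drop the label
            sub(/;.*/, "", flags)          # drop the section counts
            n = split(flags, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ad") ad = 1
        }
        END {
            if (status == "NOERROR" && ad) print "validated"
            else if (status == "NOERROR")  print "insecure"
            else if (status == "SERVFAIL") print "servfail"
            else                           print "other"
        }'
}

# Constructed samples: the two header lines dig prints for each case.
SAMPLE_SIGNED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_UNSIGNED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

for sample in "$SAMPLE_SIGNED" "$SAMPLE_UNSIGNED" "$SAMPLE_BOGUS"; do
    printf '%s\n' "$sample" | dnssec_status
done

# Live use (placeholders): dig +dnssec SIGNED-ZONE @RESOLVER-IP | dnssec_status
```

A "validated" result for a signed zone shows the gateway is validating; internal servers that forward to it only pass that flag along.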