All client resolvers support DNSSEC compatible queries ???

Peter Andreev andreev.peter at gmail.com
Thu Apr 24 11:19:48 UTC 2014


2014-04-24 13:46 GMT+04:00 Carsten Strotmann <cas at strotmann.de>:
> Hello Jeronimo,
>
> "Jeronimo L. Cabral" <jelocabral at gmail.com> writes:
>
>> Dear, we have several hosts in our LAN that ask our BIND DNS: Debian,
>> Windows 7, Red Hat and CentOS.
>>
>> If we implement DNSSEC validation support in our BIND9 server...how
>> can I know if our hosts' resolvers are compatible with DNSSEC queries
>> ???
>>
>
> Client host resolvers are usually not DNSSEC aware today. Certain
> applications (a browser with a DNSSEC validator plugin, the Postfix MTA ...)
> running on a client can be DNSSEC aware.
>
> You can enable DNSSEC validation support on a BIND 9 caching server that
> is used as a resolver by your clients. BIND 9 9.9.x already comes with
> DNSSEC validation enabled, for older versions you need to enable it
> manually in the configuration.
>
> Legacy (non-DNSSEC-aware) clients will send just regular DNS queries
> towards the BIND 9 caching resolver. BIND 9 will send queries with the
> "DO" flag (DNSSEC OK) towards the authoritative DNS server in the
> network. For DNSSEC-signed zones, BIND 9 will validate the DNSSEC
> data. If the data validates without issues, the data is returned to
> the client as normal DNS (no DNSSEC). If the data fails to validate, the
> bad data is not sent to the clients; instead a "SERVFAIL" error message
> is sent to the client.

Actually a resolver sends the client an answer with the AD (authenticated
data) bit set if the response from the authoritative server is successfully
validated.  If the zone in question isn't secured by DNSSEC, then the client
receives a response without the AD bit. If validation fails - SERVFAIL.

>
> DNSSEC is backwards compatible in the sense that you can enable DNSSEC
> validation without the need to make changes to legacy clients.
>
> Windows 7 and Windows 8 clients can build a special trust relationship
> with an AD integrated Windows DNS Server to secure the "last mile"
> between the client and the resolving DNS cache. However to my knowledge
> this is not possible with Windows and a BIND 9 DNS.

IPSec, AFAIK.

>
> Best regards
>
> Carsten
-- 
Is there any problem Exterminatus cannot solve? I have not found one yet.
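Added example, not part of this thread and not BIND's own code: a stdlib-only Python 3 script that shows on the wire what the exchange above describes. `build_query()` produces a query with or without the EDNS DO bit (the validating cache sets it upstream; a plain stub client does not), `classify_response()` reads the AD bit and RCODE of a reply the way a client would, and three constructed replies stand in for the validated, unsigned and failed-validation cases. `probe_resolver()` and the `RESOLVER_IP` placeholder are my assumptions for pointing the same check at your own cache; all function names are mine.

```python
import socket
import struct

# DNS header flag bits (RFC 1035, RFC 4035)
FLAG_QR = 0x8000  # message is a response
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # Authenticated Data: the resolver validated this answer
RCODE_NOERROR = 0
RCODE_SERVFAIL = 2

OPT_TYPE = 41     # EDNS(0) OPT pseudo-RR (RFC 6891)
EDNS_DO = 0x8000  # DNSSEC OK bit, top bit of the OPT RR flags field


def encode_name(name):
    """Encode a dotted name in DNS wire format (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234, do=True):
    """Build a DNS query for name/qtype (1 = A).

    do=True appends an OPT RR with the DO bit, as a validating cache does
    towards authoritative servers. A legacy stub client sends do=False and
    still gets an answer; AD is set in the query so a validating resolver
    reports validation status in its reply (RFC 6840 section 5.7).
    """
    flags = FLAG_RD | FLAG_AD
    arcount = 1 if do else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    msg = header + question
    if do:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size,
        # TTL = ext RCODE (8) | version (8) | flags (16, DO on top), RDLEN=0
        msg += b"\x00" + struct.pack("!HHBBHH", OPT_TYPE, 4096, 0, 0, EDNS_DO, 0)
    return msg


def parse_header(data):
    """Return the fields of the 12-byte DNS header that matter here."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": txid, "is_response": bool(flags & FLAG_QR),
            "ad": bool(flags & FLAG_AD), "rcode": flags & 0x000F, "ancount": an}


def classify_response(data):
    """Map a reply to the three outcomes the thread describes."""
    h = parse_header(data)
    if h["rcode"] == RCODE_SERVFAIL:
        return "bogus-or-error"  # validation failure (or any other server failure)
    if h["rcode"] == RCODE_NOERROR and h["ad"]:
        return "secure"          # validated by the resolver: AD set
    if h["rcode"] == RCODE_NOERROR:
        return "insecure"        # unsigned zone, or resolver not validating
    return "rcode-%d" % h["rcode"]


def make_response(txid, rcode, ad, ancount=0):
    """Constructed reply (header + echoed question) standing in for a resolver's answer."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (rcode & 0x0F)
    if ad:
        flags |= FLAG_AD
    return (struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
            + encode_name("example.com") + struct.pack("!HH", 1, 1))


# Constructed sample replies, one per outcome a legacy client can observe.
SAMPLE_REPLIES = {
    "signed zone, validates": make_response(0x1234, RCODE_NOERROR, ad=True, ancount=1),
    "unsigned zone":          make_response(0x1234, RCODE_NOERROR, ad=False, ancount=1),
    "validation failure":     make_response(0x1234, RCODE_SERVFAIL, ad=False),
}


def probe_resolver(server, name, do=False, timeout=3.0):
    """Send a real query to server (UDP/53) and classify the reply.
    Needs network access; the constructed samples above do not."""
    q = build_query(name, do=do)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    if parse_header(data)["id"] != parse_header(q)["id"]:
        raise ValueError("transaction id mismatch")
    return classify_response(data)


if __name__ == "__main__":
    for label, reply in SAMPLE_REPLIES.items():
        print("%-24s -> %s" % (label, classify_response(reply)))
    # RESOLVER_IP is a placeholder: point it at your own BIND cache to probe it.
    # print(probe_resolver("RESOLVER_IP", "example.com"))
```

Running the script with the samples prints `secure`, `insecure` and `bogus-or-error` for the three cases; against a real cache, a legacy client query (`do=False`) to a signed, correctly validating name should come back `secure`, which is the practical check for "is my BIND cache validating on behalf of hosts that are not DNSSEC aware".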

