DNSSEC and secondary DNS servers

Mark Elkins mje at posix.co.za
Sat Sep 8 16:21:34 UTC 2018


Some clarification....

Have you DNSSEC signed your domain - that is "covisp.net"? I don't
see any DS records for it in the "net" zone.

dig @a.gtld-servers.net. covisp.net ds
flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
returns the SOA for NET - so I know I got to the right place but there
was no answer...

If you mean you want to switch on DNSSEC for recursion - that is - when
you look up names and want DNSSEC protection - you should not do that on
your authoritative servers. If an authoritative server has a DNSSEC
signed zone and you ask it directly (e.g. with DIG) - it will set the
"AA" flag for that domain but never set the AD bit.

In my case, posix.co.za is signed and if I ask my local DNS Server which
is DNSSEC aware - I get...

$ dig posix.co.za a
...
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
...
posix.co.za.        3600    IN    A    192.96.24.1
...
;; SERVER: 127.0.0.1#53(127.0.0.1)

If I ask my authoritative (for "posix.co.za") Nameserver for the same:

$ dig posix.co.za a @secdns1.posix.co.za
...
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 6
...
posix.co.za.        3600    IN    A    192.96.24.1
...
;; SERVER: 192.96.24.81#53(192.96.24.81)

Notice there is no AD bit, just AA.

In a new install of bind (on my Linux Laptop: BIND 9.11.2-P1) I think
you'll find DNSSEC is already switched on; otherwise you want:

options {
        dnssec-enable yes;
        dnssec-validation auto;
};

On an Authoritative system - anyone can query it but only for your
domain and there should be no recursion:

allow-recursion { none; };

On a Recursive server, recursion should be on but only for a few trusted
people...

allow-recursion { trusted; };     // Trusted is only my local networks

Thus Recursive and Authoritative Nameservers should *ideally* be on
separate servers (virtual or physical).

On 09/08/2018 03:58 PM, @lbutlr wrote:
> So, I set up DNSSEC on my authoritative bind 9.12 server, which was very straightforward and works fine:
>
> dig covisp.net +dnssec +short @8.8.8.8
> 65.121.55.42
> A 7 2 86400 20181008122535 20180908122535 17363 covisp.net. pkpVdFONJ2dYN+7wQ4pVcQTlWIThY3+mbNdXsE8p5uWiLNvIefVT32JE i9itA3Si91/pImofmPnLPbxRbLzWt+dSfbxBoHaoCYK1ZCngw/vy9QlG 36Um0De5ItCC/GuflXUnBKmEJKx0pQOlvqSnkRSV75yLnAw3NA0BdKnf CBJP9QLQH/A1vojRafIER5MNM34lKfJC9QrMDBiUBYzrv3i/2QK3gE7t 8Y1Zpoemux8Uz/zps1I/pmjVAIixk2ilVOLDXkeS6Ta4ODrWayyuFM8b xwkodXsMtFAx5PhkVyHT5zJyScYYzC82aZs7fTmA6F01saabVsxIYAi6 78upgA==
>
> But now, what do I need to do for other DNS servers? Is it enough to simply add
>
>         dnssec-enable yes;
>         dnssec-validation yes;
>         managed-keys-directory "/usr/local/etc/namedb/working/keys";
>
> ? Should it simply validate the key with the primary and go from there? 
>
> I tried this, but trying to do a dig +dnssec on the secondary DNS doesn’t return the record, so I think there must be something else.
>
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
mje at posix.co.za       Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
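The AA-versus-AD distinction Mark draws above is easy to misread when eyeballing dig output, so here is a small checker, added as an example and not part of the post, that parses the header line dig prints and labels the response: "validated" when a validating resolver set AD, "authoritative-unvalidated" when an authoritative server answered with AA (which, as the post says, never carries AD), and "no-ds-at-parent" when a DS query to the parent zone comes back authoritative with an empty answer section. The sample outputs are the three header lines quoted in the post, trimmed to the relevant lines; the function and label names are this example's own.

```python
import re
from dataclasses import dataclass

# dig's header line, with or without the ";; " prefix (the DS query in the
# post was pasted without it).
HEADER_RE = re.compile(
    r"(?:;;\s*)?flags:\s*([a-z ]*?);\s*QUERY:\s*(\d+),\s*ANSWER:\s*(\d+),"
    r"\s*AUTHORITY:\s*(\d+),\s*ADDITIONAL:\s*(\d+)"
)


@dataclass
class DigHeader:
    flags: set
    answer: int
    authority: int
    additional: int


def parse_dig_header(output: str) -> DigHeader:
    """Pull the flag set and section counts out of pasted dig output."""
    m = HEADER_RE.search(output)
    if m is None:
        raise ValueError("no dig header line found in output")
    return DigHeader(
        flags=set(m.group(1).split()),
        answer=int(m.group(3)),
        authority=int(m.group(4)),
        additional=int(m.group(5)),
    )


def classify(output: str, qtype: str = "A") -> str:
    """Label what the flags say about the answer.

    'ad' is only ever set by a validating recursive resolver; an authoritative
    server sets 'aa' and never 'ad', so AA alone says nothing about DNSSEC.
    """
    h = parse_dig_header(output)
    if "ad" in h.flags:
        return "validated"
    if "aa" in h.flags:
        if qtype.upper() == "DS" and h.answer == 0:
            # The parent answered authoritatively that no DS exists:
            # the child zone is not linked into the chain of trust.
            return "no-ds-at-parent"
        return "authoritative-unvalidated"
    if h.answer == 0:
        return "nodata"
    return "unvalidated"


# Sample outputs: the header lines quoted in the post, trimmed.
RECURSIVE_OUT = """;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
posix.co.za.        3600    IN    A    192.96.24.1
;; SERVER: 127.0.0.1#53(127.0.0.1)
"""

AUTH_OUT = """;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 6
posix.co.za.        3600    IN    A    192.96.24.1
;; SERVER: 192.96.24.81#53(192.96.24.81)
"""

DS_OUT = """flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
"""

if __name__ == "__main__":
    for name, out, qtype in (("resolver", RECURSIVE_OUT, "A"),
                             ("authoritative", AUTH_OUT, "A"),
                             ("parent DS", DS_OUT, "DS")):
        print(f"{name:14s} -> {classify(out, qtype)}")
```

The AD bit is just a header bit set by whichever resolver answered you, so "validated" is only meaningful when that resolver is one you trust and the path to it is not tamperable (local host, or a trusted network); for anything else the check to run is your own validation with `dig +dnssec` against a local validating resolver.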
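The split Mark recommends between authoritative and recursive roles can be checked mechanically. The audit below is an added example, not code from the post or from BIND: it extracts the `options { ... }` block from a named.conf fragment with a minimal statement parser (no attempt to handle the full named.conf grammar) and reports, per role, the settings the post discusses: `allow-recursion` and `dnssec-validation`. The `audit`, `parse_options` and `_acl_items` names and the sample configs are this example's own; the `acl trusted` definition is a constructed stand-in for "my local networks".

```python
import re

STMT_RE = re.compile(r"([a-z-]+)\s+(\{[^}]*\}|[^;{]+)\s*;")


def _options_block(conf: str) -> str:
    """Return the text inside the top-level options { ... } block."""
    conf = re.sub(r"//[^\n]*", "", conf)               # strip // comments
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)  # strip /* */ comments
    m = re.search(r"\boptions\s*\{", conf)
    if m is None:
        raise ValueError("no options block found")
    depth, start = 1, m.end()
    for i in range(start, len(conf)):
        if conf[i] == "{":
            depth += 1
        elif conf[i] == "}":
            depth -= 1
            if depth == 0:
                return conf[start:i]
    raise ValueError("unbalanced braces in options block")


def parse_options(conf: str) -> dict:
    """Map each simple 'key value;' statement in options to its value text."""
    return {k: " ".join(v.split()) for k, v in STMT_RE.findall(_options_block(conf))}


def _acl_items(value: str) -> list:
    """'{ none; }' -> ['none']; '' -> []"""
    return re.findall(r"[^{};\s]+", value)


def audit(conf: str, role: str) -> list:
    """Findings for a named.conf meant to be 'authoritative' or 'recursive'."""
    opts = parse_options(conf)
    acl = _acl_items(opts.get("allow-recursion", ""))
    validation = opts.get("dnssec-validation")
    findings = []
    if role == "authoritative":
        # BIND's default is 'recursion yes', so silence here means recursion.
        if opts.get("recursion", "yes") != "no" and acl != ["none"]:
            findings.append("recursion is not disabled on an authoritative server; "
                            "use 'allow-recursion { none; };' (or 'recursion no;')")
        if validation in ("yes", "auto"):
            findings.append("dnssec-validation is set on an authoritative server; "
                            "validation only applies to recursive lookups, do it on the resolver")
    elif role == "recursive":
        if opts.get("recursion", "yes") == "no":
            findings.append("recursion is disabled on a server meant to be a resolver")
        if "any" in acl:
            findings.append("allow-recursion { any; } makes this an open resolver; "
                            "restrict it to trusted networks, e.g. allow-recursion { trusted; }")
        if validation is None:
            findings.append("dnssec-validation is not set explicitly; "
                            "state 'dnssec-validation auto;' so the intent is clear")
        elif validation == "no":
            findings.append("dnssec-validation no: answers carry no AD bit and forged data is not rejected")
        elif validation == "yes":
            findings.append("note: 'dnssec-validation yes' validates only against trust anchors "
                            "you configure yourself; 'auto' uses BIND's built-in root key")
    else:
        raise ValueError("role must be 'authoritative' or 'recursive'")
    return findings


# Constructed sample configs (not from the post's servers).
AUTH_GOOD = "options {\n  allow-recursion { none; };\n};\n"
AUTH_BAD = "options {\n  dnssec-validation auto;\n  allow-recursion { any; };\n};\n"
REC_GOOD = ("acl trusted { 127.0.0.1; 192.0.2.0/24; };\n"
            "options {\n  dnssec-enable yes;\n  dnssec-validation auto;\n"
            "  allow-recursion { trusted; };  // trusted is only my local networks\n};\n")
REC_BAD = "options {\n  dnssec-validation no;\n  allow-recursion { any; };\n};\n"

if __name__ == "__main__":
    for label, conf, role in (("auth good", AUTH_GOOD, "authoritative"),
                              ("auth bad", AUTH_BAD, "authoritative"),
                              ("rec good", REC_GOOD, "recursive"),
                              ("rec bad", REC_BAD, "recursive")):
        print(label, audit(conf, role) or "ok")
```

Run it against a copy of the real named.conf with the role you intend for that host; an empty list means the options the post calls out are as recommended, nothing more. The parser deliberately ignores `view` and `zone` blocks, so options set inside a view need to be checked by hand.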


