DNSSEC validation via DLV
Mark Elkins
mje at posix.co.za
Fri Jul 19 06:35:31 UTC 2019
That I understand. Use me (Posix) then, full DNSSEC support.
https://vweb.co.za. If you like, run your DNS wherever you want, just
use me at the Registrar.
Unfortunately, very few Registrars in ZA-Land have implemented DNSSEC
support - despite ZA having a very high percentage of DNSSEC resolver
support (about 50% of all queries hit a DNSSEC aware recursive resolver!)
On 2019/07/19 01:57, peek at vspace.co.za wrote:
> By all means, not a difficult process at all. I have DNSSEC enabled and fully operational on .com domains.
>
> Problem being, no options exist as to export the DS record of co.za, com.au or net.au domains to the respective registrars, being namecheap.com and axxess.co.za.
>
> Noted that namecheap.com does accept the DS records for .com domains, yet not for .au domains.
>
> -----Original Message-----
> From: bind-users [mailto:bind-users-bounces at lists.isc.org] On Behalf Of Mal via bind-users
> Sent: Thursday, 18 July 2019 10:22 PM
> To: mje at posix.co.za; bind-users at lists.isc.org
> Subject: Re: DNSSEC validation via DLV
>
>
> Not a difficult process really..
>
> -Configure a DNSSEC enabled name server
> -Create a some zone keys (dnssec-keygen) -Sign your zone (dnssec-signzone) -Update your nameserver configuration to point to the signed zone file -Export your DS records (dsset) to the domain registration company (EPP).
>
> Confirm the chain.. http://dnsviz.net/d/apnic.com.au/dnssec/
>
> Mal
>
>
>
> On 18/07/2019 4:46 pm, Mark Elkins wrote:
>> I can't comment on com.au (but looking up the Nameservers, I see the
>> AD bit set - so DNSSEC appears to be in use..
>>
>> However, co.za (and net.oza, org.za & web.za) which are managed by the
>> ZACR (and DNS) - they are all signed and I personally have domains
>> under these second levels - all running DNSSEC. The DS records are
>> added to the parents using EPP - and it works perfectly. I used to
>> present free (to the community) DNS classes to the community (the ZACR
>> paid me) and this (DNSSEC) was taught to attendees. Unfortunately, no
>> more classes for now.
>>
>> DNSSEC in CO.ZA became live at about the time DLV stopped running. The
>> other SLD's had already been running for about a year.
>>
>> For the record, EDU.ZA is also signed and can accept DS records -
>> albeit via a Web interface.
>>
>> @peek - you are most welcome to chat to me.
>>
>>
>> On 2019/07/18 04:34, peek at vspace.co.za wrote:
>>
>>> With DLV (DNSSEC Lookaside Validation) having been decommissioned,
>>> though zones still exists that does not provide a fully signed path
>>> from root to zone, i.e. .com.au , co.za etc, how would an
>>> administrator enable / implement DNSSEC validation for these zones ?
>>>
>>>
>>> _______________________________________________
>>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>>> unsubscribe from this list
>>>
>>> bind-users mailing list
>>> bind-users at lists.isc.org
>>> https://lists.isc.org/mailman/listinfo/bind-users
>>
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>> unsubscribe from this list
>>
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Mark James ELKINS - Posix Systems - (South) Africa
mje at posix.co.za Tel: +27.128070590 Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
More information about the bind-users
mailing list