DNSSEC basic information

John W. Blue john.blue at rrcic.com
Mon Sep 23 21:00:22 UTC 2019


Jukka,

Some odds n ends in no particular order:

1. DNSSEC was designed for external zones

2. Use delv instead of dig when troubleshooting DNSSEC and play around with these options:

+rtrace (resolver)
+vtrace (validation)

You want to see “fully validated”.

3. Commit these values to memory so that when using delv you will know what is being returned:

256 = ZSK
257 = KSK

4. Always remember that the way that records are signed is linear and it will help with situational awareness:

A DNS record is signed by the ZSK and the ZSK is signed by KSK.  And a DSKEY is created by the KSK.

5. DNSSEC takes a small amount of maintenance and housekeeping to manage key rollovers.

Rolling a ZSK is purely an internal operation and requires no interaction with the outside world.  Roll monthly.
Rolling a KSK requires a new DS record to be published to the parent.  Roll yearly.

6. Use NSEC3.

Hope that helps!

John
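As an added illustration of John's points 3 and 4 (not part of his post), this Python script parses a DNSKEY record, classifies it as ZSK or KSK from the flags field (256 or 257), computes the RFC 4034 key tag that delv and dig print, and derives the DS record a parent would publish for a KSK. The DNSKEY records are constructed samples with a dummy 4-byte key, not real keys.

```python
import base64
import hashlib

# Flag bits of the DNSKEY flags field (RFC 4034 2.1.1; REVOKE from RFC 5011).
FLAG_ZONE = 0x0100    # bit 7: this is a zone key
FLAG_SEP = 0x0001     # bit 15: Secure Entry Point, i.e. a KSK
FLAG_REVOKE = 0x0080  # bit 8: key has been revoked (RFC 5011)

def parse_dnskey(rr):
    """Parse a DNSKEY RR in presentation format (TTL and class optional)."""
    toks = rr.split()
    i = toks.index("DNSKEY")
    flags, proto, alg = (int(t) for t in toks[i + 1:i + 4])
    return {"owner": toks[0].lower(), "flags": flags, "protocol": proto,
            "algorithm": alg, "key": base64.b64decode("".join(toks[i + 4:]))}

def key_role(flags):
    """Map the flags value to its role: 256 = ZSK, 257 = KSK."""
    if not flags & FLAG_ZONE:
        return "not a zone key"
    if flags & FLAG_REVOKE:
        return "revoked"
    return "KSK" if flags & FLAG_SEP else "ZSK"

def rdata(k):
    """DNSKEY RDATA in wire format: flags, protocol, algorithm, public key."""
    return (k["flags"].to_bytes(2, "big")
            + bytes([k["protocol"], k["algorithm"]]) + k["key"])

def key_tag(k):
    """RFC 4034 Appendix B key tag (the 'key id' seen in delv/dig output)."""
    ac = 0
    for i, b in enumerate(rdata(k)):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def owner_wire(name):
    """Owner name in DNS wire format, lowercased, as used for the DS digest."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def ds_record(k, digest_type=2):
    """DS RDATA the parent publishes for a KSK (digest type 2 = SHA-256)."""
    digest = hashlib.sha256(owner_wire(k["owner"]) + rdata(k)).hexdigest().upper()
    return f"{k['owner']} IN DS {key_tag(k)} {k['algorithm']} {digest_type} {digest}"

# Constructed samples: algorithm 13 (ECDSAP256SHA256) with a dummy 4-byte key.
SAMPLE_KSK = "example.com. 3600 IN DNSKEY 257 3 13 AQIDBA=="
SAMPLE_ZSK = "example.com. 3600 IN DNSKEY 256 3 13 AQIDBA=="

if __name__ == "__main__":
    for rr in (SAMPLE_KSK, SAMPLE_ZSK):
        k = parse_dnskey(rr)
        print(key_role(k["flags"]), "key tag", key_tag(k))
    print(ds_record(parse_dnskey(SAMPLE_KSK)))
```

Comparing the generated DS line against what the parent actually serves is a quick way to confirm a KSK rollover has completed before the old key is retired.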

From: bind-users [mailto:bind-users-bounces at lists.isc.org] On Behalf Of Jukka Pakkanen
Sent: Monday, September 23, 2019 3:32 PM
To: Jukka Pakkanen; bind-users at isc.org
Subject: RE: DNSSEC basic information

Already found out about https://ftp.isc.org/isc/dnssec-guide/html/dnssec-guide.html, and that, for example, the dnssec-enable option is now on by default…   but any useful hints still gladly received 😊

Jukka

From: bind-users <bind-users-bounces at lists.isc.org> On Behalf Of Jukka Pakkanen
Sent: 23 September 2019 22:17
To: bind-users at isc.org
Subject: DNSSEC basic information

I am finally digging into DNSSEC, updating our BIND 9.14.5 servers to support it, both resolving & signing, secure zone transfers etc.

I have just read DNSSEC Mastery by Michael W. Lucas from the year 2013, and my question basically is: is this information from 6 years back still valid, or hopelessly outdated?  I do suppose in six years things have already changed a lot.  And when I started testing some things, I noticed they are not working as expected, as presented in the book.  Like when I upgraded our servers to DNSSEC resolving, the only zone I can find the ad flag set for is paypal.com; for example isc.org does not show it.

Also, with the current status of DNSSEC, is it still recommended/required to have separate authoritative & recursive servers, DNSSEC-wise?

DLV functionality seems to be dropped from the current BIND too?

And so on... would like to know how outdated this book is, what has changed since 2013, and also, any hints for good DNSSEC tutorials with today's BIND versions.

Jukka

