DNSSEC implementation on IPv6 PTR Zones

Mark Elkins mje at posix.co.za
Thu Nov 18 10:14:56 UTC 2021


And I can testify that this works. I have 2001:42a0::/32 signed via AFRINIC.

One suggestion though. When one signs an IPv4 reverse - use NSEC - as 
everyone can guess what is there anyway.
With IPv6 - you might want to use NSEC3 - as there can be huge holes in 
the reverse zone. Make the bad guy work at guessing what is in the zone.
Also - if signing a brand new zone - try using Algo 13 (Elliptical 
curve) as it will generate shorter keys - so less chance of your zone 
being used in a DNS DDoS amplification attack - it doesn't amplify as much.


On 11/18/21 12:07 PM, Mark Andrews wrote:
> You do it exactly the same as any other zone.  You create DNSKEYs. You 
> sign the zone. You add DS records to the parent zone.
>
> -- 
> Mark Andrews
>
>> On 18 Nov 2021, at 20:28, Divya <divya.p at nic.in> wrote:
>>
>> 
>> Dear Admin,
>>
>> Has anybody implemented DNSSEC on IPv6 reverse zones?
>> Kindly help us to configure DNSSEC on reverse zones of IPv6 segment 
>> with BIND 9.17.16+CentOS 7.9.
>>
>> With Thanks & Regards
>> Divya
>>
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to 
>> unsubscribe from this list
>>
>> ISC funds the development of this software with paid support 
>> subscriptions. Contact us at https://www.isc.org/contact/ for more 
>> information.
>>
>>
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>
-- 

Mark James ELKINS  -  Posix Systems - (South) Africa
mje at posix.co.za       Tel: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
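
Added example, not part of the original thread: a short Python sketch of what the NSEC3 suggestion above changes for an IPv6 reverse zone. It derives the ip6.arpa zone name for the prefix mentioned in the message and computes the RFC 5155 hashed owner name for one PTR record. The function names, the host address, and the empty salt with zero extra iterations are assumptions of this example.

```python
import base64
import hashlib
import ipaddress

# Translate the RFC 4648 base32 alphabet to base32hex, which NSEC3 uses.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def reverse_zone(prefix: str) -> str:
    """ip6.arpa zone name for a nibble-aligned IPv6 prefix."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen % 4:
        raise ValueError("prefix length must be a multiple of 4")
    nibbles = net.network_address.exploded.replace(":", "")[:net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

def ptr_owner(addr: str) -> str:
    """Fully qualified owner name of the PTR record for one address."""
    return ipaddress.IPv6Address(addr).reverse_pointer + "."

def wire_name(name: str) -> bytes:
    """Canonical (lower-case) DNS wire format of a domain name."""
    out = b""
    for label in filter(None, name.lower().split(".")):
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def nsec3_hash(name: str, salt_hex: str = "", iterations: int = 0) -> str:
    """RFC 5155 hash: SHA-1 over name||salt, re-hashed `iterations` more times."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode().lower()

if __name__ == "__main__":
    zone = reverse_zone("2001:42a0::/32")     # prefix mentioned in the message
    owner = ptr_owner("2001:42a0::53")        # constructed host address
    print("zone        :", zone)
    print("PTR owner   :", owner)
    # With NSEC the denial chain would list owner names like the one above in
    # clear text; with NSEC3 it lists hashed owners like this one instead.
    print("NSEC3 owner :", nsec3_hash(owner) + "." + zone)
```
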
