This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/dns-wg@ripe.net/
[dns-wg] New on RIPE Labs: Securing DNS Across all of my Devices
- Previous message (by thread): [dns-wg] New on RIPE Labs: Securing DNS Across all of my Devices
- Next message (by thread): [dns-wg] Announcement - Joint CENTR-Tech / DNS-OARC Workshop, Amsterdam, NL, 13th/14th October 2018
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Tony Finch
dot at dotat.at
Thu May 17 17:48:48 CEST 2018
Masud Akhtar Ahmed <m.ahmed at londontelecom.net> wrote: > It's easier than that :-) > a) Need to enable dnssec in /etc/named.conf configuration file. > options { dnssec-enable yes; dnssec-validation yes; dnssec-lookaside auto; } You don't need the dnssec-enable option: the default is "yes" and turning it off will break things. The DLV has been decommissioned, so you should omit the dnssec-lookaside option. On a resolver you should set `dnssec-validation auto` which enables RFC 5011 trust anchor rollover, initialized using the root key that is built in to BIND. If you set it to `yes` then you must be prepared to do manual trust anchor management, and you should ask yourself probing questions why. > # dnssec-keygen -a RSASHA1 -b 1024 -n ZONE londontelecom.net You should use ECDSAP256SHA256, or RSASHA256 with 2048 bit keys, same for ZSK and KSK. 1024 is too small and 4096 is wasteful. > d) To make the zones use DNSSEC, Use `named`s built-in signer: `auto-dnssec maintain`. Don't use `dnssec-signzone` unless you are an expert doing weird stuff. The `inline-signing` option requires fewer changes to existing setups that edit zone files; it isn't necessary if your zones are dynamic. Remember to make your private keys readable by named, e.g. # chgrp named K*.private # chmog g+r K*.private Tony. -- f.anthony.n.finch <dot at dotat.at> http://dotat.at/ an equitable and peaceful international order
- Previous message (by thread): [dns-wg] New on RIPE Labs: Securing DNS Across all of my Devices
- Next message (by thread): [dns-wg] Announcement - Joint CENTR-Tech / DNS-OARC Workshop, Amsterdam, NL, 13th/14th October 2018
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ dns-wg Archives ]