This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[dns-wg] New on RIPE Labs: Securing DNS Across all of my Devices
- Previous message (by thread): [dns-wg] New on RIPE Labs: Securing DNS Across all of my Devices
- Next message (by thread): [dns-wg] Announcement - Joint CENTR-Tech / DNS-OARC Workshop, Amsterdam, NL, 13th/14th October 2018
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Tony Finch
dot at dotat.at
Thu May 17 17:48:48 CEST 2018
Masud Akhtar Ahmed <m.ahmed at londontelecom.net> wrote:

> It's easier than that :-)
>
> a) Need to enable dnssec in /etc/named.conf configuration file.
>
> options { dnssec-enable yes; dnssec-validation yes; dnssec-lookaside auto; }

You don't need the dnssec-enable option: the default is "yes" and turning it off will break things.

The DLV has been decommissioned, so you should omit the dnssec-lookaside option.

On a resolver you should set `dnssec-validation auto` which enables RFC 5011 trust anchor rollover, initialized using the root key that is built in to BIND. If you set it to `yes` then you must be prepared to do manual trust anchor management, and you should ask yourself probing questions why.

> # dnssec-keygen -a RSASHA1 -b 1024 -n ZONE londontelecom.net

You should use ECDSAP256SHA256, or RSASHA256 with 2048 bit keys, same for ZSK and KSK. 1024 is too small and 4096 is wasteful.

> d) To make the zones use DNSSEC,

Use `named`'s built-in signer: `auto-dnssec maintain`. Don't use `dnssec-signzone` unless you are an expert doing weird stuff. The `inline-signing` option requires fewer changes to existing setups that edit zone files; it isn't necessary if your zones are dynamic.

Remember to make your private keys readable by named, e.g.

    # chgrp named K*.private
    # chmod g+r K*.private

Tony.
-- 
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
an equitable and peaceful international order
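The following named.conf fragment is an added example, not part of Tony's or Masud's mail, putting the quoted options block next to the configuration the reply recommends. The zone name `example.com`, the file and key-directory paths and the `named` group are assumptions chosen for illustration; everything else (the option names, the algorithm choice, the ownership fix) is what the reply states.

```conf
// --- As quoted in the original mail (weak / obsolete) ---
// options {
//     dnssec-enable yes;        // default is already yes; setting it buys nothing
//     dnssec-validation yes;    // requires manual trust-anchor management
//     dnssec-lookaside auto;    // DLV is decommissioned; this must be dropped
// }

// --- Corrected resolver/authoritative options, per the reply ---
options {
    // "auto" turns on RFC 5011 managed trust-anchor rollover, seeded from
    // the root key compiled into BIND; no dnssec-enable, no dnssec-lookaside.
    dnssec-validation auto;
};

// --- Authoritative zone signed by named's built-in signer ---
// Keys for this zone are generated once, out of band, with the recommended
// algorithm rather than RSASHA1/1024 (zone name and directory are assumed):
//   # cd /etc/named/keys
//   # dnssec-keygen -a ECDSAP256SHA256 -n ZONE example.com          (ZSK)
//   # dnssec-keygen -a ECDSAP256SHA256 -n ZONE -f KSK example.com   (KSK)
//   # chgrp named K*.private
//   # chmod g+r K*.private
zone "example.com" {
    type master;
    file "/etc/named/zones/example.com.zone";   // assumed path; edited by hand
    key-directory "/etc/named/keys";             // assumed path; must match above
    auto-dnssec maintain;   // named loads the K* keys and keeps signatures fresh
    inline-signing yes;     // sign a copy, so the hand-edited file stays unsigned
};
```

With `inline-signing yes` the unsigned zone file is left untouched and named keeps the signed copy beside it, which is why the reply says it suits setups that still edit zone files; a zone maintained purely by dynamic updates can omit it. One caveat a practitioner checking this today should know: `auto-dnssec` and `inline-signing` are the mechanism of the BIND 9.9 to 9.16 era that this 2018 mail describes; from BIND 9.16 onward the `dnssec-policy` statement supersedes them, and `auto-dnssec` is deprecated in 9.18, so check the release notes for the version you run.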