On Mon, 2010-03-29 at 11:17 +0200, Mark Elkins wrote:
> I'm trying to come up with an interim solution for my ISP's DNS
> Recursive Resolver that is DNSSEC aware.
>
> My thoughts so far:-
> Use BIND 9.6.1-P3 (this is the latest version named that Gentoo Linux
> gives me).
Ouch! - bitten by the signing of ARPA....

/etc/bind/named.conf.trust:225: configuring trusted key for 'ARPA.': algorithm is unsupported.

-and-

* No specific action is requested of operators. This message is
* for your information only.
* The ARPA zone is about to be signed using DNSSEC. The technical
* parameters by which ARPA will be signed are as follows:
* KSK Algorithm and Size: 2048 bit RSA

I thought unrecognised algorithms were meant to be ignored?

Time to try Bind 9.7.0-P1 ??

> In order to fetch both iTAR and DLV signatures - use a patched version
> of WGET that is dnssec aware.
>
> Once a week (is this frequent enough?) fetch the DNSSEC signatures from
> iTAR and ISC/DLV, convert the iTAR xml stuff into Signatures, append the
> DLV signature and then include this file into my named.conf
> configuration.
> (named.conf: include "named.conf.trust-anchors"; )
>
> In named.conf --> options, add:
> dnssec-enable yes;
> dnssec-validation yes;
> dnssec-lookaside . trust-anchor dlv.isc.org.;
>
> This appears to be working for me.
> Questions are - how frequently should one fetch these trust-anchors? I'd
> have thought once a week was enough but have read of situations where
> people using ISC's DLV have had past problems.
>
> I'm hoping that by using both iTAR and DLV - that I won't have this
> problem - have not noticed anything personally yet.
>
> I call this an "interim" solution - interim until the root is signed
> with live data and contains the data that ITAR is currently being used
> to store. I don't see ISC's DLV disappearing overnight just because the
> root is signed either...
>
> I'm only doing the 'wget-ting' from one location, then distributing
> internally from there - in order to reduce loads.
>
> What other suggestions do people have to achieve something similar?
>
> ps - I find the CZ "DNSSEC Validator" (addon) plugin to Firefox very
> inspiring! Anyone aware of something similar for IE?
>
> _______________________________________________
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Mark J Elkins, Cisco CCIE - Posix Systems - Sth Africa. e.164 VOIP ready
m...@posix.co.za  Tel: +27 12 807 0590  Cell: +27 82 601 0496
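The failure above is named refusing to start because one anchor in the included trusted-keys file uses an algorithm the build does not implement. The script below is an added example, not code from the post or from ISC: it parses a trusted-keys fragment, separates anchors the build can load from ones it would reject, and re-emits only the loadable ones so the include no longer stops named. The supported-algorithm set and the key material are constructed for illustration (a build that predates RSASHA256, algorithm 8); the real set for a given build has to be taken from that build.

```python
import re
from typing import Dict, List, Tuple

# Algorithm numbers this named build accepts. Constructed assumption for the
# example (a build without RSASHA256, algorithm 8); check your own build.
SUPPORTED_ALGS = {1, 3, 5, 6, 7}

# Constructed sample fragment; the base64 strings are placeholders,
# not the real DLV or ARPA public keys.
SAMPLE_CONF = '''trusted-keys {
    "dlv.isc.org." 257 3 5 "AwEAAc0nstructedDLVplaceholder==";
    "arpa." 257 3 8 "AwEAAc0nstructedARPAplaceholder==";
};
'''

# One entry: "name" flags protocol algorithm "base64key";
ENTRY_RE = re.compile(r'"([^"]+)"\s+(\d+)\s+(\d+)\s+(\d+)\s+"([^"]+)"\s*;')

def parse_trusted_keys(text: str) -> List[Dict]:
    """Return every anchor in a trusted-keys block as a dict."""
    entries = []
    for name, flags, proto, alg, key in ENTRY_RE.findall(text):
        entries.append({"name": name, "flags": int(flags), "protocol": int(proto),
                        "algorithm": int(alg), "key": "".join(key.split())})
    return entries

def split_by_support(entries: List[Dict], supported=SUPPORTED_ALGS) -> Tuple[List[Dict], List[Dict]]:
    """Separate anchors named can load from ones it would reject at startup.
    A dropped anchor means that zone is simply not validated via this anchor,
    so the dropped list is worth logging rather than silently discarding."""
    kept = [e for e in entries if e["algorithm"] in supported]
    dropped = [e for e in entries if e["algorithm"] not in supported]
    return kept, dropped

def render_trusted_keys(entries: List[Dict]) -> str:
    """Emit a trusted-keys block ready to be included from named.conf."""
    lines = ["trusted-keys {"]
    for e in entries:
        lines.append(f'    "{e["name"]}" {e["flags"]} {e["protocol"]} {e["algorithm"]} "{e["key"]}";')
    lines.append("};")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    kept, dropped = split_by_support(parse_trusted_keys(SAMPLE_CONF))
    for e in dropped:
        print(f"skipping {e['name']}: algorithm {e['algorithm']} unsupported by this build")
    print(render_trusted_keys(kept))
```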
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users