I have a domestic-type connection, with 7 computers on an internal network, where I do not have access to make any changes to the IP. I use an external DNS service to manage the bind9 service, although I have another one installed and running locally. Both in the external and the internal bind services I have the same DMARC and DKIM configuration, and of course I would like to know, as I am really a novice in system administration, whether the external DNSSEC configuration that manages the domain, zoneedit, is enough to use DNSSEC correctly?

On 27/03/2021 at 13:34, Viktor Dukhovni wrote:
On Sat, Mar 27, 2021 at 12:51:36PM +0100, Francesc Peñalvez wrote:

I have the dns of the domain managed externally, configured with
dnssec, and another host running postfix. How could I integrate that
postfix use the dnssec configuration? Would it be enough to add the
dns of the external service to the postfix resolv.conf?

As written, the question makes no sense.  You'll need to
explain your goals in more detail.

     - If your domain is already signed, then clients
       resolving data about your domain are able (when
       suitably configured) to validate the integrity
       of that data.

     - If you're looking to use DNSSEC as a client, to
       validate DNS records of remote domains, all you
       need is a local (running on the Postfix server
       itself, listening on 127.0.0.1:53) validating
       resolver, such as unbound, Knot, BIND, ...

* The DNSSEC status of your own domain is irrelevant
   for validating remote domains.

* Validating remote domains does not directly do anything
   to ensure data integrity for your own domains when queried
   by others.

See:

     https://stats.dnssec-tools.org/explore/?almogavers.net
     https://dnsviz.net/d/almogavers.net/YFjc3g/dnssec/

I would perhaps recommend either switching to algorithm 13 (ECDSA P256),
which has better security at a lower key size, or use a ZSK that is
shorter than 2048 bits (1280 bits is what .COM uses), which tends to be
a bit too large for unfragmented UDP when responses carry multiple
signatures (e.g.  NSEC3 negative answers).  Fragmented UDP is not
reliable these days over wide-area networks.

For small zones with no names to hide, just use NSEC.
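
The sizing argument above (ZSK length versus the number of signatures in an NSEC3 negative answer), worked through as an added example that is not part of the thread. The packet layout is a simplified model: the SOA and NSEC3 record sizes, the zone and query names, and the 1232-byte EDNS buffer threshold are assumptions, so the totals are estimates rather than exact wire sizes.

```python
"""Estimate the wire size of a signed NSEC3 negative answer for several ZSK choices."""


def signature_len(algorithm: str, key_bits: int = 0) -> int:
    """RSA signatures are as long as the modulus (RFC 3110);
    an ECDSA P-256 signature (DNSSEC algorithm 13) is a fixed 64 bytes (RFC 6605)."""
    if algorithm == "RSA":
        return key_bits // 8
    if algorithm == "ECDSAP256SHA256":
        return 64
    raise ValueError(f"unsupported algorithm {algorithm!r}")


def wire_name_len(name: str) -> int:
    """Uncompressed wire length of a dotted name: one length byte per label plus the root byte."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return sum(1 + len(label) for label in labels) + 1


def rrsig_rr_len(sig_len: int, signer_name: str) -> int:
    """Wire size of one RRSIG RR whose owner name is a 2-byte compression pointer."""
    rr_header = 2 + 2 + 2 + 4 + 2   # owner pointer, TYPE, CLASS, TTL, RDLENGTH
    rdata_fixed = 18                # RFC 4034 s3.1 fields preceding the signer's name
    return rr_header + rdata_fixed + wire_name_len(signer_name) + sig_len


def negative_answer_len(algorithm: str, key_bits: int = 0,
                        zone: str = "almogavers.net.", qname: str = "nx.almogavers.net.",
                        nsec3_records: int = 3) -> int:
    """Assumed layout: header, question, OPT, SOA, N NSEC3 records (closest-encloser
    proof), and one RRSIG per RRset (the SOA plus each NSEC3)."""
    header = 12
    question = wire_name_len(qname) + 4     # QNAME + QTYPE + QCLASS
    opt_rr = 11                             # EDNS0 OPT pseudo-RR with empty RDATA
    soa_rr = 80                             # assumed: MNAME/RNAME compressed
    nsec3_rr = 77                           # assumed: 32-char hashed owner, SHA-1, no salt
    sig = signature_len(algorithm, key_bits)
    rrsigs = (1 + nsec3_records) * rrsig_rr_len(sig, zone)
    return header + question + opt_rr + soa_rr + nsec3_records * nsec3_rr + rrsigs


EDNS_BUFFER = 1232   # EDNS buffer size recommended by DNS Flag Day 2020


def fits_unfragmented(algorithm: str, key_bits: int = 0) -> bool:
    """True when the estimated response fits in a single unfragmented UDP datagram."""
    return negative_answer_len(algorithm, key_bits) <= EDNS_BUFFER


if __name__ == "__main__":
    for alg, bits in (("RSA", 2048), ("RSA", 1280), ("ECDSAP256SHA256", 0)):
        size = negative_answer_len(alg, bits)
        print(f"{alg:<16} {bits or '-':>5}  ~{size} bytes  fits: {fits_unfragmented(alg, bits)}")
```

With four signatures in the answer, the 2048-bit RSA ZSK overshoots the 1232-byte buffer while 1280-bit RSA and ECDSA P-256 stay well under it, which is the trade-off the reply describes.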

