Re: How to Setup DNSSEC
IMO, a resolver will have the ability to get the public key of a ZSK for validating the signed RR. How will it get this public key? And is the usage of a KSK similar to a CA certificate? Thanks again.

On 2012-10-17 11:25, Alan Clegg wrote:
> On Oct 16, 2012, at 8:17 PM, pangj wrote:
>> On 2012-10-17 11:10, Alan Clegg wrote:
>>> No, it means that I haven't inserted the DS record for dnslab.org into the .org zone.
>>
>> For the DS record's data, is it the public key of the ZSK? Thanks.
>
> No, it's a hash of the KSK.
>
> AlanC
Re: How to Setup DNSSEC
On 2012-10-17 11:25, Alan Clegg wrote:
> On Oct 16, 2012, at 8:17 PM, pangj wrote:
>> On 2012-10-17 11:10, Alan Clegg wrote:
>>> No, it means that I haven't inserted the DS record for dnslab.org into the .org zone.
>>
>> For the DS record's data, is it the public key of the ZSK? Thanks.
>
> No, it's a hash of the KSK.
>
> AlanC

Thanks. Never deployed DNSSEC. Will find a server to give it a try.
Re: How to Setup DNSSEC
On Oct 16, 2012, at 8:17 PM, pangj wrote:
> On 2012-10-17 11:10, Alan Clegg wrote:
>> No, it means that I haven't inserted the DS record for dnslab.org into the
>> .org zone.
>
> For the DS record's data, is it the public key of the ZSK? Thanks.

No, it's a hash of the KSK.

AlanC
-- 
Alan Clegg | +1-919-355-8851 | a...@clegg.com
Re: How to Setup DNSSEC
On 2012-10-17 11:10, Alan Clegg wrote:
> No, it means that I haven't inserted the DS record for dnslab.org into the .org zone.

For the DS record's data, is it the public key of the ZSK? Thanks.
Re: How to Setup DNSSEC
In message <507e212e.5090...@riseup.net>, pangj writes:
> On 2012-10-17 10:54, Mark Andrews wrote:
>> There is no DS for udp53.org so there is no secure trust chain.
>
> Does this mean .org has not been signed?

No. It means that there is no DS for udp53.org. For udp53.org to validate as secure there needs to be the following set of records:

	.          DNSKEY
	ORG        DS
	ORG        DNSKEY
	UDP53.ORG  DS        # Missing
	UDP53.ORG  DNSKEY

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
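The record chain Mark lists here, together with Alan's point further down that a DS is a hash of the KSK rather than the ZSK's public key, worked through as an added example (not code from this thread or from BIND): it derives a DS from a DNSKEY the way RFC 4034 specifies (key tag, then SHA-256 over the canonical owner name followed by the DNSKEY RDATA) and walks root -> org -> udp53.org, checking that each parent publishes a DS matching a key in the child. The zone data and the 8-byte "keys" are constructed filler, and RRSIG verification is deliberately left out so the focus stays on the DS link.

```python
import copy
import hashlib
import struct

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercased, length-prefixed labels, root terminator."""
    labels = [l for l in name.lower().strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
def dnskey_rdata(flags, algorithm, pubkey):
    """DNSKEY RDATA: flags (257 = KSK with SEP bit, 256 = ZSK), protocol 3, algorithm, key bytes."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey
def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (ac + ((ac >> 16) & 0xFFFF)) & 0xFFFF
def make_ds(owner, rdata):
    """DS RDATA: (key tag, algorithm, digest type 2, hex SHA-256 over owner name || DNSKEY RDATA)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)
def ancestors(target):
    """'udp53.org.' -> ['.', 'org.', 'udp53.org.']: the zones a validator walks, top down."""
    labels = target.strip(".").split(".")
    return ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]

def check_chain(zones, target):
    """Root DNSKEY is the trust anchor; each zone below needs a DS in its parent matching one of
    its own DNSKEYs. Returns (zone, reason) at the first broken link, or None if all link up."""
    path = ancestors(target)
    for parent, child in zip(path, path[1:]):
        ds_set = zones[parent].get("DS", {}).get(child, [])
        if not ds_set:
            return (child, "insecure: no DS in " + parent)  # Mark's "UDP53.ORG DS # Missing"
        if not any(ds == make_ds(child, k) for ds in ds_set for k in zones[child]["DNSKEY"]):
            return (child, "bogus: DS in " + parent + " matches no DNSKEY")
    return None

def publish_ds(zones, child, ksk_rdata):
    """Copy of the zone data with the child's DS (the hash of its KSK) added to the parent zone."""
    new = copy.deepcopy(zones)
    new[ancestors(child)[-2]].setdefault("DS", {})[child] = [make_ds(child, ksk_rdata)]
    return new

# Constructed zone data; the 8-byte keys are filler standing in for real public keys.
ROOT_KSK, ORG_KSK, UDP53_KSK = [dnskey_rdata(257, 8, bytes([n]) * 8) for n in (0x10, 0x20, 0x30)]
ZONES = {
    ".": {"DNSKEY": [ROOT_KSK], "DS": {"org.": [make_ds("org.", ORG_KSK)]}},
    "org.": {"DNSKEY": [ORG_KSK]},  # signed, but no DS for udp53.org published in it yet
    "udp53.org.": {"DNSKEY": [UDP53_KSK]},
}
```

Running `check_chain(ZONES, "udp53.org.")` reports the missing DS in org.; after `publish_ds(ZONES, "udp53.org.", UDP53_KSK)` the walk completes, and a DS derived from the wrong key is reported as bogus rather than insecure.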
Re: How to Setup DNSSEC
On Oct 16, 2012, at 8:08 PM, pangj wrote:
> On 2012-10-17 10:54, Mark Andrews wrote:
>> There is no DS for udp53.org so there is no secure trust chain.
>
> Does this mean .org has not been signed?

No, it means that I haven't inserted the DS record for dnslab.org into the .org zone.

AlanC
-- 
Alan Clegg | +1-919-355-8851 | a...@clegg.com
Re: How to Setup DNSSEC
On 2012-10-17 10:54, Mark Andrews wrote:
> There is no DS for udp53.org so there is no secure trust chain.

Does this mean .org has not been signed?
Re: How to Setup DNSSEC
In message <507e1c73.6050...@riseup.net>, pangj writes:
> Hi,
>
> $ dig +dnssec udp53.org soa
>
> ; <<>> DiG 9.6.1-P2 <<>> +dnssec udp53.org soa
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37254
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 11
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;udp53.org.                     IN      SOA
>
> ;; ANSWER SECTION:
> udp53.org.              3600    IN      SOA     blox.wetworks.org.
> alan.clegg.com. 1259962123 86400 3600 2419200 300
> udp53.org.              3600    IN      RRSIG   SOA 8 2 3600
> 20121030214830 20121016204830 48948 udp53.org.
> eVftM2Iu4Q/pn0AVW3EXYricq2BagrleTAbQvAtbqOOj3UgSzQHwxR/i
> 2zOTayebAx65K7mDql1qXaXUh7GAj1fmjKiaf1YR4QR1RHg2tV5dFEuP
> j6bha3QD0YfxS8pPGywsNeLn+6BwM2FrSOKefvc1S/GAv6y9ei/gj8qG 94Y=
>
> From the result above, I didn't see an AD flag set. Why?

There is no DS for udp53.org so there is no secure trust chain.

> The nameserver in /etc/resolv.conf is 119.147.163.133 which is a
> standard BIND.
> $ dig txt chaos version.bind @119.147.163.133 +short
> "9.6.1-P2"

Upgrade. BIND 9.6.1-P2 is seriously out of date and has known security vulnerabilities. The current release on the BIND 9.6 train is 9.6-ESV-R8, which is about 12 maintenance releases further on than the code you are running.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
Re: How to Setup DNSSEC
Hi,

$ dig +dnssec udp53.org soa

; <<>> DiG 9.6.1-P2 <<>> +dnssec udp53.org soa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37254
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 11

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;udp53.org.                     IN      SOA

;; ANSWER SECTION:
udp53.org.              3600    IN      SOA     blox.wetworks.org.
alan.clegg.com. 1259962123 86400 3600 2419200 300
udp53.org.              3600    IN      RRSIG   SOA 8 2 3600
20121030214830 20121016204830 48948 udp53.org.
eVftM2Iu4Q/pn0AVW3EXYricq2BagrleTAbQvAtbqOOj3UgSzQHwxR/i
2zOTayebAx65K7mDql1qXaXUh7GAj1fmjKiaf1YR4QR1RHg2tV5dFEuP
j6bha3QD0YfxS8pPGywsNeLn+6BwM2FrSOKefvc1S/GAv6y9ei/gj8qG 94Y=

From the result above, I didn't see an AD flag set. Why?

The nameserver in /etc/resolv.conf is 119.147.163.133 which is a standard BIND.
$ dig txt chaos version.bind @119.147.163.133 +short
"9.6.1-P2"

Thanks.

On 2012-10-17 6:31, Alan Clegg wrote:
> You can still find it at ISC: http://www.isc.org/files/DNSSEC_in_6_minutes.pdf
>
> It is a bit long in the tooth. I'll be updating it soon to cover the work done by ISC in BIND 9.9
>
> All are welcome to propose titles for this new work.
Re: How to Setup DNSSEC
On Tue, 2012-10-16 at 15:35 -0700, Alan Clegg wrote:
>
> You can still find it at ISC:
> http://www.isc.org/files/DNSSEC_in_6_minutes.pdf
>
> It is a bit long in the tooth. I'll be updating it soon to cover the work
> done by ISC in BIND 9.9
>
> All are welcome to propose titles for this new work. :)
>

DNSSEC in 5 minutes ? :)
Re: How to Setup DNSSEC
On Oct 16, 2012, at 3:11 PM, Noel Butler wrote:
> Alan Clegg wrote a quick howto, DNSSEC in 6 minutes. You might want to Google
> it; since ISC has destroyed their "new" website, I no longer see it at a quick
> look to show you a link. Apparently it might be buried somewhere in
> kb.isc.org; if Alan doesn't pitch in with its location, Google might be
> better.. ( DNSSEC_in_6_minutes.pdf )

You can still find it at ISC: http://www.isc.org/files/DNSSEC_in_6_minutes.pdf

It is a bit long in the tooth. I'll be updating it soon to cover the work done by ISC in BIND 9.9

All are welcome to propose titles for this new work. :)

AlanC
-- 
Alan Clegg | +1-919-355-8851 | a...@clegg.com
Re: How to Setup DNSSEC
On Tue, 2012-10-16 at 22:07 +0800, babu dheen wrote:
> Dear All,
>
> I am new to DNSSEC. I need your valuable help to understand and
> configure DNSSEC on my company's name servers.
>
> All users in our company use an internal DNS server for name
> resolution. All internal DNS servers point to our gateway
> recursive BIND name server, which is responsible for getting DNS
> queries from authoritative internet DNS servers.
>
> Now we would like to configure DNSSEC on my gateway DNS and internal
> DNS server.
>
> Kindly help me
>

Alan Clegg wrote a quick howto, DNSSEC in 6 minutes. You might want to Google it; since ISC has destroyed their "new" website, I no longer see it at a quick look to show you a link. Apparently it might be buried somewhere in kb.isc.org; if Alan doesn't pitch in with its location, Google might be better.. ( DNSSEC_in_6_minutes.pdf )