Re: All client resolvers support DNSSEC compatible queries ???

2014-04-24 Thread Carsten Strotmann
Hello Jeronimo,

Jeronimo L. Cabral jelocab...@gmail.com writes:

> Dear, we have several hosts in our LAN that ask our BIND DNS: Debian,
> Windows 7, Red Hat and CentOS.
>
> If we implement DNSSEC validation support in our BIND9 server...how
> can I know if our hosts' resolvers are compatible with DNSSEC queries
> ???


Client host resolvers are usually not DNSSEC aware today. Certain
applications (browsers with a DNSSEC validator plugin, the Postfix MTA, ...)
running on a client can be DNSSEC aware.

You can enable DNSSEC validation support on a BIND 9 caching server that
is used as a resolver by your clients. BIND 9 9.9.x already comes with
DNSSEC validation enabled, for older versions you need to enable it
manually in the configuration.

Legacy (non DNSSEC aware) clients will send just regular DNS queries
towards the BIND 9 caching resolver. BIND 9 will send queries with the
DO flag (DNSSEC OK) towards the authoritative DNS server in the
network. For DNSSEC signed zones, BIND 9 will validate the DNSSEC
data. If the data validates without issues, the data is returned to
the client as normal DNS (no DNSSEC). If the data fails to validate, the
bad data is not sent to the clients; instead a SERVFAIL error message
is sent to the client.

DNSSEC is backwards compatible in the sense that you can enable DNSSEC
validation without the need to make changes to legacy clients.

Windows 7 and Windows 8 clients can build a special trust relationship
with an AD integrated Windows DNS Server to secure the last mile
between the client and the resolving DNS cache. However, to my knowledge
this is not possible with Windows and a BIND 9 DNS.

Best regards

Carsten
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: All client resolvers support DNSSEC compatible queries ???

2014-04-24 Thread Tony Finch
Carsten Strotmann c...@strotmann.de wrote:

> You can enable DNSSEC validation support on a BIND 9 caching server that
> is used as a resolver by your clients. BIND 9 9.9.x already comes with
> DNSSEC validation enabled, for older versions you need to enable it
> manually in the configuration.

DNSSEC validation needs to be explicitly enabled in every version of BIND.
Since version 9.8 BIND ships with a built-in root trust anchor, so to
enable validation you can just add dnssec-validation auto; (and
dnssec-lookaside auto; if you like).

The dnssec-enable option defaults to yes (since version 9.5), but this
just makes BIND DNSSEC-aware (so it supports the special semantics of
DNSSEC RR types); it does not make it validate.

The rest of what you said is correct.

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Fair Isle, Faeroes, South-east Iceland: Mainly southeasterly 5 or 6,
decreasing 4 at times. Moderate or rough. Occasional rain, fog patches.
Moderate or good, occasionally very poor.


Re: All client resolvers support DNSSEC compatible queries ???

2014-04-24 Thread Peter Andreev
2014-04-24 13:46 GMT+04:00 Carsten Strotmann c...@strotmann.de:
> Hello Jeronimo,
>
> Jeronimo L. Cabral jelocab...@gmail.com writes:
>
> > Dear, we have several hosts in our LAN that ask our BIND DNS: Debian,
> > Windows 7, Red Hat and CentOS.
> >
> > If we implement DNSSEC validation support in our BIND9 server...how
> > can I know if our hosts' resolvers are compatible with DNSSEC queries
> > ???
>
>
> Client host resolvers are usually not DNSSEC aware today. Certain
> applications (browsers with a DNSSEC validator plugin, the Postfix MTA, ...)
> running on a client can be DNSSEC aware.
>
> You can enable DNSSEC validation support on a BIND 9 caching server that
> is used as a resolver by your clients. BIND 9 9.9.x already comes with
> DNSSEC validation enabled, for older versions you need to enable it
> manually in the configuration.
>
> Legacy (non DNSSEC aware) clients will send just regular DNS queries
> towards the BIND 9 caching resolver. BIND 9 will send queries with the
> DO flag (DNSSEC OK) towards the authoritative DNS server in the
> network. For DNSSEC signed zones, BIND 9 will validate the DNSSEC
> data. If the data validates without issues, the data is returned to
> the client as normal DNS (no DNSSEC). If the data fails to validate, the
> bad data is not sent to the clients; instead a SERVFAIL error message
> is sent to the client.

Actually, a resolver sends the client an answer with the AD (authenticated
data) bit set if the response from the authoritative server is successfully
validated. If the zone in question isn't secured by DNSSEC, then the client
receives the response without the AD bit. If validation fails: SERVFAIL.


> DNSSEC is backwards compatible in the sense that you can enable DNSSEC
> validation without the need to make changes to legacy clients.
>
> Windows 7 and Windows 8 clients can build a special trust relationship
> with an AD integrated Windows DNS Server to secure the last mile
> between the client and the resolving DNS cache. However, to my knowledge
> this is not possible with Windows and a BIND 9 DNS.

IPSec, AFAIK.


> Best regards
>
> Carsten



-- 
Is there any problem Exterminatus cannot solve? I have not found one yet.
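The thread describes the last mile in terms of wire-level bits: a legacy stub sends a plain query, a DNSSEC-aware stub sets the EDNS0 DO bit, and a validating resolver answers with AD set, with AD clear for unsigned zones, or with SERVFAIL when validation fails. The following is an added example, not code from the thread or from BIND: a small decoder for exactly those bits that can be pointed at captured client queries and resolver answers to answer Jeronimo's original question. All sample messages are hand-assembled for this example.

```python
import struct
# Hand-assembled sample messages for this example (constructed, not captured traffic).
QUESTION = bytes.fromhex("076578616d706c6500" "0001" "0001")           # example. IN A
OPT_DO = bytes.fromhex("00" "0029" "1000" "00" "00" "8000" "0000")     # EDNS0 OPT RR, DO bit set
ANSWER = bytes.fromhex("c00c" "0001" "0001" "00000e10" "0004" "c0000201")  # example. A 192.0.2.1

LEGACY_QUERY = bytes.fromhex("1234" "0100" "0001" "0000" "0000" "0000") + QUESTION
DO_QUERY = bytes.fromhex("1234" "0100" "0001" "0000" "0000" "0001") + QUESTION + OPT_DO
VALIDATED = bytes.fromhex("1234" "81a0" "0001" "0001" "0000" "0000") + QUESTION + ANSWER  # AD=1
UNSIGNED = bytes.fromhex("1234" "8180" "0001" "0001" "0000" "0000") + QUESTION + ANSWER   # AD=0
SERVFAIL = bytes.fromhex("1234" "8182" "0001" "0000" "0000" "0000") + QUESTION            # RCODE=2

def _skip_name(msg, off):
    """Advance past a wire-format name (labels or a 2-byte compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def dnssec_flags(msg):
    """Decode the header bits and the EDNS0 DO bit that matter on the last mile."""
    _ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    info = {"qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "ad": bool(flags & 0x0020), "cd": bool(flags & 0x0010),
            "rcode": flags & 0x000F, "do": False}
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:                                 # OPT: DO is bit 15 of the TTL field
            info["do"] = bool(ttl & 0x8000)
        off += 10 + rdlen
    return info

def classify_client(query):
    """What a capture of the client's own query reveals about its stub resolver."""
    return "DNSSEC-aware stub (DO set)" if dnssec_flags(query)["do"] else "legacy stub (no DO)"

def classify_answer(response):
    """What the validating resolver's answer tells the client."""
    f = dnssec_flags(response)
    if f["rcode"] == 2:
        return "SERVFAIL: validation failed (or another resolver error), no data returned"
    return "AD set: answer validated" if f["ad"] else "AD clear: unsigned zone or non-validating resolver"
```

A legacy stub gets the same decision either way: validated data arrives as an ordinary answer it can use, and bogus data never reaches it because the resolver replies SERVFAIL instead.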