Hi all,
I'm trying to implement DNSSEC using BIND and SoftHSM. I'm using the
pkcs11-* and dnssec-* tools to manage the keys in the HSM and sign the
zones. When I store both KSK and ZSK under single slot there is no problem
to create local key files with dnssec-keyfromlabel and sign the zone. What
One of my responsibilities has been general DNS (across platform) expertise
in the organisation I currently work for. Over a fair amount of time, one
thing that's repeatedly cropped up, has been the (ideally selective)
subversion of DNS resolution of certain internet DNS domains.
Sometimes that
On 05/02/13 15:16, funky monkey wrote:
But to get back to what I'm often asked for, more as a tactical
solution, is there any way of being able to subvert specific DNS names
with alternate responses, whilst leaving the rest of the resolution to
be obtained in the normal way - I know that
Look for my answer below.
On Tue, Feb 5, 2013 at 5:16 PM, funky monkey wongsky.mon...@gmail.com wrote:
One of my responsibilities has been general DNS (across platform)
expertise in the organisation I currently work for. Over a fair amount of
time, one thing that's repeatedly cropped up, has
From: Phil Mayers p.may...@imperial.ac.uk
To: bind-users@lists.isc.org,
Date: 05/02/2013 15:26
Subject: Re: Selective resolution in a corporate environment
On 05/02/13 15:16, funky monkey wrote:
But to get back to what I'm often asked for, more as a tactical
solution, is there any way
sorry, left the subject blank on my previous reply
From: Phil Mayers p.may...@imperial.ac.uk
To: bind-users@lists.isc.org,
Date: 05/02/2013 15:26
Subject: Re: Selective resolution in a corporate environment
On 05/02/13 15:16, funky monkey wrote:
But to get back to what I'm often asked
On 05/02/13 15:36, funky monkey wrote:
Could you sandwich that in a forwarding chain - say have a bind
9.compliant version in between your normal forwarders to internet, and
does it just look for the entries you've specified as either alternate
data or does not exist, but otherwise, carries on
From: Phil Mayers p.may...@imperial.ac.uk
To: bind-users@lists.isc.org,
Date: 05/02/2013 15:44
Subject: Re: Selective resolution in a corporate environment
On 05/02/13 15:36, funky monkey wrote:
Could you sandwich that in a forwarding chain - say have a bind
9.compliant version in
I did not know about RPZ Here is a good configuration example:
http://jpmens.net/2011/04/26/how-to-configure-your-bind-resolvers-to-lie-using-response-policy-zones-rpz/
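As an added illustration of the approach discussed in this thread (not taken from the linked article or from any poster), a minimal RPZ setup for a BIND recursive resolver: only the names listed in the policy zone are rewritten, everything else resolves normally, and with the default break-dnssec no, clients that request DNSSEC and receive signed data are left alone. The policy zone name, file name and addresses are constructed.

```conf
// ---- named.conf fragment ----
options {
    recursion yes;
    dnssec-validation auto;
    // Only names with a rule in the policy zone are rewritten; all other
    // resolution proceeds as usual, so no forwarding chain is needed.
    // break-dnssec no (the default): a DNSSEC-requesting client that
    // receives a signed answer is not lied to.
    response-policy { zone "rpz.corp.example"; } break-dnssec no;
};

zone "rpz.corp.example" {
    type master;
    file "rpz.corp.example.db";
    // The policy zone is consulted internally; do not serve it to clients.
    allow-query { localhost; };
};

; ---- rpz.corp.example.db (zone file syntax) ----
$TTL 300
$ORIGIN rpz.corp.example.
@   IN SOA localhost. hostmaster.corp.example. ( 2013020501 3600 900 604800 300 )
    IN NS  localhost.

; Trigger names are relative to the policy zone (no trailing dot).
; CNAME .  => answer NXDOMAIN for the name and everything beneath it
blocked.example            CNAME .
*.blocked.example          CNAME .

; Alternate data: answer with a constructed internal address instead
vendor-portal.example      A     10.20.30.40

; Exception: a name under a blocked tree that must resolve normally
allowed.blocked.example    CNAME rpz-passthru.
```

Reload with rndc after editing the policy zone; queries for names without a matching rule are unaffected.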
IMHO (and I am really nobody) THIS IS WRONG! BAD BAD BAD! You're giving companies
the ability to selectively lie about DNS
From: Shawn Bakhtiar shashan...@hotmail.com
(about RPZ)
IMHO (and I am really nobody) THIS IS WRONG! BAD BAD BAD! You're giving companies the ability to selectively lie about DNS without the end user knowing it. Unfortunately (and I have the highest and greatest respect for Paul) but
IMHO (and I am really nobody) THIS IS WRONG! BAD BAD BAD! You're giving companies the ability to selectively lie about DNS without the end user knowing it.
Unless DNSSEC is in use, in which case the end user can figure it out,
so RPZ doesn't bother lying.
(I've wished before that there were
From: Evan Hunt e...@isc.org
IMHO (and I am really nobody) THIS IS WRONG! BAD BAD BAD! You're giving companies the ability to selectively lie about DNS without the end user knowing it.
Unless DNSSEC is in use, in which case the end user can figure it out,
so RPZ doesn't bother lying.
Hello -
I am trying to add a DS record via nsupdate and I can't get it to succeed.
It does not generate an error, but when I dig for the DS record I get NXDOMAIN.
When I edit the zone file and add the same DS record and reload, I can query it
just fine.
I do the following as an example:
On Tue, Feb 5, 2013 at 6:30 PM, Jack Tavares j.tava...@f5.com wrote:
Hello -
I am trying to add a DS record via nsupdate and I can't get it to succeed.
It does not generate an error, but when I dig for the DS record I get
NXDOMAIN.
When I edit the zone file and add the same DS record and
On 02/05/2013 03:30 PM, Jack Tavares wrote:
Hello -
I am trying to add a DS record via nsupdate and I can't get it to succeed.
It does not generate an error, but when I dig for the DS record I get NXDOMAIN.
When I edit the zone file and add the same DS record and reload, I can query it
just
Is there a way to exclude a domain from DNSSEC validation, like
Unbound's domain-insecure?
For example if a popular site ( say nasa.gov ) updates their keys
incorrectly so that their domain fails validation, you contact their
admins, and with a high level of confidence you determine this is a
The update code has sanity checks. You can only add DS records
where delegating NS records exist. If you remove a delegating NS
rrset any DS records there will also be removed. This check is
done after all the records have been processed.
Mark
server 127.0.0.1
zone example
key
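Following Mark's explanation of the update sanity check and the nsupdate fragment above, here is an added example (not from the thread) of a single update transaction that adds the delegating NS rrset and the DS rrset for a child zone together. The child name, glue addresses, key file name and DS digest are constructed placeholders; the zone name "example" follows the fragment above.

```conf
; Run as:  nsupdate -k Kexample-update.+157+00000.private  this-file
; (the key file name is a placeholder; use your TSIG key instead of a
; literal "key" line with the secret in it)
server 127.0.0.1
zone example

; Delegating NS rrset for the child. A DS is only accepted at a name
; that owns an NS rrset once the whole update has been applied.
update add child.example. 3600 IN NS ns1.child.example.
update add child.example. 3600 IN NS ns2.child.example.

; Glue for the in-zone name servers (RFC 5737 documentation addresses)
update add ns1.child.example. 3600 IN A 192.0.2.53
update add ns2.child.example. 3600 IN A 198.51.100.53

; The DS record. The check runs after all records in the update are
; processed, so NS and DS may appear in either order within one update,
; but the DS alone, with no delegating NS rrset at child.example, is
; dropped silently and a later query returns NXDOMAIN.
; Digest below is an all-zero placeholder, not a real key digest.
update add child.example. 3600 IN DS 12345 8 2 0000000000000000000000000000000000000000000000000000000000000000

show
send
answer
```

Deleting the NS rrset of child.example in a later update also removes its DS records, so re-delegating requires re-adding the DS.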
On Tue, 2013-02-05 at 17:01 -0800, Augie Schwer wrote:
Is there a way to exclude a domain from DNSSEC validation, like
Unbound's domain-insecure?
I have not tested this, but if you use RPZ to block the DS record for
nasa.gov, that should turn it