DNSSEC

sttng359
Posts: 21
Joined: Tue Jun 13, 2006 10:50 am

Post by sttng359 » Wed Jun 14, 2006 2:17 am

This isn't a real high priority yet, but it'd be nice if DNSSEC could be
supported for the slave DNS servers. As the slave DNS servers will
be authoritative, all they need is to be able to accept the appropriate
RRs for DNSSEC, which simply means running BIND 9.3.x, as 9.2.x
rejects CNAMEs with RRSIG and NSEC records for the corresponding
CNAME. This was required in RFC 1034, but was relaxed in RFC 2181
to allow for the additional records needed for DNSSEC.

RollerNetSupport
Site Admin
Posts: 850
Joined: Wed Nov 17, 2004 10:05 pm
Location: Nevada

Post by RollerNetSupport » Wed Jun 14, 2006 12:11 pm

We'll look into upgrading BIND.
Technical Support support@rollernet.us
Roller Network LLC

jlbrown
Posts: 2
Joined: Sat Aug 09, 2008 7:59 am

Post by jlbrown » Fri Aug 29, 2008 6:48 am

Any news on this? The new BIND supports DNSSEC and TSIG, which would be great to be able to use with our primary DNS.

Also, it fixed the DNS cache poisoning vulnerability in previous versions of BIND (and most DNS software).

RollerNetSupport
Site Admin
Posts: 850
Joined: Wed Nov 17, 2004 10:05 pm
Location: Nevada

Post by RollerNetSupport » Fri Aug 29, 2008 1:00 pm

We actually use PowerDNS for our Primary DNS service instead of BIND because it can tie in directly to the database pool. (It was not affected by the cache poisoning issue.)

Secondary DNS has been running BIND 9.3.x; we just neglected to update the thread here.
Technical Support support@rollernet.us
Roller Network LLC

RollerNetSupport
Site Admin
Posts: 850
Joined: Wed Nov 17, 2004 10:05 pm
Location: Nevada

Post by RollerNetSupport » Fri Aug 29, 2008 1:49 pm

Just to follow up on the DNSSEC question, PowerDNS is not nearly as far along with DNSSEC support as BIND is. We did some testing a while back and found that it had trouble parsing database entries for some DNSSEC records. This is supposed to be fixed a bit more in the next version of PowerDNS and it will be able to serve these types.
Technical Support support@rollernet.us
Roller Network LLC

jlbrown
Posts: 2
Joined: Sat Aug 09, 2008 7:59 am

Post by jlbrown » Fri Aug 29, 2008 6:03 pm

I was really referring to the BIND which you use for Secondary DNS (we have our own DNS but use RollerNet as the Secondary). 9.3.x is vulnerable and I think BIND 9.5.x has much improved DNSSEC etc.

James.

RollerNetSupport
Site Admin
Posts: 850
Joined: Wed Nov 17, 2004 10:05 pm
Location: Nevada

Post by RollerNetSupport » Fri Aug 29, 2008 7:46 pm

We're planning on upgrading soon; no ETA at this time. (For the enhancements; the fix was already backported.)
Technical Support support@rollernet.us
Roller Network LLC

sttng359
Posts: 21
Joined: Tue Jun 13, 2006 10:50 am

Post by sttng359 » Sun May 24, 2009 9:07 am

Is it possible to have DNSSEC enabled on the secondary DNS service? Currently, as it is configured, it will transfer RRSIG and NSEC records when requested specifically, but not in combination with other queries. It looks like in BIND 9.3, DNSSEC is disabled by default and enabling it also enables DNSSEC validation in BIND. In BIND 9.4 and later, dnssec enable and dnssec validation are separate options, with dnssec enable turned on by default. Are you still planning an upgrade to 9.4+?
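
One way to check the behaviour described in the post above, as an added example that is not part of the thread: build a query with the EDNS0 DO ("DNSSEC OK") bit set and test whether every answer type in the reply has a covering RRSIG. It assumes the DO bit is the "in combination with other queries" case the poster means; the names under example.com and both sample replies are constructed, not captured traffic.

```python
import socket, struct
CNAME, OPT, RRSIG = 5, 41, 46
DO_BIT = 0x8000  # "DNSSEC OK" flag in the EDNS0 OPT record (RFC 3225)

def encode_name(name):
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split(".")) + b"\x00"

def build_query(name, qtype, want_dnssec=True, qid=0x1234):
    """One question plus an OPT record; the DO bit asks for RRSIG/NSEC in the reply."""
    msg = struct.pack("!6H", qid, 0, 1, 0, 0, 1) + encode_name(name) + struct.pack("!HH", qtype, 1)
    return msg + b"\x00" + struct.pack("!HHIH", OPT, 4096, DO_BIT if want_dnssec else 0, 0)

def ask(server, name, qtype, want_dnssec=True):  # for a name server you operate
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3)
        s.sendto(build_query(name, qtype, want_dnssec), (server, 53))
        return s.recvfrom(4096)[0]

def skip_name(msg, off):
    while msg[off] and msg[off] & 0xC0 != 0xC0:  # walk plain labels
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)  # compression pointer or root label

def answers_signed(msg):
    """True if every non-RRSIG type in the answer section has a covering RRSIG."""
    qd, an = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    types, covered = set(), set()
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == RRSIG:
            covered.add(struct.unpack("!H", msg[off + 10:off + 12])[0])
        else:
            types.add(rtype)
        off += 10 + rdlen
    return bool(types) and types <= covered

def sample_reply(with_rrsig):
    """Constructed reply for www.example.com CNAME (not captured traffic)."""
    rr = lambda t, d: b"\xc0\x0c" + struct.pack("!HHIH", t, 1, 300, len(d)) + d
    rrs = [rr(CNAME, encode_name("host.example.com"))]
    if with_rrsig:  # covered type, alg, labels, TTL, expire, incept, key tag, signer, dummy sig
        rrs.append(rr(RRSIG, struct.pack("!HBBIIIH", CNAME, 8, 3, 300, 0, 0, 1)
                      + encode_name("example.com") + b"\x00" * 8))
    question = build_query("www.example.com", CNAME)[12:-11]
    return struct.pack("!6H", 0x1234, 0x8400, 1, len(rrs), 0, 0) + question + b"".join(rrs)
```

Passing the bytes returned by `ask()` for a signed name to `answers_signed()` gives the same verdict for a live secondary as the two constructed replies do here.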

RollerNetSupport
Site Admin
Posts: 850
Joined: Wed Nov 17, 2004 10:05 pm
Location: Nevada

Post by RollerNetSupport » Sun May 24, 2009 9:13 am

We're still running Debian "oldstable" on the secondary nameservers, but we're slowly making the rounds and upgrading everything to the current "stable" tree after testing to make sure the upgrade procedure doesn't blow anything up. It's just a matter of time, possibly within the next few days. The version of BIND in "stable" is 9.5.1.
Technical Support support@rollernet.us
Roller Network LLC

RollerNetSupport
Site Admin
Posts: 850
Joined: Wed Nov 17, 2004 10:05 pm
Location: Nevada

Post by RollerNetSupport » Thu Jun 04, 2009 11:22 am

Server "ns2.rollernet.us" is now running BIND 9.5.1.
Technical Support support@rollernet.us
Roller Network LLC

sttng359
Posts: 21
Joined: Tue Jun 13, 2006 10:50 am

Re: DNSSEC

Post by sttng359 » Tue Apr 06, 2010 1:42 pm

Just thought I'd mention, both NS1 and NS2 are now fully functioning as DNSSEC slave servers. Not sure when you upgraded it, but thanks!
