DNSSEC
This isn't a real high priority yet, but it'd be nice if DNSSEC could be supported for the slave DNS servers. As the slave DNS servers will be authoritative, all they need is to be able to accept the appropriate RRs for DNSSEC, which simply means running BIND 9.3.x, as 9.2.x rejects CNAMEs with RRSIG and NSEC records for the corresponding CNAME. This was required in RFC 1034, but was relaxed in RFC 2181 to allow for the additional records needed for DNSSEC.
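The rule the post refers to, as an added illustration (not code from the thread or from BIND): RFC 1034 lets a name that owns a CNAME own nothing else, while a signed zone must also carry RRSIG and NSEC (and, in later DNSSEC versions, NSEC3) records at that same name. The check below flags owners that break the rule, with a switch that models the strict pre-DNSSEC reading the post says BIND 9.2.x enforced. The function name, the `DNSSEC_SIDE_TYPES` set and the record tuples are my own; the zone data is constructed sample input and the RRSIG rdata strings are placeholders.

```python
"""CNAME co-existence check with the DNSSEC exception.

Added illustration for the thread above, not code from the thread or from
BIND. RFC 1034 lets a name that owns a CNAME own nothing else; a signed
zone must also carry RRSIG and NSEC (later NSEC3) records at that name,
which is the relaxation the post refers to. The record tuples below are
constructed sample data, and the RRSIG rdata strings are placeholders.
"""
from collections import defaultdict

# Types that may share an owner name with a CNAME in a signed zone.
DNSSEC_SIDE_TYPES = {"RRSIG", "NSEC", "NSEC3"}


def cname_conflicts(records, dnssec_aware=True):
    """Return [(owner, reason)] for each owner that breaks the CNAME rule.

    records: iterable of (owner, rtype, rdata) tuples.
    dnssec_aware=False models the strict RFC 1034 reading, under which
    signature and denial records at a CNAME owner are also rejected.
    """
    by_owner = defaultdict(list)
    for owner, rtype, rdata in records:
        by_owner[owner.lower().rstrip(".")].append((rtype.upper(), rdata))

    allowed = {"CNAME"} | (DNSSEC_SIDE_TYPES if dnssec_aware else set())
    conflicts = []
    for owner, rrs in sorted(by_owner.items()):
        types = {t for t, _ in rrs}
        if "CNAME" not in types:
            continue
        if sum(1 for t, _ in rrs if t == "CNAME") > 1:
            conflicts.append((owner, "multiple CNAME records"))
        extra = types - allowed
        if extra:
            conflicts.append((owner, "CNAME with " + ", ".join(sorted(extra))))
    return conflicts


# Constructed sample: www is a signed CNAME (fine), bad mixes CNAME with A.
SAMPLE_ZONE = [
    ("www.example.com.", "CNAME", "host.example.com."),
    ("www.example.com.", "RRSIG", "CNAME 8 3 3600 (placeholder signature)"),
    ("www.example.com.", "NSEC", "host.example.com. CNAME RRSIG NSEC"),
    ("www.example.com.", "RRSIG", "NSEC 8 3 3600 (placeholder signature)"),
    ("host.example.com.", "A", "192.0.2.10"),
    ("bad.example.com.", "CNAME", "host.example.com."),
    ("bad.example.com.", "A", "192.0.2.11"),
]

if __name__ == "__main__":
    print("DNSSEC-aware:", cname_conflicts(SAMPLE_ZONE))
    print("strict 1034 :", cname_conflicts(SAMPLE_ZONE, dnssec_aware=False))
```

Run it and `www.example.com` passes only in DNSSEC-aware mode; `bad.example.com` fails in both, because an A record next to a CNAME is wrong under either reading and is the kind of data a signed zone still must not contain.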
- Site Admin
- Posts: 598
- Joined: Wed Nov 17, 2004 10:05 pm
- Location: Nevada
We actually use PowerDNS for our Primary DNS service instead of BIND because it can tie in directly to the database pool. (It was not affected by the cache poisoning issue.)
Secondary DNS has been running BIND 9.3.x; we just neglected to update the thread here.
Technical Support support@rollernet.us
Roller Network LLC
Just to follow up on the DNSSEC question, PowerDNS is not nearly as far along with DNSSEC support as BIND is. We did some testing a while back and found that it had trouble parsing database entries for some DNSSEC records. This is supposed to be fixed a bit more in the next version of PowerDNS, and it will be able to serve these types.
Technical Support support@rollernet.us
Roller Network LLC
Is it possible to have DNSSEC enabled on the secondary DNS service? Currently, as it is configured, it will transfer RRSIG and NSEC records when requested specifically, but not in combination with other queries. It looks like in BIND 9.3, DNSSEC is disabled by default and enabling it also enables DNSSEC validation in BIND. In BIND 9.4 and later, dnssec-enable and dnssec-validation are separate options, with dnssec-enable turned on by default. Are you still planning an upgrade to 9.4+?
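The behaviour the post is asking for, as an added illustration (not code from the thread, BIND or PowerDNS): a DNSSEC-aware resolver does not query for RRSIG records by name, it attaches an EDNS0 OPT record with the DO bit set to its ordinary query, and a DNSSEC-enabled authoritative server then returns the RRSIG alongside each answered RRset. Getting a RRSIG back only when you ask for the RRSIG type, as described above, is the sign that the server is not doing that. The code builds such a query and parses a reply to see whether signatures came back with the CNAME. All function names are my own, and the response bytes are constructed by hand with a placeholder in place of a real signature.

```python
"""Does an authoritative server hand back RRSIGs when asked DNSSEC-style?

Added illustration, not code from the thread or from BIND. A resolver asks
for signatures by attaching an EDNS0 OPT record with the DO bit set; a
DNSSEC-aware authoritative server then adds the RRSIG for each answered
RRset, which is what a query for the RRSIG type alone does not prove.
The response bytes below are constructed by hand; the RRSIG payload is a
placeholder, not a valid signature.
"""
import struct

TYPE = {"A": 1, "CNAME": 5, "OPT": 41, "RRSIG": 46, "NSEC": 47}
TYPE_NAME = {v: k for k, v in TYPE.items()}
DO_BIT = 0x8000  # bit 15 of the OPT record's TTL field (RFC 3225)


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def opt_record(do):
    # root owner, type OPT, class = UDP payload size, TTL = flags, empty rdata
    return b"\x00" + struct.pack("!HHIH", TYPE["OPT"], 4096, DO_BIT if do else 0, 0)


def build_query(qname, qtype, do=True, txid=0x1234):
    """Wire-format query; with do=True it carries an OPT record with DO set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if do else 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE[qtype], 1)
    return header + question + (opt_record(True) if do else b"")


def read_name(data, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:  # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", end if end is not None else off


def parse_response(data):
    """Return the answer-section (owner, type) pairs and whether DO came back."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(data, off)
        off += 4  # qtype + qclass
    answers, do = [], False
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = read_name(data, off)
            rtype, _, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
            off += 10 + rdlen
            if rtype == TYPE["OPT"]:
                do = bool(ttl & DO_BIT)
            elif section == "answer":
                answers.append((name, TYPE_NAME.get(rtype, rtype)))
    return {"id": txid, "aa": bool(flags & 0x0400), "do": do, "answer": answers}


def serves_signatures(data):
    """True if the answer section carries at least one RRSIG."""
    return any(t == "RRSIG" for _, t in parse_response(data)["answer"])


def sample_response(do=True, txid=0x1234):
    """Constructed reply to 'www.example.com CNAME': CNAME, plus RRSIG if DO."""
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 2 if do else 1, 0, 1 if do else 0)
    question = encode_name("www.example.com") + struct.pack("!HH", TYPE["CNAME"], 1)
    owner = b"\xc0\x0c"  # pointer back to the qname at offset 12
    target = encode_name("host.example.com")
    cname = owner + struct.pack("!HHIH", TYPE["CNAME"], 1, 3600, len(target)) + target
    body = header + question + cname
    if do:
        # RRSIG rdata: covered type, alg, labels, orig TTL, expiry, inception,
        # key tag, signer, then a placeholder where the signature would be.
        sig = struct.pack("!HBBIIIH", TYPE["CNAME"], 8, 3, 3600, 0, 0, 12345)
        sig += encode_name("example.com") + b"\x00" * 16
        body += owner + struct.pack("!HHIH", TYPE["RRSIG"], 1, 3600, len(sig)) + sig
        body += opt_record(True)
    return body


if __name__ == "__main__":
    print("with DO   :", parse_response(sample_response(True)))
    print("without DO:", parse_response(sample_response(False)))
```

Against a live secondary the same check is `dig +dnssec www.example.com CNAME @<secondary>`: a DNSSEC-enabled server shows a RRSIG in the ANSWER section and `do` among the flags of the OPT pseudosection, while a server with DNSSEC disabled answers the CNAME alone even though it holds the RRSIG from the zone transfer.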
We're still running Debian "oldstable" on the secondary nameservers, but we're slowly making the rounds and upgrading everything to the current "stable" tree after testing to make sure the upgrade procedure doesn't blow anything up. It's just a matter of time, possibly within the next few days. The version of BIND in "stable" is 9.5.1.
Technical Support support@rollernet.us
Roller Network LLC
Re: DNSSEC
Just thought I'd mention, both NS1 and NS2 are now fully functioning as DNSSEC slave servers. Not sure when you upgraded it, but thanks!