DNSSEC

sttng359
Posts: 21
Joined: Tue Jun 13, 2006 10:50 am

DNSSEC

Post by sttng359 »

This isn't a real high priority yet, but it'd be nice if DNSSEC could be
supported for the slave DNS servers. As the slave DNS servers will
be authoritative, all they need is to be able to accept the appropriate
RRs for DNSSEC, which simply means running BIND 9.3.x, as 9.2.x
rejects CNAMEs with RRSIG and NSEC records for the corresponding
CNAME. This was required in RFC 1034, but was relaxed in RFC 2181
to allow for the additional records needed for DNSSEC.
RollerNetSupport
Site Admin
Posts: 598
Joined: Wed Nov 17, 2004 10:05 pm
Location: Nevada

Post by RollerNetSupport »

We'll look in to upgrading BIND.
Technical Support support@rollernet.us
Roller Network LLC
jlbrown
Posts: 2
Joined: Sat Aug 09, 2008 7:59 am

Post by jlbrown »

Any news on this? The new BIND supports DNSSEC and TSIG, which would be great to be able to use with our primary DNS.

Also, it fixed the DNS cache poisoning vulnerability in previous versions of BIND (and most DNS software).
RollerNetSupport
Site Admin
Posts: 598
Joined: Wed Nov 17, 2004 10:05 pm
Location: Nevada

Post by RollerNetSupport »

We actually use PowerDNS for our Primary DNS service instead of BIND because it can tie in directly to the database pool. (It was not affected by the cache poisoning issue.)

Secondary DNS has been running BIND 9.3.x; we just neglected to update the thread here.
Technical Support support@rollernet.us
Roller Network LLC
RollerNetSupport
Site Admin
Posts: 598
Joined: Wed Nov 17, 2004 10:05 pm
Location: Nevada

Post by RollerNetSupport »

Just to follow up on the DNSSEC question, Power DNS is not nearly as far along with DNSSEC support as BIND is. We did some testing a while back and found that it had trouble parsing database entries for some DNSSEC records. This is supposed to be fixed a bit more in the next version of Power DNS and it will be able to serve these types.
Technical Support support@rollernet.us
Roller Network LLC
jlbrown
Posts: 2
Joined: Sat Aug 09, 2008 7:59 am

Post by jlbrown »

I was really referring to the BIND which you use for Secondary DNS (we have our own DNS but use RollerNet as the Secondary). 9.3.x is vulnerable and I think BIND 9.5.x has much improved DNSSEC etc.

James.
RollerNetSupport
Site Admin
Posts: 598
Joined: Wed Nov 17, 2004 10:05 pm
Location: Nevada

Post by RollerNetSupport »

We're planning on upgrading soon; no ETA at this time. (For the enhancements; the fix was already backported.)
Technical Support support@rollernet.us
Roller Network LLC
sttng359
Posts: 21
Joined: Tue Jun 13, 2006 10:50 am

Post by sttng359 »

Is it possible to have DNSSEC enabled on the secondary DNS service? Currently, as it is configured, it will transfer RRSIG and NSEC records when requested specifically, but not in combination with other queries. It looks like in BIND 9.3, DNSSEC is disabled by default and enabling it also enables DNSSEC validation in BIND. In BIND 9.4 and later, dnssec-enable and dnssec-validation are separate options, with dnssec-enable turned on by default. Are you still planning an upgrade to 9.4+?
RollerNetSupport
Site Admin
Posts: 598
Joined: Wed Nov 17, 2004 10:05 pm
Location: Nevada

Post by RollerNetSupport »

We're still running Debian "oldstable" on the secondary nameservers, but we're slowly making the rounds and upgrading everything to the current "stable" tree after testing to make sure the upgrade procedure doesn't blow anything up. It's just a matter of time, possibly within the next few days. The version of BIND in "stable" is 9.5.1.
Technical Support support@rollernet.us
Roller Network LLC
RollerNetSupport
Site Admin
Posts: 598
Joined: Wed Nov 17, 2004 10:05 pm
Location: Nevada

Post by RollerNetSupport »

Server "ns2.rollernet.us" is now running BIND 9.5.1.
Technical Support support@rollernet.us
Roller Network LLC
sttng359
Posts: 21
Joined: Tue Jun 13, 2006 10:50 am

Re: DNSSEC

Post by sttng359 »

Just thought I'd mention, both NS1 and NS2 are now fully functioning as DNSSEC slave servers. Not sure when you upgraded it, but thanks!