Reasonable setup of a dnssec aware recursive resolver

Mark Elkins mje at posix.co.za
Mon Mar 29 09:17:54 UTC 2010


I'm trying to come up with an interim solution for my ISP's DNS
Recursive Resolver that is DNSSEC aware.

My thoughts so far:-
Use BIND 9.6.1-P3 (this is the latest version named that Gentoo Linux
gives me).
In order to fetch both iTAR and DLV signatures - use a patched version
of WGET that is dnssec aware.

Once a week (is this frequent enough?) fetch the DNSSEC signatures from
iTAR and ISC/DLV, convert the iTAR xml stuff into Signatures, append the
DLV signature and then include this file into my named.conf
configuration.
(named.conf:   include "named.conf.trust-anchors"; )

In named.conf --> options, add:
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside . trust-anchor dlv.isc.org.;

This appears to be working for me.
Questions are - how frequently should one fetch these trust-anchors? I'd
have thought once a week was enough but have read of situations where
people using ISC's DLV have had past problems.

I'm hoping that by using both iTAR and DLV - that I won't have this
problem - have not noticed anything personally yet.

I call this an "interim" solution - interim until the root is signed
with live data and contains the data that ITAR is currently being used
to store. I don't see ISC's DLV disappearing overnight just because the
root is signed either...

I'm only doing the 'wget-ting' from one location, then distributing
internally from there - in order to reduce loads.

What other suggestions do people have to achieve something similar?

ps - I find the CZ "DNSSEC Validator" (addon) plugin to Firefox very
inspiring! Anyone aware of something similar for IE?

-- 
  .  .     ___. .__      Posix Systems - Sth Africa.  e.164 VOIP ready
 /| /|       / /__       mje at posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496