Reasonable setup of a dnssec aware recursive resolver
Mark Elkins
mje at posix.co.za
Mon Mar 29 18:03:04 UTC 2010
On Mon, 2010-03-29 at 11:17 +0200, Mark Elkins wrote:
> I'm trying to come up with an interim solution for my ISP's DNS
> Recursive Resolver that is DNSSEC aware.
>
> My thoughts so far:-
> Use BIND 9.6.1-P3 (this is the latest version of named that Gentoo Linux
> gives me).
Ouch! Bitten by the signing of ARPA...
/etc/bind/named.conf.trust:225: configuring trusted key for 'ARPA.':
algorithm is unsupported.
-and-
* No specific action is requested of operators. This message is
* for your information only.
* The ARPA zone is about to be signed using DNSSEC. The technical
* parameters by which ARPA will be signed are as follows:
* KSK Algorithm and Size: 2048 bit RSA
I thought unrecognised algorithms were meant to be ignored?
Time to try Bind 9.7.0-P1 ??
> In order to fetch both iTAR and DLV signatures, use a patched version
> of wget that is DNSSEC-aware.
>
> Once a week (is this frequent enough?) fetch the DNSSEC signatures from
> iTAR and ISC/DLV, convert the iTAR XML into signatures, append the
> DLV signature and then include this file in my named.conf
> configuration.
> (named.conf: include "named.conf.trust-anchors"; )
>
> In named.conf --> options, add:
> dnssec-enable yes;
> dnssec-validation yes;
> dnssec-lookaside . trust-anchor dlv.isc.org.;
>
> This appears to be working for me.
> Questions are: how frequently should one fetch these trust anchors? I'd
> have thought once a week was enough, but have read of situations where
> people using ISC's DLV have had problems in the past.
>
> I'm hoping that by using both iTAR and DLV I won't have this
> problem; I have not noticed anything personally yet.
>
> I call this an "interim" solution - interim until the root is signed
> with live data and contains the data that ITAR is currently being used
> to store. I don't see ISC's DLV disappearing overnight just because the
> root is signed either...
>
> I'm only doing the wget-ing from one location, then distributing
> internally from there, in order to reduce load.
>
> What other suggestions do people have to achieve something similar?
>
> ps - I find the CZ "DNSSEC Validator" (addon) plugin to Firefox very
> inspiring! Anyone aware of something similar for IE?
>
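An added example, not part of Mark's post nor of BIND itself: a small Python script for the trust-anchor handling the post describes. Given DNSKEY records (as fetched from the zone or converted from the ITAR XML), it computes each key's key tag and DS digest per RFC 4034, checks them against DS records obtained out of band, and writes a BIND trusted-keys block that leaves out any key whose algorithm the resolver cannot handle. That last step is the practical answer to the "algorithm is unsupported" error quoted above: an unsupported algorithm met during validation makes the zone insecure (unsigned) rather than bogus, but a configured trust anchor with an unsupported algorithm is a named configuration error, not something named silently skips. The DNSKEY and DS records and the supported-algorithm set below are constructed for the example and are not real zone data; the algorithm list a given named release supports is in its release notes, and the function and variable names are the example's own.

```python
"""Trust-anchor checks for a DNSSEC-validating BIND resolver (added example,
not code from the original post or from BIND). Sample records are constructed."""
import base64
import hashlib


def name_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 6.2): lowercase labels,
    each length-prefixed, terminated by the zero-length root label."""
    out = bytearray()
    for label in name.lower().rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            out.append(len(raw))
            out += raw
    out.append(0)
    return bytes(out)


def _tokens(line):
    # Tolerate the parentheses of multi-line presentation format.
    return line.replace("(", " ").replace(")", " ").split()


def parse_dnskey(line):
    """'owner [ttl] [IN] DNSKEY flags proto alg base64...' -> dict."""
    toks = _tokens(line)
    i = toks.index("DNSKEY")
    flags, proto, alg = (int(t) for t in toks[i + 1:i + 4])
    key = base64.b64decode("".join(toks[i + 4:]))
    return {"owner": toks[0], "flags": flags, "proto": proto, "alg": alg, "key": key}


def parse_ds(line):
    """'owner [ttl] [IN] DS keytag alg digesttype hex...' -> dict."""
    toks = _tokens(line)
    i = toks.index("DS")
    tag, alg, dtype = (int(t) for t in toks[i + 1:i + 4])
    return {"owner": toks[0], "tag": tag, "alg": alg, "dtype": dtype,
            "digest": "".join(toks[i + 4:]).upper()}


def dnskey_rdata(k):
    """DNSKEY RDATA in wire form: flags (2 bytes), protocol, algorithm, key."""
    return bytes([k["flags"] >> 8, k["flags"] & 0xFF, k["proto"], k["alg"]]) + k["key"]


def key_tag(k):
    """RFC 4034 Appendix B key tag (the formula is different for algorithm 1)."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(k)):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types 1 and 2


def ds_digest(k, digest_type):
    """Upper-case hex DS digest over canonical owner name + DNSKEY RDATA."""
    h = DIGESTS[digest_type]()
    h.update(name_to_wire(k["owner"]) + dnskey_rdata(k))
    return h.hexdigest().upper()


def dnskey_matches_ds(k, ds):
    """True when this DNSKEY is the key the DS record commits to."""
    return (name_to_wire(k["owner"]) == name_to_wire(ds["owner"])
            and k["alg"] == ds["alg"]
            and key_tag(k) == ds["tag"]
            and ds_digest(k, ds["dtype"]) == ds["digest"])


def trusted_keys_block(keys, supported_algs):
    """BIND trusted-keys statement. Keys with an algorithm outside
    supported_algs are dropped, since named refuses to load such an anchor."""
    lines = ["trusted-keys {"]
    for k in keys:
        if k["alg"] not in supported_algs:
            continue
        b64 = base64.b64encode(k["key"]).decode("ascii")
        lines.append('    "%s" %d %d %d "%s";'
                     % (k["owner"], k["flags"], k["proto"], k["alg"], b64))
    lines.append("};")
    return "\n".join(lines)


# Constructed sample data: tiny fake key material, one RSASHA1 (5) and one
# RSASHA256 (8) KSK for an invented zone; not real anchors.
SAMPLE_DNSKEYS = [
    "example.test. 3600 IN DNSKEY 257 3 5 AAEAAg==",
    "example.test. 3600 IN DNSKEY 257 3 8 AAEAAg==",
]
# Assumed algorithm set for a resolver that predates RFC 5702 support;
# take the real list from your named's release notes.
SUPPORTED_ALGS_OLD = {1, 3, 5, 7}

if __name__ == "__main__":
    keys = [parse_dnskey(line) for line in SAMPLE_DNSKEYS]
    for k in keys:
        print(k["owner"], "alg", k["alg"], "tag", key_tag(k), "DS(2)", ds_digest(k, 2))
    print(trusted_keys_block(keys, SUPPORTED_ALGS_OLD))
```

In practice the DS records you compare against come from the out-of-band source (ITAR in the post, the parent zone once it is signed), and the DNSKEYs from a dig of the zone's apex; when dnskey_matches_ds is false for every published DS, do not install the key. The same filter that drops algorithm 8 for an old named is what makes the upgrade question in the post moot: keep the anchor file complete, and let the generator decide what this resolver can load.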