Reasonable setup of a dnssec aware recursive resolver

Mark Elkins mje at posix.co.za
Mon Mar 29 18:03:04 UTC 2010


On Mon, 2010-03-29 at 11:17 +0200, Mark Elkins wrote:
> I'm trying to come up with an interim solution for my ISP's DNS
> Recursive Resolver that is DNSSEC aware.
> 
> My thoughts so far:-
> Use BIND 9.6.1-P3 (this is the latest version named that Gentoo Linux
> gives me).

Ouch! - bitten by the signing of ARPA....
 /etc/bind/named.conf.trust:225: configuring trusted key for 'ARPA.':
algorithm is unsupported.
-and- 
* No specific action is requested of operators. This message is
* for your information only.
* The ARPA zone is about to be signed using DNSSEC. The technical
* parameters by which ARPA will be signed are as follows: 
* KSK Algorithm and Size: 2048 bit RSA

I thought unrecognised algorithms were meant to be ignored?
Time to try Bind 9.7.0-P1 ??

> In order to fetch both iTAR and DLV signatures - use a patched version
> of WGET that is dnssec aware.
> 
> Once a week (is this frequent enough?) fetch the DNSSEC signatures from
> iTAR and ISC/DLV, convert the iTAR xml stuff into Signatures, append the
> DLV signature and then include this file into my named.conf
> configuration.
> (named.conf:   include "named.conf.trust-anchors"; )
> 
> In named.conf --> options, add:
>         dnssec-enable yes;
>         dnssec-validation yes;
>         dnssec-lookaside . trust-anchor dlv.isc.org.;
> 
> This appears to be working for me.
> Questions are - how frequently should one fetch these trust-anchors? I'd
> have thought once a week was enough but have read of situations where
> people using ISC's DLV have had past problems.
> 
> I'm hoping that by using both iTAR and DLV - that I won't have this
> problem - have not noticed anything personally yet.
> 
> I call this an "interim" solution - interim until the root is signed
> with live data and contains the data that ITAR is currently being used
> to store. I don't see ISC's DLV disappearing overnight just because the
> root is signed either...
> 
> I'm only doing the 'wget-ting' from one location, then distributing
> internally from there - in order to reduce loads.
> 
> What other suggestions do people have to achieve something similar?
> 
> ps - I find the CZ "DNSSEC Validator" (addon) plugin to Firefox very
> inspiring! Anyone aware of something similar for IE?
> 
-- 
  .  .     ___. .__      Posix Systems - Sth Africa.  e.164 VOIP ready
 /| /|       / /__       mje at posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496
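As an added example (not from Mark's post, and not ISC's own tooling), a small Python check to run over a generated trust-anchor file before it is included into named.conf: it flags `trusted-keys` entries whose algorithm a given named build cannot load, the failure mode the ARPA key triggered above, and can drop them so the resolver still starts. The set of supported algorithm numbers and the sample entries (with placeholder key data) are assumptions, not real anchors.

```python
import re

# DNSSEC algorithm numbers from the IANA registry (RFC 4034, RFC 5702).
ALGORITHM_NAMES = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1",
                   8: "RSASHA256", 10: "RSASHA512"}

# Assumption: which algorithms the running named accepts depends on its
# version; adjust this set to match the release you actually run.
SUPPORTED_BY_RESOLVER = {5, 7}

# One trusted-keys entry:  name flags protocol algorithm "base64 key" ;
ENTRY_RE = re.compile(r'"?([\w.-]+)"?\s+(\d+)\s+(\d+)\s+(\d+)\s+"([^"]+)"\s*;')

# Constructed sample trust-anchor file; key material is a placeholder.
SAMPLE_TRUST_ANCHORS = '''
trusted-keys {
    // constructed sample entries, key data is not real
    "dlv.isc.org." 257 3 5 "PLACEHOLDERBASE64KEYDATA==";
    "arpa." 257 3 8 "PLACEHOLDERBASE64KEYDATA==";
};
'''


def check_trust_anchors(conf_text, supported=SUPPORTED_BY_RESOLVER):
    """Return (zone, problem) tuples for entries named would reject or
    that are not usable as DNSSEC trust anchors."""
    problems = []
    for m in ENTRY_RE.finditer(conf_text):
        zone, flags, proto, alg, _key = m.groups()
        flags, proto, alg = int(flags), int(proto), int(alg)
        if proto != 3:                      # DNSKEY protocol field must be 3
            problems.append((zone, f"protocol {proto} is not 3"))
        if not flags & 0x100:               # ZONE bit (256) must be set
            problems.append((zone, f"flags {flags} lack the ZONE bit"))
        if alg not in supported:
            name = ALGORITHM_NAMES.get(alg, "unknown")
            problems.append((zone, f"algorithm {alg} ({name}) unsupported "
                                   "by this named build"))
    return problems


def drop_unsupported(conf_text, supported=SUPPORTED_BY_RESOLVER):
    """Return the file with entries of unsupported algorithms removed, so
    that a single new algorithm does not stop named from loading."""
    def keep_or_drop(m):
        return m.group(0) if int(m.group(4)) in supported else ""
    return ENTRY_RE.sub(keep_or_drop, conf_text)


if __name__ == "__main__":
    for zone, problem in check_trust_anchors(SAMPLE_TRUST_ANCHORS):
        print(f"{zone}: {problem}")
```

Run it against the freshly fetched anchors in the weekly job and refuse to install the new file (or install the filtered one) when it reports problems.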