DNSSEC for recursive server
bortzmeyer at nic.fr
Fri May 21 07:05:46 UTC 2010
On Fri, May 21, 2010 at 09:54:01AM +0300,
Techi <techi at tellas.gr> wrote
a message of 46 lines which said:
> I have a Centos 5.x with Bind 9.3.6-4.
That's an extremely old version. Even Debian :-) has a more recent
one. For instance, you won't be able to validate the root (which uses
SHA256) or .ORG (which uses NSEC3).
> dnssec-enable yes;
> dnssec-validation yes;
> Is that correct?
You also need to configure trust anchors:
# Not yet published
trusted-keys {
    . 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lL...";
};
dnssec-lookaside . trust-anchor dlv.isc.org.;
> If not so, then what DLV should I use? That if ISC, IANA's, RIPE, what? And
As far as I know, IANA and RIPE do not manage a DLV. For ISC, see the
> So, the specific server is DNSSEC aware and I will not face any
> issues with the root zones signing at 01/07/2010. Correct?
The root has already been completely signed for one week (the key is not yet
published). You do not need to enable DNSSEC to work with the signed
root; it is a separate issue.