DNSSEC for recursive server

Stephane Bortzmeyer bortzmeyer at nic.fr
Fri May 21 07:05:46 UTC 2010


On Fri, May 21, 2010 at 09:54:01AM +0300, Techi <techi at tellas.gr> wrote
a message of 46 lines which said:

> I have a CentOS 5.x with BIND 9.3.6-4.

That's an extremely old version. Even Debian :-) has a more recent
one. For instance, you won't be able to validate the root (which uses
SHA256) or .ORG (which uses NSEC3).

>         dnssec-enable yes;
>         dnssec-validation yes;
> ****************************
> Is that correct?

You also need to configure trust anchors:

trusted-keys {
   # Not yet published
   . 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lL...";
};

and/or:

dnssec-lookaside . trust-anchor dlv.isc.org.;

> If not so, then what DLV should I use? That is, ISC, IANA's, RIPE, what? And
> how?

As far as I know, IANA and RIPE do not manage a DLV. For ISC, see the
line above.

> So, the specific server is DNSSEC aware and I will not face any
> issues with the root zones signing at 01/07/2010. Correct?

The root has already been completely signed for one week (the key is not yet
published). You do not need to enable DNSSEC to work with the signed
root; it is a separate issue.

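An added check for the trusted-keys step above (example code, not part of the original thread): before pasting a DNSKEY into `trusted-keys`, compute its key tag and DS digest per RFC 4034 and compare them with the DS record obtained out of band (for the root, SHA-256 digest type 2, as the message notes). The DNSKEY material below is constructed for illustration and is not the root key.

```python
import base64
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical (lowercase) wire form; the root "." is a single zero byte."""
    name = name.rstrip(".").lower()
    wire = b""
    if name:
        for label in name.split("."):
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, key_b64: str) -> bytes:
    """DNSKEY RDATA: flags (257 = KSK/SEP), protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except the obsolete RSA/MD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(owner name in wire form || DNSKEY RDATA); type 1 = SHA-1, type 2 = SHA-256."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return hasher(name_to_wire(owner) + rdata).hexdigest().upper()


def ds_record(owner: str, flags: int, protocol: int, algorithm: int, key_b64: str, digest_type: int = 2) -> str:
    """Render the DS record that a parent zone (or IANA, for the root) would publish for this DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {ds_digest(owner, rdata, digest_type)}"


def trust_anchor_matches(owner: str, flags: int, protocol: int, algorithm: int, key_b64: str, published_ds: str) -> bool:
    """True only if key tag, algorithm and digest of the candidate trust anchor all match the published DS."""
    tag, alg, dtype, digest = published_ds.split()[-4:]
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    return (int(tag) == key_tag(rdata) and int(alg) == algorithm
            and ds_digest(owner, rdata, int(dtype)) == digest.upper())


if __name__ == "__main__":
    # Constructed 4-byte "key" (base64 of 01 02 03 04), purely for demonstration.
    print(ds_record(".", 257, 3, 8, "AQIDBA=="))
```

Run the same comparison against the DS digest published for the real root key before trusting any pasted `trusted-keys` entry; a mismatch in tag or digest means the line is wrong or tampered.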