How to Setup DNSSEC

Tony Finch dot at dotat.at
Wed Oct 17 18:31:45 UTC 2012


babu dheen <babudheen at yahoo.co.in> wrote:
>
> All users in our company use internal DNS servers for name resolution.
> All internal DNS servers are pointed to our gateway recursive BIND name
> server which is responsible for getting DNS queries from authoritative
> internet DNS servers.
>
> Now we would like to configure DNSSEC on my gateway DNS and internal DNS server.

For recursive DNSSEC, I recommend BIND 9.8 or newer, since then you don't
have to mess around with getting the root trust anchor.

Once you have a recent version of the software, check your network isn't
broken using a DNS reply size tester such as
https://www.dns-oarc.net/oarc/services/replysizetest/

If large UDP packets and TCP/53 get through OK, then you can go ahead and
add the following to the options section of your nameserver configuration:

  dnssec-validation auto;
  dnssec-lookaside auto;

And that's it.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
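
An added example, not part of the message above: once `dnssec-validation auto;` is in place, one way to confirm the gateway resolver is validating is to send queries with the EDNS0 DO bit set and inspect the reply header. The resolver address 127.0.0.1 and the test names isc.org (signed) and dnssec-failed.org (deliberately broken signatures) are assumptions; substitute your own.

```python
import socket
import struct

RCODE_SERVFAIL = 2

def build_query(name, qtype=1, qid=0x1234, bufsize=4096):
    """DNS query with RD set plus an EDNS0 OPT record carrying the DO bit."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD, 1 question, 1 additional
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split(".")) + b"\x00"
    # OPT RR: root owner, type 41, class = UDP payload size, TTL flags DO=0x8000, no rdata
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, 0x00008000, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def parse_flags(msg):
    """Extract the header fields that show what the resolver did."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    qid, flags = struct.unpack("!HH", msg[:4])
    return {"id": qid, "rcode": flags & 0x000F,
            "ad": bool(flags & 0x0020), "tc": bool(flags & 0x0200)}

def assess(signed_reply, bogus_reply):
    """Validation works if a signed name gets AD and a bogus one gets SERVFAIL."""
    signed, bogus = parse_flags(signed_reply), parse_flags(bogus_reply)
    if signed["rcode"] != 0:
        return "signed name failed to resolve (check large UDP and TCP/53)"
    if not signed["ad"]:
        return "not validating: AD flag missing on signed name"
    if bogus["rcode"] != RCODE_SERVFAIL:
        return "not validating: bogus name was answered"
    return "validating"

def ask(resolver, name, timeout=3.0):
    """Send the query over UDP and retry over TCP/53 if the reply is truncated."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver, 53))
        reply = s.recvfrom(65535)[0]
    if parse_flags(reply)["tc"]:
        with socket.create_connection((resolver, 53), timeout=timeout) as t:
            t.sendall(struct.pack("!H", len(query)) + query)
            f = t.makefile("rb")
            reply = f.read(struct.unpack("!H", f.read(2))[0])
    return reply

if __name__ == "__main__":
    # Assumed resolver address and test names; substitute your own.
    print(assess(ask("127.0.0.1", "isc.org"), ask("127.0.0.1", "dnssec-failed.org")))
```

A timeout from `ask` on the signed name, rather than a verdict, points back at the reply-size check: large UDP replies or TCP/53 are being dropped somewhere on the path.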


