DNSSEC and secondary DNS servers

@lbutlr kremels at kreme.com
Wed Sep 12 07:34:35 UTC 2018

On 9 Sep 2018, at 14:58, Mark Elkins <mje at posix.co.za> wrote:
> Umm... this initially looks great but something is seriously strange. The first numerical value after DS should be the Key ID (or Key Tag). I really doubt that you would (randomly) create two different DNSKEY records with sequential Key-ID's (Tags) starting from "1"... its usually a relatively random value between 1 and 2^16

Yes, that was a mistake in the configuration.

> Also as an aside - many people are no longer putting the SHA-1 Digest type DS record in their parent, just the longer (more secure?) SHA-256 (Digest Type 2) record.

Thanks, I keep that in mind.

> As the root uses Algorithm 8 - many people also use algorithm 8 - you are using algorithm 7. Algorithm roll-overs are a pain so if you can - move straight to 8.

And that.

> I also can not detect a DNSKEY in your zone?
> dig covisp.net dnskey +cd
> ...gives your SOA.
> Without the "+cd" (ignore any DNSSEC validation) - I get a SERVFAIL.

Yes, I was in the midst of futzing with things at the time.

> Adding DS records into your parent should be the last part of the process in securing your Zone with DNSSEC.

I've pulled the DNSSEC entirely for right now as there is still some research I need to do (things like renewal, automating the process for other domains, etc).

"I've had a perfectly wonderful evening. But this wasn't it." - Groucho

More information about the bind-users mailing list