DNSSEC validation via DLV

Mal malz at jetlan.com
Thu Jul 18 12:22:20 UTC 2019


Not a difficult process really..

-Configure a DNSSEC enabled name server
-Create a some zone keys (dnssec-keygen)
-Sign your zone (dnssec-signzone)
-Update your nameserver configuration to point to the signed zone file
-Export your DS records (dsset) to the domain registration company (EPP).

Confirm the chain..   http://dnsviz.net/d/apnic.com.au/dnssec/

Mal



On 18/07/2019 4:46 pm, Mark Elkins wrote:
> I  can't comment on com.au (but looking up the Nameservers, I see the AD
> bit set - so DNSSEC appears to be in use..
> 
> However, co.za (and net.oza, org.za & web.za) which are managed by the
> ZACR (and DNS) - they are all signed and I personally have domains under
> these second levels - all running DNSSEC. The DS records are added to
> the parents using EPP - and it works perfectly. I used to present free
> (to the community) DNS classes to the community (the ZACR paid me) and
> this (DNSSEC) was taught to attendees. Unfortunately, no more classes
> for now.
> 
> DNSSEC in CO.ZA became live at about the time DLV stopped running. The
> other SLD's had already been running for about a year.
> 
> For the record, EDU.ZA is also signed and can accept DS records - albeit
> via a Web interface.
> 
> @peek - you are most welcome to chat to me.
> 
> 
> On 2019/07/18 04:34, peek at vspace.co.za wrote:
> 
>> With DLV (DNSSEC Lookaside Validation) having been decommissioned,
>> though zones still exists that does not provide a fully signed path
>> from root to zone, i.e. .com.au , co.za etc, how would an
>> administrator enable / implement DNSSEC validation for these zones ?
>>
>>
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>> unsubscribe from this list
>>
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
> 
> 
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
> 


More information about the bind-users mailing list