DNSSEC basic information
Mark Elkins
mje at posix.co.za
Tue Sep 24 09:23:44 UTC 2019
On 2019/09/23 23:00, John W. Blue wrote:
>
> Jukka,
>
> Some odds n ends in no particular order:
>
> 1. DNSSEC was designed for external zones
>
>
1) I'd also suggest using Algorithm 13 - Elliptic Curve - for any new
key creations....
    dnssec-keygen -a ECDSAP256SHA256 ( -f KSK) Zone.being.signed
This way - DNSKEYs are shorter (query responses are shorter, save data)
so in a DNS Amplification attack - you are less likely to be the source
of the amplification.
In your DNSSEC Authoritative Nameserver, add into your BIND config
(named.conf) :-
    options {
        directory "/var/named";
        ...
        rate-limit { responses-per-second 10; };
    };
The "rate-limit" should also help dissuade people from using you as a
source of amplification.
(@BIND) This perhaps should be the default behaviour for an
authoritative only config.
2) When a Zone is signed, you will be given some DS Records - which need
to be passed on for inclusion into the Parent Zone. Currently, BIND
creates two DS keys.
You'll find them inside "dsset-Zone.being.signed". Use just the "13 2"
version - SHA256.... (this needs to become the minimum default
behaviour by DNSSEC operators)
SHA384 Digests may break DNSSEC in some resolvers (unbound) - so perhaps
avoid for now. Not everyone has upgraded.
3) Adding "CDS" (Child versions of the DS record) into your zone is also
a useful thing to do (I *think* BIND may do this automagically?)
4) Keeping DNSSEC aware resolvers and DNSSEC authoritative Nameservers
separate is best practice - follow that. Configs will then be simpler.
--
Mark James ELKINS - Posix Systems - (South) Africa
mje at posix.co.za Tel: +27.128070590 Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
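As an added illustration of point 2 above (not code from the post, BIND, or ISC): the "13 2" line in dsset-Zone.being.signed is simply the SHA-256 digest of the canonical owner name followed by the DNSKEY RDATA, as RFC 4034 section 5.1.4 defines it. The script below reproduces that computation and the RFC 4034 Appendix B key tag, so an operator can check the DS line before handing it to the parent, and filters a dsset file down to the digest-type-2 entries the post recommends. The zone name, the 64-byte all-zero "public key" and the dsset text are constructed placeholders, not a real key.

```python
import hashlib
import struct

# Added example, not BIND's or ISC's code. Builds DS records from a DNSKEY the
# way RFC 4034 section 5.1.4 specifies and picks the SHA-256 ("13 2") lines out
# of a dsset file. Zone name and key bytes below are constructed placeholders.

# DS digest types: 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605).
DIGEST_ALGS = {2: hashlib.sha256, 4: hashlib.sha384}


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, raw key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, flags: int, protocol: int, algorithm: int,
              pubkey: bytes, digest_type: int) -> str:
    """Presentation-format DS RDATA: '<keytag> <alg> <digesttype> <hex digest>'."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DIGEST_ALGS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {algorithm} {digest_type} {digest}"


def select_sha256_ds(dsset_text: str) -> list:
    """Keep only digest-type-2 (SHA-256) lines from a dsset-<zone> file.
    Each line has the shape: <owner> IN DS <keytag> <alg> <digesttype> <digest>."""
    kept = []
    for line in dsset_text.splitlines():
        fields = line.split()
        if len(fields) >= 7 and fields[2] == "DS" and fields[5] == "2":
            kept.append(line.strip())
    return kept


# Constructed sample: a KSK (flags 257 = ZONE + SEP) for algorithm 13 with a
# dummy 64-byte key. A real ECDSAP256SHA256 key is also 64 bytes, but not zeros.
SAMPLE_ZONE = "Zone.being.signed."
SAMPLE_KEY = bytes(64)

# Constructed dsset file with both digest types, as BIND currently emits.
SAMPLE_DSSET = "\n".join(
    f"{SAMPLE_ZONE.lower()}\tIN DS {ds_record(SAMPLE_ZONE, 257, 3, 13, SAMPLE_KEY, dt)}"
    for dt in (2, 4)
)


def demo() -> dict:
    """Return the computed key tag, both DS lines, and the SHA-256-only selection."""
    rdata = dnskey_rdata(257, 3, 13, SAMPLE_KEY)
    return {
        "key_tag": key_tag(rdata),
        "ds_sha256": ds_record(SAMPLE_ZONE, 257, 3, 13, SAMPLE_KEY, 2),
        "ds_sha384": ds_record(SAMPLE_ZONE, 257, 3, 13, SAMPLE_KEY, 4),
        "to_parent": select_sha256_ds(SAMPLE_DSSET),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

To check a real zone, replace SAMPLE_KEY with the base64-decoded public key field of the DNSKEY record (flags 257 for the KSK) and compare the output against the "13 2" line in the dsset file; the key tag must match the one in the DS line, and only that line needs to go to the parent.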