DNSSEC - many doubts
David Alexandre M. de Carvalho
david at di.ubi.pt
Thu Apr 2 15:13:44 UTC 2020
Hello, good afternoon.
My first post in this list :)
I'm running BIND Chroot for many years (currently version 9.8.2) on some old hardware running Oracle Linux 6.
I believe it was last year when I was reading about implementing DNSSEC, and I think I've even tried to generate a
keypair in the slowest server, which after more than a day, wasn't ready yet. Maybe I was doing something wrong, I
honestly don't know. So now I had some time and reading about this again.
If I query either of my servers about my domain:
dig @dns di.ubi.pt DNSKEY
I do get the DNSKEY, but I have no records when querying about +dnssec. My topdomain (ubi.pt) doesn't have DNSSEC yet
either.
my named.conf already has the following:
dnssec-enable yes;
dnssec-validation auto;
dnssec-lookaside auto;
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
Outside the configuration file I also have a /etc/named.root.key
My questions:
1) Will my old servers (1GB RAM) become much slower with DNSSEC? Is it worth it?
2) I have one global "hosts" file and 3 reverse zone files, each for the respective IP network. Can I use the same
Keypair in all of them?
3) Are the files /etc/named.root.key file and /etc/named.iscdlv.key already being used? I compared them to the result
of the DNSKEY dig query but they are different.
Thank you so much for your time!
Best regards
Os melhores cumprimentos
David Alexandre M. de Carvalho
---------------------------------------
Especialista de Informática
Departamento de Informática
Universidade da Beira Interior
More information about the bind-users
mailing list