DNSSEC implementation on IPv6 PTR Zones

Divya divya.p at nic.in
Mon Nov 22 10:52:26 UTC 2021


Not able to sign the zone for 2409::/28 

dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.0.4.2.ip6.arpa. -t Zone 
Pls help.. 

With Regards 


From: "Divya" <divya.p at nic.in> 
To: mje at posix.co.za 
Cc: bind-users at lists.isc.org 
Sent: Monday, November 22, 2021 3:49:30 PM 
Subject: Re: DNSSEC implementation on IPv6 PTR Zones 

How to create DS for 2409::/28 .... 

With Regards 
Divya Parashar 


From: mje at posix.co.za 
To: bind-users at lists.isc.org 
Cc: "Divya" <divya.p at nic.in> 
Sent: Thursday, November 18, 2021 3:44:56 PM 
Subject: Re: DNSSEC implementation on IPv6 PTR Zones 



And I can testify that this works. I have 2001:42a0::/32 signed via AFRINIC. 

One suggestion though. When one signs an IPv4 reverse - use NSEC - as everyone can guess what is there anyway. 
With IPv6 - you might want to use NSEC3 - as there can be huge holes in the reverse zone. Make the bad guy work at guessing what is in the zone. 
Also - if signing a brand new zone - try using Algo 13 (Elliptical curve) as it will generate shorter keys - so less chance of your zone being used in a DNS DDOS amplification attack - it doesn't amplify as much. 


On 11/18/21 12:07 PM, Mark Andrews wrote: 




You do it exactly the same as any other zone. You create DNSKEYs. You sign the zone. You add DS records to the parent zone. 

-- 
Mark Andrews 


On 18 Nov 2021, at 20:28, Divya <divya.p at nic.in> wrote:

Dear Admin, 

Has anybody implemented DNSSEC on IPv6 reverse zones? 
Kindly help us to configure DNSSEC on reverse zones of IPv6 segment with BIND 9.17.16+CentOS 7.9. 

With Thanks & Regards 
Divya 





_______________________________________________ 
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list 

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. 


bind-users mailing list 
bind-users at lists.isc.org 
https://lists.isc.org/mailman/listinfo/bind-users 

-- 


Mark James ELKINS - Posix Systems - (South) Africa 
mje at posix.co.za Tel: +27.826010496 
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za/ 
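
Added example (not part of the original thread and not BIND code): a reverse zone under ip6.arpa is named with one label per 4-bit nibble of the prefix, in reverse order, so a /28 such as 2409::/28 maps to a 7-label origin. The Python sketch below derives that origin and checks a candidate value for dnssec-signzone -o against it; the function names are illustrative assumptions, and the handling of prefixes that do not end on a nibble boundary goes beyond the case asked about in the thread.

```python
import ipaddress


def ip6_arpa_zones(prefix):
    """Return the ip6.arpa zone origin(s) that exactly cover an IPv6 prefix.

    A prefix ending on a nibble boundary (length divisible by 4) maps to one
    zone. Any other length maps to 2**(4 - remainder) sibling zones, one per
    possible value of the partially fixed nibble.
    """
    net = ipaddress.IPv6Network(prefix, strict=True)  # rejects host bits set
    nibbles = net.network_address.exploded.replace(":", "")  # 32 hex digits
    full, rem_bits = divmod(net.prefixlen, 4)
    fixed = list(nibbles[:full])
    if rem_bits == 0:
        groups = [fixed]
    else:
        base = int(nibbles[full], 16)
        groups = [fixed + [format(base + i, "x")]
                  for i in range(1 << (4 - rem_bits))]
    # Reverse the nibble order and append the ip6.arpa suffix with a root dot.
    return [".".join(list(reversed(g)) + ["ip6", "arpa", ""]) for g in groups]


def origin_matches(prefix, origin):
    """True if `origin` (as given to dnssec-signzone -o) names the prefix's zone."""
    candidate = origin.lower().rstrip(".") + "."
    return candidate in ip6_arpa_zones(prefix)


if __name__ == "__main__":
    # Prefixes from the thread, plus a constructed non-nibble-aligned one.
    for p in ("2409::/28", "2001:42a0::/32", "2001:db8::/30"):
        print(p, "->", ip6_arpa_zones(p))
```

The DS records submitted to the parent (the RIR for a directly allocated prefix) have to carry this same owner name.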



