Sunday, May 5, 2024
5
rated 0 times [  5] [ 0]  / answers: 1 / hits: 3585  / 3 Years ago, fri, may 7, 2021, 11:19:17

Since the root of the DNS tree has been signed, how do I change my caching DNS server to start validating DNSSEC signatures?



 Answers
4

Install and set up your nameserver (bind9 package) normally, and then just add the following stanza to /etc/bind/named.conf.options:



managed-keys {
    "." initial-key 257 3 8
        "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
         FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
         bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
         X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
         W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
         Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
         QxA+Uk1ihz0=";
};


Then restart the service (sudo service bind9 restart).



To make sure it is working, try to resolve "www.dnssec-failed.org"; it should fail:



$ host www.dnssec-failed.org
Host www.dnssec-failed.org not found: 3(NXDOMAIN)


If it gives an IP address, then DNSSEC validation is not working.


[#44375] Saturday, May 8, 2021, 3 Years  [reply] [flag answer]
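An added example, not part of the answer above: a stricter form of the same check, which reads the RCODE and the "ad" (authenticated data) flag from dig output instead of relying on host's one-line message. It assumes dig is installed, that a validating resolver answers deliberately broken data with SERVFAIL, and that the signed root SOA is a suitable positive control; the function names and the --live switch are this example's own, and the embedded dig headers are constructed samples.

```shell
#!/bin/sh
# Added example: classify a resolver's DNSSEC behaviour from two dig outputs.
# SIGNED_OK / BOGUS / NO_VALIDATION below are constructed samples, not captures.

# Print the RCODE from dig's ";; ->>HEADER<<-" line.
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Succeed if the "ad" (authenticated data) flag is set in dig's flags line.
dig_has_ad() {
    printf '%s\n' "$1" | grep -Eq '^;; flags:[^;]* ad[ ;]'
}

# $1 = dig output for a correctly signed name, $2 = for www.dnssec-failed.org
verdict() {
    bad=$(dig_status "$2")
    if [ "$bad" = "NOERROR" ]; then
        echo "not-validating"      # broken data was handed to the client
    elif [ "$bad" = "SERVFAIL" ] && [ "$(dig_status "$1")" = "NOERROR" ] \
         && dig_has_ad "$1"; then
        echo "validating"          # signed data authenticated, broken data refused
    else
        echo "inconclusive"        # e.g. resolver down or no upstream connectivity
    fi
}

SIGNED_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
NO_VALIDATION=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

if [ "${1:-}" = "--live" ]; then
    # Query the resolver under test (default: the local caching server).
    server=${2:-127.0.0.1}
    verdict "$(dig +dnssec . SOA "@$server")" \
            "$(dig +dnssec www.dnssec-failed.org A "@$server")"
else
    verdict "$SIGNED_OK" "$BOGUS"              # prints: validating
    verdict "$NO_VALIDATION" "$NO_VALIDATION"  # prints: not-validating
fi
```

Run it with `--live` (optionally followed by the resolver's address) to test a real server; without arguments it only classifies the constructed samples.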
rinstracte
