Questions tagged [dnssec]

Domain Name System Security Extension is a specification for securing certain kinds of information provided by Domain Name System.

Its purpose is to allow DNS resolvers (clients) to establish origin and authenticity of DNS records. It works by digitally signing these records using public-key cryptography.

Currently it is described in IETF RFC 2535.

216 questions
6 votes, 1 answer

DNSSEC NSEC3 opt-out

Can someone please explain, in simple language, the meaning of the opt-out flag in the NSEC3 RR? I did read RFC 5155 and understand nothing.
Sandman4
4 votes, 2 answers

DNSSEC - How does it protect from an MITM attack?

I have been reading for several hours about DNSSEC and I'm still failing to understand how it protects from MITM attacks. I have also read every question here on serverfault related to DNSSEC. Please have a look at this DNSSEC packet capture:…
pHeoz
2 votes, 1 answer

DNSSEC NSEC3 salt length

Is there any recommendation for salt length in the NSEC3 records? Does a longer salt mean better security, and does a longer salt affect performance of (authoritative) servers? DNSSEC operational practices don't mention salt length. While looking at…
Sandman4
2 votes, 1 answer

DNSSEC: do you need to renew anything?

I have followed this tutorial to configure DNSSEC: https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server-2 If you don't modify your zone, do you ever need to redo anything, like in case of…
nft
1 vote, 1 answer

NSEC3 resource records with RSASHA256 or only NSEC3*?

Is it possible to use NSEC3 resource records with RSASHA256 keys or does NSEC3 require using NSEC3RSASHA1 or NSEC3DSA keys?
user178826
1 vote, 2 answers

How Do I Fix My DNSSEC? I never got DNSSEC working and have probably worsened the problems

My attempt at DNSSEC has not been successful. To help understand DNSSEC I have read many online articles, man pages for rndc and dnssec-*, and viewed dnsviz.net and dnssec-analyzer.verisignlabs.com/. Most of the information explains DNSSEC in great detail…
Anthon
1 vote, 0 answers

Do clients need to validate DNSSEC signatures?

I'm tasked to configure our domain to use DNSSEC. We currently use AWS Route 53 as both our registrar and DNS hosting provider. According to the AWS documentation, Route 53 supports DNSSEC at both of these services. As far as I understand, the whole…
Juan Vega
1 vote, 1 answer

DNSSEC - Google Cloud and Cloudflare - Which DS Record do I give to the Registrar?

I have managed to really confuse myself here with enabling DNSSEC for the first time ever. I am using Google Cloud compute engine running a WordPress website for hosting. My domain registrar has its name servers set to Cloudflare which then routes…
0 votes, 1 answer

DNSSEC resolution when NS records are not accompanied by A records

Been trying to find the right place to ask this. Hopefully this is the place! There are a few subtleties behind DNS and DNSSEC in particular that I am trying to understand. DNSSEC uses a chain of trust to go from the trusted root DNS servers down to…
user308485
0 votes, 1 answer

Could a DNSSEC at level n manipulate a zone at level n+2?

With some people wondering how DNSSEC could affect global censorship, I'd like to know if DNSSEC could protect a zone from being partially modified by a grandparent zone. (The point of this question is not to suggest that ICANN or its members are…
jroith
0 votes, 1 answer

DNSSEC - Recommended parameters

Does anybody know which could be the recommended values for RRSIG validity period and resign interval? Regards
Arancha
0 votes, 0 answers

Which DS record will a validator choose when there are multiple valid DS records?

If there are multiple DS records, each using a different but RFC-compliant algorithm and digest type, is there any way to predict how real-world validators will select one? I've tried, for example, to review what the default behavior of BIND…
Paul
0 votes, 0 answers

My co.za domain name won't propagate

I bought a co.za domain name at Godaddy and changed the A record to point to Justhost. However the domain will not propagate. I checked https://dnschecker.org. It's been over 72 hours and nothing. What must I do? Neither…
0 votes, 1 answer

DNSSEC can easily be spoofed?

I want to know the purpose of DNSSEC, what problem does it really try to solve? I think DNSSEC can easily be spoofed by inserting a non-DNSSEC DNS server into the network that serves a non-DNSSEC copy of the zone. But maybe that is not the problem…
anneb
-2 votes, 1 answer

Migrated from Google Domains to Cloudflare with DNSSEC turned on, how can I fix this?

While changing configuration to address the deprecation of Dynamic DNS in Google Domains' October 2023 announcement, I changed the nameservers in Google Domains for my .org and .com domains to point to my new Cloudflare account. Then, I unlocked and…