DNSSEC Howto Documentation

Hi,

Now that the root zone is signed, is there any configuration info for DNSSEC?

I'm not overly familiar with the subject nor its pros nor cons.

https://www.virtualmin.com/node/9058

Thanks much,

G

Status: Active

Comments

I don't have a specific documentation page on this, but you can enable DNSSEC verification at Webmin -> Servers -> BIND DNS Server -> DNSSEC Verification.

If you want to sign zones with DNSSEC, you can enable this in Virtualmin at System Settings -> Server Templates -> Default Settings -> BIND DNS Domain -> Create DNSSEC key and sign new domains?.

Hi,

I had trouble (don't remember what) with this feature when it was new, so I turned both signing and verification back off figuring I'd wait until the dust settled before I revisited the issue.

Is there any new documentation?

At this point, is it safe to enable verification and/or signing?

Does the lack of hits to a search here for 'dnssec' indicate no one is having problems? Or that no one is using this feature?

I'm 'chicken' to play with my perfectly functioning DNS... ;-)

Thanks for any comments by anyone.

G

The DNSSEC feature should be pretty simple to use - all you need to do is enable it for a domain, and signing will happen automatically. If this isn't working for some reason, please let us know what goes wrong in detail ..

Hi Jamie,

Thanks for the reply.

Unfortunately, this didn't get me very far.

Some, even rudimentary, documentation on this feature is really needed:

1) How to turn on verification?

2) How to test verification?

3) How to test DLV?

4) How to configure a domain for signing?

5) How to configure new domains for signing as they are created?

6) How to propagate to slave DNS server (Virtualmin GPL)?

After attempting to enable DNSSEC for my personal domain (gcooper.org), I tried testing with a few web-based services. All showed some errors or warnings.

Some of the warnings will be difficult to do anything about, such as reverse lookups of the nameserver IPs not matching the A records.

One problem noted was that the secondary (slave) nameserver did not reply with RRSIG records:

RRSIG gcooper.org/A by gcooper.org/DNSKEY alg 5, key 58092: This RRSIG is not returned by server(s) 109.169.59.200.
RRSIG gcooper.org/DNSKEY by gcooper.org/DNSKEY alg 5, key 15343: This RRSIG is not returned by server(s) 109.169.59.200.
RRSIG gcooper.org/DNSKEY by gcooper.org/DNSKEY alg 5, key 58092: This RRSIG is not returned by server(s) 109.169.59.200.
RRSIG gcooper.org/MX by gcooper.org/DNSKEY alg 5, key 58092: This RRSIG is not returned by server(s) 109.169.59.200.
RRSIG gcooper.org/SOA by gcooper.org/DNSKEY alg 5, key 58092: This RRSIG is not returned by server(s) 109.169.59.200.

I attempted to enable verification, but it doesn't seem to be working as tested like this:

dig +dnssec +multiline -t ns gov. @localhost

The output does not contain the 'ad' flag indicating authenticated data.

I wished to enable signing of a domain for testing, but it is not obvious how to do this...probably because I don't know what I'm doing. Virtualmin appears not to have any tools for doing this.

Webmin has "Setup DNSSEC Key" for the domain (zone), which I did using default options, however testing with this command:

dig +dnssec +multiline -t ns gcooper.org. @localhost

did not display the 'ad' flag. This test did reveal the RRSIG record with signing key though.

Etc.

Can we get some sort of guidance on this issue from you folks?

Thanks in advance,

G
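The two checks described in the post above (does the answer carry the 'ad' flag, and does each nameserver return RRSIG records for the answer) can be automated over saved dig output. This is an added example, not part of the original thread; the sample responses, zone name and key tag are constructed, and `dig +dnssec` output would be captured from each server and passed to `check_response`.

```python
"""Parse `dig +dnssec` output for the 'ad' flag and for RRSIG coverage."""
import re

# Constructed (abbreviated) output of `dig +dnssec +multiline -t ns example.org. @resolver`
# as a validating resolver would return it: 'ad' set, NS RRset covered by an RRSIG.
SAMPLE_VALIDATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.org.\t3600 IN NS ns1.example.org.
example.org.\t3600 IN NS ns2.example.org.
example.org.\t3600 IN RRSIG NS 5 2 3600 (
\t\t20240101000000 20231201000000 58092 example.org.
\t\tAAAA== )
"""

# Constructed output from a secondary that serves the zone but returns no RRSIGs,
# the symptom reported in the thread (authoritative answer: 'aa' set, no 'ad').
SAMPLE_SECONDARY_UNSIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12346
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.org.\t3600 IN NS ns1.example.org.
example.org.\t3600 IN NS ns2.example.org.
"""


def parse_dig(text):
    """Return (set of header flags, set of RR types covered by an RRSIG)."""
    m = re.search(r"^;; flags: ([a-z ]*);", text, re.M)
    flags = set(m.group(1).split()) if m else set()
    # The type covered by an RRSIG is the first field after 'RRSIG'.
    signed = set(re.findall(r"\sIN\s+RRSIG\s+(\S+)\s", text))
    return flags, signed


def check_response(text, answer_types=("NS",)):
    """Report whether the data was validated and which answer types lack RRSIGs."""
    flags, signed = parse_dig(text)
    return {
        "authenticated": "ad" in flags,
        "missing_rrsig": sorted(t for t in answer_types if t not in signed),
    }
```

Note that an authoritative server answering for its own zone sets 'aa', never 'ad'; 'ad' is only set by a validating resolver, so querying the zone's own server (as in the second dig on the page) tests signing, while verification has to be tested against the resolver that does the validating.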

Hello,

I have searched for more info on this as well. I have issues with certain ISPs rejecting mail and other issues due to the current DNSSEC settings. This is what they are telling me is the issue..

DNSSEC is apparently turned on in BIND but has default settings... http://dnsviz.net has a nice DNSSEC tool which shows all my domains as insecure still...

Please advise how to set this up properly in virtualmin. Thank you!

Scott