Questions tagged [dnssec]
13 questions
8 votes, 4 answers
Chicken and egg problem with NTP and Bind
This is a report of a problem I solved, but I feel the solution could be useful to others.
The problem appeared on a Raspbian 9.13. For some - probably hardware - reasons still to be discovered, my Raspberry pi-based router crashed and could not restart.…
David Verdin
6 votes, 1 answer
can't generate key via dnssec-keygen
$ dnssec-keygen -a HMAC-MD5 -b 512 -n HOST {host}
The above results in a blank line and endless waiting.
$ dnssec-keygen -T DNSKEY -a HMAC-MD5 -b 512 -n HOST {host}
the same
entropy:
$ cat /proc/sys/kernel/random/entropy_avail
890
ps. I was…
ceph3us
4 votes, 1 answer
What does the Bind bindkeys-file directive do?
Just trying to understand the bindkeys-file directive related to the DNSSEC extension in the Bind configuration. Is that a public key? Does it sign the response in the same way as digital signatures?
Ask and Learn
3 votes, 2 answers
Problem migrating named/bind config to dnssec-policy
I have a working DNSSEC name server. It runs on the BIND 9.18 on recent Fedora. I have two keys (KSK, ZSK), my parent (DNS-wise) got a valid DS record and everything is fine. Really. The DNSSEC analyzers are happy with the setup too.
But then came…
VPfB
3 votes, 1 answer
DNSSEC: how are DS records supposed to be transferred and end up in parent zone?
My notes say that the hash is supposed to be securely sent and stored in the parent zone, so what do I do after:
dnssec-keygen -a RSASHA256 -b 1024 -n ZONE mydomain.net
dnssec-keygen -a RSASHA256 -b 2048 -n ZONE -f KSK mydomain.net
dnssec-signzone -g -o…
James Sterling
3 votes, 2 answers
How to locally validate DNSSEC?
I want to simulate the process of chain of trust validation locally. I do the following:
1) signed my zone.
2) Unbound installed, but I cannot configure it for DNSSEC validation. Could you help?
How can I set Unbound to see and validate my…
Eng .. Abdalmonem
2 votes, 1 answer
dnscrypt-proxy - not getting dnssec results
I have installed dnscrypt-proxy and am using a DNSSEC-enabled provider; however, when testing my configuration, I'm not getting back DNSSEC information:
dig @127.0.0.1 -p 5300 weather.com +dnssec +multi
; <<>> DiG 9.11.0-P3 <<>> @127.0.0.1 -p…
Walter
2 votes, 1 answer
Is it possible to mix zones with DNSSEC enabled and disabled in BIND?
I have a dozen domains configured in a set of zones in BIND and I need to add a new one with DNSSEC enabled. If I enable DNSSEC:
options {
dnssec-enable yes;
dnssec-validation yes;
};
Will it break the other domains? It looks like it won't,…
Adriano P
1 vote, 1 answer
What does a resolver do if DNSSEC is properly configured on a server that isn't reporting to be authoritative
Does DNSSEC require that my NS1 and NS2 stored at the registrar be authoritative, or just that they answer for the domain? Can non-authoritative DNS servers answer the query?
Does anything specify what happens at that point in time?
From the…
Evan Carroll
1 vote, 0 answers
How do I troubleshoot DDNS forwarding problem?
Running BIND 9.10.3-P4-RedHat-9.10.3-12.P4.fc23 and DHCP Server 4.3.3-P1. DNS zones report no errors and appear to work (dig, nslookup, nsupdate, dnssec, rpz, etc.). DHCP starts up without complaint and assigns IPs, but the log file shows messages similar to:…
FlashL
0 votes, 0 answers
How to validate server SSH key through DNSSEC?
I want to be able to connect to SSH servers that have their public key fingerprints published in SSHFP DNSSEC records from a Debian 11, without validating the key manually. However, my SSH client keeps telling me:
$ ssh -v -o VerifyHostKeyDNS=yes…
Étienne Miret
0 votes, 1 answer
Bind Sync Unknown Command
Could anybody please enlighten me on the following messages in my logs for Bind:
sync 127.in-addr.arpa(unknown command): 2 Time(s)
sync domain.com(unknown command): 2 Time(s)
It's neither an error nor a warning. It's all up and running OK and I…
Dennis
-1 votes, 1 answer
shell script if output equal any ip address
If the $IP output is equal to any IP address, it must print 1; otherwise it must print 0.
#!/bin/sh
IP=$(/usr/local/bin/dig ns.ripe.net. a +short)
if [ $IP = "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" ]; then
echo 1
elif [ $IP != $ANY_IP ]; then
echo…
David