Difference between revisions of "Linux: Domain Name System Security Extensions (DNSSEC)"
Lukas Dzunko (talk | contribs) (Created page with ".") |
Lukas Dzunko (talk | contribs) |
||
| Line 1: | Line 1: | ||
| − | . | + | DNSSEC is extension to DNS protocol to securely retrieve information from the domain name system. This extension validate response from DNS server and provide higher level of security. I'll focus here only on configuration (resolver) and testing. If you are interested and would like to get more details then try this Debian article [https://wiki.debian.org/DNSSEC DNSSEC]. |
| + | |||
| + | == Resolver == | ||
| + | I am using BIND v9 as resolver because most of the time DNS provided by ISP is not configured well or it is injecting additional records (custom error pages with advertisements). | ||
| + | === Installation === | ||
| + | Use your package manager provided with Linux distribution and install "bind" package. | ||
| + | |||
| + | * Gentoo: | ||
| + | <pre> | ||
| + | emerge net-dns/bind net-dns/bind-tools | ||
| + | </pre> | ||
| + | |||
| + | * Ubuntu: | ||
| + | <pre> | ||
| + | apt-get install bind9 bind9utils | ||
| + | </pre> | ||
| + | === Configuration === | ||
| + | Configuration is simple. In <code>/etc/bind/named.conf</code> set following in <code>options</code> section: | ||
| + | <pre> | ||
| + | dnssec-enable yes; | ||
| + | dnssec-validation auto; | ||
| + | dnssec-lookaside auto; | ||
| + | </pre> | ||
| + | If you would like to use custom location for keys then set also <code>bindkeys-file</code>. By default BIND listen on loop-back only. If necessary then modify also <code>listen-on</code> or <code>listen-on-v6</code> directive. | ||
| + | === Set system resolver to use BIND === | ||
| + | Edit <code>/etc/resolv.conf</code> and set b | ||
| + | <pre> | ||
| + | nameserver 127.0.0.1 | ||
| + | </pre> | ||
| + | |||
| + | |||
| + | test.dnssec-or-not.net TXT | ||
| + | |||
| + | |||
| + | http://dnssectest.sidn.nl/test.php | ||
| + | |||
| + | http://test.dnssec-or-not.org/ | ||
Revision as of 14:21, 8 November 2013
DNSSEC is extension to DNS protocol to securely retrieve information from the domain name system. This extension validate response from DNS server and provide higher level of security. I'll focus here only on configuration (resolver) and testing. If you are interested and would like to get more details then try this Debian article DNSSEC.
Resolver
I am using BIND v9 as resolver because most of the time DNS provided by ISP is not configured well or it is injecting additional records (custom error pages with advertisements).
Installation
Use your package manager provided with Linux distribution and install "bind" package.
- Gentoo:
emerge net-dns/bind net-dns/bind-tools
- Ubuntu:
apt-get install bind9 bind9utils
Configuration
Configuration is simple. In /etc/bind/named.conf set following in options section:
dnssec-enable yes; dnssec-validation auto; dnssec-lookaside auto;
If you would like to use custom location for keys then set also bindkeys-file. By default BIND listen on loop-back only. If necessary then modify also listen-on or listen-on-v6 directive.
Set system resolver to use BIND
Edit /etc/resolv.conf and set b
nameserver 127.0.0.1
test.dnssec-or-not.net TXT
