Difference between revisions of "Linux: Domain Name System Security Extensions (DNSSEC)"
Latest revision as of 16:21, 29 November 2013
DNSSEC is an extension to the DNS protocol for securely retrieving information from the domain name system. The extension validates responses from DNS servers and provides a higher level of security. I'll focus here only on configuration (resolver) and testing. If you are interested and would like more details, try this Debian article: DNSSEC.
Resolver
I am using BIND v9 as resolver because most of the time the DNS provided by the ISP is not configured well, or it is injecting additional records (custom error pages with advertisements).
Installation
Use the package manager provided with your Linux distribution and install the "bind" package.
- Gentoo:
emerge net-dns/bind net-dns/bind-tools
- Ubuntu:
apt-get install bind9 bind9utils
Configuration
Configuration is simple. In /etc/bind/named.conf set the following in the options section:
dnssec-enable yes;
dnssec-validation auto;
dnssec-lookaside auto;
If you would like to use a custom location for keys, then also set managed-keys-directory. By default BIND listens on loop-back only. If necessary, also modify the listen-on or listen-on-v6 directive.
Set system resolver to use BIND
Edit /etc/resolv.conf and set nameserver to the loop-back IP or the IP of the server hosting BIND:
nameserver 127.0.0.1
Note: of course, if you are using more than one DNS server, then each one should support DNSSEC.
Testing
Now it is time to check whether the configuration works:
Test in console
Issue host or dig to get the "test.dnssec-or-not.net" DNS record of type "TXT":
- host:
host -t TXT test.dnssec-or-not.net
- dig:
dig test.dnssec-or-not.net TXT
Note: There are two types of response: Yes, you are using DNSSEC or No, you are not using DNSSEC.
Test via web page
- Test page with tech details: http://dnssectest.sidn.nl/test.php
- Test page with funny stuff: http://test.dnssec-or-not.org/