babu dheen <[email protected]> wrote:
>
> All users in our company are using internal DNS servers for name resolution.
> All internal DNS servers are pointed to our gateway recursive BIND name
> server, which is responsible for getting DNS queries from authoritative
> internet DNS servers.
>
> Now we would like to configure DNSSEC on my gateway DNS and internal DNS
> server.

For recursive DNSSEC, I recommend BIND 9.8 or newer, since then you don't
have to mess around with getting the root trust anchor.

Once you have a recent version of the software, check your network isn't
broken using a DNS reply size tester such as
https://www.dns-oarc.net/oarc/services/replysizetest/

If large UDP packets and TCP/53 get through OK, then you can go ahead and
add the following to the options section of your nameserver configuration:

        dnssec-validation auto;
        dnssec-lookaside auto;

And that's it.

Tony.
-- 
f.anthony.n.finch  <[email protected]>  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
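A way to confirm that the gateway resolver is validating once the options above are in place (an added example, not part of the original message): the function classifies the header of a `dig +dnssec` response by its status and AD flag. The function names, the sample responses (constructed) and the resolver address in the comment are assumptions.

```shell
#!/bin/sh
# Classify one `dig +dnssec` response read from stdin:
#   validated : NOERROR and the resolver set the AD (Authenticated Data) flag
#   insecure  : NOERROR without AD (unsigned zone, or validation is not enabled)
#   servfail  : SERVFAIL; a validating resolver answers this for a zone whose
#               signatures fail to verify. Repeat the query with +cd to tell
#               a validation failure from an ordinary lookup failure.
#   unknown   : any other status, or no header found
classify_dig() {
    awk '
        /->>HEADER<<-/ {
            # header line looks like: ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1"
            if (match($0, /status: [A-Z]+/))
                status = substr($0, RSTART + 8, RLENGTH - 8)
        }
        /^;; flags:/ {
            # keep only the flag words before the first semicolon
            sub(/^;; flags: */, ""); sub(/;.*/, "")
            n = split($0, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ad") ad = 1
        }
        END {
            if (status == "NOERROR" && ad) print "validated"
            else if (status == "NOERROR")  print "insecure"
            else if (status == "SERVFAIL") print "servfail"
            else                           print "unknown"
        }'
}

# Live use against a resolver (hypothetical address), with a zone known to be signed:
#   check_name 192.0.2.53 <signed-zone>
check_name() { dig +dnssec @"$1" "$2" SOA | classify_dig; }

# Constructed sample headers so the classifier can be exercised offline.
SAMPLE_SECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

for s in "$SAMPLE_SECURE" "$SAMPLE_INSECURE" "$SAMPLE_SERVFAIL"; do
    printf '%s\n' "$s" | classify_dig
done
```

If a zone that is known to be signed comes back as `insecure` through the gateway, validation is not active on that resolver.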

