On 10/11/13 7:32 AM, Vishal Gandhi wrote:

> We are planning to sign our local zone (fdu.local). Is it required to sign
> the parent zone (fdu.edu) as well, or can we live with it unsigned?
> What are the pros and cons of signing the parent zone (fdu.edu)?
DNSSEC is based on a chain of trust, where a subdomain is trusted only if the parent domain vouches for it. So "." validates "edu", and so on. It is possible to create an "island of trust" for a local zone. This works OK, but only if there is never a requirement for non-local traffic to verify DNSSEC signatures.

The major advantage of signing the parent zone is that Internet-facing hosts (and those NAT'd or proxied to face the Internet) won't be vulnerable to most of the hijacking and spoofing attacks we have with DNS today. There are also some neat DNSSEC tricks possible, such as distributing SSH keys and even self-signed certs once a chain of trust is established.

The downsides are (1) DNSSEC is still a little involved to configure and manage, and (2) a configuration mistake can make your zone disappear from the global Internet.

On point 1, you'll probably want to upgrade to BIND 9.9 for better automatic key management. You'll also need to verify that your network is DNSSEC-ready, and that your registrar supports loading of DS keys. For the former, there's a good check here: https://www.dns-oarc.net/oarc/services/replysizetest

On point 2, of course it's also possible to screw up a regular DNS configuration. DNSSEC just gives you more opportunities...

If you haven't got it already, I'd strongly recommend "DNSSEC Mastery" by Michael W. Lucas. It's very readable and covers both regular and island-of-trust configuration with BIND 9.9.

dn

> We've found information on signing zones on AD at least. Can someone
> provide us steps to enable and configure DNSSEC for our domains?
>
> Thanks in advance.
>
> Vishal K. Gandhi
> Systems Analyst/E-Mail Specialist
> University Systems and Security
> 1000 River Road, Teaneck NJ 07666
> Mail Stop: T-BH1-01
> phone: 201-692-2414 | fax: 201-692-2494 | email: vgan...@fdu.edu
> "Fairleigh Dickinson University will never
> ask for your password. Please do not
> share it with others!"
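To make the two configurations in dn's reply concrete (the island of trust for fdu.local, and a parent zone whose DS is handed to the registrar), here is an added named.conf example for BIND 9.9. It is not from the original thread or from ISC; the zone names fdu.local and fdu.edu come from the question, while the directory paths, file names, key sizes, the placeholder base64 KSK in trusted-keys and the key-file name in the comments are assumptions chosen for illustration.

```conf
// Added example: BIND 9.9 named.conf fragments for the two cases discussed.
// Paths, file names and the KSK material below are assumed, not real values.

options {
    directory "/var/named";            // assumed
    dnssec-enable yes;
    // Validate answers using the built-in root trust anchor (bind.keys).
    // This is what lets a signed fdu.edu be verified via "." -> "edu" -> "fdu.edu".
    dnssec-validation auto;
};

// Island of trust for fdu.local: nobody vouches for it from above, so every
// validating resolver that must verify fdu.local answers needs the zone's KSK
// configured directly as a trust anchor. A static anchor is NOT rolled
// automatically; re-distribute it to every resolver when you roll the KSK.
trusted-keys {
    "fdu.local." 257 3 8 "AwEAAc...placeholder-KSK-public-key...";   // assumed
};

// Authoritative side, fdu.local. Keys are generated once, e.g.
//   dnssec-keygen -K /var/named/keys -a RSASHA256 -b 2048 -f KSK fdu.local
//   dnssec-keygen -K /var/named/keys -a RSASHA256 -b 1024 fdu.local
// and named then signs and re-signs the zone itself (auto-dnssec maintain);
// inline-signing keeps the unsigned master file untouched and serves a
// signed copy, so the zone can still be edited by hand or by Active Directory
// style dynamic update.
zone "fdu.local" {
    type master;
    file "fdu.local.db";               // assumed
    key-directory "/var/named/keys";   // assumed
    auto-dnssec maintain;
    inline-signing yes;
};

// Authoritative side, fdu.edu. Identical signing setup; the difference is the
// final step, which creates the chain of trust from "edu":
//   dnssec-dsfromkey -2 /var/named/keys/Kfdu.edu.+008+NNNNN.key
// prints the SHA-256 DS record for the KSK, and that DS is what the registrar
// must be able to load into the edu zone. Check it with
//   dig +dnssec DS fdu.edu @a.edu-servers.net   (expect the DS and an RRSIG)
//   dig +dnssec A www.fdu.edu                    (expect the "ad" flag from a
//                                                 validating resolver)
// Point 2 in the reply ("your zone disappears") usually comes from publishing
// a DS for a KSK that is not yet in the zone, or removing a KSK while its DS is
// still at the registrar: then the chain breaks and validating resolvers
// return SERVFAIL for everything under fdu.edu. Never retire a KSK until the
// parent's DS for it is gone and the old DS TTL has expired.
zone "fdu.edu" {
    type master;
    file "fdu.edu.db";                 // assumed
    key-directory "/var/named/keys";   // assumed
    auto-dnssec maintain;
    inline-signing yes;
};
```

After adding the zone stanzas, "rndc reconfig" followed by "rndc loadkeys fdu.edu" (and the same for fdu.local) makes named pick up the keys from key-directory and begin signing; "rndc signing -list fdu.edu" shows the signing state. Nothing in this example runs the reply-size test at dns-oarc mentioned above; a signed zone's larger answers still need to pass that check, so do it before publishing the DS.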
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users