Hello Jeronimo,

"Jeronimo L. Cabral" <jelocab...@gmail.com> writes:

> Dear, we have several hosts in our LAN that ask our BIND DNS: Debian,
> Windows 7, Red Hat and CentOS.
>
> If we implement DNSSEC validation support in our BIND9 server...how
> can I know if our hosts' resolvers are compatible with DNSSEC queries
> ???

Client host resolvers are usually not DNSSEC aware today. Certain applications (a browser with a DNSSEC validator plugin, the postfix MTA, ...) running on a client can be DNSSEC aware.

You can enable DNSSEC validation support on a BIND 9 caching server that is used as a resolver by your clients. BIND 9.9.x already comes with DNSSEC validation enabled; for older versions you need to enable it manually in the configuration.

Legacy (non-DNSSEC-aware) clients will send just regular DNS queries towards the BIND 9 caching resolver. BIND 9 will send queries with the "DO" flag (DNSSEC OK) towards the authoritative DNS servers in the network. For DNSSEC-signed zones, BIND 9 will validate the DNSSEC data. If the data validates without issues, it is returned to the client as normal DNS (no DNSSEC). If the data fails to validate, the bad data is not sent to the clients; instead a "SERVFAIL" error message is sent to the client.

DNSSEC is backwards compatible in the sense that you can enable DNSSEC validation without the need to make changes to legacy clients.

Windows 7 and Windows 8 clients can build a special trust relationship with an AD-integrated Windows DNS Server to secure the "last mile" between the client and the resolving DNS cache. However, to my knowledge this is not possible with Windows and a BIND 9 DNS.

Best regards
Carsten

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
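The behaviour Carsten describes (a resolver that sets the DO bit upstream, returns validated data as plain DNS with the AD bit, and answers SERVFAIL when validation fails) can be checked from any client with a few lines over the raw DNS wire format. The script below is an added example and is not code from the list post or from BIND; it builds a query with an EDNS0 OPT record carrying the DO bit, optionally sets CD (Checking Disabled, the bit a DNSSEC-aware application uses to get the unvalidated data instead of SERVFAIL), and classifies the response from its header bits alone. The resolver address and the names to query are assumptions supplied on the command line; nothing here is taken from the original thread.

```python
#!/usr/bin/env python3
"""Added example (not from the list post): send a DNS query with the EDNS0 DO
(DNSSEC OK) bit, the way a validating BIND 9 resolver does upstream, and read
back the header bits that tell a client what the resolver decided:
  AD (Authenticated Data) set -> the resolver validated the answer,
  RCODE 2 (SERVFAIL)          -> validation failed (or another upstream problem).

The wire format is hand-rolled (RFC 1035 header/question, RFC 6891 OPT RR) so
the script needs only the standard library. Resolver IP and query names are
assumptions passed on the command line.
"""
import socket
import struct
import sys

QTYPE_A = 1
QCLASS_IN = 1
TYPE_OPT = 41
RCODE_NOERROR = 0
RCODE_SERVFAIL = 2

FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020
FLAG_CD = 0x0010
EDNS_DO = 0x8000          # high bit of the OPT RR's 16-bit "extended flags"


def encode_name(name):
    """Turn 'www.example.com.' into DNS wire labels ending with the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype=QTYPE_A, txid=0x1234, do=True, cd=False):
    """Build a recursive query. With do=True an OPT RR with DO set is appended
    (ARCOUNT=1), which is what a validating cache sends to authoritative servers.
    cd=True sets Checking Disabled so a DNSSEC-aware client gets the data back
    even when the resolver could not validate it."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    arcount = 1 if do else 0
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack(">HH", qtype, QCLASS_IN)
    opt = b""
    if do:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size,
        # TTL field = ext-rcode(8) | version(8) | DO + reserved(16), RDLENGTH=0
        opt = b"\x00" + struct.pack(">HHBBHH", TYPE_OPT, 4096, 0, 0, EDNS_DO, 0)
    return header + question + opt


def parse_header(resp):
    """Decode the 12-byte DNS header into the bits a client cares about."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(resp):
    """Map a response to what the validating resolver did with it."""
    h = parse_header(resp)
    if h["rcode"] == RCODE_SERVFAIL:
        return "servfail"      # validation failure (or an upstream problem)
    if h["rcode"] == RCODE_NOERROR and h["ad"]:
        return "validated"     # resolver validated the chain of trust
    if h["rcode"] == RCODE_NOERROR:
        return "unvalidated"   # plain answer: unsigned zone or non-validating cache
    return "rcode-%d" % h["rcode"]


def query(server, qname, do=True, cd=False, timeout=3.0):
    """Send one UDP query to a resolver and return the raw response."""
    q = build_query(qname, do=do, cd=cd)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        while True:
            resp, _ = s.recvfrom(4096)
            if resp[:2] == q[:2]:      # drop stray datagrams with another ID
                return resp


if __name__ == "__main__":
    # Usage (assumed): check_dnssec.py <resolver-ip> <name> [<name> ...]
    if len(sys.argv) < 3:
        sys.exit("usage: %s <resolver-ip> <name> [<name> ...]" % sys.argv[0])
    for name in sys.argv[2:]:
        print("%-40s %s" % (name, classify(query(sys.argv[1], name))))
```

Run it against the caching resolver with a name in a signed zone and a name in an unsigned one: "validated" on the first and "unvalidated" on the second means validation is on and the client path is unchanged, exactly the backwards compatibility the post describes; "servfail" on a name that should resolve is the symptom of a broken signature or trust anchor, and re-running with `cd=True` shows whether the data comes back once checking is disabled. The same check is available interactively with `dig +dnssec` (look for the `ad` flag) and `dig +cd`; on BIND versions older than 9.9 the manual enable step is `dnssec-validation auto;` in the `options {}` block of named.conf.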