On 2019/09/23 23:00, John W. Blue wrote:

Jukka,

Some odds n ends in no particular order:

1. DNSSEC was designed for external zones


1) I'd also suggest using Algorithm 13 - Elliptic Curve - for any new key creations....

dnssec-keygen -a ECDSAP256SHA256 ( -f KSK) Zone.being.signed

This way - DNSKEYs are shorter (query responses are shorter, save data) so in a DNS Amplification attack - you are less likely to be the source of the amplification.

In your DNSSEC Authoritative Nameserver, add into your BIND config (named.conf) :-

options {
    directory "/var/named";
    ...
    rate-limit {
        responses-per-second 10;
    };
};

The "rate-limit" should also help dissuade people from using you as a source of amplification. (@BIND) This perhaps should be the default behaviour for an authoritative only config.

2) When a Zone is signed, you will be given some DS Records - which need to be passed on for inclusion into the Parent Zone. Currently, BIND creates two DS keys. You'll find them inside "dsset-Zone.being.signed". Use just the "13 2" version - SHA256....  (this needs to become the minimum default behaviour by DNSSEC operators) SHA384 Digests may break DNSSEC in some resolvers (unbound) - so perhaps avoid for now. Not everyone has upgraded.

3) Adding "CDS" (Child versions of the DS record) into your zone is also a useful thing to do (I *think* BIND may do this automagically?)

4) Keeping DNSSEC aware resolvers and DNSSEC authoritative Nameservers separate is best practice - follow that. Configs will then be simpler.

--
Mark James ELKINS  -  Posix Systems - (South) Africa
m...@posix.co.za       Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
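An added example (not from the poster or from BIND) of the step in point 2: pull only the "13 2" (ECDSAP256SHA256 with a SHA-256 digest) DS record out of a dsset file and sanity-check it before sending it to the parent zone. The zone name, key tag and digests in SAMPLE_DSSET are constructed, not real key material.

```shell
#!/bin/sh
# Constructed sample in the layout dnssec-signzone writes to dsset-<zone>.:
# owner, IN, DS, key tag, algorithm, digest type, digest (not real key material).
SAMPLE_DSSET='example.test. IN DS 12345 13 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
example.test. IN DS 12345 13 4 ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789'

# Read dsset lines on stdin; print only algorithm 13 / digest type 2 records,
# normalising whitespace and re-joining a digest that was split into several fields.
select_ds_sha256() {
    awk '$2 == "IN" && $3 == "DS" && $5 == 13 && $6 == 2 {
        digest = ""
        for (i = 7; i <= NF; i++) digest = digest $i
        print $1, "IN", "DS", $4, $5, $6, digest
    }'
}

# Read dsset lines on stdin; succeed only if exactly one "13 2" record exists
# and its digest is 64 hex characters (the length a SHA-256 digest must have),
# so a truncated or mangled copy is caught before it reaches the registrar.
check_ds_sha256() {
    selected=$(select_ds_sha256)
    count=$(printf '%s' "$selected" | awk 'END { print NR }')
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one algorithm 13 / digest type 2 DS record, found $count" >&2
        return 1
    fi
    digest=${selected##* }
    if [ "${#digest}" -ne 64 ] || printf '%s' "$digest" | grep -q '[^0-9A-Fa-f]'; then
        echo "DS digest is not 64 hex characters: $digest" >&2
        return 1
    fi
    printf '%s\n' "$selected"
}

# Stand-alone run on the constructed sample.
# On a real signer: check_ds_sha256 < dsset-Zone.being.signed.
printf '%s\n' "$SAMPLE_DSSET" | check_ds_sha256
```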
