DNSSEC closed environment

2009-07-07 Thread Eduardo Júnior
Hi,


I want to test DNSSEC in a closed and controlled environment to get some
information.

Is it possible to configure DNSSEC between only 2 name servers, where the
first is the authoritative and the second is the recursive? The authoritative
name server would have signed zones and the recursive will do the queries and
validation.

Is it enough to put in the named.conf of the recursive name server the
public key (trusted keys) of a zone signed on the authoritative name
server? And if dig (properly compiled and configured) makes
requests to the recursive, does validation occur correctly?

Any reference?


Thanks in advance,

-- 
Eduardo Júnior
GNU/Linux user #423272

:wq
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: DNSSEC closed environment

2009-07-07 Thread Mark Andrews

In message , Eduardo Júnior writes:
> Hi,
> 
> 
> I want to test DNSSEC in a closed and controlled environment to get some
> information.
> 
> Is it possible to configure DNSSEC between only 2 name servers, where the
> first is the authoritative and the second is the recursive? The authoritative
> name server would have signed zones and the recursive will do the queries and
> validation.

Yes.
 
> Is it enough to put in the named.conf of the recursive name server the
> public key (trusted keys) of a zone signed on the authoritative name
> server? And if dig (properly compiled and configured) makes
> requests to the recursive, does validation occur correctly?
> 
> Any reference?

Just do it.  This is a basic island of trust setup.

> Thanks in advance,
> 
> -- 
> Eduardo Júnior
> GNU/Linux user #423272
> 
> :wq
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
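
The step asked about and confirmed above, turning the signed zone's public key into a `trusted-keys` entry for the recursive server's named.conf, as an added example that is not part of the original thread or of BIND itself. The zone name `example.test.` and the key bytes are constructed placeholders, and the helper names are hypothetical.

```python
import base64

# Constructed sample in the format of a K<zone>.+<alg>+<tag>.key file.
# The key bytes are a made-up placeholder, not a usable RSA key.
SAMPLE_PUBKEY = base64.b64encode(
    bytes.fromhex("03010001") + bytes(range(1, 33))).decode()
SAMPLE_KEY_FILE = ("; constructed sample key\n"
                   f"example.test. 3600 IN DNSKEY 257 3 5 {SAMPLE_PUBKEY}\n")


def parse_dnskey(text):
    """Return (owner, flags, protocol, algorithm, base64 key) from key-file text."""
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()    # drop comments
        if "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")
        flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
        key = "".join(fields[i + 4:])             # base64 may be split by spaces
        base64.b64decode(key, validate=True)      # reject corrupted key material
        return fields[0], flags, proto, alg, key
    raise ValueError("no DNSKEY record found")


def key_tag(flags, proto, alg, key_b64):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1, RSA/MD5)."""
    if alg == 1:
        raise ValueError("algorithm 1 uses a different key tag calculation")
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + base64.b64decode(key_b64)
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF                   # fold the carry back in
    return acc & 0xFFFF


def trusted_keys_stanza(text):
    """Build the named.conf trusted-keys clause for the recursive server."""
    owner, flags, proto, alg, key = parse_dnskey(text)
    if not flags & 0x0100:
        raise ValueError("Zone Key bit not set; not a DNSSEC zone key")
    if not owner.endswith("."):
        owner += "."
    return (f"// key tag {key_tag(flags, proto, alg, key)}\n"
            f'trusted-keys {{\n    "{owner}" {flags} {proto} {alg} "{key}";\n}};\n')


if __name__ == "__main__":
    print(trusted_keys_stanza(SAMPLE_KEY_FILE))
```

Comparing the emitted key tag with the key id that `dig +multi` shows for the zone's DNSKEY confirms that the anchor on the recursive server matches the key the authoritative server is serving.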


Re: DNSSEC closed environment

2009-07-08 Thread Marco Davids
Eduardo Júnior wrote:

> Is it possible to configure DNSSEC between only 2 name servers, where the
> first is the authoritative and the second is the recursive? The authoritative
> name server would have signed zones and the recursive will do the queries and
> validation.

Sure, why not?

I personally prefer my setup whereby I have included the IANA testbed:
https://ns.iana.org/dnssec/status.html.

In other words, I use their root hints and zonefiles in my test-environment.

In fact, I even managed to get an apparently valid chain of trust all
the way up to my 'home.forfunsec.org' testdomain with it. Quite
instructive and fun to play with. :-)

> And if dig (properly compiled and configured) makes
> requests to the recursive, does validation occur correctly?

Yep, that sounds like it should work.

But you might like 'drill', from NLnet Labs:

http://www.nlnetlabs.nl/projects/ldns/

(sorry, for being a bit off-topic here)

Regards,

-- 
Marco Davids
SIDN
