Re: Need guidance on configuring DNSSEC

2013-10-11 Thread David Newman
On 10/11/13 7:32 AM, Vishal Gandhi wrote:

> We are planning to sign local zone (fdu.local).  Is it required to sign
> the parent zone (fdu.edu) as well, or can we live with
> it unsigned?
> What are pros and cons of signing parent zone (fdu.edu)?

DNSSEC is based on a chain of trust, where a subdomain is trusted only
if the parent domain vouches for it. So, "." validates "edu" and so on.

It is possible to create an "island of trust" for a local zone. This
works OK, but only if there's never a requirement for nonlocal traffic
to verify DNSSEC signatures.

The major advantage of signing the parent zone is that Internet-facing
hosts (and those NAT'd or proxied to face the Internet) won't be
vulnerable to most hijacking and spoofing attacks we have with DNS
today. There are also some neat DNSSEC tricks possible, such as
distributing SSH keys and even self-signed certs once a chain of trust
is established.

The downsides are (1) DNSSEC is still a little involved to configure and
manage and (2) a configuration mistake can make your zone disappear from
the global Internet.

On point 1, you'll probably want to upgrade to Bind 9.9 for better
automatic key management. You'll also need to verify that your network
is DNSSEC-ready, and that your registrar supports loading of DS keys.
For the former, there's a good check here:

https://www.dns-oarc.net/oarc/services/replysizetest

On point 2, of course it's also possible to screw up a regular DNS
configuration. DNSSEC just gives you more opportunities...

If you haven't got it already, I'd strongly recommend "DNSSEC Mastery"
by Michael W. Lucas. It's very readable and covers both regular and
islands-of-trust configuration with Bind 9.9.

dn


> 
> We've found information on signing zones on AD at least.  Can someone
> provide us with steps to enable and configure DNSSEC for our domains?
> 
> Thanks in advance.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
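The two artifacts David's reply turns on, as an added example that is not code from the thread or from BIND: the DS record a parent has to publish for a signed child (what you would hand to the .edu registrar for fdu.edu), and the trusted-keys stanza every validating resolver needs when there is no parent to publish a DS (the "island of trust" case for fdu.local). Key tag is RFC 4034 Appendix B, the DS digest is RFC 4509 (SHA-256 over the canonical owner name plus the DNSKEY RDATA). The zone names come from the thread; the DNSKEY is a constructed 4-byte placeholder, not a real key, chosen so its key tag can be checked by hand; the function names are my own.

```python
"""Derive the chain-of-trust artifacts for a zone's KSK (DNSKEY with flags 257).

Added example, not from the bind-users thread or from BIND itself.
  * ds_record():           the DS the parent publishes (registrar for fdu.edu)
  * trusted_keys_stanza(): named.conf for resolvers inside an island of trust
                           such as fdu.local, where no parent can vouch.
The KSK below is a constructed placeholder, not a usable public key.
"""
import base64
import hashlib

ZONE_KEY_FLAG = 0x0100   # RFC 4034 s2.1.1: must be set for any zone key
SEP_FLAG = 0x0001        # KSK marker; 257 == ZONE_KEY_FLAG | SEP_FLAG


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels,
    root terminator. RFC 4034 s6.2 mandates lowercase, so 'FDU.EDU' and
    'fdu.edu.' must hash to the same DS."""
    name = name.rstrip(".").lower()
    out = b""
    for label in (name.split(".") if name else []):
        if not 0 < len(label) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, protocol (always 3), algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, flags: int, protocol: int, algorithm: int,
              pubkey_b64: str) -> str:
    """DS RR with digest type 2 (SHA-256, RFC 4509) for this KSK.
    This is the record the parent zone (or the registrar) must publish."""
    if not flags & ZONE_KEY_FLAG:
        raise ValueError("not a zone key; a DS must point at the zone's KSK")
    pubkey = base64.b64decode(pubkey_b64)
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return "%s. IN DS %d %d 2 %s" % (owner.rstrip(".").lower(),
                                     key_tag(rdata), algorithm, digest)


def trusted_keys_stanza(owner: str, flags: int, protocol: int, algorithm: int,
                        pubkey_b64: str) -> str:
    """named.conf fragment (BIND 9.8/9.9 'trusted-keys' syntax) for resolvers
    inside an island of trust. The full DNSKEY goes here, because there is no
    parent DS to summarise it."""
    if not flags & ZONE_KEY_FLAG:
        raise ValueError("not a zone key")
    return 'trusted-keys {\n    "%s." %d %d %d "%s";\n};' % (
        owner.rstrip(".").lower(), flags, protocol, algorithm, pubkey_b64)


# Constructed placeholder KSK: flags 257, protocol 3, algorithm 8 (RSASHA256),
# 4-byte "key" so the key tag (2063) can be verified by hand.
FAKE_KSK_B64 = base64.b64encode(bytes([1, 2, 3, 4])).decode()

if __name__ == "__main__":
    print(ds_record("fdu.edu", 257, 3, 8, FAKE_KSK_B64))
    print(trusted_keys_stanza("fdu.local", 257, 3, 8, FAKE_KSK_B64))
```

With a real key, compare the DS line against `dnssec-dsfromkey` output before sending it to the registrar; a DS that does not match the published DNSKEY is exactly the "zone disappears from the Internet" failure David mentions. The trusted-keys stanza has its own caveat: when the fdu.local KSK is rolled, every resolver carrying that stanza has to be updated by hand, which is why BIND 9.7 and later offer `managed-keys` with `initial-key` to let resolvers follow an RFC 5011 rollover automatically.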


Need guidance on configuring DNSSEC

2013-10-11 Thread Vishal Gandhi
Hi,

We are using BIND v9.8.2.

Currently, we are setting up AD infrastructure for internal/local network.  
We've configured one controller to be the primary for this local zone 
(fdu.local) for DNS queries.  Our primary DNS server (which indeed is a 
different server) is configured to hold this as a slave.  We would like to 
configure DNSSEC and I am wondering where we can get this started from.

We are planning to sign local zone (fdu.local).  Is it required to sign the 
parent zone (fdu.edu) as well, or can we live with it unsigned?
What are pros and cons of signing parent zone (fdu.edu)?

We've found information on signing zones on AD at least.  Can someone provide 
us with steps to enable and configure DNSSEC for our domains?

Thanks in advance.

Vishal K. Gandhi
Systems Analyst/E-Mail Specialist
University Systems and Security
1000 River Road, Teaneck NJ 07666
Mail Stop: T-BH1-01
phone: 201-692-2414 | fax: 201-692-2494 | email: vgan...@fdu.edu
"Fairleigh Dickinson University will never ask for your password. Please do not share it 
with others!"
