DNSSec for Newbie?

DDoshi
Techie
Posts: 16
7119     0

Hello Folks,

The request is to securely forward and receive DNS queries to and from the zone.
Can someone please confirm the requirement for securing the zone? It would be great if you can share the impact and implementation plan for the same.

Is DNSSEC the only possibility, or is there a way around?

Thank you,

DDoshi
Techie
Posts: 16
7120     0

Can someone please help?

Secure queries

Adviser
Posts: 213
7120     0

DNSSEC does not "secure" queries. It provides a mechanism to identify whether a response to a query that comes back from a DNS server (to your DNS server...not the client) is signed by the owner of the data. This effectively means that if you were to look up www.infoblox.com, you would know if the answer that you got came from an authorized source or whether the data may have been compromised (man-in-the-middle attack, spoofed response, etc).

What do you mean when you say you want to "secure the query"? What problem are you trying to solve?

DDoshi
Techie
Posts: 16
7120     0

Well basically, we need to securely forward and receive DNS queries to and from the zone. You answered how we can do that for receiving DNS queries FROM the zone using DNSSEC. However, any idea how we can forward DNS queries securely?

Thanks,

Darshan

Secure queries

Adviser
Posts: 213
7120     0

I'm still not entirely sure what you're trying to be able to do.  Please provide an example use case that covers both what you want and what you're trying to avoid.

DDoshi
Techie
Posts: 16
7120     0

As per our client requirement, they want to secure only one forward zone. Can you please help me by explaining the impact after enabling DNSSEC for a Forward Zone?

Thanks Don,

DDoshi
Techie
Posts: 16
7120     0

So after enabling DNSSEC for a Forwarding Zone, it can only accept replies from servers which have also implemented DNSSEC (or signed data), right? If the Forwarding Zone is forwarding DNS queries to non-DNSSEC servers, the forwarding would fail, right?

DDoshi
Techie
Posts: 16
7120     0

Hello Don,

Seeking your comment. ;)

DNSSEC

Adviser
Posts: 213
7120     0

It depends on how you configure it. There are still a very large number of zones that are not signed so you can request checking signatures on those that are signed while ignoring validation on those that aren't...or you can reject everything that fails (including those not signed).

Sure,

DDoshi
Techie
Posts: 16
7120     0

Is there a way to configure it for unsigned responses and also signed ones? The preferred one should be the signed one of course, but in case it fails, the request / response should not fail.

I know that wouldn't add any value to using DNSSEC, but we cannot affect the DNS operation by no longer receiving unsigned data. The major reason is that the .AE TLD is not yet signed. Any comments?

Cheers!

Darshan

DNSSEC

Adviser
Posts: 213
7120     0

When you set up DNSSEC validation you can specify that all responses are okay rather than signed responses only. The entire configuration is in the same place.
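An added example, not part of the thread and not Infoblox code: a way to see from the client side which of the outcomes discussed above a validating resolver returned, by building a query with the EDNS0 DO bit and reading the AD flag and RCODE of the reply header. The reply headers and the `*.example` names are constructed sample data; the bit positions are the standard DNS header layout.

```python
import struct

QR, AD, SERVFAIL = 0x8000, 0x0020, 2  # header flag masks and RCODE value

def build_query(name, qtype=1, qid=0x1234):
    """Wire-format query with RD=1 and an EDNS0 OPT record that sets DO=1."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QTYPE, class IN
    # OPT RR: root name, TYPE 41, UDP size 1232, ext-RCODE 0, version 0,
    # flags 0x8000 (DO: "send me DNSSEC records"), RDLEN 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return header + question + opt

def classify(response):
    """Map a resolver's reply header to 'validated', 'unvalidated' or 'failed'."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _qid, flags = struct.unpack("!HH", response[:4])
    if not flags & QR:
        raise ValueError("not a response (QR=0)")
    if flags & 0x000F == SERVFAIL:
        # What a validating resolver returns when signatures do not verify
        # (SERVFAIL can also have other causes, so check the resolver's logs).
        return "failed"
    # AD=1: the resolver validated the answer. AD=0: answer passed through
    # without validation, e.g. because the zone is not signed.
    return "validated" if flags & AD else "unvalidated"

def _reply(flags):
    """Constructed 12-byte reply header with the given flags word."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)

SAMPLES = {  # constructed sample replies, not captured traffic
    "signed.example": _reply(0x81A0),    # QR RD RA AD, NOERROR
    "unsigned.example": _reply(0x8180),  # QR RD RA, NOERROR
    "bogus.example": _reply(0x8182),     # QR RD RA, SERVFAIL
}

def report(samples=SAMPLES):
    return {name: classify(raw) for name, raw in samples.items()}

if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:20} {verdict}")
```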
