Enable DNSSEC Validation in My DNS Resolver
Some suggest adding this code to the named.conf file:
dnssec-enable yes;
dnssec-validation yes;
But I'm not sure whether edits in named.conf are preserved.
-
Hey hey!
1 - You should just be able to enable it through cPanel as outlined here: https://docs.cpanel.net/knowledge-base/dns/dnssec/#enable-dnssec
2 - Not unless you have an incredibly busy nameserver
3 - We recommend using a tool like https://dnssec-analyzer.verisignlabs.com/ to ensure the validation is working.
0 -
That's not what I'm talking about. I'm not talking about adding DNSSEC to my own domains, I want my own DNS resolver on my server to be able to validate other servers' domains for some internal needs, like:
- Outgoing mail delivery: when Exim resolves MX and A records for destination domains.
- cPanel services: like AutoSSL, updaters, and monitoring that need DNS lookups.
- Any software doing lookups: yum/dnf, curl, cron jobs, etc.
- When PHP scripts, cron jobs, or WordPress plugins on my sites do outbound DNS lookups.
My server currently doesn't do this validation, it only quiries for the state of the DNSSEC, whether a hostname is protected, it doesn't do it's own investigation whether it is true (valid). I want it to do that.
0 -
I read this is a good security measure because if a domain has a valid DNSSEC, my server cooperates with it; if it doesn't have DNSSEC at all, it also cooperates with it, but if it has a misconfigured DNSSEC, it then drops cooperation.
0 -
Thanks for that - that does make more sense.
At this time, cPanel doesn't have an officially supported way to get this working. You're welcome to try things directly in the configuration, but you're in uncharted territory so I can't say what will work or what would cause unintended behavior.
0 -
Putting this in /etc/named.conf enabled DNSSEC validation:
dnssec-enable yes;
dnssec-validation auto;You can check it with these commands of public hosts:
delv sigok.verteiltesysteme.net @127.0.0.1
delv sigfail.verteiltesysteme.net @127.0.0.1The first one is a valid DNSSEC host, and the other one is invalid.
Explanation: dnssec-validation yes; didn't work because a trust anchor must be manually defined using either a trusted-keys or managed-keys statement. This is why the dnssec-validation auto; is generally recommended, because it uses built-in root trust anchor (managed automatically), unless you are managing custom trust anchors.
More information here:
https://www.dns-school.org/Documentation/bind-arm/Bv9ARM. ch06.html 0
Please sign in to leave a comment.
Comments
5 comments