Skip to main content

Enable DNSSEC Validation in My DNS Resolver

Comments

5 comments

  • cPRex Jurassic Moderator

    Hey hey!

    1 - You should just be able to enable it through cPanel as outlined here: https://docs.cpanel.net/knowledge-base/dns/dnssec/#enable-dnssec

    2 - Not unless you have an incredibly busy nameserver

    3 - We recommend using a tool like https://dnssec-analyzer.verisignlabs.com/ to ensure the validation is working.

    0
  • vatra

    That's not what I'm talking about. I'm not talking about adding DNSSEC to my own domains, I want my own DNS resolver on my server to be able to validate other servers' domains for some internal needs, like:

    • Outgoing mail delivery: when Exim resolves MX and A records for destination domains.
    • cPanel services: like AutoSSL, updaters, and monitoring that need DNS lookups.
    • Any software doing lookups: yum/dnf, curl, cron jobs, etc.
    • When PHP scripts, cron jobs, or WordPress plugins on my sites do outbound DNS lookups.

    My server currently doesn't do this validation, it only quiries for the state of the DNSSEC, whether a hostname is protected, it doesn't do it's own investigation whether it is true (valid). I want it to do that.

    0
  • vatra

    I read this is a good security measure because if a domain has a valid DNSSEC, my server cooperates with it; if it doesn't have DNSSEC at all, it also cooperates with it, but if it has a misconfigured DNSSEC, it then drops cooperation.

    0
  • cPRex Jurassic Moderator

    Thanks for that - that does make more sense.

    At this time, cPanel doesn't have an officially supported way to get this working.  You're welcome to try things directly in the configuration, but you're in uncharted territory so I can't say what will work or what would cause unintended behavior.

    0
  • vatra

    Putting this in /etc/named.conf enabled DNSSEC validation:

    dnssec-enable yes;
    dnssec-validation auto;

    You can check it with these commands of public hosts:

    delv sigok.verteiltesysteme.net @127.0.0.1
    delv sigfail.verteiltesysteme.net @127.0.0.1

    The first one is a valid DNSSEC host, and the other one is invalid.

    Explanation: dnssec-validation yes; didn't work because a trust anchor must be manually defined using either a trusted-keys or managed-keys statement. This is why the dnssec-validation auto; is generally recommended, because it uses built-in root trust anchor (managed automatically), unless you are managing custom trust anchors.

    More information here:
    https://www.dns-school.org/Documentation/bind-arm/Bv9ARM.ch06.html

    0

Please sign in to leave a comment.