DNSSEC validation via DLV


DNSSEC validation via DLV

peek

With DLV (DNSSEC Lookaside Validation) having been decommissioned, though zones still exist that do not provide a fully signed path from root to zone, i.e. .com.au, co.za etc., how would an administrator enable / implement DNSSEC validation for these zones?


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNSSEC validation via DLV

Mark Elkins

I can't comment on com.au (but looking up the Nameservers, I see the AD bit set - so DNSSEC appears to be in use).

However, co.za (and net.za, org.za & web.za) which are managed by the ZACR (and DNS) - they are all signed and I personally have domains under these second levels - all running DNSSEC. The DS records are added to the parents using EPP - and it works perfectly. I used to present free (to the community) DNS classes to the community (the ZACR paid me) and this (DNSSEC) was taught to attendees. Unfortunately, no more classes for now.

DNSSEC in CO.ZA became live at about the time DLV stopped running. The other SLDs had already been running for about a year.

For the record, EDU.ZA is also signed and can accept DS records - albeit via a Web interface.

@peek - you are most welcome to chat to me.


-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
[hidden email]       Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za


Re: DNSSEC validation via DLV

Bind-Users forum mailing list

Not a difficult process really..

- Configure a DNSSEC-enabled name server
- Create some zone keys (dnssec-keygen)
- Sign your zone (dnssec-signzone)
- Update your nameserver configuration to point to the signed zone file
- Export your DS records (dsset) to the domain registration company (EPP).

Confirm the chain..   http://dnsviz.net/d/apnic.com.au/dnssec/

Mal
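
As an added illustration (not part of the original post, and not BIND's own code): the DS record handed to the registrar in the last step is a digest of the zone's key-signing DNSKEY, so it can be recomputed locally and compared with what the parent zone actually serves. The owner name `example.com.au`, the key bytes and all function names are constructed for the example.

```python
import base64, hashlib, struct

# Constructed sample: 64 arbitrary bytes standing in for an algorithm-13 public
# key (not a real key, not a valid curve point); the owner name is made up too.
CONSTRUCTED_KEY_B64 = base64.b64encode(bytes(range(64))).decode()

def owner_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: 16-bit flags, protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag as defined in RFC 4034, Appendix B."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_record(owner, flags, protocol, algorithm, pubkey_b64):
    """SHA-256 (digest type 2) DS line for the key carrying the SEP flag."""
    if not flags & 0x0001:
        raise ValueError("SEP bit not set: this looks like a ZSK, not the KSK")
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()
    fqdn = owner.lower().rstrip(".") + "."
    return f"{fqdn} IN DS {key_tag(rdata)} {algorithm} 2 {digest}"

def ds_fields(line):
    """(key tag, algorithm, digest type, digest) from a DS line, TTL or not."""
    tokens = line.split()
    i = tokens.index("DS")
    tag, alg, dtype = (int(t) for t in tokens[i + 1:i + 4])
    return tag, alg, dtype, "".join(tokens[i + 4:]).upper()

def parent_has_ds(local_ds, parent_answer):
    """True if any DS line the parent zone serves matches the locally derived one."""
    return ds_fields(local_ds) in [ds_fields(l) for l in parent_answer]

if __name__ == "__main__":
    print(ds_record("example.com.au", 257, 3, 13, CONSTRUCTED_KEY_B64))
```

`parent_has_ds` takes the DS lines returned by a query to the parent zone; a mismatch or an empty answer means the chain of trust stops at the parent, whatever the zone itself signs.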




RE: DNSSEC validation via DLV

peek
By all means, not a difficult process at all. I have DNSSEC enabled and fully operational on .com domains.

Problem being, no options exist as to export the DS record of co.za, com.au or net.au domains to the respective registrars, being namecheap.com and axxess.co.za.

Noted that namecheap.com does accept the DS records for .com domains, yet not for .au domains.


Re: DNSSEC validation via DLV

Bind-Users forum mailing list


On 19/07/2019 9:27 am, [hidden email] wrote:
>
> Problem being, no options exist as to export the DS record of co.za, com.au or net.au domains to the respective registrars, being namecheap.com and axxess.co.za.
>

Change registry right?

Crazy domains supports them for the ".com.au" zone.



Re: DNSSEC validation via DLV

Mark Elkins
In reply to this post by peek
That I understand. Use me (Posix) then, full DNSSEC support.
https://vweb.co.za. If you like, run your DNS wherever you want, just
use me at the Registrar.
Unfortunately, very few Registrars in ZA-Land have implemented DNSSEC
support - despite ZA having a very high percentage of DNSSEC resolver
support (about 50% of all queries hit a DNSSEC aware recursive resolver!)
