Hi guys
What is the way we do tests of DNSSEC? I have got all the setup in place but would like to implement a test plan for it before going live as I do not want to risk screwing up our production DNS servers.
...and the first three hits in Google for "how do you test DNSSEC" are:
Many thanks TB0ne
I was thinking of testing by using a test DNS server in a lab or something like that, using Ubuntu/Debian, without having to touch the production DNS server
cheers
I was thinking of testing by using a test DNS server in a lab or something like that, using Ubuntu/Debian, without having to touch the production DNS server
Indeed, you can set up a couple of test DNS servers to try signing your DNS records, and you can actually check the results with the dig command.
What I recommend is mostly to test how to keep your DNS server alive: signatures need to be refreshed over time (depending on your policy) and that is a critical operation that must be tested in advance (you can search for "DNSSEC key roll-over" for more details about this). There is even some software dedicated to that task.
Then when you have a validated system, you can implement the same thing in production.
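One way to turn the dig check and the signature-refresh concern from the reply above into a repeatable lab test, as an added example that is not part of the original thread: it parses saved `dig +dnssec` output, reports whether the resolver set the AD (authenticated data) flag, and classifies each RRSIG by its validity window. The zone `lab.example`, the sample output, the function names and the 7-day warning threshold are all assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of `dig +dnssec` output for a lab zone (not real data).
SAMPLE_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
www.lab.example. 3600 IN A 192.0.2.10
www.lab.example. 3600 IN RRSIG A 13 3 3600 20240301000000 20240201000000 12345 lab.example. c2lnbmF0dXJl
lab.example. 3600 IN RRSIG SOA 13 2 3600 20240210000000 20240111000000 12345 lab.example. c2lnbmF0dXJl
"""

# RRSIG presentation format: covered type, algorithm, labels, original TTL,
# expiration, inception, key tag, signer name, signature.
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<expire>\d{14})\s+(?P<incept>\d{14})\s+(?P<keytag>\d+)\s+(?P<signer>\S+)",
    re.MULTILINE)

def _ts(stamp):
    """RRSIG timestamps are printed as YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def has_ad_flag(dig_output):
    """True if the response header carries the AD flag set by a validating resolver."""
    m = re.search(r"^;; flags:([^;]*);", dig_output, re.MULTILINE)
    return bool(m) and "ad" in m.group(1).split()

def check_rrsigs(dig_output, now, warn_days=7):
    """Return (owner, covered type, state) for every RRSIG in the output."""
    results = []
    for m in RRSIG_RE.finditer(dig_output):
        incept, expire = _ts(m["incept"]), _ts(m["expire"])
        if now < incept:
            state = "not-yet-valid"   # often a clock problem on the signer
        elif now >= expire:
            state = "expired"         # validating resolvers will reject this
        elif expire - now <= timedelta(days=warn_days):
            state = "expiring-soon"   # re-signing has not happened yet
        else:
            state = "ok"
        results.append((m["owner"], m["covered"], state))
    return results

if __name__ == "__main__":
    now = datetime(2024, 2, 5, tzinfo=timezone.utc)  # fixed date for a repeatable demo
    print("AD flag:", has_ad_flag(SAMPLE_DIG))
    for row in check_rrsigs(SAMPLE_DIG, now):
        print(*row)
```

In a lab run, replace the constructed sample with output captured from the test servers and pass the current UTC time as `now`.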
We have our DNS server that is authoritative for internal requests and caching only for external requests. In other words, we do not get our DNS records queried from the outside; we just use it for querying externally. Can we still configure DNSSEC?
- Having your DNS records on your authoritative server signed, to provide DNSSEC to everybody (not only your organization, but all people on the Internet as well). This is what I was referring to in my previous message.
- Having an internal DNS server able to manage DNSSEC requests for your clients, so you can check records from other domains.
I'm not sure what your request is, if it's for one or the other.
Signing your zone with DNSSEC requires preparation, planning, testing and training. BIND is probably the software that you will use for this.
Using a DNS resolver able to check signature validity is way easier. You can use BIND or Unbound for that purpose (again, with some planning and testing in advance) and then configure all your clients to use that server (usually this is done with your DHCP server).
If you have only one DNS server doing everything (being the authority and acting as a resolver for the clients), I would recommend splitting this between two different servers first, if possible.
Our DNS server is authoritative only inside our organisation and our DNS records are not queried from the internet. It is not a public-facing DNS server; however, we use this DNS server to query externally. My question is: can we still configure DNSSEC in this kind of configuration?