LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
DNSSEC Testing

#1  DelMab, 06-21-2016, 10:39 AM

Hi guys

What is the way we do tests of DNSSEC? I have got all the setup in place but would like to implement a test plan for it before going live as I do not want to risk screwing up our production DNS servers.

I would appreciate your help

Many thanks in advance

Del
 
#2  TB0ne, 06-21-2016, 10:50 AM
Quote (Originally Posted by DelMab):
Hi guys
What is the way we do tests of DNSSEC? I have got all the setup in place but would like to implement a test plan for it before going live as I do not want to risk screwing up our production DNS servers.
...and the first three hits in Google for "how do you test DNSSEC" are:

http://dnssec-debugger.verisignlabs.com/
https://docs.menandmice.com/display/...SEC+validation
http://dnssec.vs.uni-due.de/

...among MANY others. Since you don't provide details, there isn't much we can tell you.
 
#3  DelMab (Original Poster), 06-21-2016, 11:20 AM
Many thanks TB0ne
I was thinking of testing with a test DNS server in a lab, or something like that, using Ubuntu/Debian, without having to touch the production DNS server.
cheers
 
#4  Ellendhel, 06-21-2016, 11:41 AM
Quote (Originally Posted by DelMab):
I was thinking of testing with a test DNS server in a lab, or something like that, using Ubuntu/Debian, without having to touch the production DNS server.
Indeed, you can set up a couple of test DNS servers to try to sign your DNS records; and you can actually check the results with the dig command.

What I recommend is mostly to test how to keep your DNS server alive: signatures need to be refreshed over time (depending on your policy) and that is a critical operation that must be tested in advance (you can search for "DNSSEC key roll-over" for more details about this). There is even some software dedicated to that task.

Then when you have a validated system, you can implement the same thing in production.
 
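One way to turn the signature-refresh point in post #4 into a repeatable check: audit the output of dnssec-signzone for RRsets that carry no RRSIG and for signatures that are expired, not yet valid, or about to expire. This is an added example for this thread, not code from any of the posts. The zone text is a constructed sample in the layout dnssec-signzone writes; example.test is an assumed lab zone, the key tag 12345 and the base64 signature fields are placeholders, and the delegation lab.example.test is included only to show that delegation NS and glue records are legitimately unsigned and must not be reported.

```python
"""Audit a signed zone for RRSIG coverage and signature expiry.

Added example for this thread (not code from the posts). SAMPLE_ZONE is a
constructed sample in the layout dnssec-signzone writes; example.test is an
assumed lab zone and the signature fields are placeholders, not real data.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

SAMPLE_ZONE = """\
; constructed sample: example.test after dnssec-signzone (signatures are placeholders)
example.test.         3600 IN SOA   ns1.example.test. hostmaster.example.test. 2016062101 7200 3600 1209600 3600
example.test.         3600 IN RRSIG SOA 8 2 3600 20160721000000 20160621000000 12345 example.test. c2lnLXBsYWNlaG9sZGVy
example.test.         3600 IN NS    ns1.example.test.
example.test.         3600 IN RRSIG NS 8 2 3600 20160701000000 20160601000000 12345 example.test. c2lnLXBsYWNlaG9sZGVy
www.example.test.     3600 IN A     192.0.2.10
www.example.test.     3600 IN RRSIG A 8 3 3600 20160721000000 20160621000000 12345 example.test. c2lnLXBsYWNlaG9sZGVy
mail.example.test.    3600 IN A     192.0.2.20
lab.example.test.     3600 IN NS    ns1.lab.example.test.
ns1.lab.example.test. 3600 IN A     192.0.2.30
"""

RRSIG_TIME = "%Y%m%d%H%M%S"  # RRSIG inception/expiration field format (UTC)


def rrsig_time(field):
    """Parse an RRSIG YYYYMMDDHHMMSS timestamp into an aware UTC datetime."""
    return datetime.strptime(field, RRSIG_TIME).replace(tzinfo=timezone.utc)


def parse_zone(text):
    """Yield (owner, rtype, rdata_fields) for each record line.

    Covers the one-record-per-line layout dnssec-signzone emits; it does not
    expand $ORIGIN/$TTL directives or multi-line parenthesised records.
    """
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        fields = line.split()
        yield fields[0].lower(), fields[3].upper(), fields[4:]


def below_zone_cut(owner, delegations):
    """True for names at or under a delegation; delegation NS and glue are unsigned by design."""
    return any(owner == d or owner.endswith("." + d) for d in delegations)


def audit(text, apex, now, warn_days):
    """Return unsigned RRsets, RRSIGs not valid at `now`, and RRSIGs expiring within warn_days."""
    records = list(parse_zone(text))
    # Any NS RRset not at the apex is a delegation (zone cut).
    delegations = {owner for owner, rtype, _ in records if rtype == "NS" and owner != apex}

    rrsets, sigs = set(), defaultdict(list)  # sigs: (owner, type covered) -> [(inception, expiration)]
    for owner, rtype, rdata in records:
        if below_zone_cut(owner, delegations):
            continue
        if rtype == "RRSIG":
            sigs[(owner, rdata[0].upper())].append((rrsig_time(rdata[5]), rrsig_time(rdata[4])))
        else:
            rrsets.add((owner, rtype))

    horizon = now + timedelta(days=warn_days)
    not_valid, expiring = set(), set()
    for key, times in sigs.items():
        for inception, expiration in times:
            if inception > now or expiration <= now:
                not_valid.add(key)        # validators will reject this RRset right now
            elif expiration <= horizon:
                expiring.add(key)         # re-signing must happen before this date
    return {
        "unsigned": sorted(rrsets - set(sigs)),
        "not_valid": sorted(not_valid),
        "expiring": sorted(expiring),
    }


if __name__ == "__main__":
    # 2016-07-04 is used as "now" so the sample shows all three findings.
    report = audit(SAMPLE_ZONE, "example.test.", rrsig_time("20160704000000"), warn_days=30)
    for finding, items in report.items():
        print(f"{finding}: {items}")
```

Run it against the real output of dnssec-signzone on the lab server (or against a zone transfer from it) from cron, and treat any entry in "not_valid" as an outage and any entry in "expiring" as a missed re-signing run; the warn_days threshold should be longer than the interval at which you re-sign, so that a single failed run is caught while the old signatures are still valid.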
#5  DelMab (Original Poster), 07-04-2016, 04:47 AM
Thanks very much Ellendhel

We have our DNS server that is authoritative for internal requests and caching only for external requests. In other words, our DNS records are not queried from the outside; we just use it for querying externally. Can we still configure DNSSEC?

Many thanks
 
#6  Ellendhel, 07-05-2016, 10:41 AM
So, there are two different things:

- Having your DNS records on your authoritative server signed, to provide DNSSEC to everybody (not only your organization, but all people on the Internet as well). This is what I was referring to in my previous message.

- Having an internal DNS server able to handle DNSSEC requests for your clients, so you can check records from other domains.

I'm not sure what your request is, if it's for one or the other.

Signing your zone with DNSSEC requires preparation, planning, testing and training. BIND is probably the software that you will use for this.

Using a DNS resolver able to check signature validity is much easier. You can use BIND or Unbound for that purpose (again, with some planning and testing in advance) and then configure all your clients to use that server (usually this is done with your DHCP server).

If you have only one DNS server doing everything (being the authority and acting as a resolver for the clients) I would recommend to split this between two different servers first, if possible.
 
#7  DelMab (Original Poster), 07-06-2016, 03:44 AM
Thanks for your feedback Ellendhel

Our DNS server is authoritative only inside our organisation and our DNS records are not queried from the internet. It is not a public facing DNS server, however we use this DNS server to query externally. My question is can we still configure DNSSEC in this kind of configuration?
 
#8  Ellendhel, 07-06-2016, 11:24 AM
Yes, as you are using your server for both the 'authoritative' and the 'resolver' functions, you can enable DNSSEC for the 'resolver' function only.

If you are using BIND, you can look at the page listed below:

Bind Authoritative Caching DNS with DNSSEC - Calomel.org

This is for an OpenBSD server, but except for the location of some files, things will be the same on a Linux server.
 
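Posts #6 and #8 describe the second option, a resolver that validates signatures for the organisation's clients. The acceptance test for that is a handful of dig queries against the lab resolver, checking the response status and whether the "ad" (authenticated data) flag is set. Below is an added example of that test plan, not code from any of the posts or from the Calomel page. It assumes the lab resolver sits at 192.0.2.53, that corp.example is the unsigned internal zone, and that dig is on PATH when run_case() is used; the embedded dig outputs are constructed samples so the checks can be exercised offline. example.com is a signed zone and dnssec-failed.org is a deliberately mis-signed test zone, both used here as query targets only.

```python
"""Acceptance checks for a validating resolver, driven by dig output.

Added example for this thread (not code from the posts). It assumes the lab
resolver is at RESOLVER, that corp.example is the unsigned internal zone, and
that dig is on PATH when run_case() is used. The outputs embedded below are
constructed samples so the checks can be exercised offline.
"""
import re
import subprocess

RESOLVER = "192.0.2.53"  # assumed address of the lab resolver (documentation range)

# (label, dig arguments, expected status, must the "ad" flag be set?)
#  - example.com is a signed zone: a validating resolver answers NOERROR with ad set.
#  - dnssec-failed.org is deliberately mis-signed: validation must fail with SERVFAIL.
#  - +cd asks the resolver to skip validation for that query, so the same broken name
#    then resolves without ad; that proves the SERVFAIL above came from validation,
#    not from an unreachable authoritative server.
#  - intranet.corp.example is an assumed name in the unsigned internal zone: it must
#    still resolve, without ad, because there is no chain of trust to validate.
PLAN = [
    ("signed zone validates", ["+dnssec", "example.com", "A"], "NOERROR", True),
    ("broken signature is rejected", ["+dnssec", "dnssec-failed.org", "A"], "SERVFAIL", False),
    ("+cd bypasses validation", ["+dnssec", "+cd", "dnssec-failed.org", "A"], "NOERROR", False),
    ("internal unsigned zone still resolves", ["+dnssec", "intranet.corp.example", "A"], "NOERROR", False),
]


def parse_dig(output):
    """Pull the response status and header flags out of dig's text output."""
    status = re.search(r"status: ([A-Z]+)", output)
    flags = re.search(r"^;; flags: ([a-z ]*);", output, re.MULTILINE)
    return {
        "status": status.group(1) if status else None,
        "flags": set(flags.group(1).split()) if flags else set(),
    }


def evaluate(case, output):
    """Return (passed, detail) for one plan entry against a dig output."""
    label, _args, want_status, want_ad = case
    got = parse_dig(output)
    has_ad = "ad" in got["flags"]
    passed = got["status"] == want_status and has_ad == want_ad
    return passed, f"{label}: status={got['status']} ad={has_ad} (want {want_status}, ad={want_ad})"


def run_case(case, server=RESOLVER):
    """Run one plan entry against the lab resolver (needs dig on PATH)."""
    cmd = ["dig", f"@{server}"] + case[1]
    out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    return evaluate(case, out)


def evaluate_all(outputs):
    """Evaluate every plan entry against a dict of label -> dig output; returns label -> passed."""
    return {case[0]: evaluate(case, outputs[case[0]])[0] for case in PLAN}


# Constructed dig header lines showing what a correctly configured validating
# resolver returns for each plan entry.
SAMPLES = {
    "signed zone validates": """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
""",
    "broken signature is rejected": """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
""",
    "+cd bypasses validation": """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4713
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
""",
    "internal unsigned zone still resolves": """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4714
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
""",
}

# Constructed output from a resolver with validation switched off: the signed
# zone still answers, but nothing vouches for it, so the first plan entry fails.
SAMPLE_NOT_VALIDATING = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4715
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""

if __name__ == "__main__":
    for label, passed in evaluate_all(SAMPLES).items():
        print("PASS" if passed else "FAIL", label)
```

Two caveats when running this against a box that is also authoritative for the internal zone, as in this thread: answers for the server's own zones come back with "aa" set and are never validated (there is nothing to validate them against), so the last plan entry is a reachability check, not a DNSSEC check; and the "ad" flag is only set when the client asked for it, which is why every query carries +dnssec.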
#9  DelMab (Original Poster), 07-07-2016, 03:12 AM
Thank you very much for your help Ellendhel. I will keep doing research. Cheers
 
All times are GMT -5.