I'm trying to come up with an interim solution for my ISP's DNS Recursive Resolver that is DNSSEC aware.
My thoughts so far:

- Use BIND 9.6.1-P3 (this is the latest version named that Gentoo Linux gives me).
- In order to fetch both ITAR and DLV signatures, use a patched version of wget that is DNSSEC aware.
- Once a week (is this frequent enough?) fetch the DNSSEC signatures from ITAR and ISC/DLV, convert the ITAR XML stuff into signatures, append the DLV signature and then include this file in my named.conf configuration:

  (named.conf: include "named.conf.trust-anchors"; )

- In named.conf --> options, add:

  dnssec-enable yes;
  dnssec-validation yes;
  dnssec-lookaside . trust-anchor dlv.isc.org.;

This appears to be working for me.

Questions are: how frequently should one fetch these trust anchors? I'd have thought once a week was enough, but have read of situations where people using ISC's DLV have had past problems. I'm hoping that by using both ITAR and DLV I won't have this problem; I have not noticed anything personally yet.

I call this an "interim" solution: interim until the root is signed with live data and contains the data that ITAR is currently being used to store. I don't see ISC's DLV disappearing overnight just because the root is signed either...

I'm only doing the 'wget-ting' from one location, then distributing internally from there, in order to reduce loads.

What other suggestions do people have to achieve something similar?

ps - I find the CZ "DNSSEC Validator" (addon) plugin to Firefox very inspiring! Anyone aware of something similar for IE?

-- 
  .  . ___. .__      Posix Systems - Sth Africa. e.164 VOIP ready
 /| /| / /__ m...@posix.co.za - Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS Tel: +27 12 807 0590 Cell: +27 82 601 0496
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
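The post above converts fetched ITAR data into a trusted-keys include file and pulls it straight into named.conf. The check a practitioner would want before doing that: a trust anchor fetched over plain HTTP is the one thing the resolver cannot DNSSEC-validate, so cross-check each DNSKEY against a DS record obtained through a second channel (key tag per RFC 4034 Appendix B, digest per RFC 4034 section 5.1.4) and only write the keys that agree. BIND's trusted-keys statement takes the DNSKEY itself, so a DS from the other source can only serve as this cross-check, not as the anchor. The following is an added example, not code from the post or from ISC/BIND; the zone "example.", the key bytes, the DS dictionary layout and the base64 "AwQBAg==" tampered key are all constructed for illustration, and where the DS list would come from (the other repository the post mentions, or a record pasted from a signed announcement) is left to the operator.

```python
"""Cross-check DNSKEY trust anchors against DS records from a second source,
then emit a BIND trusted-keys include file only for the keys that verify.

Added example, not code from the original post or from ISC/BIND. The zone
"example." and the key bytes below are constructed, not real anchors."""
import base64
import hashlib
import struct


def name_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lowercase labels, each length-prefixed, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            raw = label.encode("ascii")
            out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (the algorithm-1 special case is ignored)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(name, rdata, digest_type):
    """DS digest over canonical owner name + DNSKEY RDATA (RFC 4034 section 5.1.4)."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return hasher(name_to_wire(name) + rdata).hexdigest().upper()


def anchor_matches_ds(name, flags, protocol, algorithm, key_b64, ds):
    """True only if the DNSKEY is a zone key and its key tag, algorithm and
    digest all agree with the independently obtained DS record (a dict with
    zone, keytag, algorithm, digest_type and hex digest; constructed layout)."""
    if not flags & 0x0100:          # bit 7: Zone Key; anything else is not an anchor
        return False
    if protocol != 3 or algorithm != ds["algorithm"]:
        return False
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    if key_tag(rdata) != ds["keytag"]:
        return False
    expected = ds["digest"].replace(" ", "").upper()
    return ds_digest(name, rdata, ds["digest_type"]) == expected


def trusted_keys_stanza(anchors, ds_records):
    """Render a BIND 9 trusted-keys block for the anchors that verify against
    the DS list. Anchors that fail are dropped and reported as (zone, keytag),
    never silently included in the file named.conf will load."""
    lines = ["trusted-keys {"]
    rejected = []
    for name, flags, protocol, algorithm, key_b64 in anchors:
        zone = name.rstrip(".").lower()
        candidates = [d for d in ds_records if d["zone"].rstrip(".").lower() == zone]
        if any(anchor_matches_ds(name, flags, protocol, algorithm, key_b64, d)
               for d in candidates):
            lines.append('    "%s" %d %d %d "%s";' % (name, flags, protocol, algorithm, key_b64))
        else:
            rejected.append((name, key_tag(dnskey_rdata(flags, protocol, algorithm, key_b64))))
    lines.append("};")
    return "\n".join(lines) + "\n", rejected


if __name__ == "__main__":
    # Constructed anchor: flags 257 (zone key + SEP), protocol 3, algorithm 8,
    # public key bytes 01 02 03 04 ("AQIDBA==" in base64); key tag works out to 2063.
    anchor = ("example.", 257, 3, 8, "AQIDBA==")
    rdata = dnskey_rdata(*anchor[1:])
    # Stand-in for the DS fetched via the second channel (derived locally here).
    good_ds = {"zone": "example.", "keytag": key_tag(rdata), "algorithm": 8,
               "digest_type": 2, "digest": ds_digest("example.", rdata, 2)}
    # Tampered key with the 16-bit words swapped: same key tag, different digest,
    # which is exactly why the digest, not just the tag, must be compared.
    tampered = ("example.", 257, 3, 8, "AwQBAg==")
    stanza, rejected = trusted_keys_stanza([anchor, tampered], [good_ds])
    print(stanza)
    print("rejected:", rejected)
```

The output of `trusted_keys_stanza` is what would go into the `named.conf.trust-anchors` file the post includes; a non-empty `rejected` list is the signal to keep the previous file and investigate rather than overwrite it on the weekly run.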