babu dheen <babudh...@yahoo.co.in> wrote:
>
> All users in our company are using internal DNS server for name resolution.
> All internal DNS servers are pointed to our gateway recursive BIND name
> server which is responsible for getting DNS queries from authoritative
> internet DNS server.
>
> Now we would like to configure DNSSEC on my gateway DNS and internal DNS
> server.

For recursive DNSSEC, I recommend BIND 9.8 or newer, since then you don't
have to mess around with getting the root trust anchor.

Once you have a recent version of the software, check your network isn't
broken using a DNS reply size tester such as
https://www.dns-oarc.net/oarc/services/replysizetest/

If large UDP packets and TCP/53 get through OK, then you can go ahead and
add the following to the options section of your nameserver configuration:

    dnssec-validation auto;
    dnssec-lookaside auto;

And that's it.

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
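
Added example, not part of the original message: one way to confirm that the gateway resolver is actually validating once `dnssec-validation auto;` is in place, by classifying the header of a `dig +dnssec` reply. The helper names `classify_dig` and `check_resolver` are hypothetical, and the sample headers are constructed rather than captured from a real server.

```shell
#!/bin/sh
# Added example: confirm that a recursive resolver is validating DNSSEC.
# classify_dig and check_resolver are hypothetical helper names.

# Read `dig +dnssec` output on stdin; print validated|unvalidated|servfail|other.
classify_dig() {
    awk '
        /->>HEADER<<-/ {            # header line carries "status: NOERROR,"
            for (i = 1; i < NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,/, "", status) }
        }
        /^;; flags:/ {              # e.g. ";; flags: qr rd ra ad; QUERY: 1, ..."
            line = $0
            sub(/^;; flags:/, "", line)
            sub(/;.*/, "", line)
            n = split(line, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ad") ad = 1
        }
        END {
            if (status == "SERVFAIL")           print "servfail"
            else if (status == "NOERROR" && ad) print "validated"
            else if (status == "NOERROR")       print "unvalidated"
            else                                print "other"
        }'
}

# Query a live resolver: check_resolver <resolver-address> <signed-zone>
# A validating resolver gives "validated" for a correctly signed zone and
# "servfail" for one whose signatures are broken; repeating the failing query
# with dig +cd shows whether validation was the cause.
check_resolver() {
    dig +dnssec @"$1" "$2" SOA | classify_dig
}

# Constructed sample dig headers (not captured from a real server).
SAMPLE_SECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_PLAIN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

for s in "$SAMPLE_SECURE" "$SAMPLE_PLAIN" "$SAMPLE_BOGUS"; do
    printf '%s\n' "$s" | classify_dig
done
```

An "unvalidated" result for a zone known to be signed means the `ad` flag is missing, so the resolver answered without validating.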