That I understand. Use me (Posix) then, full DNSSEC support.
https://vweb.co.za. If you like, run your DNS wherever you want, just
use me at the Registrar.
Unfortunately, very few Registrars in ZA-Land have implemented DNSSEC
support - despite ZA having a very high percentage of DNSSEC resolver
support (about 50% of all queries hit a DNSSEC aware recursive resolver!)
On 2019/07/19 01:57, p...@vspace.co.za wrote:
By all means, not a difficult process at all. I have DNSSEC enabled and fully
operational on .com domains.
Problem being, no options exist as to export the DS record of co.za, com.au or
net.au domains to the respective registrars, being namecheap.com and
axxess.co.za.
Noted that namecheap.com does accept the DS records for .com domains, yet not
for .au domains.
-----Original Message-----
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Mal via
bind-users
Sent: Thursday, 18 July 2019 10:22 PM
To: m...@posix.co.za; bind-users@lists.isc.org
Subject: Re: DNSSEC validation via DLV
Not a difficult process really..
-Configure a DNSSEC enabled name server
-Create a some zone keys (dnssec-keygen) -Sign your zone (dnssec-signzone)
-Update your nameserver configuration to point to the signed zone file -Export
your DS records (dsset) to the domain registration company (EPP).
Confirm the chain.. http://dnsviz.net/d/apnic.com.au/dnssec/
Mal
On 18/07/2019 4:46 pm, Mark Elkins wrote:
I can't comment on com.au (but looking up the Nameservers, I see the
AD bit set - so DNSSEC appears to be in use..
However, co.za (and net.oza, org.za & web.za) which are managed by the
ZACR (and DNS) - they are all signed and I personally have domains
under these second levels - all running DNSSEC. The DS records are
added to the parents using EPP - and it works perfectly. I used to
present free (to the community) DNS classes to the community (the ZACR
paid me) and this (DNSSEC) was taught to attendees. Unfortunately, no
more classes for now.
DNSSEC in CO.ZA became live at about the time DLV stopped running. The
other SLD's had already been running for about a year.
For the record, EDU.ZA is also signed and can accept DS records -
albeit via a Web interface.
@peek - you are most welcome to chat to me.
On 2019/07/18 04:34, p...@vspace.co.za wrote:
With DLV (DNSSEC Lookaside Validation) having been decommissioned,
though zones still exists that does not provide a fully signed path
from root to zone, i.e. .com.au , co.za etc, how would an
administrator enable / implement DNSSEC validation for these zones ?
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to
unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to
unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
--
Mark James ELKINS - Posix Systems - (South) Africa
m...@posix.co.za Tel: +27.128070590 Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
