A Beginner's Guide to DNSSEC with BIND 9.

Well done! A few comments, if I may:

1. in your zone stanzas you use the term "master" (type: master, ... masters 
{}). BIND has been updated already a while ago to support the term primary, e.g. `type 
primary;' and `primaries {};' (likewise for 'secondary'). It might be a good time to 
switch to the new nomenclature, particularly as you rightly call the primary primary and 
secondary a secondary :)

2. I tend to use `rndc reconfig' for re-configuration (after adding a new zone, 
say) rather than `reload', which I used when I wish named to load a modified 
primary zone.

3. on your primary you have an allow-transfer{} ACL for your secondary using its IP address. You might wish to look into using TSIG for that.

4. note that `inline-signing' might go away and be replaced by dnssec-policy 
which you may wish to look into at some point.

5. I'm not familiar with the paths used by your Ubuntu distro, but the command 
at #6 appears to be incorrect:

        sudo ./etc/bind/named-checkconf named.conf.local

   named-checkconf(8) is likely in /usr/sbin and it will use a compiled-in 
default configuration file.

6. just as an FYI: instead of "and if you quickly type tail var/log/syslog" I 
typically `tail -f' (follow) the log file in a second window/pane/console or even in the 
same session in order to have logs show up immediately. :)

7. Instead of querying for the SOA (dig ... SOA +dnssec), I like querying for 
the DNSKEY RRset so that I see the key tags (key IDs): `dig @::1 example.com 
DNSKEY +dnssec +multi' (the +multi flag shows me the key types and tags, or use 
+nocrypto to omit the base64-encoded stuff)

8. in the section on externally validating, I'd love to recommend dnsviz.net: I 
cannot think of another testing site which I would *pay* to use. These chaps 
are grand!


Feel free to talk to me off-list if I've not made sense.

Best regards,

        -JP
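Putting comments 1, 3 and 4 above into one configuration: the named.conf fragments below are an added example, not code from the post above or from the guide it reviews. They show the `type primary;`/`primaries {}` nomenclature, an `allow-transfer` ACL keyed on a TSIG key instead of an IP address, and `dnssec-policy` in place of hand-managed signing. The zone name example.com, the key name "xfer-key", the 192.0.2.x addresses, the file paths and the base64 secret are all placeholders (the secret is a constructed value; generate a real one with `tsig-keygen xfer-key` and keep it out of world-readable files).

```conf
// ---------- primary (e.g. /etc/bind/named.conf.local on the primary) ----------

// TSIG key shared by primary and secondary. Placeholder secret: replace with
// the output of `tsig-keygen xfer-key`. Same key name and secret on both sides.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "c2VjcmV0LWV4YW1wbGUtZG8tbm90LXVzZQ==";
};

// Signing policy replacing manual dnssec-keygen / inline-signing key handling.
// named creates, rolls and retires keys in key-directory by itself.
dnssec-policy "example-policy" {
    keys {
        ksk key-directory lifetime unlimited algorithm ecdsa256;
        zsk key-directory lifetime P90D      algorithm ecdsa256;
    };
};

zone "example.com" {
    type primary;                              // was: type master;
    file "/var/lib/bind/db.example.com";       // unsigned zone file you edit
    key-directory "/var/lib/bind/keys";        // must be writable by named
    dnssec-policy "example-policy";
    inline-signing yes;                        // signed copy kept in db.example.com.signed
    // Only a transfer request signed with xfer-key is answered, regardless of
    // the source address. To require both, combine the key with an address ACL.
    allow-transfer { key "xfer-key"; };
    notify yes;
    also-notify { 192.0.2.2; };                // secondary (placeholder address)
};

// ---------- secondary ----------

key "xfer-key" {
    algorithm hmac-sha256;
    secret "c2VjcmV0LWV4YW1wbGUtZG8tbm90LXVzZQ==";   // same placeholder secret as above
};

zone "example.com" {
    type secondary;                            // was: type slave;
    file "/var/cache/bind/db.example.com";     // transferred copy, owned by named
    primaries { 192.0.2.1 key "xfer-key"; };   // was: masters { 192.0.2.1; };
};
```

Check the result with `named-checkconf` from PATH rather than a path under /etc/bind: with no argument it reads the compiled-in default (/etc/bind/named.conf on Debian-derived systems), and `named-checkconf -z` additionally loads every zone file. After adding the zone, `rndc reconfig` picks it up; after editing db.example.com, `rndc reload example.com` re-reads it and named re-signs the changed records. `dig @::1 example.com DNSKEY +dnssec +multi` then shows the key tags the policy generated.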
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users