On Sat, Mar 27, 2021 at 12:51:36PM +0100, Francesc Peñalvez wrote:

> I have the dns of the domain managed externally, configured with
> dnssec, and another host running postfix. How could I integrate that
> so postfix uses the dnssec configuration? Would it be enough to add
> the dns of the external service to the postfix resolv.conf?
As written, the question makes no sense.  You'll need to explain your
goals in more detail.

- If your domain is already signed, then clients resolving data about
  your domain are able (when suitably configured) to validate the
  integrity of that data.

- If you're looking to use DNSSEC as a client, to validate DNS records
  of remote domains, all you need is a local (running on the Postfix
  server itself, listening on 127.0.0.1:53) validating resolver, such
  as unbound, Knot, BIND, ...

  * The DNSSEC status of your own domain is irrelevant for validating
    remote domains.

  * Validating remote domains does not directly do anything to ensure
    data integrity for your own domains when queried by others.

See:

    https://stats.dnssec-tools.org/explore/?almogavers.net
    https://dnsviz.net/d/almogavers.net/YFjc3g/dnssec/

I would perhaps recommend either switching to algorithm 13 (ECDSA
P256), which has better security at a lower key size, or using a ZSK
that is shorter than 2048 bits (1280 bits is what .COM uses), which
tends to be a bit too large for unfragmented UDP when responses carry
multiple signatures (e.g. NSEC3 negative answers).  Fragmented UDP is
not reliable these days over wide-area networks.  For small zones with
no names to hide, just use NSEC.

-- 
    Viktor.
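An added illustration of the key-size point in the reply above (example code, not from the thread or from any DNS implementation): a rough model of how large a signed NXDOMAIN response gets with a 2048-bit RSA ZSK versus a 1280-bit key or algorithm 13, using the zone name from the thread and a constructed non-existent query name. The record layouts, name-compression assumptions and size thresholds are stated in the comments and are approximations.

```python
# Added example, not from the original post nor from any DNS software: a rough
# wire-size model of a signed NXDOMAIN answer, showing why a 2048-bit RSA ZSK
# with NSEC3 pushes responses past what travels unfragmented while algorithm 13
# (ECDSA P-256) or a 1280-bit key does not. Assumed: repeated names compress to
# 2-byte pointers, SHA-1 NSEC3 hashes, no salt, 6-byte bitmaps, apex-length SOA names.

SIG_BYTES = {"rsa2048": 256, "rsa1280": 160, "ecdsap256": 64}  # raw signature size
HEADER, OPT_RR, PTR = 12, 11, 2  # DNS header, EDNS0 OPT RR (no options), name pointer
EDNS_SAFE = 1232                 # DNS Flag Day 2020 default EDNS buffer size
ONE_FRAME = 1500 - 20 - 8        # largest DNS payload in one IPv4/UDP Ethernet frame

def wire_name(name: str) -> int:
    """Uncompressed wire length of a name: length byte per label, plus root."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return sum(1 + len(l) for l in labels) + 1

def rr(owner: int, rdata: int) -> int:
    return owner + 10 + rdata    # owner name + TYPE, CLASS, TTL, RDLENGTH + RDATA

def rrsig(owner: int, signer: int, sig: int) -> int:
    """RRSIG: 18 fixed RDATA bytes, uncompressed signer name, signature."""
    return rr(owner, 18 + signer + sig)

def nxdomain_size(zone: str, qname: str, alg: str, nsec3: bool = True) -> int:
    """Approximate bytes in a worst-case signed NXDOMAIN answer for qname."""
    z, sig = wire_name(zone), SIG_BYTES[alg]
    size = HEADER + wire_name(qname) + 4 + OPT_RR      # question section + EDNS
    size += rr(PTR, 2 * z + 20) + rrsig(PTR, z, sig)   # apex SOA + its RRSIG
    if nsec3:
        owner = 1 + 32 + PTR                           # base32 hash label + apex pointer
        nsec3_rdata = 1 + 1 + 2 + 1 + 1 + 20 + 6       # alg, flags, iters, salt, hash, bitmap
        # closest encloser, next closer and wildcard proofs: three NSEC3 RRs + RRSIGs
        size += 3 * (rr(owner, nsec3_rdata) + rrsig(owner, z, sig))
    else:
        # NSEC: one RR covering the name, one covering the wildcard, each signed
        size += 2 * (rr(PTR, z + 6) + rrsig(PTR, z, sig))
    return size

def verdict(size: int) -> str:
    """Classify against the two thresholds that matter for unfragmented UDP."""
    if size <= EDNS_SAFE:
        return "ok"
    return "borderline" if size <= ONE_FRAME else "fragments"

if __name__ == "__main__":
    for alg in SIG_BYTES:
        for nsec3 in (True, False):
            n = nxdomain_size("almogavers.net", "nonexistent.almogavers.net", alg, nsec3)
            print(f"{alg:9s} {'NSEC3' if nsec3 else 'NSEC':5s} {n:5d} bytes  {verdict(n)}")
```

The exact byte counts depend on name lengths and on how many NSEC3 records a given proof needs; what matters is the ordering, since four 256-byte RSA signatures alone consume most of the 1232-byte budget while the same answer with 64-byte ECDSA signatures or plain NSEC stays well inside it.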