Re: Value of a DNSSEC validating resolver

2024-02-09 Thread Mark Andrews
-- Mark Andrews

> On 10 Feb 2024, at 04:18, Randy Bush wrote:
>
>> I admit here we most often work with internal only forwarders, which
>> are not accessible from outer internet. So those won't be under attack
>
> i am always impressed by security optimism
>
> randy

-- Visit https:

Re: DNSSEC setup for stealth master and multi slave/recursive - Multiple DS keys?

2024-02-09 Thread Björn Persson
Jordan Larson via bind-users wrote:
> All the dnssec configuration(s) only need to reside on the master then,
> correct?

Correct.

Björn Persson

-- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list IS

Re: Value of a DNSSEC validating resolver

2024-02-09 Thread Randy Bush
> I admit here we most often work with internal only forwarders, which
> are not accessible from outer internet. So those won't be under attack

i am always impressed by security optimism

randy

Re: DNSSEC setup for stealth master and multi slave/recursive - Multiple DS keys?

2024-02-09 Thread Jordan Larson via bind-users
Thank you for the detailed explanation! This is what I was wondering. All the dnssec configuration(s) only need to reside on the master then, correct?

Looks like I've got a little clean-up to do. Appreciate everyone's insight with this!

~Jordan

On 2/9/24, 8:44 AM, "Björn Persson" wrote: Jord

Re: Value of a DNSSEC validating resolver

2024-02-09 Thread Petr Menšík
On 2/9/24 12:39, Mark Andrews wrote:
> Do the analysis where the resolver is under attack or the auth server with the best rtt is stale.

I admit here we most often work with internal only forwarders, which are not accessible from outer internet. So those won't be under attack, at least directed

Re: Value of a DNSSEC validating resolver

2024-02-09 Thread Mark Andrews
Do the analysis where the resolver is under attack or the auth server with the best rtt is stale.

-- Mark Andrews

> On 9 Feb 2024, at 21:40, Petr Menšík wrote:
>
> Hello Mark,
>
> allow me here to correct your statement. We spent in Red Hat some time
> thinking and testing validating clien

Re: Value of a DNSSEC validating resolver

2024-02-09 Thread Petr Menšík
Hello Mark,

allow me here to correct your statement. We spent some time at Red Hat thinking about and testing validating clients. A validating resolver is *not* necessary for validating clients to work. They are better and recommended, but not always necessary. What is required is dnssec (security)

Re: DNSSEC setup for stealth master and multi slave/recursive - Multiple DS keys?

2024-02-09 Thread Mark Elkins via bind-users
Couple of things...

Use the words Primary and Secondary... don't use Master and Slave - as it upsets many people. (I teach DNS/DNSSEC and still say dumb things at times, and I live in South Africa)

The Secondary Nameservers should not have any additional DNSSEC configurations if the Primary