...

  1. From the Cloud Services Portal, click Manage -> DNS, and click Global DNS Configuration.

  2. In the Global DNS Configuration page, click DNSSEC. Select the Enable DNSSEC check box and configure the following:

    • Enable Signature Validation: If you allow the application to respond to recursive queries, you can select this check box to enable the application to validate responses to recursive queries for domains that you specify.

    • Accept expired signature: Click this check box to enable the application to accept responses with signatures that have expired. Though enabling this feature might be necessary to work temporarily with zones that have not had their signatures updated in a timely fashion, note that it could also increase the vulnerability of your network to replay attacks.

    • TRUST ANCHORS: Configure the DNSKEY record that holds the KSK as a trust anchor for each zone for which the application returns validated data. Click Add and complete the following:

      • ZONE: Enter the FQDN of the domain for which the application validates responses to recursive queries.

      • SECURE ENTRY POINT (SEP): This check box is enabled by default to indicate that you are configuring a KSK.

      • ALGORITHM TYPE: Select the algorithm of the DNSKEY record:

        • RSAMD5

        • Diffie-Hellman (This is not supported by BIND and Infoblox BloxOne DDI.)

        • DSA

        • RSASHA1

        • DSA-NSEC3-SHA1

        • RSASHA1-NSEC3-SHA1

        • RSASHA-256

        • RSASHA-512

        • ECDSAP256SHA256

        • ECDSAP384SHA384

      • PUBLIC KEY: Paste the key into this text box. You can use either of the following commands to retrieve the key:

        • dig . dnskey +multiline: This command retrieves the root zone keys, which are the only public keys you require for a full chain-of-trust validation.

        • dig [@server_address] <zone> dnskey +multiline +dnssec: This command retrieves the public keys of the zone you specify from the given server and can be used if the parent zone is not signed. Note that this command gives you a key that you must cross-validate against other servers to ensure you have an identical key. As an alternative, you can use http://data.iana.org/root-anchors/ to retrieve signed public keys. The trust anchors are available in formats such as XML and CSR. For more information, refer to https://data.iana.org/root-anchors/old/2015-04-03/draft-icann-dnssec-trust-anchor.txt.
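The cross-validation step above, as an added example that is not part of the Infoblox documentation: a Python script that parses the `dig <zone> dnskey +multiline` output captured from two resolvers, computes each key's key tag (RFC 4034 Appendix B) and confirms that both servers returned the identical set of SEP (KSK) keys before one of them is pasted into the PUBLIC KEY field. The dig outputs are constructed samples with tiny fake keys, not real root zone keys.

```python
import base64
import re


def parse_dnskeys(dig_output: str) -> list[dict]:
    """Parse `dig <zone> dnskey +multiline` output into DNSKEY dicts, ignoring dig's ';' comments."""
    # Fold the multi-line "( ... )" rdata block onto one line so each record is a single line.
    text = re.sub(r"\(([^)]*)\)", lambda m: m.group(1).replace("\n", " "), dig_output)
    keys = []
    for line in text.splitlines():
        fields = line.split(";")[0].split()  # drop the "; KSK; alg = ... ; key id = ..." trailer
        if len(fields) < 8 or fields[3] != "DNSKEY":
            continue
        keys.append({"owner": fields[0], "flags": int(fields[4]), "protocol": int(fields[5]),
                     "algorithm": int(fields[6]), "key": base64.b64decode("".join(fields[7:]))})
    return keys


def key_tag(flags: int, protocol: int, algorithm: int, key: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY rdata (valid for all algorithms except RSAMD5)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + key
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def sep_anchors(dig_output: str) -> dict:
    """Keep only SEP keys (KSKs, flag bit value 1) as {(owner, algorithm, key tag): key bytes}."""
    return {(k["owner"], k["algorithm"], key_tag(k["flags"], k["protocol"], k["algorithm"], k["key"])): k["key"]
            for k in parse_dnskeys(dig_output) if k["flags"] & 0x0001}


def cross_validate(*dig_outputs: str) -> bool:
    """True only when every resolver returned the identical, non-empty set of KSKs."""
    anchors = [sep_anchors(o) for o in dig_outputs]
    return bool(anchors[0]) and all(a == anchors[0] for a in anchors[1:])


# Constructed sample dig outputs (fake 4-byte keys, NOT real root zone keys); key ids precomputed.
RESOLVER_A = """; <<>> DiG 9.18.0 <<>> . dnskey +multiline
.\t\t172800\tIN\tDNSKEY\t257 3 8 (
\t\t\t\tAQIDBA==
\t\t\t\t) ; KSK; alg = RSASHA256 ; key id = 2063
.\t\t172800\tIN\tDNSKEY\t256 3 8 (
\t\t\t\tBQYHCA==
\t\t\t\t) ; ZSK; alg = RSASHA256 ; key id = 4118
"""
# Second server: same KSK but a rolled ZSK, which must not affect the trust-anchor comparison.
RESOLVER_B = RESOLVER_A.replace("BQYHCA==", "CQoLDA==").replace("key id = 4118", "key id = 6174")
RESOLVER_TAMPERED = RESOLVER_A.replace("AQIDBA==", "AQIDBQ==")  # one byte of the KSK differs
```

`cross_validate(RESOLVER_A, RESOLVER_B)` returns True, while `cross_validate(RESOLVER_A, RESOLVER_TAMPERED)` returns False, so a mismatched KSK is caught before it is configured as a trust anchor.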

...