About DNSSEC

DNSSEC (DNS Security Extensions) provides mechanisms for authenticating the source of DNS data and ensuring its integrity. It protects DNS data from certain attacks, such as man-in-the-middle attacks and cache poisoning. A man-in-the-middle attack occurs when an attacker intercepts responses to queries and inserts false records. Cache poisoning can occur when a client accepts maliciously created data. DNSSEC helps you avoid such attacks on your networks.

Enabling Recursion and Validation for Zones

The following are the tasks to enable recursion and validate recursively derived data:

...

DNSSEC is enabled by default on the BloxOne DDI cloud portal. 

...

Enable recursion on BloxOne DDI. For more information, see Enabling Recursive Queries.

...

Configure global forwarders and custom root name servers, if needed. For more information, see Using Forwarders.

Enabling DNSSEC

DNSSEC is enabled by default on the BloxOne DDI cloud portal.

To disable DNSSEC, complete the following:

  1. From the Cloud Services Portal, click Manage -> DNS, and click Global DNS Configuration.
  2. In the Global DNS Configuration page, click DNSSEC. 
  3. Clear the Enable DNSSEC check box.
  4. Click Save & Close to save.

Enabling DNSSEC Validation

Warning

When using a forwarder with DNSSEC validation, perform one of the following:

  • Let the upstream server respond with the correct DS/DNSKEY records for each of the intermediate domain names from query name to root name.

Or

  • Provide the explicitly trusted keys for all intermediate domain names, so that a recursive query to DNSKEYs can stop on those trusted anchors when querying DNSSEC records for those intermediate domain names.

To configure trust anchors and enable Infoblox BloxOne DDI name servers to validate responses, complete the following:

...

Select the Enable DNSSEC check box and complete the following:

  • Enable Validation: If you allow the application to respond to recursive queries, you can select this check box to enable the application to validate responses to recursive queries for domains that you specify.

  • Accept expired signature: Click this check box to enable the application to accept responses with signatures that have expired. Though enabling this feature might be necessary to work temporarily with zones that have not had their signatures updated in a timely fashion, note that it could also increase the vulnerability of your network to replay attacks.

  • TRUST ANCHORS: Configure the DNSKEY record that holds the KSK as a trust anchor for each zone for which the application returns validated data. Click Add and complete the following:

    • ZONE: Enter the FQDN of the domain for which the application validates responses to recursive queries.
    • SECURE ENTRY POINT (SEP): This check box is enabled by default to indicate that you are configuring a KSK.
    • ALGORITHM TYPE: Select the algorithm of the DNSKEY record:
      • RSAMD5
      • Diffie-Hellman (This is not supported by BIND and Infoblox BloxOne DDI.)
      • DSA
      • RSASHA1
      • DSA-NSEC3-SHA1
      • RSASHA1-NSEC3-SHA1
      • RSASHA-256
      • RSASHA-512
      • ECDSAP256SHA256
      • ECDSAP384SHA384
    • PUBLIC KEY: Paste the key into this text box. You can use either of the following commands to retrieve the key:

...

  4. Click Save & Close to save.
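The checks a practitioner would run on a key before pasting it into the TRUST ANCHORS fields above (is it a KSK with the SEP bit set, which algorithm from the list is it, and what key tag and DS digest should the parent zone publish for it), as an added Python example that is not part of the BloxOne DDI documentation. The zone name, flags and 4-byte key are constructed sample values, and the algorithm-number mapping is assumed from the IANA DNSSEC algorithm registry.

```python
import base64
import hashlib

# IANA algorithm numbers for the names offered in the ALGORITHM TYPE drop-down (assumed from the registry).
ALGORITHMS = {
    1: "RSAMD5", 2: "Diffie-Hellman", 3: "DSA", 5: "RSASHA1",
    6: "DSA-NSEC3-SHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256",
    10: "RSASHA512", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384",
}

def dnskey_rdata(flags: int, algorithm: int, public_key_b64: str) -> bytes:
    """Wire-format DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, raw key."""
    return flags.to_bytes(2, "big") + b"\x03" + bytes([algorithm]) + base64.b64decode(public_key_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B; the DS record in the parent carries the same value."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def owner_wire(zone: str) -> bytes:
    """Canonical (lower-case) wire form of the ZONE FQDN, e.g. example.com. -> \\x07example\\x03com\\x00."""
    labels = [l for l in zone.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_digest_sha256(zone: str, rdata: bytes) -> str:
    """DS digest type 2 (RFC 4509): SHA-256 over owner name + DNSKEY RDATA, upper-case hex."""
    return hashlib.sha256(owner_wire(zone) + rdata).hexdigest().upper()

def check_trust_anchor(zone: str, flags: int, algorithm: int, public_key_b64: str) -> dict:
    """Summarise what the form expects: a KSK (SEP set), a supported algorithm, and its tag/DS."""
    rdata = dnskey_rdata(flags, algorithm, public_key_b64)
    return {
        "is_ksk": (flags & 0x0101) == 0x0101,   # ZONE bit (256) and SEP bit (1) both set -> 257
        "algorithm": ALGORITHMS.get(algorithm, f"unknown({algorithm})"),
        "supported": algorithm != 2,            # Diffie-Hellman is listed but not supported
        "key_tag": key_tag(rdata),
        "ds_sha256": ds_digest_sha256(zone, rdata),
    }

# Constructed sample, not a real key: flags 257, protocol 3, ECDSAP256SHA256, 4 placeholder key bytes.
SAMPLE_KEY_B64 = base64.b64encode(b"\x00\x01\x02\x03").decode()

if __name__ == "__main__":
    for name, value in check_trust_anchor("example.com.", 257, 13, SAMPLE_KEY_B64).items():
        print(f"{name}: {value}")
```

Compare the printed key tag and DS digest against the DS record the parent zone publishes; a mismatch means the pasted key is not the one the chain of trust from the root actually delegates to.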

Warning

The Enable DNSSEC option must always be selected (set to true). 

...


...
