When you enable recursion on a Grid member and it receives a recursive query for DNS data it does not have, it queries remote name servers that you specified in the Grid DNS Properties or Member DNS Properties editor. It then includes the DNSSEC data it retrieved through recursion in its responses to clients that requested DNSSEC RRs. You can enable the appliance to validate the responses of these servers for certain zones. On the appliance, you specify the zones to validate and configure their DNSKEY records as trust anchors. When the appliance validates a response for a zone configured with a trust anchor or for any of its child zones, the appliance starts with the DNSKEY that you configured and proceeds recursively down the DNS tree.
In the example shown in Figure 22.5, the following was configured on the NIOS appliance:

  • Forwarder with the following IP address: 10.2.2.1
  • Recursion was enabled
  • DNSSEC and validation were enabled
  • The corpxyz.com zone and its DNSKEY record were configured

Figure 22.5

Enabling Recursion and Validation for Signed Zones

...

  1. Enable DNSSEC on the appliance. For information, see Enabling DNSSEC.
  2. Enable validation and configure the trust anchor of each signed zone. For information, see Enabling DNSSEC Validation. You must configure at least one trusted DNSKEY RR.
  3. Enable recursion on the appliance. For information, see Enabling Recursive Queries.
  4. Complete any of the following:

...

  1. Grid: From the Data Management tab, select the DNS tab. Expand the Toolbar and click Grid DNS Properties.
     Member: From the Data Management tab, select the Members tab -> member check box and click the Edit icon.
     DNS View: From the Data Management tab, select the Zones tab -> dns_view check box and click the Edit icon. To override an inherited property, click Override next to the property to enable the configuration.
  2. In the editor, click Toggle Expert Mode.
  3. When the additional tabs appear, click DNSSEC.
  4. In the DNSSEC tab, complete the following:
    • Enable DNSSEC validation: If you allow the appliance to respond to recursive queries, you can select this check box to enable the appliance to validate responses to recursive queries for domains that you specify. You must configure the DNSKEY RR of each domain that you specify.
    • Accept expired signatures: Click this check box to enable the appliance to accept responses with signatures that have expired. Though enabling this feature might be necessary to work temporarily with zones that have not had their signatures updated in a timely fashion, note that it could also increase the vulnerability of your network to replay attacks.
    • Trust Anchors: Configure the DNSKEY record that holds the KSK as a trust anchor for each zone for which the Grid member returns validated data. Click the Add icon and complete the following:
      • Zone: Enter the FQDN of the domain for which the member validates responses to recursive queries.
      • Secure Entry Point (SEP): This check box is enabled by default to indicate that you are configuring a KSK.
      • Algorithm: Select the algorithm of the DNSKEY record: RSA/SHA1 (5), DSA (3), DSA/NSEC3 (6), RSA/MD5 (1), RSA/SHA1/NSEC3 (7), RSA/SHA-256 (8), or RSA/SHA-512 (10). This must be the same algorithm that was used to generate the keys that signed the zone.
      • Public Key: Paste the key into this text box. You can use either of the following commands to retrieve the key:
        • dig . dnskey +multiline

          The above command retrieves the root zone keys; the root KSK is the only public key you require for full chain-of-trust validation.

        • dig [@server_address] <zone> dnskey +multiline +dnssec

          The above command retrieves the public keys of the zone you specify from the given server and can be used if the parent zone is not signed.
          Note that the key returned by this command must be cross-validated against other servers to ensure that you have an identical key.
          As an alternative, you can use http://data.iana.org/root-anchors/ to retrieve signed public keys. You can find the trust anchors in formats like XML and CSR. For more information, refer to http://data.iana.org/root-anchors/draft-icann-dnssec-trust-anchor.txt.

    • Negative Trust Anchors: Configure negative trust anchors to suppress DNSSEC validation for certain domains. Click the Add icon to add the domain name to the list. You can define negative trust anchors at the Grid level and override them at the member and DNS view levels. For more information about negative trust anchors, see Defining Negative Trust Anchors.
      To delete a negative trust anchor, select the check box adjacent to the Zone column and click the Delete icon.
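
As an added example (not Infoblox code and not part of the original page), the following Python script parses the `dig <zone> dnskey +multiline` output described above, picks out the KSK (flags 257, SEP bit set) that belongs in the Trust Anchors row, maps the algorithm number to the name shown in the Algorithm list, and computes the RFC 4034 key tag and SHA-256 DS digest so the key can be cross-checked against another server's answer, the parent zone's DS record, or the IANA root-anchors data. The DNSKEY records in it are constructed sample data with fake four-byte keys for corpxyz.com (the zone from Figure 22.5), not real keys, and all function names are the example's own.

```python
"""Added example (not Infoblox code): parse dig DNSKEY output, find the
KSK to paste as a NIOS trust anchor, and derive key tag / DS digest for
cross-validation. Sample records below are constructed, not real keys."""
import base64
import hashlib
import struct

# Algorithm numbers as offered in the NIOS DNSSEC tab's Algorithm list.
ALGORITHMS = {
    1: "RSA/MD5", 3: "DSA", 5: "RSA/SHA1", 6: "DSA/NSEC3",
    7: "RSA/SHA1/NSEC3", 8: "RSA/SHA-256", 10: "RSA/SHA-512",
}
FLAG_ZONE_KEY = 0x0100  # DNSKEY bit 7: key may sign the zone
FLAG_SEP = 0x0001       # DNSKEY bit 15: Secure Entry Point, i.e. a KSK

# Constructed sample of what `dig corpxyz.com dnskey +multiline +dnssec`
# prints, with fake 4-byte keys in place of real RSA public keys.
SAMPLE_DIG_OUTPUT = """\
corpxyz.com.  3600 IN DNSKEY 257 3 8 (
        AQIDBA==
        ) ; KSK; alg = RSASHA256 ; key id = 2063
corpxyz.com.  3600 IN DNSKEY 256 3 8 (
        BQYHCA==
        ) ; ZSK; alg = RSASHA256 ; key id = 4118
"""


def parse_dnskeys(text):
    """Return a list of DNSKEY dicts from dig presentation-format output."""
    # Drop ';' comments, flatten the (...) continuation lines, then walk the
    # token stream; each record is "<owner> <ttl> IN DNSKEY flags proto alg b64...".
    cleaned = " ".join(ln.split(";", 1)[0] for ln in text.splitlines())
    tokens = cleaned.replace("(", " ").replace(")", " ").split()
    records, i = [], 0
    while i < len(tokens):
        if tokens[i] != "DNSKEY":
            i += 1
            continue
        name = tokens[i - 3]  # owner name precedes TTL and class
        flags, proto, alg = (int(t) for t in tokens[i + 1:i + 4])
        j, b64 = i + 4, []
        # base64 chunks continue until the next owner name (ends with '.')
        while j < len(tokens) and not tokens[j].endswith("."):
            b64.append(tokens[j])
            j += 1
        records.append({"name": name, "flags": flags, "protocol": proto,
                        "algorithm": alg, "key": base64.b64decode("".join(b64))})
        i = j
    return records


def rdata(rr):
    """DNSKEY RDATA in wire format: flags(2) protocol(1) algorithm(1) key."""
    return struct.pack("!HBB", rr["flags"], rr["protocol"], rr["algorithm"]) + rr["key"]


def key_tag(rr):
    """RFC 4034 Appendix B key tag. Algorithm 1 (RSA/MD5) used a different
    formula and is deprecated, so it is rejected rather than mis-computed."""
    if rr["algorithm"] == 1:
        raise ValueError("RSA/MD5 key tag is not supported")
    ac = 0
    for i, b in enumerate(rdata(rr)):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def wire_name(name):
    """Canonical (lowercase) wire-format owner name; '.' becomes b'\\x00'."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_digest_sha256(rr):
    """Hex SHA-256 DS digest (digest type 2) over owner name + DNSKEY RDATA,
    comparable with the parent's DS RR or an IANA root-anchors entry."""
    return hashlib.sha256(wire_name(rr["name"]) + rdata(rr)).hexdigest().upper()


def is_ksk(rr):
    return bool(rr["flags"] & FLAG_ZONE_KEY) and bool(rr["flags"] & FLAG_SEP)


def trust_anchor_fields(rr):
    """The values to enter in a NIOS Trust Anchors row for this key."""
    return {
        "Zone": rr["name"].rstrip("."),
        "Secure Entry Point": is_ksk(rr),
        "Algorithm": ALGORITHMS.get(rr["algorithm"], f"unknown ({rr['algorithm']})"),
        "Public Key": base64.b64encode(rr["key"]).decode("ascii"),
        "Key Tag": key_tag(rr),
        "DS SHA-256": ds_digest_sha256(rr),
    }


def cross_validate(output_a, output_b):
    """Compare the KSKs returned by two servers. Returns the key tags whose
    owner/RDATA differ or are missing on one side; empty means they agree."""
    def ksks(text):
        return {key_tag(rr): (rr["name"].lower(), rdata(rr))
                for rr in parse_dnskeys(text) if is_ksk(rr)}
    a, b = ksks(output_a), ksks(output_b)
    return sorted(tag for tag in a.keys() | b.keys() if a.get(tag) != b.get(tag))


if __name__ == "__main__":
    for rr in parse_dnskeys(SAMPLE_DIG_OUTPUT):
        if is_ksk(rr):
            print(trust_anchor_fields(rr))
    print("mismatched tags:", cross_validate(SAMPLE_DIG_OUTPUT, SAMPLE_DIG_OUTPUT))
```

Run the script against the real output of the two dig commands from two different resolvers (or against the parent's DS records) before pasting a key into the Public Key field: an empty result from cross_validate, and a DS digest that matches the parent or IANA, is the check that the key you are about to trust is identical everywhere.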

...