
When using a forwarder with DNSSEC validation, do one of the following:

  • Ensure the upstream server returns the correct DS and DNSKEY records for every domain name in the chain from the query name up to the root, so that the validator can build a complete chain of trust.

Or

  • Configure explicit trust anchors for those intermediate domain names, so that the validator's DNSKEY lookups can stop at a configured trust anchor instead of continuing up to the root when it validates DNSSEC records for those names.

To configure trust anchors and enable Infoblox BloxOne DDI name servers to validate responses, complete the following:

  1. From the Cloud Services Portal, click Manage -> DNS, and click Global DNS Configuration.

  2. In the Global DNS Configuration page, click DNSSEC.

  3. Select the Enable DNSSEC check box and complete the following:

    • Enable Validation: If you allow the application to respond to recursive queries, select this check box to enable the application to validate responses to recursive queries for the domains that you specify.

    • Accept expired signature: Select this check box to enable the application to accept responses whose signatures have expired. Enabling this feature might be necessary to work temporarily with zones whose signatures have not been updated in a timely fashion, but note that it also increases the exposure of your network to replay attacks.

    • TRUST ANCHORS: Configure the DNSKEY record that holds the KSK as a trust anchor for each zone for which the application returns validated data. Click Add and complete the following:

      • ZONE: Enter the FQDN of the domain for which the application validates responses to recursive queries.

      • SECURE ENTRY POINT (SEP): This check box is selected by default to indicate that you are configuring a KSK.

      • ALGORITHM TYPE: Select the algorithm of the DNSKEY record:

        • RSAMD5

        • Diffie-Hellman (This is not supported by BIND and Infoblox BloxOne DDI.)

        • DSA

        • RSASHA1

        • DSA-NSEC3-SHA1

        • RSASHA1-NSEC3-SHA1

        • RSASHA-256

        • RSASHA-512

        • ECDSAP256SHA256

        • ECDSAP384SHA384

      • PUBLIC KEY: Paste the key into this text box. You can use either of the following commands to retrieve the key:

        • dig . dnskey +multiline: This command retrieves the root zone keys. The root KSK is the only public key you require for full chain-of-trust validation.

        • dig [@server_address] <zone> dnskey +multiline +dnssec: This command retrieves the public keys of the zone you specify from the given server, and can be used if the parent zone is not signed. Note that the key returned by this command must be cross-validated against other servers to ensure that you have an identical key. As an alternative, you can use http://data.iana.org/root-anchors/ to retrieve signed public keys. The trust anchors are available there in formats such as XML and CSR. For more information, refer to https://data.iana.org/root-anchors/old/2015-04-03/draft-icann-dnssec-trust-anchor.txt.

  4. Click Save & Close to save.

The Enable DNSSEC option must always be selected (set to true). 

If you have enabled both DNS forwarding proxy and BloxOne DDI DNS services on the same host, the DNSSEC configuration you specified here will not take effect even if you have enabled DNSSEC. For information about configuring DNS forwarding proxy and BloxOne DDI DNS, see Configuring DNS Forwarding Proxy and BloxOne DDI DNS.
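The PUBLIC KEY step above tells you to cross-validate a key fetched with dig before trusting it. The script below is an added example (not Infoblox, BIND or IANA code) of how that check works: it parses a DNSKEY record in dig's +multiline layout, computes the key tag (the "key id" dig prints, RFC 4034 Appendix B), checks the SEP flag, and derives the DS digest so the key can be compared with a DS record obtained from an independent source, such as the parent zone or IANA's root-anchors file. The sample record, its key material and the zone name example. are constructed placeholders, not real keys.

```python
"""Cross-validate a DNSKEY fetched with `dig <zone> dnskey +multiline` against
a DS record obtained from another source before using it as a trust anchor.

Added example for this page; not Infoblox, BIND or IANA code.  The sample
DNSKEY below is constructed (its key bytes are not a real RSA key) and the
owner name "example." is a placeholder."""
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605)
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Owner name in DNS wire format, lower-cased (canonical form for the DS hash)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(text):
    """Parse one DNSKEY RR in presentation format, including dig's +multiline
    layout (parentheses, continuation lines and ';' comments).
    Returns (owner, flags, protocol, algorithm, rdata_bytes)."""
    tokens = []
    for line in text.splitlines():
        line = line.split(";", 1)[0]                       # drop trailing comment
        tokens.extend(line.replace("(", " ").replace(")", " ").split())
    idx = tokens.index("DNSKEY")
    owner = tokens[0]
    flags, proto, alg = (int(t) for t in tokens[idx + 1:idx + 4])
    key = base64.b64decode("".join(tokens[idx + 4:]))      # base64 may span lines
    rdata = struct.pack("!HBB", flags, proto, alg) + key   # RDATA as on the wire
    return owner, flags, proto, alg, rdata


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B; this is the 'key id' that dig prints."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def is_ksk(flags):
    """Flag bit 15 (value 1) is the Secure Entry Point bit; 257 = zone key + SEP."""
    return flags & 1 == 1


def ds_digest(owner, rdata, digest_type=2):
    """DS digest field: hash(owner name in wire form || DNSKEY RDATA), upper-case hex."""
    h = DIGEST_TYPES[digest_type]()
    h.update(name_to_wire(owner) + rdata)
    return h.hexdigest().upper()


def make_ds(owner, rdata, digest_type=2):
    """Presentation form of the DS record the parent zone (or IANA) would publish."""
    alg = rdata[3]
    return f"{key_tag(rdata)} {alg} {digest_type} {ds_digest(owner, rdata, digest_type)}"


def matches_ds(dnskey_text, ds_text):
    """True only when the record is a KSK and its key tag, algorithm and digest
    all agree with the DS record from the independent source."""
    owner, flags, _, alg, rdata = parse_dnskey(dnskey_text)
    tag, ds_alg, dtype, digest = ds_text.split()
    if not is_ksk(flags):
        return False                      # only a KSK belongs in TRUST ANCHORS
    if int(tag) != key_tag(rdata) or int(ds_alg) != alg:
        return False
    return ds_digest(owner, rdata, int(dtype)) == digest.upper()


# Constructed sample in dig +multiline layout (placeholder key, not a real one).
SAMPLE_DNSKEY = """\
example.\t\t3600\tIN\tDNSKEY\t257 3 8 (
\t\t\t\tAQID
\t\t\t\tBA==
\t\t\t\t) ; KSK; alg = RSASHA256 ; key id = 2063
"""

if __name__ == "__main__":
    owner, flags, _, alg, rdata = parse_dnskey(SAMPLE_DNSKEY)
    print("key tag:", key_tag(rdata), "(KSK)" if is_ksk(flags) else "(ZSK)")
    ds = make_ds(owner, rdata)
    print("DS:", ds)
    print("matches independent DS:", matches_ds(SAMPLE_DNSKEY, ds))
```

In practice you would paste the output of dig into SAMPLE_DNSKEY (or read it from a file) and put the DS record from the other source into the second argument of matches_ds; only a key that passes this check should be pasted into the PUBLIC KEY field.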
