
Enabling Signature Validation

When using a forwarder with DNSSEC validation, the validator must still be able to build a chain of trust from a configured trust anchor down to the name being queried. Do one of the following:

  • Let the upstream server respond with the correct DS/DNSKEY records for each of the intermediate zones between the query name and the root, so that the chain can be built from the root trust anchor.

Or

  • Provide explicitly trusted keys (trust anchors) for the intermediate zones, so that the recursive DNSKEY lookup can stop at those anchors instead of having to reach the root when validating records in those zones.

To configure trust anchors and enable Infoblox Universal DDI name servers to validate responses, complete the following:

  1. From the Infoblox Portal, click Configure > Networking > DNS, and click Global DNS Configuration. 

  2. In the Global DNS Configuration page, click DNSSEC and configure the following:

    • Enable Signature Validation: If you allow the application to respond to recursive queries, select this check box to have the application validate the DNSSEC signatures on responses to those queries for the zones covered by the trust anchors you configure.

    • Accept expired signature: Select this check box to enable the application to accept responses whose RRSIG signatures have expired. This might be necessary temporarily for zones whose signatures have not been refreshed in time, but note that signature expiry is what limits replay: with this option on, an attacker who captured a correctly signed but outdated response can replay it indefinitely, so turn the option off again as soon as the zone is repaired.

    • TRUST ANCHORS: Configure the DNSKEY record that holds the KSK as a trust anchor for each zone for which the application returns validated data. Click Add and complete the following:

      • ZONE: Enter the FQDN of the zone (the owner name of the DNSKEY record) for which the application validates responses to recursive queries.

      • SECURE ENTRY POINT (SEP): This check box is enabled by default to indicate that you are configuring a KSK (a DNSKEY with the SEP flag set, flags value 257).

      • ALGORITHM TYPE: Select the algorithm of the DNSKEY record. It must match the algorithm number in the third RDATA field of the record you are pasting (for example, 8 is RSASHA256 and 13 is ECDSAP256SHA256). RSAMD5, DSA, and DSA-NSEC3-SHA1 are obsolete (RFC 8624 lists them as MUST NOT for validation) and appear here only for completeness:

        • RSAMD5

        • Diffie-Hellman (This is not supported by BIND and Infoblox Universal DDI.)

        • DSA

        • RSASHA1

        • DSA-NSEC3-SHA1

        • RSASHA1-NSEC3-SHA1

        • RSASHA-256

        • RSASHA-512

        • ECDSAP256SHA256

        • ECDSAP384SHA384

      • PUBLIC KEY: Paste the base64 public key (the fourth RDATA field of the DNSKEY record, with any line breaks removed) into this text box. You can use either of the following commands to retrieve the key:

  3. Validation Exceptions: Configure exceptions to DNSSEC validation. For example, you can exclude an internal, unsigned zone for which the resolver cannot build a chain of trust. Click Add and specify the zone that you want to exclude from DNSSEC validation. Responses from an excluded zone are returned without validation, so list only zones you control or trust.

  4. Click Save & Close to save.

  • You cannot specify the same domain name as both a DNSSEC trust anchor and a validation exception.

  • DNSSEC Validation Exceptions are equivalent to DNSSEC Negative Trust Anchors in NIOS, but are named differently to avoid confusion with RFC 7646.
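The following is an added example, not code from the Infoblox documentation or product. It shows what a practitioner checks before filling in the TRUST ANCHORS fields above: it parses a zone's DNSKEY RRset in the presentation format that `dig +multi DNSKEY <zone>` prints, keeps only the keys with the Zone Key and SEP flags set (the KSK, flags 257), maps the algorithm number to the name in the ALGORITHM TYPE list, and computes the RFC 4034 key tag so you can compare it with the key id the zone operator publishes. The RRset, the zone name `example.test`, and both key values are constructed for the example.

```python
"""Select the KSK from a DNSKEY RRset and compute its key tag before using it as a trust anchor.

Added example; not part of the Infoblox documentation. The sample RRset below is
constructed in `dig +multi` layout: example.test and both keys are made up.
"""
import base64
import re
from dataclasses import dataclass

FLAG_ZONE_KEY = 256  # RFC 4034 section 2.1.1, bit 7
FLAG_SEP = 1         # RFC 4034 section 2.1.1, bit 15: Secure Entry Point (KSK)

# IANA DNSSEC algorithm numbers for the entries offered in the ALGORITHM TYPE list.
ALGORITHM_NAMES = {
    1: "RSAMD5", 2: "Diffie-Hellman", 3: "DSA", 5: "RSASHA1", 6: "DSA-NSEC3-SHA1",
    7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
    13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384",
}


@dataclass
class DNSKEY:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    public_key: str  # base64 with all whitespace removed, as pasted into PUBLIC KEY

    def rdata(self) -> bytes:
        """Wire-format RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
        return (self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm])
                + base64.b64decode(self.public_key))

    def key_tag(self) -> int:
        """RFC 4034 Appendix B key tag (the 'key id' dig prints in its comments)."""
        if self.algorithm == 1:
            raise ValueError("RSAMD5 uses the separate Appendix B.1 rule and is obsolete")
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b << 8 if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    def is_ksk(self) -> bool:
        return bool(self.flags & FLAG_ZONE_KEY) and bool(self.flags & FLAG_SEP)


_DNSKEY_RE = re.compile(
    r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")


def parse_dnskey_rrset(text: str) -> list:
    """Parse DNSKEY records, joining the multi-line '( ... )' form and dropping ; comments."""
    records, buf = [], ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # base64 never contains ';'
        if not line:
            continue
        buf = f"{buf} {line}".strip()
        if buf.count("(") != buf.count(")"):
            continue  # still inside a parenthesised record
        m = _DNSKEY_RE.match(buf.replace("(", " ").replace(")", " "))
        buf = ""
        if m:
            owner, flags, proto, alg, key = m.groups()
            records.append(DNSKEY(owner, int(flags), int(proto), int(alg), "".join(key.split())))
    return records


def trust_anchor_candidates(text: str) -> list:
    """Return the KSK(s) of the RRset with the values the TRUST ANCHORS form asks for."""
    out = []
    for k in parse_dnskey_rrset(text):
        if not k.is_ksk():
            continue  # a ZSK (flags 256) is not a trust anchor
        out.append({
            "zone": k.owner if k.owner == "." else k.owner.rstrip("."),
            "algorithm": k.algorithm,
            "algorithm_name": ALGORITHM_NAMES.get(k.algorithm, "unknown"),
            "key_tag": k.key_tag(),
            "public_key": k.public_key,
        })
    return out


# Constructed sample: one ZSK and one KSK for the made-up zone example.test.
SAMPLE_RRSET = """\
; constructed sample in `dig +multi DNSKEY example.test.` layout (keys are made up)
example.test.\t\t3600 IN DNSKEY 256 3 8 (
\t\t\t\tAQIDBA==
\t\t\t\t) ; ZSK; alg = RSASHA256
example.test.\t\t3600 IN DNSKEY 257 3 13 (
\t\t\t\tBQYHCAkK
\t\t\t\t) ; KSK; alg = ECDSAP256SHA256
"""

if __name__ == "__main__":
    for k in parse_dnskey_rrset(SAMPLE_RRSET):
        print(f"{k.owner} flags={k.flags} alg={k.algorithm} key_tag={k.key_tag()} ksk={k.is_ksk()}")
    for c in trust_anchor_candidates(SAMPLE_RRSET):
        print("paste as trust anchor:", c)
```

Compare the computed key tag with the one the zone operator publishes for its KSK (for the root zone, the key and its key tag are in IANA's trust anchor file); a mismatch means a copy error or the wrong key, and pasting it would make every answer under that zone fail validation. After saving, check from a client that uses the resolver with `dig @<resolver> <name> A +dnssec`: a validated answer carries the `ad` flag in the header, and the flag disappears when you repeat the query with `+cd`, which disables checking.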

If you have enabled both DNS forwarding proxy and Universal DDI DNS services on the same NIOS-X Server, the DNSSEC configuration you specified here will not take effect even if you have enabled DNSSEC. For information about configuring DNS forwarding proxy and Universal DDI DNS, see Configuring DNS Forwarding Proxy and Universal DDI DNS.
