dns:dnssec

dns:dnssec [2025/01/19 10:09] – [DNSSEC Flags] bstafford
dns:dnssec [2025/05/09 13:18] (current) – [Internal DNSSEC] bstafford
Line 89: Line 89:
 <code>{ echo -en '\x00\x01\x01\x03\x08'; echo ‘put_the_public_ksk_here' | openssl base64 -d; } | openssl sha256</code> <code>{ echo -en '\x00\x01\x01\x03\x08'; echo ‘put_the_public_ksk_here' | openssl base64 -d; } | openssl sha256</code>
 ===== DNSSEC Flags ===== ===== DNSSEC Flags =====
-Flags in DNS Query Packets+Flags in DNS Query Packets ([[https://learn.microsoft.com/en-us/windows-server/networking/dns/validate-dnssec-responses|from Microsoft's page]])
  
   * **DO**: The DO bit is included in a DNS query and is an abbreviation for "**DNSSEC OK**". If the DO bit is set (DO=1), then the client is **DNSSEC-aware**, and it's safe for the DNS server to return DNSSEC data in a response. If the DO bit isn't set (DO=0), then the client isn't DNSSEC-aware, and the DNS server can't include any DNSSEC data in a DNS response. DNS clients can still be protected using DNSSEC even if they're not DNSSEC-aware. In this context, a DNS client is any computer that sends a DNS query. When a recursive DNS server sends a query to the authoritative DNS server, the recursive DNS server must indicate that it's DNSSEC-aware so that the authoritative DNS server sends DNSSEC data in the response.   * **DO**: The DO bit is included in a DNS query and is an abbreviation for "**DNSSEC OK**". If the DO bit is set (DO=1), then the client is **DNSSEC-aware**, and it's safe for the DNS server to return DNSSEC data in a response. If the DO bit isn't set (DO=0), then the client isn't DNSSEC-aware, and the DNS server can't include any DNSSEC data in a DNS response. DNS clients can still be protected using DNSSEC even if they're not DNSSEC-aware. In this context, a DNS client is any computer that sends a DNS query. When a recursive DNS server sends a query to the authoritative DNS server, the recursive DNS server must indicate that it's DNSSEC-aware so that the authoritative DNS server sends DNSSEC data in the response.
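Review bot: the openssl one-liner on this hunk's context line opens the key placeholder with a typographic quote (‘put_the_public_ksk_here') and closes it with a straight one, so the shell treats the curly quote as part of the word and hands the wrong bytes to "openssl base64 -d"; both quotes should be straight single quotes. It would also help to document the "\x00\x01\x01\x03\x08" prefix: a DS digest is the hash of the owner name in wire form followed by the DNSKEY RDATA, so these bytes are the root name (\x00), flags 257 (a KSK), protocol 3 and algorithm 8, which means the command as written only reproduces the digest of a root-zone RSASHA256 KSK and the prefix must be changed for any other zone, flag value or algorithm. Minor: "echo -en" is not portable across shells; printf is the safer choice for the fixed bytes.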
Line 106: Line 106:
  
 ===== Internal DNSSEC ===== ===== Internal DNSSEC =====
 +[[https://csrc.nist.gov/pubs/sp/800/81/r3/ipd|NIST SP-800-81r3]] and [[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81r3.ipd.pdf|PDF]]. DNSSEC for Internal zones is covered in section 3.8.5.
 +
 Internal domains should not be DNSSEC signed. If they are truly internal domains, connecting into the chain of trust would be challenging if not impossible. However, there is another concern if the internal domains are receiving DDNS updates, then they will constantly need to re-sign the domain, which could end up being a major performance impact. DNSSEC validation is done by DNS servers, not clients, so if the clients are going to be querying servers that have the authoritative data, there is absolutely nothing to validate. Internal domains should not be DNSSEC signed. If they are truly internal domains, connecting into the chain of trust would be challenging if not impossible. However, there is another concern if the internal domains are receiving DDNS updates, then they will constantly need to re-sign the domain, which could end up being a major performance impact. DNSSEC validation is done by DNS servers, not clients, so if the clients are going to be querying servers that have the authoritative data, there is absolutely nothing to validate.
  
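Review bot: the added citation is placed above a paragraph that still presents the guidance as the wiki author's own reasoning, so the new line should say what section 3.8.5 actually recommends (advises against signing internal zones, or only weighs the trade-offs) instead of leaving the reader to infer the connection; the "ipd" in both URLs marks the NIST initial public draft, so note that status beside the link so it gets refreshed when the final revision is published. The paragraph's closing argument ("there is absolutely nothing to validate") rests on the condition stated just before it, that clients query the authoritative servers directly; stating that condition up front, rather than at the end, would keep the advice from reading as a blanket claim. Style: "However, there is another concern if the internal domains are receiving DDNS updates, then they will constantly need to re-sign" is a run-on; split it at "updates".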
dns/dnssec.1737281366.txt.gz · Last modified: by bstafford