Dnssec
- Thread starter ReN
- Start date
DNSSEC indeed
I second this question, in relation to the recent vulnerability warnings (http://www.isc.org/index.pl?/sw/bind/bind-security.php).
Any comment from DA about being "safe" with our currently updated DA setups?
Regards
I second this question, in relation to the recent vulnerability warnings (http://www.isc.org/index.pl?/sw/bind/bind-security.php).
Any comment from DA about being "safe" with our currently updated DA setups?
Regards
tillo
Verified User
DNSSEC has been officially implemented in some top level domains (see https://itar.iana.org/anchors/) and it will probably be mandatory or at least strongly suggested one day, therefore I suggest DA to implement it right away.
If you need specs, this is the place: http://www.dnssec.net/
It's fairly easy to implement and manage, many control panels already have it and it's an essential component for an "easy to use, easy to hack" panel like DA.
If you need specs, this is the place: http://www.dnssec.net/
It's fairly easy to implement and manage, many control panels already have it and it's an essential component for an "easy to use, easy to hack" panel like DA.
nobaloney
NoBaloney Internet Svcs - In Memoriam †
tillo
Verified User
Many have been able to modify the way DA works by scripting it, creating custom configs for CustomBuild and using the very versatile settings accordingly to their needs.
I love to customize my systems and I've never been stopped by any DA function... until today, the day I would like to easily enable DNSSEC
By easily I mean without creating a script that tries to parse the Bind config and zones outputted by DA, by creating a separated set including DNSSEC configurations, and keys, and zone records, and by running a separated Bind distribution. Because I can do that, but that's a workaround and I never needed a workaround before.
nobaloney
NoBaloney Internet Svcs - In Memoriam †
Thanks for the clarification; I misread your hack as crack because so many people misuse the word that way.
Jeff
Jeff
tillo
Verified User
I understand. Even my title, "ethical hacker", is not really correct 
for that reason I prefer "security auditor".
Anyway, back in topic, I have to contact John soon for other issues and I'll address him this one too.
for that reason I prefer "security auditor".Anyway, back in topic, I have to contact John soon for other issues and I'll address him this one too.
interfasys
Verified User
+1 to make this a simple thing to do in DA.
Root servers will be DNSSEC enabled on May 5th.
Root servers will be DNSSEC enabled on May 5th.
nobaloney
NoBaloney Internet Svcs - In Memoriam †
For all TLDs?
Jeff
Jeff
tillo
Verified User
Pretty much, yes: https://ns.iana.org/dnssec/root.zone.signed
I wonder when this problem will take developers from DirectAdmin support
Samotniq me too.
tillo
Verified User
Since the change is backwards compatible you should be forced to do nothing, but since some old and small routers do not support large DNS replies over UDP check that none of your servers are behind one of them and uses its nameserver. There are ways to check for that all over the web.
nobaloney
NoBaloney Internet Svcs - In Memoriam †
And make sure that your firewalls are open for multi-directional tcp/ip traffic on port 53.
Jeff
Jeff
you may also want to the DIY check and adjust the edns buffer size as mentioned in the below links.
DIY check:
http://labs.ripe.net/content/preparing-k-root-signed-root-zone#diy
edns buffer size (at the end of the page):
http://labs.ripe.net/content/testing-your-resolver-dns-reply-size-issues
DIY check:
http://labs.ripe.net/content/preparing-k-root-signed-root-zone#diy
edns buffer size (at the end of the page):
http://labs.ripe.net/content/testing-your-resolver-dns-reply-size-issues
floyd
Verified User
- Joined
- Mar 29, 2005
- Messages
- 6,255
So what does this mean:
Code:
dig txt test.rs.ripe.net +short
rst.x477.rs.ripe.net.
rst.x481.x477.rs.ripe.net.
rst.x486.x481.x477.rs.ripe.net.
"64.233.168.94 DNS reply size limit is at least 486 bytes"
"64.233.168.94 lacks EDNS, defaults to 512"
"64.233.168.94 summary bs=512,rs=486,edns=0,do=0"floyd
from what i understand you would need to make the following additions to your named.conf :
in the options section add;
edns-udp-size: 4096
restart your named service and run the test again and see what the results look like.
Basically the result should not come back saying "lacks edns" and in the summary bs should be more than rs by a margin of not more than 300
Update:
Also this requires a bind version 9.3.2 and higher
from what i understand you would need to make the following additions to your named.conf :
in the options section add;
edns-udp-size: 4096
restart your named service and run the test again and see what the results look like.
Basically the result should not come back saying "lacks edns" and in the summary bs should be more than rs by a margin of not more than 300
Update:
Also this requires a bind version 9.3.2 and higher
Last edited:
interfasys
Verified User
Try using a different resolver to see if it makes a difference