Enabling DNSSEC on an external zone


Domain Name System Security Extensions (DNSSEC) strengthens the security of the DNS protocol.
It verifies the integrity of DNS answers and ensures that client queries are answered with data
that originates from the legitimate server.
By providing origin authentication, it protects the DNS information exchanged between name
servers configured with DNSSEC. Within SOLIDserver, DNSSEC can only be configured on EfficientIP
servers and smart architectures managed via SSL; you cannot configure it on servers from other DNS vendors.

Keep in mind that DNSSEC does not protect whole servers; it only protects the data exchanged
between signed zones.
Once DNSSEC is configured, the DNS packets sent and received often exceed 512 bytes, so
check the EDNS settings in the SmartArchitecture options to extend the size of your DNS messages.

Set both edns-udp-size and max-udp-size to the maximum value, 4096.

Enabling DNSSEC on an external zone involves the following requirements and steps:

1. Select the zone from SmartArchitecture >> Tools >> DNSSEC >> Sign Zones.

2. Two ZSKs and one KSK are created. Select the encryption algorithm and validity duration as below (check with the registrar for specific recommendations):

ZSK algorithm                       RSASHA1
ZSK encryption (key size in bits)   1024
ZSK validity unit                   Month
ZSK validity                        3

KSK algorithm                       RSASHA256
KSK encryption (key size in bits)   2048
KSK validity unit                   Month
KSK validity                        12

3. Configure your alert notifications for KSK and ZSK rollover so that an email is sent to the zone owner.

4. After enabling DNSSEC for your zone, you must activate DNSSEC at your registrar. To activate it, you create a DS (Delegation Signer) record for your domain in the parent zone so that resolvers know that your domain is DNSSEC-enabled and can validate its data.

DS records are used to secure delegations (DNSSEC).

A DS record with the name of the sub-delegated zone is placed in the parent zone along with the delegating NS records.

This DS record references a DNSKEY record in the sub-delegated zone (the KSK).

DS records have the following data elements:

* Key Tag: A short numeric value that helps quickly identify the referenced DNSKEY record.

* Algorithm: The algorithm number of the referenced DNSKEY record.

* Digest Type: The cryptographic hash algorithm used to create the Digest value.

* Digest: A cryptographic hash of the referenced DNSKEY record.

* Domain name: The owner name of the DS record, which is the name of the sub-delegated zone.
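The following is an added example, not SOLIDserver or EfficientIP code: it derives the DS data elements listed above (key tag, algorithm, digest type, digest) from a zone's KSK DNSKEY record, so you can check that what you enter at the registrar matches the key that was generated. The DNSKEY line, the owner name example.com and the function names are constructed for the illustration.

```python
import base64
import hashlib

# DS digest types (RFC 4034 / RFC 4509 / RFC 6605): 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
# DNSKEY algorithm numbers that RFC 8624 marks NOT RECOMMENDED for signing (SHA-1 based).
WEAK_ALGORITHMS = {5, 7}

def owner_to_wire(owner: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root terminator."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY rdata, RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def dnskey_to_ds(dnskey_rr: str, digest_type: int = 2) -> dict:
    """Derive the DS data elements from a DNSKEY in presentation format, e.g.
    'example.com. 3600 IN DNSKEY 257 3 8 AAECAw=='. Rejects keys that are not a KSK."""
    fields = dnskey_rr.split()
    idx = fields.index("DNSKEY")
    owner = fields[0]
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    if not flags & 0x0001:  # SEP bit clear: this is a ZSK; the DS must reference the KSK
        raise ValueError("DNSKEY is not a KSK (SEP flag clear)")
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3")
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    # DS digest = hash(canonical owner name | DNSKEY rdata), RFC 4034 section 5.1.4
    digest = DIGEST_TYPES[digest_type](owner_to_wire(owner) + rdata).hexdigest().upper()
    return {"owner": owner, "key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": digest_type, "digest": digest,
            "weak_algorithm": algorithm in WEAK_ALGORITHMS}

def ds_presentation(ds: dict) -> str:
    """DS record in zone-file form, the values a registrar's DS form asks for."""
    return f"{ds['owner']} IN DS {ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}"

if __name__ == "__main__":
    # Constructed sample KSK (flags 257, protocol 3, algorithm 8 = RSASHA256, key bytes 00010203).
    print(ds_presentation(dnskey_to_ds("example.com. 3600 IN DNSKEY 257 3 8 AAECAw==")))
```

The weak_algorithm flag is set for RSASHA1 and RSASHA1-NSEC3-SHA1 keys, which is worth checking before submitting a DS to the registrar.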

