avigail-oron · April 25, 2018 07:50
diff --git a/DNSSEC conf in BIND and dig b/DNSSEC conf in BIND and dig
 #DNSSEC conf for BIND
 #---------------------
 #Add the following conf to BIND conf file
 #IMPORTANT - dnssec-validation has to be set to 'auto', setting to 'yes' doesn't work
 sudo nano /etc/bind/named.conf.options
        dnssec-enable yes; 
        dnssec-validation auto; 
        dnssec-lookaside auto;
 // if you want to dynamically add zones add the following as well:
       allow-new-zones yes;
 #restart bind service
 sudo /etc/init.d/bind9 restart

 #DIG options for BIND
 #---------------------
 # note that nameserver is optional, if not specified the value will be taken from resolv.conf
 # 1) Resolving a DNSSEC valid domain:
 dig [@<nameserver>] www.pir.org
 # you should receive the 'ad' flag in the response 
 # signal the nameserver you want to recoeve dnssec records as well (dosn't affect validation!) actually sets the 'DO' bit
 dig @<nameserver> +dnssec www.pir.org
 # 2) Resolving a DNSSEC invalid domain
 dig [@<nameserver>] www.dnssec-failed.org
 # ad bit should not be set, SERVERFAIL code
 # 3) Signal the nameserver to not validate the DNSSEC via the CD bit:
 dig [@<nameserver>] +cdflag www.dnssec-failed.org
 # you should get an A record with NOERROR code
 # If you do teh same for www.pir.org you will not get the 'ad' flag!

 # 4) validation
 # To perform signature validation, you can ask dig to chase the signatures for you. This can be done bottom up 
 # (and thus calling the exact servers that were queried bu the resolver) 
 # or top down and then you might go down a different route.
 # Note you need to have the trust enchor keys and point dig to them. 
 # Also note that you need to have a dig version that was compiled with this option
 a full description of both approaches is here: http://backreference.org/2010/11/17/dnssec-verification-with-dig/
	#DNSSEC conf for BIND
	#---------------------
	#Add the following conf to BIND conf file
	#IMPORTANT - dnssec-validation has to be set to 'auto', setting to 'yes' doesn't work
	sudo nano /etc/bind/named.conf.options
	dnssec-enable yes;
	dnssec-validation auto;
	dnssec-lookaside auto;
	// if you want to dynamically add zones add the following as well:
	allow-new-zones yes;
	#restart bind service
	sudo /etc/init.d/bind9 restart

	#DIG options for BIND
	#---------------------
	# note that nameserver is optional, if not specified the value will be taken from resolv.conf
	# 1) Resolving a DNSSEC valid domain:
	dig [@<nameserver>] www.pir.org
	# you should receive the 'ad' flag in the response
	# signal the nameserver you want to recoeve dnssec records as well (dosn't affect validation!) actually sets the 'DO' bit
	dig @<nameserver> +dnssec www.pir.org
	# 2) Resolving a DNSSEC invalid domain
	dig [@<nameserver>] www.dnssec-failed.org
	# ad bit should not be set, SERVERFAIL code
	# 3) Signal the nameserver to not validate the DNSSEC via the CD bit:
	dig [@<nameserver>] +cdflag www.dnssec-failed.org
	# you should get an A record with NOERROR code
	# If you do teh same for www.pir.org you will not get the 'ad' flag!

	# 4) validation
	# To perform signature validation, you can ask dig to chase the signatures for you. This can be done bottom up
	# (and thus calling the exact servers that were queried bu the resolver)
	# or top down and then you might go down a different route.
	# Note you need to have the trust enchor keys and point dig to them.
	# Also note that you need to have a dig version that was compiled with this option
	a full description of both approaches is here: http://backreference.org/2010/11/17/dnssec-verification-with-dig/