Configuring DNSSEC

DRAFT - working on this and will be adding some images/visuals...

Enabling DNSSEC for a zone via ProVision GUI

How to enable DNSSEC (per zone) via the ProVision GUI

  • Make sure DNSSEC is enabled on the DNS server(s) you will be pushing zones to (see below)
  • Run configTest.php to make sure that your directories/permissions are correct
  • Set external server for Authenticated Data verification (DNS Admin setting)
  • Create/Edit a zone like usual
  • Link the zone to a DNS server(s) as needed
  • Enable DNSSEC for the zone (image)
  • Push zone successfully
  • You will now have a “DS Records” section on the zone page (image)
  • Upload these values to your Zone Registrar (image - label fields)
    • DS Record #, Key Tag, Algorithm, Digest Type, Digest
  • Confirm values are saved at the Zone Registrar
  • Check DNSSEC status of zone
    • ProVision GUI (image)
      • DNSSEC column
        • Means that DNSSEC has been enabled for the zone
      • DS column
        • Red X means DS keys have been generated only
        • Green AD means DS keys have been generated AND the Authenticated Data has been verified by the external server (DNS Admin setting)
    • External sites
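
Before uploading the DS values to the registrar, they can be recomputed independently from the zone's DNSKEY record: the key tag follows RFC 4034 Appendix B, and the digest is a hash over the zone name in wire format followed by the DNSKEY RDATA. The script below is an added example, not part of ProVision; the function names, the dictionary layout and the sample key are assumptions made for illustration.

```python
import base64
import hashlib
import struct

# DS "Digest Type" numbers (IANA): 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name):
    """Canonical wire form of the zone name: lowercase, length-prefixed labels."""
    wire = b""
    for label in name.lower().rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:  # also rejects the root zone and empty labels
            raise ValueError("bad label in %r" % name)
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then the raw key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def compute_ds(zone, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Derive the DS fields a registrar asks for from the zone's DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGESTS[digest_type](name_to_wire(zone) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": digest_type, "digest": digest}

def ds_mismatches(displayed, computed):
    """Names of DS fields where the displayed values differ from the computed ones."""
    bad = [f for f in ("key_tag", "algorithm", "digest_type")
           if int(displayed[f]) != computed[f]]
    if "".join(str(displayed["digest"]).split()).upper() != computed["digest"]:
        bad.append("digest")
    return bad

# Constructed sample: a 64-byte placeholder key (not a real ECDSA key) for a KSK
# with flags 257, protocol 3, algorithm 13 in the hypothetical zone example.com.
SAMPLE_PUBKEY = base64.b64encode(bytes(range(64))).decode()

if __name__ == "__main__":
    ds = compute_ds("example.com", 257, 3, 13, SAMPLE_PUBKEY)
    print(ds)
    pasted = dict(ds, digest=ds["digest"].lower())  # as if copied from the GUI
    print("mismatched fields:", ds_mismatches(pasted, ds))
```

An empty result from ds_mismatches means the values about to be entered at the registrar match the key actually published in the zone.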

For BIND server(s)

To enable DNSSEC on BIND9 you need to modify named.conf.options with the following parameters in the options { } section:

dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;

These parameters may already be enabled in some Linux distributions by default, so please confirm before making changes.

Your DNSSEC implementation may need other options for your environment - please contact support@6connect.com if you have any

Please note that you will need to restart the BIND service after these changes.

For DynECT

Coming soon

For Secure64 and PowerDNS

DNSSEC Signatures

In this scenario, 6connect ProVision uses the DNSSEC signing functions of the respective environment we write the zones to. We are evaluating how to properly integrate DNSSEC functions into ProVision for these platforms. Please contact support@6connect.com if you have feedback or specific questions.
