
Configuring DNSSEC

 

Enabling DNSSEC for a zone via ProVision GUI

How to enable DNSSEC (per zone) via the ProVision GUI

  • Make sure DNSSEC is enabled on the DNS server(s) you will be pushing zones to (see below)
  • Set external server for Authenticated Data verification (DNS Admin setting)
  • Create/Edit a zone as usual
  • Link the zone to DNS server(s) as needed
  • Enable DNSSEC for the zone (image)
  • Push zone successfully
  • You will now have a “DS Records” section on the zone page (image)
  • Upload these values to your Zone Registrar (image - label fields)
    • DS Record #, Key Tag, Algorithm, Digest Type, Digest
  • Confirm values are saved at the Zone Registrar
  • Check DNSSEC status of zone
    • ProVision GUI (image)
      • DNSSEC column
        • Means that DNSSEC has been enabled for the zone
      • DS column
        • Red X means DS keys have been generated only
        • Green AD means DS keys have been generated AND the Authenticated Data has been verified by the external server (DNS Admin setting)
    • External sites
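
A wrong Key Tag or Digest saved at the registrar makes the zone fail validation, so it is worth recomputing the DS values from the zone's DNSKEY and comparing them with what the registrar shows. The script below is an added example, not ProVision code: the function names are illustrative, and the zone name and public key are constructed sample values.

```python
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def wire_name(name):
    """Owner name in canonical wire format: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then the public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for the obsolete algorithm 1)."""
    acc = sum((b << 8) if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, flags, protocol, algorithm, key_b64, digest_type=2):
    """Return (key tag, algorithm, digest type, digest) for one DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)

def ds_matches(registrar_ds, owner, flags, protocol, algorithm, key_b64):
    """Compare the DS fields saved at the registrar with the zone's DNSKEY."""
    tag, alg, dtype, digest = registrar_ds
    if int(dtype) not in DIGESTS:
        raise ValueError("unsupported digest type %s" % dtype)
    expected = make_ds(owner, flags, protocol, algorithm, key_b64, int(dtype))
    # Registrar forms often show the digest in lowercase or with spaces.
    got = (int(tag), int(alg), int(dtype), "".join(str(digest).split()).upper())
    return got == expected

# Constructed sample: a 64-byte placeholder key for algorithm 13, flags 257 (KSK).
SAMPLE_ZONE = "example.com."
SAMPLE_KEY = base64.b64encode(bytes(range(64))).decode()

if __name__ == "__main__":
    ds = make_ds(SAMPLE_ZONE, 257, 3, 13, SAMPLE_KEY)
    print("expected DS:", ds)
    print("registrar copy matches:", ds_matches(ds, SAMPLE_ZONE, 257, 3, 13, SAMPLE_KEY))
```

In practice the flags, protocol, algorithm and base64 key come from the zone's published DNSKEY record, and `registrar_ds` is typed in from the registrar's confirmation page.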

For BIND server(s)

To enable DNSSEC on BIND9, modify named.conf.options so that the options { } section contains the following parameters:

dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;

These parameters may already be enabled in some Linux distributions by default, so please confirm before making changes.

For DynECT

Coming soon

For Secure64 and PowerDNS

DNSSEC Signatures

In this scenario, 6connect ProVision uses the DNSSEC signing functions of the respective environment we write the zones to.
