
    Example: Configuring Secure Domains and Trusted Keys for DNSSEC

    This example shows how to configure secure domains and trusted keys for DNSSEC.

    Requirements

    Set the name server IP address so that the DNS resolver forwards all DNS queries to the DNSSEC-validating server rather than to a plain DNS server. See Example: Configuring DNSSEC for more information.

    Overview

    You can configure secure domains and assign trusted keys to them. When DNSSEC is enabled, the server handles both signed and unsigned responses; how a response is treated depends on whether its domain is configured as a secure domain and, for signed responses, whether the signing key can be matched to a configured trust anchor.

    When a domain is configured as a secure domain and DNSSEC is enabled, all unsigned responses for that domain are discarded and the server returns a SERVFAIL error code to the client instead. If the domain is not configured as a secure domain, unsigned responses are accepted.

    When the server receives a signed response, it checks whether the DNSKEY in the response matches any of the configured trusted keys. If it finds a match, the server accepts the signed response.

    You can also attach a DNSSEC lookaside validation (DLV) registry, such as dlv.isc.org, as a trusted anchor for a secure domain to validate signed responses. When the server receives a signed response, it queries the DLV registry for a DS record covering the domain. A DS record does not carry the key itself but a digest of it, so the server computes the digest of the DNSKEY in the signed response and compares it with the digest in the DS record (the key tag and algorithm listed in the DS record must also match the DNSKEY). If they match, the server accepts the signed response. Note that ISC has since decommissioned the dlv.isc.org registry (the zone was emptied in 2017), so an anchor pointing at it no longer yields DS records; this example keeps it only to illustrate the dlv statement.
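    The following added example is not part of the original page and is not Junos code. It models the three decisions described above (the secure-domain gate for unsigned answers, the trusted-key match, and the DLV/DS lookaside check) on constructed responses so the rules can be exercised offline. The DS digest and key tag computations follow RFC 4034; the DNSKEY bytes and the DS records standing in for what dlv.isc.org would return are constructed for the example, and the behaviour for a signed response that chains to no anchor (treated like an unsigned answer) is an assumption of the model, since the page does not state that case.

```python
"""Model of the DNSSEC response-handling rules described in the overview.

Added example, not Junos code. DS digest and key tag follow RFC 4034; the keys
and the DLV DS records are constructed for the example.
"""
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-case, length-prefixed labels."""
    labels = [lab for lab in name.rstrip(".").lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA (RFC 4034 s2.1): flags, protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> bytes:
    """DS digest (RFC 4034 s5.1.4): hash(owner name wire form | DNSKEY RDATA).

    A DS record never carries the DNSKEY itself, only this digest, so the
    validator recomputes it from the DNSKEY in the response and compares.
    """
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return h(name_to_wire(owner) + rdata).digest()


class DnssecPolicy:
    """Decision logic for one response; mirrors the configuration hierarchy."""

    def __init__(self, secure_domains, trusted_keys, dlv_ds):
        self.secure_domains = {d.rstrip(".").lower() for d in secure_domains}
        # trusted-keys: (owner, DNSKEY RDATA) pairs the operator configured
        self.trusted_keys = {(o.rstrip(".").lower(), r) for o, r in trusted_keys}
        # dlv_ds: {owner: [(key_tag, algorithm, digest_type, digest), ...]}, the DS
        # records the lookaside registry would return; constructed, not fetched
        self.dlv_ds = {o.rstrip(".").lower(): ds for o, ds in dlv_ds.items()}

    def is_secure(self, qname: str) -> bool:
        q = qname.rstrip(".").lower()
        return any(q == d or q.endswith("." + d) for d in self.secure_domains)

    def handle(self, qname: str, dnskey=None) -> str:
        """Return 'ACCEPT' or 'SERVFAIL'. dnskey is (owner, rdata), or None if unsigned."""
        if dnskey is not None:
            owner, rdata = dnskey
            key = (owner.rstrip(".").lower(), rdata)
            if key in self.trusted_keys:
                return "ACCEPT"
            tag, alg = key_tag(rdata), rdata[3]  # byte 3 of the RDATA is the algorithm
            for ds_tag, ds_alg, ds_dtype, digest in self.dlv_ds.get(key[0], []):
                if (ds_tag, ds_alg) == (tag, alg) and ds_digest(owner, rdata, ds_dtype) == digest:
                    return "ACCEPT"
            # Assumption of this model: a signature that chains to no anchor is
            # treated like an unsigned answer (the page does not state this case).
        return "SERVFAIL" if self.is_secure(qname) else "ACCEPT"


# Constructed keys standing in for the page's placeholder trusted key.
KEY1 = ("domain1.net", dnskey_rdata(257, 8, b"constructed-ksk-for-domain1"))
KEY2 = ("domain2.net", dnskey_rdata(257, 8, b"constructed-ksk-for-domain2"))
ROGUE = ("domain2.net", dnskey_rdata(257, 8, b"constructed-key-nobody-anchored"))

POLICY = DnssecPolicy(
    secure_domains=["domain1.net", "domain2.net"],
    trusted_keys=[KEY1],
    # Stand-in for the DS record the DLV registry would return for domain2.net
    dlv_ds={"domain2.net": [(key_tag(KEY2[1]), 8, 2, ds_digest(*KEY2))]},
)


def decisions() -> dict:
    """Run the cases the overview describes and return the verdict for each."""
    return {
        "unsigned, secure domain": POLICY.handle("www.domain1.net"),
        "unsigned, other domain": POLICY.handle("www.example.org"),
        "signed, trusted key": POLICY.handle("www.domain1.net", KEY1),
        "signed, DLV anchor": POLICY.handle("www.domain2.net", KEY2),
        "signed, unanchored key": POLICY.handle("www.domain2.net", ROGUE),
    }


if __name__ == "__main__":
    for case, verdict in decisions().items():
        print(f"{case:26} -> {verdict}")
```

    The point the model makes explicit is that the DS comparison is a digest comparison over the owner name and the full DNKEY RDATA, so a key with the same tag but different bytes (the ROGUE case) is rejected for the secure domain, while the same unanchored key would still be accepted for a domain that is not configured as secure.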

    Configuration

    CLI Quick Configuration

    To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

    set system services dns dnssec secure-domains domain1.net
    set system services dns dnssec secure-domains domain2.net
    set system services dns dnssec trusted-keys key domain1.net.25633CJ5K3h
    set system services dns dnssec dlv domain domain2.net trusted-anchor dlv.isc.org

    Step-by-Step Procedure

    To configure secure domains and trusted keys for DNSSEC:

    1. Configure domain1.net and domain2.net as secure domains.
      [edit]
      user@host# set system services dns dnssec secure-domains domain1.net
      user@host# set system services dns dnssec secure-domains domain2.net
    2. Configure a trusted key for domain1.net.
      [edit]
      user@host# set system services dns dnssec trusted-keys key "domain1.net.25633CJ5K3h"
    3. Attach the DLV registry dlv.isc.org as a trusted anchor for the secure domain domain2.net.
      [edit]
      user@host# set system services dns dnssec dlv domain domain2.net trusted-anchor dlv.isc.org

    Results

    From configuration mode, confirm your configuration by entering the show system services command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    dns {
        dnssec {
            trusted-keys {
                key domain1.net.25633CJ5K3h; ## SECRET-DATA
            }
            dlv {
                domain domain2.net trusted-anchor dlv.isc.org;
            }
            secure-domains {
                domain1.net;
                domain2.net;
            }
        }
    }

    If you are done configuring the device, enter commit from configuration mode.

    Verification

    To confirm that the configuration is working properly, perform this task:

    Verifying Secure Domains and Trusted Keys for DNSSEC Configuration

    Purpose

    Verify information about secure domains and trusted keys for the DNSSEC configuration.

    Action

    From operational mode, enter the show ... command.

    Published: 2012-06-29