Example: Configuring Secure Domains and Trusted Keys for DNSSEC

Users can configure secure domains and assign trusted keys to them by using CLI commands. When DNSSEC is enabled, signed responses are validated against the configured trust anchors, and unsigned responses are accepted or rejected depending on whether the domain is configured as a secure domain. The following example shows how to configure domain1.net and domain2.net as secure domains:

[edit]
user@host# set system services dns dnssec secure-domain domain1.net
user@host# set system services dns dnssec secure-domain domain2.net

When DNSSEC is enabled and a domain is configured as a secure domain, every unsigned response for that domain is discarded and the server returns a SERVFAIL error code to the client instead. If the domain is not configured as a secure domain, unsigned responses are accepted as they are. In other words, marking a domain as secure is what turns a missing signature from a tolerated condition into a hard failure, so only mark domains whose zones are actually signed.

The following example shows how to configure trusted keys for domain1.net. Each key string uses the BIND trusted-keys format (owner name, flags, protocol, algorithm, base64 public key); the inner quotes around the key material must be escaped because the whole string is itself quoted:

[edit]
user@host# set system services dns dnssec secure-domain domain1.net trusted-keys key "domain1.net 256 3 3 \"CJ+tJ5...\""
user@host# set system services dns dnssec secure-domain domain1.net trusted-keys key "dlv.isc.org. 256 3 3 \"CPIfHBL...\""

When the server receives a signed response, it checks whether the DNSKEY in the response matches one of the trusted keys configured above (same owner name, flags, protocol, algorithm, and public key). If it finds a match, that key becomes the trust anchor for the zone and the server accepts the signed response. Note that algorithm 3 in the example above is DSA/SHA-1, which current DNSSEC algorithm guidance (RFC 8624) says must not be used for signing; zones signed today normally use algorithm 8 (RSA/SHA-256) or 13 (ECDSA P-256/SHA-256), and the trusted-key string must carry whatever algorithm the zone actually uses.

You can also attach a trusted anchor to a secure domain to validate the signed responses. The following example shows how to attach dlv.isc.org, the ISC DNSSEC Lookaside Validation (DLV) registry, as the trusted anchor for domain2.net. Be aware that ISC shut down the dlv.isc.org registry in 2017 and DLV has since been retired as a mechanism (RFC 8749), so this form is shown for the syntax; on a current network the validation chain should run from the root trust anchor or from a trusted key you configure directly:

[edit]
user@host# set system services dns dnssec dlv domain domain2.net trusted-anchor dlv.isc.org

When the server receives a signed response for domain2.net, it queries dlv.isc.org for a DS-format record for that domain. A DS record does not contain the DNSKEY itself but a key tag, an algorithm number, and a digest of the DNSKEY; the server therefore checks whether the digest it computes over the DNSKEY in the signed response equals the digest in the record it received. If it finds a match, the server accepts the signed response.
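To make the three decisions above concrete (secure domain versus unsigned response, DNSKEY against a configured trusted key, and DNSKEY against a DS-format record), here is an added example in Python that is not Junos code and not part of the original page. It parses trusted-key strings in the same format as the CLI example, computes the key tag and DS digest per RFC 4034, and returns the ACCEPT/SERVFAIL outcome. The public-key bytes, domain names and records are constructed sample data; the subdomain matching rule and the SERVFAIL for a signed response that matches no anchor are my assumptions, since the page only states what happens on a match.

```python
"""Model of the DNSSEC trust decisions described on this page.
Added example, not Junos code. Assumptions (not from the page): a secure
domain covers its subdomains; a signed response whose DNSKEY matches neither
a trusted key nor the DS/DLV digest is answered with SERVFAIL."""
import base64
import hashlib
import struct


def parse_trusted_key(key_string):
    """Parse a BIND/Junos trusted-key string: '<name> <flags> <proto> <alg> "<base64>"'.
    Pass the string as the CLI stores it (inner quotes already unescaped)."""
    name, flags, proto, alg, b64 = key_string.split(None, 4)
    return {"name": name.rstrip(".").lower(), "flags": int(flags),
            "protocol": int(proto), "algorithm": int(alg),
            "pubkey": base64.b64decode(b64.strip().strip('"'))}


def dnskey_rdata(key):
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", key["flags"], key["protocol"], key["algorithm"]) + key["pubkey"]


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def wire_name(name):
    """Owner name in canonical (lowercase) DNS wire format."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_digest(owner, key, digest_type=2):
    """DS digest per RFC 4034 5.1.4: hash(owner name || DNSKEY RDATA). 1=SHA-1, 2=SHA-256, 4=SHA-384."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return algo(wire_name(owner) + dnskey_rdata(key)).hexdigest().upper()


def ds_record(owner, key, digest_type=2):
    """Build the DS-format record a registry (or parent zone) would publish for this DNSKEY."""
    rdata = dnskey_rdata(key)
    return {"key_tag": key_tag(rdata), "algorithm": key["algorithm"],
            "digest_type": digest_type, "digest": ds_digest(owner, key, digest_type)}


def in_secure_domain(zone, secure_domains):
    z = zone.rstrip(".").lower()
    return any(z == d or z.endswith("." + d) for d in secure_domains)


def matches_trusted_key(zone, response_key, trusted_keys):
    """Trusted-key check: same owner name and byte-identical DNSKEY RDATA."""
    z = zone.rstrip(".").lower()
    return any(tk["name"] == z and dnskey_rdata(tk) == dnskey_rdata(response_key)
               for tk in trusted_keys)


def matches_ds(zone, response_key, ds):
    """DS check: key tag and algorithm agree and the recomputed digest equals the published one."""
    rdata = dnskey_rdata(response_key)
    return (ds["key_tag"] == key_tag(rdata) and ds["algorithm"] == response_key["algorithm"]
            and ds["digest"] == ds_digest(zone, response_key, ds["digest_type"]))


def decide(zone, signed, secure_domains, trusted_keys=(), dlv_ds=None, response_key=None):
    """Return 'ACCEPT' or 'SERVFAIL' for a response belonging to `zone`."""
    if not signed:
        return "SERVFAIL" if in_secure_domain(zone, secure_domains) else "ACCEPT"
    if matches_trusted_key(zone, response_key, trusted_keys):
        return "ACCEPT"
    if dlv_ds is not None and matches_ds(zone, response_key, dlv_ds):
        return "ACCEPT"
    return "SERVFAIL"  # assumption: signed but anchored to nothing we trust


# Constructed sample data (4-byte placeholder keys, not real key material); algorithm 8 = RSA/SHA-256.
SECURE_DOMAINS = ["domain1.net", "domain2.net"]
KEY1 = parse_trusted_key('domain1.net 256 3 8 "%s"' % base64.b64encode(b"\x01\x02\x03\x04").decode())
KEY2 = parse_trusted_key('domain2.net 256 3 8 "%s"' % base64.b64encode(b"\x05\x06\x07\x08").decode())
TRUSTED_KEYS = [KEY1]                        # configured for domain1.net
DLV_DS_DOMAIN2 = ds_record("domain2.net", KEY2)  # what dlv.isc.org would return for domain2.net
TAMPERED = dict(KEY2, pubkey=b"\x05\x06\x07\x09")  # one bit of key material changed

if __name__ == "__main__":
    print("unsigned domain1.net:", decide("domain1.net", False, SECURE_DOMAINS))
    print("unsigned example.org:", decide("example.org", False, SECURE_DOMAINS))
    print("signed domain2.net, DS match:", decide("domain2.net", True, SECURE_DOMAINS,
                                                   dlv_ds=DLV_DS_DOMAIN2, response_key=KEY2))
    print("signed domain2.net, tampered:", decide("domain2.net", True, SECURE_DOMAINS,
                                                   dlv_ds=DLV_DS_DOMAIN2, response_key=TAMPERED))
```

The trusted-key path compares the whole DNSKEY RDATA, while the DS path compares only a digest plus key tag and algorithm; both are exact matches, so any change to the key material (as with TAMPERED above) drops the response to SERVFAIL. A real validator additionally verifies the RRSIGs with the anchored key, which this model leaves out.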
