DNSSEC Howto?

> On Sat, Mar 27, 2021 at 12:51:36PM +0100, Francesc Peñalvez wrote:
>
>> I have the dns of the domain managed externally, configured with
>> dnssec, and another host running postfix. How could I integrate that
>> postfix use the dnssec configuration? Would it be enough to add the
>> dns of the external service to the postfix resolv.conf?
>
> As written, the question makes no sense.  You'll need to
> explain your goals in more detail.
>
>      - If your domain is already signed, then clients
>        resolving data about your domain are able (when
>        suitably configured) to validate the integrity
>        of that data.
>
>      - If you're looking to use DNSSEC as a client, to
>        validate DNS records of remote domains, all you
>        need is a local (running on the Postfix server
>        itself, listening on 127.0.0.1:53) validating
>        resolver, such as unbound, Knot, BIND, ...
>
> * The DNSSEC status of your own domain is irrelevant
>    for validating remote domains.
>
> * Validating remote domains does not directly do anything
>    to ensure data integrity for your own domains when queried
>    by others.
>
> See:
>
>      https://stats.dnssec-tools.org/explore/?almogavers.net
>      https://dnsviz.net/d/almogavers.net/YFjc3g/dnssec/
>
> I would perhaps recommed either switching to algorithm 13 (ECDSA P256),
> which has better security at a lower key size, or use a ZSK that is
> shorter than 2048 bits (1280 bits is what .COM uses), which tends to be
> a bit too large for unfragmented UDP when responses carry multiple
> signatures (e.g.  NSEC3 negative answers).  Fragmented UDP is not
> reliable these days over wide-area networks.
>
> For small zones with no names to hide, just use NSEC.
>

> On Sat, Mar 27, 2021 at 01:59:56PM +0100, Francesc Peñalvez wrote:
>
>> I have a connection of the domestic type, with 7 computers in an
>> internal network, in which I do not have access to make any changes to
>> the ip. I use external dns service to manage the bind9 service,
>> although I have another installed and running locally.
>
> OK, so you have an outsourced public authoritative server for your
> DNSSEC signed domain
>
>> Both in the external and internal services of bind I have the same
>> configuration of dmarc and dkim and of course I would like to know, I
>> am really a novice in system administration, if the external dnssec
>> configuration that manages the domain, zoneedit, is enough to use
>> dnssec correctly?
>
> You still have not explained what "use DNSSEC" means.  Your DNS
> works.  The RSA ZSK is larger than I'd recommend, but otherwise
> no issues.
>
> Are you looking to enable inbound or outbound DANE on your Postfix
> server?  What is the concrete Postfix-related goal for which you're
> seeking advice?
>

> On Sun, Mar 28, 2021 at 01:08:44AM +0100, Francesc Peñalvez wrote:
>
>> Right now dnssec is activated in the external manager zoneedit.com, in
>> which I cannot modify the type of encryption or the length of the key.
>
> If there are no key size or algorithm settings in zoneedit.com, then
> indeed you're set.  The largish ZSK is typically OK, just risks some
> trouble with UDP fragmentation for a small fraction of clients on
> networks that doesn't work well.
>
>> And if I am looking to activate inbound and outbound dnssec with my postfix
>
> There is no such thing as inbound DNSSEC specifically for Postfix.  If
> your domain is signed, then validating resolvers will check the
> signatures as a routine part of MX and A/AAAA lookups.
>
> For outbound DNSSEC, just turn on DNSSEC validation in your local
> resolver.  There again nothing Postfix-specific to be done.
>
> DNSSEC only comes into play if you're looking to do DANE.
>
>      http://www.postfix.org/TLS_README.html#client_tls_dane
>
> See also the resource links at:
>
>      https://stats.dnssec-tools.org/explore/?.
>