I have the DNS of the domain managed externally, configured with DNSSEC,
and another host running Postfix. How could I make Postfix use the DNSSEC configuration? Would it be enough to add the DNS of the external service to the Postfix resolv.conf?
On Sat, Mar 27, 2021 at 12:51:36PM +0100, Francesc Peñalvez wrote:

> I have the DNS of the domain managed externally, configured with
> DNSSEC, and another host running Postfix. How could I make Postfix
> use the DNSSEC configuration? Would it be enough to add the DNS of
> the external service to the Postfix resolv.conf?

As written, the question makes no sense. You'll need to explain your
goals in more detail.

- If your domain is already signed, then clients resolving data about
  your domain are able (when suitably configured) to validate the
  integrity of that data.

- If you're looking to use DNSSEC as a client, to validate DNS records
  of remote domains, all you need is a local (running on the Postfix
  server itself, listening on 127.0.0.1:53) validating resolver, such
  as unbound, Knot, BIND, ...

  * The DNSSEC status of your own domain is irrelevant for validating
    remote domains.

  * Validating remote domains does not directly do anything to ensure
    data integrity for your own domains when queried by others.

See:

    https://stats.dnssec-tools.org/explore/?almogavers.net
    https://dnsviz.net/d/almogavers.net/YFjc3g/dnssec/

I would perhaps recommend either switching to algorithm 13 (ECDSA P256),
which has better security at a lower key size, or using a ZSK that is
shorter than 2048 bits (1280 bits is what .COM uses), which tends to be
a bit too large for unfragmented UDP when responses carry multiple
signatures (e.g. NSEC3 negative answers). Fragmented UDP is not
reliable these days over wide-area networks.

For small zones with no names to hide, just use NSEC.

-- 
    Viktor.
I have a connection of the domestic type, with 7 computers in an
internal network, in which I do not have access to make any changes to the IP. I use an external DNS service to manage the bind9 service, although I have another installed and running locally. Both in the external and internal bind services I have the same configuration of DMARC and DKIM, and of course I would like to know (I am really a novice in system administration) if the external DNSSEC configuration that manages the domain, zoneedit, is enough to use DNSSEC correctly?

On 27/03/2021 at 13:34, Viktor Dukhovni wrote:
> On Sat, Mar 27, 2021 at 12:51:36PM +0100, Francesc Peñalvez wrote:
>
>> I have the DNS of the domain managed externally, configured with
>> DNSSEC, and another host running Postfix. How could I make Postfix
>> use the DNSSEC configuration? Would it be enough to add the DNS of
>> the external service to the Postfix resolv.conf?
>
> As written, the question makes no sense. You'll need to
> explain your goals in more detail.
>
> - If your domain is already signed, then clients
>   resolving data about your domain are able (when
>   suitably configured) to validate the integrity
>   of that data.
>
> - If you're looking to use DNSSEC as a client, to
>   validate DNS records of remote domains, all you
>   need is a local (running on the Postfix server
>   itself, listening on 127.0.0.1:53) validating
>   resolver, such as unbound, Knot, BIND, ...
>
>   * The DNSSEC status of your own domain is irrelevant
>     for validating remote domains.
>
>   * Validating remote domains does not directly do anything
>     to ensure data integrity for your own domains when queried
>     by others.
>
> See:
>
>     https://stats.dnssec-tools.org/explore/?almogavers.net
>     https://dnsviz.net/d/almogavers.net/YFjc3g/dnssec/
>
> I would perhaps recommend either switching to algorithm 13 (ECDSA P256),
> which has better security at a lower key size, or using a ZSK that is
> shorter than 2048 bits (1280 bits is what .COM uses), which tends to be
> a bit too large for unfragmented UDP when responses carry multiple
> signatures (e.g. NSEC3 negative answers). Fragmented UDP is not
> reliable these days over wide-area networks.
>
> For small zones with no names to hide, just use NSEC.
On Sat, Mar 27, 2021 at 01:59:56PM +0100, Francesc Peñalvez wrote:

> I have a connection of the domestic type, with 7 computers in an
> internal network, in which I do not have access to make any changes to
> the IP. I use an external DNS service to manage the bind9 service,
> although I have another installed and running locally.

OK, so you have an outsourced public authoritative server for your
DNSSEC signed domain.

> Both in the external and internal bind services I have the same
> configuration of DMARC and DKIM, and of course I would like to know (I
> am really a novice in system administration) if the external DNSSEC
> configuration that manages the domain, zoneedit, is enough to use
> DNSSEC correctly?

You still have not explained what "use DNSSEC" means. Your DNS
works. The RSA ZSK is larger than I'd recommend, but otherwise
no issues.

Are you looking to enable inbound or outbound DANE on your Postfix
server? What is the concrete Postfix-related goal for which you're
seeking advice?

-- 
    Viktor.
Right now DNSSEC is activated in the external manager zoneedit.com, in
which I cannot modify the type of encryption or the length of the key. And yes, I am looking to activate inbound and outbound DNSSEC with my Postfix.

On 28/03/2021 at 1:03, Viktor Dukhovni wrote:
> On Sat, Mar 27, 2021 at 01:59:56PM +0100, Francesc Peñalvez wrote:
>
>> I have a connection of the domestic type, with 7 computers in an
>> internal network, in which I do not have access to make any changes to
>> the IP. I use an external DNS service to manage the bind9 service,
>> although I have another installed and running locally.
>
> OK, so you have an outsourced public authoritative server for your
> DNSSEC signed domain.
>
>> Both in the external and internal bind services I have the same
>> configuration of DMARC and DKIM, and of course I would like to know (I
>> am really a novice in system administration) if the external DNSSEC
>> configuration that manages the domain, zoneedit, is enough to use
>> DNSSEC correctly?
>
> You still have not explained what "use DNSSEC" means. Your DNS
> works. The RSA ZSK is larger than I'd recommend, but otherwise
> no issues.
>
> Are you looking to enable inbound or outbound DANE on your Postfix
> server? What is the concrete Postfix-related goal for which you're
> seeking advice?
On Sun, Mar 28, 2021 at 01:08:44AM +0100, Francesc Peñalvez wrote:

> Right now DNSSEC is activated in the external manager zoneedit.com, in
> which I cannot modify the type of encryption or the length of the key.

If there are no key size or algorithm settings in zoneedit.com, then
indeed you're set. The largish ZSK is typically OK, it just risks some
trouble with UDP fragmentation for a small fraction of clients on
networks that don't work well.

> And yes, I am looking to activate inbound and outbound DNSSEC with my Postfix.

There is no such thing as inbound DNSSEC specifically for Postfix. If
your domain is signed, then validating resolvers will check the
signatures as a routine part of MX and A/AAAA lookups.

For outbound DNSSEC, just turn on DNSSEC validation in your local
resolver. There again nothing Postfix-specific to be done.

DNSSEC only comes into play if you're looking to do DANE.

    http://www.postfix.org/TLS_README.html#client_tls_dane

See also the resource links at:

    https://stats.dnssec-tools.org/explore/?

-- 
    Viktor.
Thanks Viktor

On 28/03/2021 at 1:21, Viktor Dukhovni wrote:
> On Sun, Mar 28, 2021 at 01:08:44AM +0100, Francesc Peñalvez wrote:
>
>> Right now DNSSEC is activated in the external manager zoneedit.com, in
>> which I cannot modify the type of encryption or the length of the key.
>
> If there are no key size or algorithm settings in zoneedit.com, then
> indeed you're set. The largish ZSK is typically OK, it just risks some
> trouble with UDP fragmentation for a small fraction of clients on
> networks that don't work well.
>
>> And yes, I am looking to activate inbound and outbound DNSSEC with my Postfix.
>
> There is no such thing as inbound DNSSEC specifically for Postfix. If
> your domain is signed, then validating resolvers will check the
> signatures as a routine part of MX and A/AAAA lookups.
>
> For outbound DNSSEC, just turn on DNSSEC validation in your local
> resolver. There again nothing Postfix-specific to be done.
>
> DNSSEC only comes into play if you're looking to do DANE.
>
>     http://www.postfix.org/TLS_README.html#client_tls_dane
>
> See also the resource links at:
>
>     https://stats.dnssec-tools.org/explore/?