DNSSEC and Unix clients

A company  has requested that DNSSEC be implemented in the environment.  The environment is a Windows 2008 R2 Active Directory with the DC's running DNS.  Setting up DNSSEC in DNS is relatively straightforward.  Most likely the company will also want to use IPSec with DNSSEC.   However, most of the client computers are Linux servers, so group policies are of no value here.

Would the Linux client be able to use DNSSEC?  If this is supported what are the commands on the Linux side to enable DNSSEC with IPSec?  How is this verified on the client?

I don't know if this matters but there are A records in DNS for all the Linux servers.
BigmacMcAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

gheistCommented:
BIND v9 implemented DNSSEC in year 2000, and support is still there.

It has nothing to do if you use IPSEC or SSL or DSL or WPA2 or none, those are just communication channels

DNSSEC validation should be enabled in DNS servers(read first line), clients are deaf and blind unless you use special DNS parsing libraries.
Part of named.conf (taken from CentOS 6)
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
that enables DNSSEC validation on BIND name server by default.
0
Jan SpringerCommented:
If the linux box is a DNS client, then it doesn't need BIND (a DNS server).

It needs its servers specified in /etc/resolv.conf to return DNSSEC answers and it needs to not block those answers from TCP port 53.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
gheistCommented:
Most network impact is not "port" number, but various firealls blocking large DNS packets (4K) used by DNSSEC
0
What were the top attacks of Q1 2018?

The Threat Lab team analyzes data from WatchGuard’s Firebox Feed, internal and partner threat intelligence, and a research honeynet, to provide insightful analysis about the top threats on the Internet. Check out our Q1 2018 report for smart, practical security advice today!

Jan SpringerCommented:
And that's why I explicitly stated that traffic from TCP 53 needed to be allowed back in.

It's not just a DNSSEC thing.
0
gheistCommented:
e.g cisco inspect will drop 4K response packet that adds 5s wait to retry with 512 byte EDNS0 request
0
Jan SpringerCommented:
i haven't configured a cisco firewall with 512 in  years.  that may be the default configuration but i've always changed it to 4096.
0
BigmacMcAuthor Commented:
Thanks everyone for your responses.

It is my understanding all the Linux servers are DNS clients pointing to Microsoft DNS servers, there are no Bind servers.  So my take away is etc/resolv.conf must be configured on the linux client servers to allow DNSSEC over port tcp 53.
0
BigmacMcAuthor Commented:
Is it safe to say that DNSSEC introduces sizable increase in DNS traffic?  That slow WAN/LAN links could possibly be impacted?
0
Jan SpringerCommented:
If your /etc/resolv.conf points to a server that cannot handle DNSSEC, then you need to consider installing a server that does or upgrade the server configuration to do so.

Regardless of the size of the traffic, if you do allow for it, then you may be blocking traffic to some zones.
0
gheistCommented:
The traffic should have been accomodated 10 years ago.
Either way DNS does not use significant traffic.
0
BigmacMcAuthor Commented:
Thanks for the assistance
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Legacy OS

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.