Example: Configuring Secure Domains and Trusted Keys for DNSSEC
This example shows how to configure secure domains and trusted keys for DNSSEC.
Requirements
Set the name server IP address so that the DNS resolver forwards all DNS queries to the DNSSEC-validating server rather than to a plain DNS server. See Example: Configuring DNSSEC for more information.
Overview
You can configure secure domains and assign trusted keys to those domains. When DNSSEC is enabled, signed responses are validated against the configured trusted keys or trusted anchor, and unsigned responses are either accepted or rejected depending on whether the domain is configured as a secure domain.
When DNSSEC is enabled and a domain is configured as a secure domain, all unsigned responses for that domain are discarded and the server returns a SERVFAIL error code to the client. If the domain is not configured as a secure domain, unsigned responses are accepted.
When the server receives a signed response, it checks whether the DNSKEY in the response matches one of the configured trusted keys. If it finds a match, the server accepts the signed response.
You can also attach a DLV (DNSSEC Lookaside Validation) zone, such as dlv.isc.org, as a trusted anchor for a secure domain and use it to validate signed responses. When the server receives a signed response, it queries the trusted-anchor zone for a DS record for the domain. A DS record does not carry the key itself; it carries the key tag, the algorithm, and a digest of the DNSKEY. The server checks whether that digest matches the DNSKEY in the signed response and accepts the response if it does. Note that ISC decommissioned the dlv.isc.org lookaside zone in 2017, so a DLV trusted anchor that points at it no longer validates anything; for such domains, configure trusted keys directly instead.
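The following Python model, added here as an illustration and not part of the Junos OS documentation or implementation, shows the two checks described above: how a DS record relates to a DNSKEY (a SHA-256 digest over the canonical owner name and the DNSKEY RDATA, plus the key tag, as in RFC 4034 and RFC 4509), and the secure-domain acceptance policy for signed and unsigned responses. It assumes that RRSIG signature verification has already happened elsewhere, that a trusted key is represented by the DNSKEY RDATA it names (the Junos `trusted-keys key` string combines the domain and key in one token; the model keeps them separate), and that the trusted-anchor zone is represented by the DS records it would return. The keys below are constructed sample data, not real keys.

```python
# Added example (not Junos code): models the DNSSEC acceptance policy described above.
# Assumptions: RRSIG verification is out of scope; a trusted key is the DNSKEY RDATA;
# the trusted-anchor zone is represented by the DS records it would publish per domain.
import hashlib
import struct

SHA256_DIGEST_TYPE = 2  # DS digest type 2 = SHA-256 (RFC 4509)


def canonical_name(name: str) -> bytes:
    """Owner name in canonical wire format (RFC 4034 section 6.2): lowercase labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: flags, protocol, algorithm, public key (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B, form for algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, rdata: bytes) -> tuple:
    """DS record (key tag, algorithm, digest type, digest) derived from a DNSKEY.
    The digest covers owner name || DNSKEY RDATA, so the DS never contains the key itself."""
    digest = hashlib.sha256(canonical_name(owner) + rdata).digest()
    return (key_tag(rdata), rdata[3], SHA256_DIGEST_TYPE, digest)


def ds_matches(owner: str, rdata: bytes, ds: tuple) -> bool:
    """True if the DS record authenticates this DNSKEY for this owner name."""
    return make_ds(owner, rdata) == ds


def is_secure_domain(name: str, secure_domains) -> bool:
    """A name is secure if it equals, or lies under, a configured secure domain."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in secure_domains)


def validate(name, signed, rdata, secure_domains, trusted_keys, anchor_ds):
    """Return "ACCEPT" or "SERVFAIL" for a response, following the policy on this page.

    name           owner name of the response
    signed         whether the response carried DNSSEC signatures
    rdata          DNSKEY RDATA presented in the signed response (None if unsigned)
    secure_domains domains configured under secure-domains
    trusted_keys   {domain: {dnskey rdata, ...}} configured under trusted-keys
    anchor_ds      {domain: [ds tuple, ...]} as the trusted-anchor zone would return
    """
    name = name.lower().rstrip(".")
    secure = is_secure_domain(name, secure_domains)
    if not signed:
        # Unsigned answers are refused (SERVFAIL) only for secure domains.
        return "SERVFAIL" if secure else "ACCEPT"
    if rdata in trusted_keys.get(name, set()):
        return "ACCEPT"  # DNSKEY equals a configured trusted key
    if any(ds_matches(name, rdata, ds) for ds in anchor_ds.get(name, [])):
        return "ACCEPT"  # DNSKEY authenticated by a DS record from the trusted anchor
    # Assumption (the page does not state this case): a signed answer whose key
    # cannot be tied to any trusted key or DS is treated like an unsigned one.
    return "SERVFAIL" if secure else "ACCEPT"


# Constructed sample data (not real keys): a trusted key for domain1.net, and a zone
# key for domain2.net together with the DS the trusted-anchor zone would publish for it.
KEY1 = dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x04")  # key tag works out to 2063
KEY2 = dnskey_rdata(257, 3, 8, bytes(range(16)))
SECURE_DOMAINS = {"domain1.net", "domain2.net"}
TRUSTED_KEYS = {"domain1.net": {KEY1}}
ANCHOR_DS = {"domain2.net": [make_ds("domain2.net", KEY2)]}

if __name__ == "__main__":
    for case in [("domain1.net", False, None), ("example.org", False, None),
                 ("domain1.net", True, KEY1), ("domain2.net", True, KEY2),
                 ("domain2.net", True, KEY1)]:
        print(case[0], "signed" if case[1] else "unsigned",
              validate(*case, SECURE_DOMAINS, TRUSTED_KEYS, ANCHOR_DS))
```

The model looks up trusted keys and DS records by exact domain only; a real validator walks the chain of DS and DNSKEY records from the anchor down to the queried name and also verifies the RRSIG signatures, which this example deliberately leaves out.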
Topology
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set system services dns dnssec secure-domains domain1.net
set system services dns dnssec secure-domains domain2.net
set system services dns dnssec trusted-keys key domain1.net.ABC123ABCh
set system services dns dnssec dlv domain domain2.net trusted-anchor dlv.isc.org
Step-by-Step Procedure
To configure secure domains and trusted keys for DNSSEC:
Configure domain1.net and domain2.net as secure domains.
[edit]
user@host# set system services dns dnssec secure-domains domain1.net
user@host# set system services dns dnssec secure-domains domain2.net
Configure a trusted key for domain1.net.
[edit]
user@host# set system services dns dnssec trusted-keys key "domain1.net.ABC123ABCh"
Attach the DLV zone dlv.isc.org as a trusted anchor to the secure domain domain2.net.
[edit]
user@host# set system services dns dnssec dlv domain domain2.net trusted-anchor dlv.isc.org
Results
From configuration mode, confirm your configuration by entering the show system services command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
dns {
    dnssec {
        trusted-keys {
            key domain1.net.ABC123ABCh; ## SECRET-DATA
        }
        dlv {
            domain domain2.net trusted-anchor dlv.isc.org;
        }
        secure-domains {
            domain1.net;
            domain2.net;
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.