{"id":4761,"date":"2009-05-27T13:54:57","date_gmt":"2009-05-27T20:54:57","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=4761"},"modified":"2020-05-06T10:31:48","modified_gmt":"2020-05-06T17:31:48","slug":"implementing-dnssec-validation","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/security\/implementing-dnssec-validation\/","title":{"rendered":"Implementing DNSSEC Validation"},"content":{"rendered":"<p>This may be obvious to some of you, but implementing DNSSEC validation is\u00a0<em>easy<\/em>\u00a0if you use a forwarding architecture (that is, if you resolve Internet domain names using forwarders). Only your forwarders need special configuration, and that configuration is simple.<\/p>\n<p>First, you need to make sure those forwarders are running the latest code. The\u00a0<em>gov<\/em>\u00a0zone is signed using something called NSEC3 records, so you&#8217;ll want a name server that groks those. If you&#8217;re running BIND, that&#8217;s BIND 9.6.0 or better.<\/p>\n<p>Next, you need to enable DNSSEC on those forwarders. Add these two substatements to your\u00a0<em>options<\/em>\u00a0statement:<\/p>\n<p><code>options {<br \/>\ndnssec-enable yes;<br \/>\ndnssec-validation yes;<br \/>\n};<\/code><\/p>\n<p>Finally, configure trust anchors for the signed zones you&#8217;d like to validate. You can retrieve a list of the TLDs that are signed from\u00a0<a href=\"https:\/\/itar.iana.org\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">IANA&#8217;s Interim Trust Anchor Repository, or ITAR<\/a>. IANA helpfully provides a script, called\u00a0<a href=\"https:\/\/itar.iana.org\/instructions\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">anchors2keys<\/a>, that you can use to convert the DS records published in the ITAR to the format BIND expects.<\/p>\n<p>Done? 
Just reload your name server and you&#8217;re validating signed records!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This may be obvious to some of you, but implementing DNSSEC validation is\u00a0easy\u00a0if you use a forwarding architecture (that is, if you resolve Internet domain names using forwarders). Only your forwarders need special configuration, and that configuration is simple. First, you need to make sure those forwarders are running the latest code. The\u00a0gov\u00a0zone is signed [&hellip;]<\/p>\n","protected":false},"author":178,"featured_media":2519,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[2],"tags":[30,229,16,15],"class_list":{"0":"post-4761","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-security","8":"tag-dns","9":"tag-dnssec","10":"tag-infoblox","11":"tag-security","12":"entry"},"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.3 (Yoast SEO v27.3) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Implementing DNSSEC Validation<\/title>\n<meta name=\"description\" content=\"This may be obvious to some of you, but implementing DNSSEC validation is easy if you use a forwarding architecture (that is, if you resolve Internet domain names using forwarders).\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.infoblox.com\/blog\/security\/implementing-dnssec-validation\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta 
property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Implementing DNSSEC Validation\" \/>\n<meta property=\"og:description\" content=\"This may be obvious to some of you, but implementing DNSSEC validation is easy if you use a forwarding architecture (that is, if you resolve Internet domain names using forwarders).\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.infoblox.com\/blog\/security\/implementing-dnssec-validation\/\" \/>\n<meta property=\"og:site_name\" content=\"Infoblox Blog\" \/>\n<meta property=\"article:published_time\" content=\"2009-05-27T20:54:57+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2020-05-06T17:31:48+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/142079357-660x454-1-1.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"660\" \/>\n\t<meta property=\"og:image:height\" content=\"454\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Cricket Liu\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Cricket Liu\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/implementing-dnssec-validation\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/implementing-dnssec-validation\\\/\"},\"author\":{\"name\":\"Cricket Liu\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/person\\\/bb6b62b1b99a7cbcd7c528d5763778d5\"},\"headline\":\"Implementing DNSSEC Validation\",\"datePublished\":\"2009-05-27T20:54:57+00:00\",\"dateModified\":\"2020-05-06T17:31:48+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/implementing-dnssec-validation\\\/\"},\"wordCount\":175,\"publisher\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/implementing-dnssec-validation\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/142079357-660x454-1-1.jpg\",\"keywords\":[\"DNS\",\"DNSSEC\",\"Infoblox\",\"Security\"],\"articleSection\":[\"Security\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/implementing-dnssec-validation\\\/\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/implementing-dnssec-validation\\\/\",\"name\":\"Implementing DNSSEC 
Validation\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/implementing-dnssec-validation\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/implementing-dnssec-validation\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/142079357-660x454-1-1.jpg\",\"datePublished\":\"2009-05-27T20:54:57+00:00\",\"dateModified\":\"2020-05-06T17:31:48+00:00\",\"description\":\"This may be obvious to some of you, but implementing DNSSEC validation is easy if you use a forwarding architecture (that is, if you resolve Internet domain names using forwarders).\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/implementing-dnssec-validation\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/implementing-dnssec-validation\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/implementing-dnssec-validation\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/142079357-660x454-1-1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/142079357-660x454-1-1.jpg\",\"width\":660,\"height\":454,\"caption\":\"Qualitative Justifications for Training: Compliance and 
Availability\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/implementing-dnssec-validation\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Security\",\"item\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/category\\\/security\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Implementing DNSSEC Validation\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\",\"name\":\"infoblox.com\\\/blog\\\/\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\",\"name\":\"Infoblox\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/infoblox-logo-2.svg\",\"contentUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/infoblox-logo-2.svg\",\"width\":137,\"height\":30,\"caption\":\"Infoblox\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/person\\\/bb6b62b1b99a7cbcd7c528d5763778d5\",\"name\":\"Cricket 
Liu\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/cricket-new-96x96.jpg\",\"url\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/cricket-new-96x96.jpg\",\"contentUrl\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/cricket-new-96x96.jpg\",\"caption\":\"Cricket Liu\"},\"description\":\"Cricket is one of the world\u2019s leading experts on the Domain Name System (DNS) and serves as the liaison between Infoblox and the DNS community. Before joining Infoblox, he founded an internet consulting and training company, Acme Byte &amp; Wire, after running the hp.com domain at Hewlett-Packard. Cricket is a prolific speaker and author, having written a number of books including \u201cDNS and BIND,\u201d one of the most widely used references in the field, now in its fifth edition.\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/author\\\/cricket-liu\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. 
-->","yoast_head_json":{"title":"Implementing DNSSEC Validation","description":"This may be obvious to some of you, but implementing DNSSEC validation is easy if you use a forwarding architecture (that is, if you resolve Internet domain names using forwarders).","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.infoblox.com\/blog\/security\/implementing-dnssec-validation\/","og_locale":"en_US","og_type":"article","og_title":"Implementing DNSSEC Validation","og_description":"This may be obvious to some of you, but implementing DNSSEC validation is easy if you use a forwarding architecture (that is, if you resolve Internet domain names using forwarders).","og_url":"https:\/\/www.infoblox.com\/blog\/security\/implementing-dnssec-validation\/","og_site_name":"Infoblox Blog","article_published_time":"2009-05-27T20:54:57+00:00","article_modified_time":"2020-05-06T17:31:48+00:00","og_image":[{"width":660,"height":454,"url":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/142079357-660x454-1-1.jpg","type":"image\/jpeg"}],"author":"Cricket Liu","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Cricket Liu","Est. 
reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.infoblox.com\/blog\/security\/implementing-dnssec-validation\/#article","isPartOf":{"@id":"https:\/\/www.infoblox.com\/blog\/security\/implementing-dnssec-validation\/"},"author":{"name":"Cricket Liu","@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/person\/bb6b62b1b99a7cbcd7c528d5763778d5"},"headline":"Implementing DNSSEC Validation","datePublished":"2009-05-27T20:54:57+00:00","dateModified":"2020-05-06T17:31:48+00:00","mainEntityOfPage":{"@id":"https:\/\/www.infoblox.com\/blog\/security\/implementing-dnssec-validation\/"},"wordCount":175,"publisher":{"@id":"https:\/\/www.infoblox.com\/blog\/#organization"},"image":{"@id":"https:\/\/www.infoblox.com\/blog\/security\/implementing-dnssec-validation\/#primaryimage"},"thumbnailUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/142079357-660x454-1-1.jpg","keywords":["DNS","DNSSEC","Infoblox","Security"],"articleSection":["Security"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.infoblox.com\/blog\/security\/implementing-dnssec-validation\/","url":"https:\/\/www.infoblox.com\/blog\/security\/implementing-dnssec-validation\/","name":"Implementing DNSSEC Validation","isPartOf":{"@id":"https:\/\/www.infoblox.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.infoblox.com\/blog\/security\/implementing-dnssec-validation\/#primaryimage"},"image":{"@id":"https:\/\/www.infoblox.com\/blog\/security\/implementing-dnssec-validation\/#primaryimage"},"thumbnailUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/142079357-660x454-1-1.jpg","datePublished":"2009-05-27T20:54:57+00:00","dateModified":"2020-05-06T17:31:48+00:00","description":"This may be obvious to some of you, but implementing DNSSEC validation is easy if you use a forwarding architecture (that is, if you resolve Internet domain names using 
forwarders).","breadcrumb":{"@id":"https:\/\/www.infoblox.com\/blog\/security\/implementing-dnssec-validation\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.infoblox.com\/blog\/security\/implementing-dnssec-validation\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.infoblox.com\/blog\/security\/implementing-dnssec-validation\/#primaryimage","url":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/142079357-660x454-1-1.jpg","contentUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/142079357-660x454-1-1.jpg","width":660,"height":454,"caption":"Qualitative Justifications for Training: Compliance and Availability"},{"@type":"BreadcrumbList","@id":"https:\/\/www.infoblox.com\/blog\/security\/implementing-dnssec-validation\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.infoblox.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Security","item":"https:\/\/www.infoblox.com\/blog\/category\/security\/"},{"@type":"ListItem","position":3,"name":"Implementing DNSSEC 
Validation"}]},{"@type":"WebSite","@id":"https:\/\/www.infoblox.com\/blog\/#website","url":"https:\/\/www.infoblox.com\/blog\/","name":"infoblox.com\/blog\/","description":"","publisher":{"@id":"https:\/\/www.infoblox.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.infoblox.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.infoblox.com\/blog\/#organization","name":"Infoblox","url":"https:\/\/www.infoblox.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/infoblox-logo-2.svg","contentUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/infoblox-logo-2.svg","width":137,"height":30,"caption":"Infoblox"},"image":{"@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/person\/bb6b62b1b99a7cbcd7c528d5763778d5","name":"Cricket Liu","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/cricket-new-96x96.jpg","url":"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/cricket-new-96x96.jpg","contentUrl":"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/cricket-new-96x96.jpg","caption":"Cricket Liu"},"description":"Cricket is one of the world\u2019s leading experts on the Domain Name System (DNS) and serves as the liaison between Infoblox and the DNS community. Before joining Infoblox, he founded an internet consulting and training company, Acme Byte &amp; Wire, after running the hp.com domain at Hewlett-Packard. 
Cricket is a prolific speaker and author, having written a number of books including \u201cDNS and BIND,\u201d one of the most widely used references in the field, now in its fifth edition.","url":"https:\/\/www.infoblox.com\/blog\/author\/cricket-liu\/"}]}},"_links":{"self":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/4761","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/users\/178"}],"replies":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/comments?post=4761"}],"version-history":[{"count":1,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/4761\/revisions"}],"predecessor-version":[{"id":4762,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/4761\/revisions\/4762"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media\/2519"}],"wp:attachment":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media?parent=4761"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/categories?post=4761"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/tags?post=4761"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}