DNSSEC

Domain Name System Security Extension, or DNSSEC, ensures the DNS record returned to a client is not being modified by intermediate resolvers.

On Saturday, 27 March 2021, DNSSEC was enabled for the wisc.edu zone.  DNSSEC signing for additional DNS zones is available upon request for DNS zones for which campus is authoritative.

Please visit https://kb.wisc.edu/ddi/110236 or email infoblox@lists.wisc.edu if you have questions or are interested in enabling DNSSEC for your own DNS zone.

For more information about DNSSEC:

ICANN has a brief DNSSEC introduction: https://www.icann.org/resources/pages/dnssec-what-is-it-why-important-2019-03-05-en

ISC has a multi-part tutorial on youtube: https://www.youtube.com/watch?v=L-IXvfp7BdY



wisc.edu 3rd level zones:

Where UW-Madison campus Infoblox is authoritative:

For DNS zones hosted on UW-Madison campus authoritative DNS servers, email infoblox@lists.wisc.edu with a list of your zones to sign and suggestions, if any, for a time to implement the change.  No additional work on your part is typically necessary.

Where the zone is delegated:

If zone authority is delegated to your own DNS servers, you will need to additionally maintain your own RRSIG and NSEC/NSEC3 records. To complete signing the signing process, your DS record will need to be added to campus DNS servers.  Please contact hostmaster@doit.wisc.edu as far in advance as possible for additional coordination.  

non-wisc.edu zones:

If you have a 2nd-level non-wisc.edu zone (e.g. various .org and .net zones) hosted in campus infoblox, your zone can be signed and DS records can be generated which you will be responsible to upload to your registrar.  You will need to update the DS records with your registrar every 51 weeks or your records will stop functioning as expected.





Keywords:DNSSEC   Doc ID:110236
Owner:Tim C.Group:DNS, DHCP, and IPAM
Created:2021-04-13 15:21 CDTUpdated:2021-04-13 15:35 CDT
Sites:DNS, DHCP, and IPAM
Feedback:  0   0