Cisco Prime IP Express 8.3 Technical References
in the DNS Caching server. Creating the cdnssec object does not
enable DNSSEC in the server. In order to enable DNSSEC, the dnssec
attribute must be explicitly enabled and the DNS Caching server
must be reloaded.
Examples
nrcmd> cdnssec create
nrcmd> cdnssec enable dnssec
nrcmd> cdnssec set trust-anchor-file=example.com.anchor
Status
See Also
Attributes
auto-trust-anchor-file
(obj(0)) default = root.anchor
Defines files with a trust anchor for one zone each, which is
tracked with RFC 5011 probes. The probes run several times per
month, so the machine must be online frequently. The initial
file can be one with contents as described in trust-anchor-file.
The file is written to when the anchor is updated, so the
server must have write permission. The files must be in the
data/cdns directory.
default = disabled
Enables validation of DNS information using DNSSEC.
(obj(0))
Defines domain names to be insecure; the DNSSEC chain of trust is
ignored towards these domain names. A trust anchor above the
domain name therefore cannot make the domain secure with a DS
record; such a DS record is ignored. Keys from DLV are also
ignored for the domain. If you set trust anchors for the domain,
they override this setting (and the domain is secured).
This can be useful if you want to make sure a trust anchor for
external lookups does not affect an (unsigned) internal domain.
An external DS record can create validation failures for that
internal domain.
default = 4194304
Sets the size of the key cache in bytes.
prefetch-key
default = off
Sets whether the DNS Caching server should fetch the DNSKEYs
earlier in the validation process, when a DS record is encountered.
This lowers the latency of requests but uses a little more CPU.
If the cache is set to 0, this setting has no effect.
(obj(0))
Defines a file with trusted keys for validation. Both DS and DNSKEY
entries can appear in the file. The format of the file is the
standard DNS Zone file format. Default is no trust anchor file. The
files must be in the data/cdns directory.
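A sanity check for a trust-anchor-file before the server is reloaded, added here as an example (not Cisco's code or part of the product): it accepts only DS and DNSKEY records in zone-file format and reports malformed ones. The function names and the sample records are constructed for illustration; any other line, including $ directives, is reported as a non-anchor record.

```python
import base64
import re

DS_DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}    # SHA-1, SHA-256, SHA-384

# Constructed sample: digest and key material are placeholders, not real anchors.
SAMPLE = f"""example.com. 3600 IN DS 12345 8 2 (
    {'AB' * 32} )
example.com. IN DNSKEY 257 3 8 AwEAAcnstrctdKeyDataXXXX
example.com. IN DS 12345 8 2 ABCDEF     ; truncated digest
example.com. IN A 192.0.2.1             ; not an anchor type
"""

def check_rdata(rtype, rdata):
    """Return an error string for malformed DS/DNSKEY rdata, else None."""
    if len(rdata) < 4 or not all(f.isdigit() for f in rdata[:3]):
        return "expected three numeric fields followed by digest or key data"
    blob = "".join(rdata[3:])
    if rtype == "DS":
        want = DS_DIGEST_HEX_LEN.get(int(rdata[2]))
        if want is None:
            return f"unknown DS digest type {rdata[2]}"
        if len(blob) != want or not re.fullmatch(r"[0-9A-Fa-f]+", blob):
            return f"digest is not {want} hex characters"
    elif rdata[1] != "3":
        return "DNSKEY protocol field must be 3"
    else:
        try:
            base64.b64decode(blob, validate=True)
        except ValueError:
            return "public key is not valid base64"
    return None

def lint_trust_anchor(text):
    """Return (anchors, problems); handles ';' comments and '( )' continuations."""
    body = "\n".join(line.split(";", 1)[0] for line in text.splitlines())
    body = re.sub(r"\(([^)]*)\)", lambda m: " " + m.group(1).replace("\n", " "), body)
    anchors, problems = [], []
    for fields in filter(None, (line.split() for line in body.splitlines())):
        owner, *rest = fields
        while rest and (rest[0].isdigit() or rest[0].upper() in ("IN", "CH", "HS")):
            rest.pop(0)                       # optional TTL and class
        rtype = rest[0].upper() if rest else ""
        if rtype not in ("DS", "DNSKEY"):
            problems.append(f"{owner}: not a DS or DNSKEY record")
        elif (error := check_rdata(rtype, rest[1:])):
            problems.append(f"{owner} {rtype}: {error}")
        else:
            anchors.append((owner, rtype))
    return anchors, problems
```

Call `lint_trust_anchor()` on the file's text and treat a non-empty problems list as a reason not to reload yet.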
cdns-interface
cdns-interface - Configures the DNS Caching server's network interfaces