The domain is now completely functional, so it is time to sign the zone so we can start using DNSSEC.
Now that our DNS servers are set up to at least answer non-DNSSEC queries, it is time to set up the domain.
Since we are moving to new name servers, this will walk through setting up a master (ns1.1metric.com) and slave (ns2.1metric.com). If you are looking at implementing it on already existing name servers, most of these steps can be skipped; just skim below to make sure your new name servers are set up to support DNSSEC.
DNSSEC uses PKI and a chain of trust to ensure that recursive name servers are getting the correct, unmodified records when doing a query for a domain name.
DNSSEC (Domain Name System Security Extensions) is an extension to DNS to close security holes left in the original implementation of DNS. Its main purpose is to provide authenticated DNS records from the authoritative name servers of a domain and therefore prevent man-in-the-middle and cache poisoning attacks.
The following instructions walk through getting Postfix to perform checking of SPF records on incoming mail. If a domain is properly configured, it will have an SPF record, and by configuring checking of SPF records, Postfix won’t accept mail for the domain except from authorised servers.
I assume you already have Postfix up and running how you need it.