DNSSEC

island of trust

generate the key pairs and a DS record to share

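# Key material lives in ~/certs; a 077 umask keeps the .private files
# generated below out of reach of other users even if ldns-keygen does
# not restrict their mode itself.
umask 077
mkdir -p ~/certs/
chmod 700 ~/certs/
cd ~/certs/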

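ldns-keygen -h
# ldns-keygen prints the key base name (Kos3.su.+013+<keytag>) on stdout and
# writes <base>.key (the DNSKEY RR), <base>.private and, for the KSK, <base>.ds
# next to it.  Capture the base names instead of copying them by hand so the
# signing commands below cannot refer to a mistyped key.
# -k sets the SEP bit (flags 257 = KSK); without it the key is a ZSK (256).
KSK=$(ldns-keygen -r /dev/urandom -k -a ECDSAP256SHA256 -b 256 os3.su)
ZSK=$(ldns-keygen -r /dev/urandom -a ECDSAP256SHA256 -b 256 os3.su)
printf 'KSK=%s\nZSK=%s\n' "$KSK" "$ZSK"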

sign the zone, and do not forget to update the serial beforehand in case you have XFR peers

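# NSEC3 salt: 16 hex characters (64 bits) drawn from /dev/urandom.
# OpenBSD ships sha1(1), Linux ships sha1sum(1); pick whichever exists.
if command -v sha1 >/dev/null 2>&1; then
  SALT=$(head -c 512 /dev/urandom | sha1 | cut -b 1-16)
else
  SALT=$(head -c 512 /dev/urandom | sha1sum | cut -b 1-16)
fi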

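ldns-signzone -h
# -n: NSEC3 instead of NSEC; -t: hash iterations; -s: salt as hex.
# RFC 9276 recommends 0 iterations and an empty salt (extra iterations only
# cost resolver CPU); 10 is kept here to match the rest of these notes.
# The signed zone is written next to the input as os3.su.db.signed.
ldns-signzone -n -t 10 -s "$SALT" /var/chroot/nsd/os3.su.db "$KSK" "$ZSK"
# ll is a shell alias, not a command; use ls -l so this also works in scripts
ls -l /var/chroot/nsd/os3.su.db*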

apply

# point the zone's zonefile entry at the .signed output of ldns-signzone
# (the path below is the one inside the NSD chroot)
vi /var/chroot/nsd/nsd.conf

    zonefile: "%s.db.signed"

# re-read nsd.conf so the new zonefile pattern takes effect
nsd-control reconfig

now check

# DNSKEY RRs: flags 257 is the KSK, 256 the ZSK
dig @localhost os3.su. dnskey +short
# +dnssec adds the RRSIGs to the answer
dig @localhost os3.su. +short +dnssec

automate signing

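#!/bin/ksh
# Re-sign os3.su with NSEC3 and reload it in NSD.
#
# Steps: check nsd.conf, bump the SOA serial (epoch seconds), check the
# unsigned zone, sign it with the KSK/ZSK below, reload the zone.
# Every step that can fail aborts the run.  In particular a failed signing
# must not be followed by the reload, which would otherwise serve the
# previous (possibly expiring) os3.su.db.signed.
#
# NB: `cmd && echo ok` does NOT abort under set -e when cmd fails (the
# failing command is not the last one of the && list), hence the explicit
# `|| die` on every check.
set -eu

# key base names as printed by ldns-keygen; update after a key rollover
KSK=/root/certs/Kos3.su.+013+04589
ZSK=/root/certs/Kos3.su.+013+58232

ZONE=os3.su
ZONEFILE=/var/chroot/nsd/$ZONE.db
NSDCONF=/etc/nsd/nsd.conf

# NSEC3 hash iterations.  RFC 9276 recommends 0 iterations and an empty salt
# (more iterations only cost resolver CPU); 10 is kept as the default to
# match the existing setup and can be overridden from the environment.
NSEC3_ITER=${NSEC3_ITER:-10}

# print a message on stderr and abort
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# epoch seconds double as the SOA serial and as the backup suffix
date=$(date +%s)

printf 'checking conf...'
nsd-checkconf "$NSDCONF" || die "nsd-checkconf failed"
echo ok

printf 'updating serial...'
# keep the previous zone file as a dated backup and rewrite the serial from it
mv "$ZONEFILE" "$ZONEFILE.$date"
sed -r "s/[[:space:]]*[[:digit:]]+[[:space:]]*; serial number$/                        $date ; serial number/" \
  "$ZONEFILE.$date" > "$ZONEFILE" || die "sed failed"
# the substitution is a silent no-op if the SOA line lacks the
# '; serial number' tag, so verify the new serial really landed in the file
grep -q -- "$date ; serial number" "$ZONEFILE" || die "serial not updated in $ZONEFILE"
echo done
grep 'serial number' "$ZONEFILE"

printf 'checking unsigned zone...'
nsd-checkzone "$ZONE" "$ZONEFILE" || die "nsd-checkzone failed"

printf 'signing %s...' "$ZONE"
# 16 hex chars (64 bits) of salt, drawn fresh on every run (which rehashes
# the whole NSEC3 chain); OpenBSD ships sha1(1), Linux sha1sum(1)
if command -v sha1 >/dev/null 2>&1; then
  SALT=$(head -c 512 /dev/urandom | sha1 | cut -b 1-16)
else
  SALT=$(head -c 512 /dev/urandom | sha1sum | cut -b 1-16)
fi
[ -n "$SALT" ] || die "could not generate NSEC3 salt"
ldns-signzone -n -t "$NSEC3_ITER" -s "$SALT" "$ZONEFILE" "$KSK" "$ZSK" \
  || die "ldns-signzone failed, not reloading"
echo ok

printf 'reloading zone...'
nsd-control reload "$ZONE"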

chain of trust

provide the KSK (flags 257) and its DS record to your parent zone

# the public DNSKEY RR and the DS record are what the parent needs;
# the matching .private file stays on this host
cat -- "$KSK.key" "$KSK.ds"

check that the DS record has been published (this may actually force your forwarder to cache the newly appearing record)

# the DS must come back from the parent (su.) before the chain is valid
dig -t DS os3.su

optionally, check the subdomains you delegate to students

# same check one level down, for a student delegation
dig -t DS std6.os3.su

check the chain of trust using our own validating resolver (SNE LAN)

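# Walk the chain from the root down and look for the 'ad' (authenticated
# data) flag at every level; the first level without 'ad' is where the chain
# breaks.  Each flags line is prefixed with the queried name, which the bare
# grep output does not show.
# NB: the last name is std6.os3.site, while the delegation checked above
# used std6.os3.su -- confirm which one is meant.
for name in . su. os3.su. std6.os3.site.; do
  printf '%s: ' "$name"
  dig +dnssec "$name" @VALIDATINGRES | grep '^;; flags'
done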

or Google's validating resolver

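# Same walk against a public validating resolver; 'ad' missing at a level
# means that level does not validate from the outside.  Each flags line is
# prefixed with the queried name so the output can be read without counting.
# NB: std6.os3.site here vs std6.os3.su above -- confirm which one is meant.
for name in . su. os3.su. std6.os3.site.; do
  printf '%s: ' "$name"
  dig +dnssec "$name" @8.8.8.8 | grep '^;; flags'
done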

or, for much more detail, use these online tools

DNSSEC Analyzer https://dnssec-debugger.verisignlabs.com/os3.su

DNSViz http://dnsviz.net/d/os3.su/dnssec/

resources

LDNS Documentation https://www.nlnetlabs.nl/documentation/ldns/

