DNSSEC

Island of trust

generate key pairs and some DS to share

mkdir -p ~/certs/
chmod 700 ~/certs/
cd ~/certs/

zone=DOMAIN.TLD
ldns-keygen -a list   # list the signing algorithms this ldns build supports
# KSK
ldns-keygen -a ED25519 -k $zone
#ldns-keygen -r /dev/urandom -a ECDSAP256SHA256 -b 256 -k $zone
#ldns-keygen -r /dev/urandom -a ECDSAP384SHA384 -b 384 -k $zone
# ED448

# ZSK
ldns-keygen -a ED25519 $zone
#ldns-keygen -r /dev/urandom -a ECDSAP256SHA256 -b 256 $zone
# ED25519

sign the zone, and do not forget to update the serial beforehand in case you have XFR friends (secondaries only transfer when the serial grows)

KSK=/path/to/K...
ZSK=/path/to/K...
SALT=`head -c 512 /dev/urandom | sha1sum | cut -b 1-16`
# sha1 on netbsd

ldns-signzone -h
ldns-signzone -n -t 10 -s $SALT /var/chroot/nsd/$zone.db $KSK $ZSK
ls -lF /var/chroot/nsd/etc/$zone.db*

apply

vi /var/chroot/nsd/nsd.conf

    zonefile: "%s.db.signed"

nsd-control reconfig

Chain of trust

provide 257 (KSK) AND 256 (ZSK) with their respective DS records to the parent nameserver

cat $KSK.key
cat $KSK.ds

check that the two DS records have been populated

dig DS $zone

# the "ad" flag in the answer means the resolver validated it; walk down the chain from the root
dig +dnssec . @$resolver | grep '^;; flags'
dig +dnssec su. @$resolver | grep '^;; flags'
dig +dnssec os3.su. @$resolver | grep '^;; flags'

Acceptance

you need a validating resolver to validate the DNSSEC records and the entire chain of trust

resolver=x.x.x.x

island-of-trust acceptance

check for public keys

host -t dnskey $zone $resolver
dig dnskey $zone @$resolver +short

attempt to verify an RRSIG

host -v $zone $resolver
dig $zone @$resolver +dnssec

chain-of-trust

finally proceed with online checking

https://dnssec-analyzer.verisignlabs.com/

https://dnsviz.net/

Automated signatures

https://pub.nethence.com/bin/daemons/sign.ksh.txt

and here is what sign.conf should look like.

if [[ $zone = nethence.com ]]; then
    KSK=Knethence.com.+xxx+xxxxx
    ZSK=Knethence.com.+xxx+xxxxx
elif [[ $zone = os3.su ]]; then
    KSK=Kos3.su.+xxx+xxxxx
    ZSK=Kos3.su.+xxx+xxxxx
else
    echo UNSUPPORTED ZONE: $zone
    exit 1
fi

RRSIGs are valid one month… do not forget to put this auto-sign script in a weekly cron job.

vi /etc/cron.weekly/WEEKLY

echo RE-SIGNING DNS ZONES
# CWD is already /root/
for zone in nethence.com os3.su; do
    ./sign.ksh $zone.db
done; unset zone
echo
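An added example (not the page's sign.ksh, which is only linked above): a POSIX sh re-sign helper that bumps a YYYYMMDDnn serial before running the ldns-signzone invocation from the signing step, refuses to reload NSD when ldns-verify-zone rejects the result, and is meant for the weekly cron job. ZONEDIR, KEYDIR and the "; serial" comment convention in the zone file are assumptions.

```shell
#!/bin/sh
# Added example, not the page's sign.ksh: bump the SOA serial, then sign,
# verify and reload. Paths and the "; serial" convention are assumptions.
ZONEDIR=${ZONEDIR:-/var/chroot/nsd}   # where NSD reads $zone.db (assumed)
KEYDIR=${KEYDIR:-$HOME/certs}         # where ldns-keygen wrote the K* files

# next_serial OLD TODAY: print the next YYYYMMDDnn serial.
# Same day -> nn+1; new day -> today00; an OLD that is already bigger
# (e.g. a unix-time serial) is just incremented so the serial never goes
# backwards, which is what secondaries compare (RFC 1982 arithmetic).
next_serial() {
    old=${1:-0} today=$2
    case $old in
        "$today"[0-9][0-9])
            n=${old#"$today"}; n=${n#0}               # strip a leading zero: "08" -> "8"
            printf '%s%02d\n' "$today" $((n + 1)) ;;  # nn=99 would overflow; unlikely weekly
        *)
            if [ "$old" -ge "${today}00" ]; then echo $((old + 1)); else echo "${today}00"; fi ;;
    esac
}

# bump_serial ZONEFILE TODAY: rewrite the serial in place and print it.
# Assumes the serial is the first field of a line commented "; serial".
bump_serial() {
    file=$1 today=$2
    old=$(awk '/; *serial/ { print $1; exit }' "$file")
    [ -n "$old" ] || { echo "no '; serial' line in $file" >&2; return 1; }
    new=$(next_serial "$old" "$today")
    awk -v o="$old" -v n="$new" '/; *serial/ && !done { sub(o, n); done = 1 } { print }' \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"   # portable in-place edit
    echo "$new"
}

# sign_zone ZONE KSK ZSK: the page's ldns-signzone invocation (NSEC3, 10
# iterations, fresh salt), then an offline check before NSD reloads the zone.
sign_zone() {
    zone=$1 ksk=$2 zsk=$3
    bump_serial "$ZONEDIR/$zone.db" "$(date -u +%Y%m%d)" >/dev/null || return 1
    salt=$(head -c 512 /dev/urandom | sha1sum | cut -b 1-16)   # sha1 on NetBSD
    ldns-signzone -n -t 10 -s "$salt" "$ZONEDIR/$zone.db" "$KEYDIR/$ksk" "$KEYDIR/$zsk" &&
    ldns-verify-zone "$ZONEDIR/$zone.db.signed" &&   # never load a broken signed zone
    nsd-control reload "$zone"
}

# usage: ./sign.sh ZONE KSK-basename ZSK-basename
if [ $# -eq 3 ]; then sign_zone "$@"; fi
```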

Note that Knot and BIND have built-in automated re-signing, so this cron job is only needed with a plain NSD + ldns setup.

Resources

LDNS Documentation https://www.nlnetlabs.nl/documentation/ldns/

DNSSEC Analyzer https://dnssec-debugger.verisignlabs.com/os3.su

DNSViz http://dnsviz.net/d/os3.su/dnssec/

Domain Name System Security Extensions https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions

tutorials

Dnssec howto with NSD and ldns https://www.whyscream.net/wiki/Dnssec_howto_with_NSD_and_ldns.md

How To Set Up DNSSEC on an NSD Nameserver on Ubuntu 14.04 https://www.digitalocean.com/community/tutorials/how-to-set-up-dnssec-on-an-nsd-nameserver-on-ubuntu-14-04

A Minimum Complete Tutorial of DNSSEC https://metebalci.com/blog/a-minimum-complete-tutorial-of-dnssec/

algos

ldns 1.7.1 released https://www.nlnetlabs.nl/news/2019/Jul/26/ldns-1.7.1-released/

EdDSA https://en.wikipedia.org/wiki/EdDSA

Curve448 https://en.wikipedia.org/wiki/Curve448

Curve25519 https://en.wikipedia.org/wiki/Curve25519

choosing safe curves for elliptic-curve cryptography https://safecurves.cr.yp.to/

one month valid RRSIGs

[Pdns-users] RRSIG expired? https://mailman.powerdns.com/pipermail/pdns-users/2017-April/024793.html

Is it required to keep DNSSEC zone fresh? https://serverfault.com/questions/662187/is-it-required-to-keep-dnssec-zone-fresh

Sign Your Zone https://dnssec-tools.org/wiki/Sign_Your_Zone.html

Deploying DNSSEC: what, how and where https://www.afnic.fr/medias/documents/DNSSEC/afnic-dnssec-howto-en-v3.pdf

key rollover

ZSK Rollover Recipe https://dnsinstitute.com/documentation/dnssec-guide/ch07s02.html#recipes-zsk-rollover

KSK Rollover Recipe https://dnsinstitute.com/documentation/dnssec-guide/ch07s02.html#recipes-ksk-rollover

ZSK Rollover Methods https://dnsinstitute.com/documentation/dnssec-guide/ch06s04.html#zsk-rollover-methods

KSK Rollover Methods https://dnsinstitute.com/documentation/dnssec-guide/ch06s04.html#ksk-rollover-methods

DNSSEC Guide : Chapter 6. Advanced Discussions https://dnsinstitute.com/documentation/dnssec-guide/ch06.html

ds record

Delegation Signer (DS) Resource Record (RR) https://tools.ietf.org/html/rfc3658#section-2.1

How To Secure And Sign Your Domain With DNSSEC Using Domain Registrars https://www.internetsociety.org/deploy360/dnssec/registrars/

Step-By-Step: How To Use a DNSSEC DS Record to Link a Registar To A DNS Hosting Provider https://www.internetsociety.org/resources/deploy360/2012/step-by-step-how-to-use-a-dnssec-ds-record-to-link-a-registar-to-a-dns-hosting-provider-4/
