Setup DNSSEC with NSD


Island of trust

generate the key pairs, and the DS records you will hand to the parent zone

zone=DOMAIN.TLD
ldns-keygen -a list

mkdir -p /etc/nsd/dnssec/
chmod 700 /etc/nsd/dnssec/
cd /etc/nsd/dnssec/

YOU NEED TO USE THE SAME ALGORITHM FOR BOTH KSK AND ZSK (unless you want to double-sign every record)

# 257 (KSK)
#ldns-keygen -k -a ED25519 $zone
ldns-keygen -k -a ECDSAP256SHA256 -b 256 $zone > this_is_ksk_257-for-$zone
#ldns-keygen -k -a ECDSAP384SHA384 -b 384 $zone

# 256 (ZSK)
#ldns-keygen -a ED25519 $zone
ldns-keygen -a ECDSAP256SHA256 -b 256 $zone > this_is_zsk_256-for-$zone

# ED448 is also available (see ldns-keygen -a list)
# -r /dev/urandom selects the random device if /dev/random blocks

chmod 400 *

sign the zone, and do not forget to bump the SOA serial beforehand if you have secondaries pulling the zone over XFR

# the files written above hold the key basenames ldns-keygen printed
KSK=/etc/nsd/dnssec/$(cat this_is_ksk_257-for-$zone)
ZSK=/etc/nsd/dnssec/$(cat this_is_zsk_256-for-$zone)
SALT=$(head -c 512 /dev/urandom | sha1sum | cut -b 1-16)
# on NetBSD the tool is sha1 instead of sha1sum

ldns-signzone -h

# -n NSEC3, -t iterations, -s salt; writes /etc/nsd/$zone.db.signed next to the zonefile
ldns-signzone -n -t 10 -s $SALT /etc/nsd/$zone.db $KSK $ZSK
ls -lF /etc/nsd/$zone.db*

# chroot variant
#ldns-signzone -n -t 10 -s $SALT /var/chroot/nsd/$zone.db $KSK $ZSK
#ls -lF /var/chroot/nsd/$zone.db*

apply

#vi /var/chroot/nsd/nsd.conf
vi /etc/nsd/nsd.conf

    zonefile: "%s.db.signed"

nsd-control reconfig

Chain of trust

provide the 257 (KSK) AND 256 (ZSK) public keys, with their respective DS records, to the parent nameserver

cat $KSK.key
cat $KSK.ds

check that the two DS records have been published by the parent, then that the chain validates top-down (look for the ad flag)

dig DS $zone

dig +dnssec . @$resolver | grep '^;; flags'
dig +dnssec su. @$resolver | grep '^;; flags'
dig +dnssec os3.su. @$resolver | grep '^;; flags'

Acceptance

you need a validating resolver to validate the dnssec records and the entire chain of trust

resolver=x.x.x.x

island-of-trust acceptance

check for public keys

host -t dnskey $zone $resolver
dig dnskey $zone @$resolver +short

attempt to verify an RRSIG

host -v $zone $resolver
dig $zone @$resolver +dnssec
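The two dig checks above are meant to be read by eye. As an added example (not part of the original page), the script below parses dig +dnssec output and tells a validated answer (ad flag plus RRSIG) from a signed-but-unvalidated, an unsigned, or a bogus one; the sample answer for DOMAIN.TLD is constructed inline, and ask_zone is a hypothetical wrapper around the same dig call.

```shell
#!/bin/sh
# Added example (not from the page): classify `dig +dnssec` output so the
# acceptance checks above can be scripted instead of read by eye.
set -eu

# Read dig output on stdin, print one word and return 0 only for "secure":
#   secure    ad flag set and an RRSIG present: the resolver validated the answer
#   insecure  RRSIG present but no ad flag: resolver not validating, or chain broken
#   unsigned  no RRSIG at all: zone unsigned, or the query lacked +dnssec
#   bogus     SERVFAIL, which is what a validating resolver returns on failed validation
check_dnssec() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p')
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p')
    rrsig=$(printf '%s\n' "$out" | awk '!/^;/ && $4 == "RRSIG" { print "y"; exit }')
    case " $flags " in *" ad "*) ad=y ;; *) ad= ;; esac
    if [ "$status" = SERVFAIL ]; then echo bogus; return 1; fi
    if [ -z "$rrsig" ]; then echo unsigned; return 1; fi
    if [ -z "$ad" ]; then echo insecure; return 1; fi
    echo secure
}

# Live check with the page's variables: ask_zone "$zone" "$resolver" [TYPE]
ask_zone() { dig "$1" "@$2" "${3:-SOA}" +dnssec | check_dnssec; }

# Constructed, abbreviated dig answer for DOMAIN.TLD; $1 is the flags field.
sample_dig() {
    printf '%s\n' \
      ';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242' \
      ";; flags: $1; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1" \
      '; EDNS: version: 0, flags: do; udp: 1232' \
      ';; ANSWER SECTION:' \
      'DOMAIN.TLD. 3600 IN SOA ns1.DOMAIN.TLD. hostmaster.DOMAIN.TLD. 2024050101 3600 900 1209600 3600' \
      'DOMAIN.TLD. 3600 IN RRSIG SOA 13 2 3600 20240601000000 20240501000000 12345 DOMAIN.TLD. c29tZS1iYXNlNjQ='
}

sample_dig 'qr rd ra ad' | check_dnssec                    # secure
sample_dig 'qr rd ra' | check_dnssec || echo "not validated by this resolver"
```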

chain-of-trust

finally proceed with online checking

https://dnssec-analyzer.verisignlabs.com/

https://dnsviz.net/

Automated signatures

Place the following script in /etc/nsd/

https://pub.nethence.com/bin/daemons/sign.ksh

and define confdir or chroot

RRSIGs are valid for one month, so do not forget to run this auto-sign script from a weekly cron job. Note that BIND and Knot have a built-in tool for that.
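A re-sign helper in the spirit of the weekly cron job described above and of the manual serial bump from the signing step; it is an added example and not the page's sign.ksh. next_serial advances a YYYYMMDDnn SOA serial without ever going backwards, and resign_zone is a hypothetical wrapper that assumes ldns-read-zone accepts -S to set the serial (ldns 1.7), the ldns-signzone options used above, and the this_is_ksk_257-for-$zone / this_is_zsk_256-for-$zone files created earlier.

```shell
#!/bin/sh
# Added example of a weekly re-sign helper for the setup above. It is not the
# page's sign.ksh and assumes ldns-read-zone, ldns-signzone and nsd-control on
# PATH, plus the this_is_ksk_257-for-$zone / this_is_zsk_256-for-$zone files.
set -eu

# Next SOA serial in YYYYMMDDnn form. $2 overrides "today" (used by tests).
next_serial() {
    cur=$1
    today=${2:-$(date -u +%Y%m%d)}
    day=${cur%??}                      # date part of the current serial
    n=${cur#"$day"}; n=${n#0}          # counter, "07" -> "7" (no octal surprises)
    if [ "$day" = "$today" ] && [ "$n" -lt 99 ]; then
        cand=$(printf '%s%02d' "$today" $((n + 1)))
    else
        cand=${today}01
    fi
    # never move the serial backwards (e.g. a large non-date serial): plain +1
    if [ "$cand" -gt "$cur" ]; then echo "$cand"; else echo $((cur + 1)); fi
}

# Bump the serial in the unsigned zonefile, sign with NSEC3 and a fresh salt
# (same ldns-signzone options as above) and ask NSD to reload the zone.
resign_zone() {
    zone=$1
    confdir=${confdir:-/etc/nsd}       # or the chroot, e.g. /var/chroot/nsd
    keydir=$confdir/dnssec
    zonefile=$confdir/$zone.db
    ksk=$keydir/$(cat "$keydir/this_is_ksk_257-for-$zone")
    zsk=$keydir/$(cat "$keydir/this_is_zsk_256-for-$zone")

    cur=$(ldns-read-zone "$zonefile" | awk '$4 == "SOA" { print $7; exit }')
    new=$(next_serial "$cur")
    ldns-read-zone -S "$new" "$zonefile" > "$zonefile.tmp"   # -S: set the serial (assumed, ldns 1.7)
    mv "$zonefile.tmp" "$zonefile"

    salt=$(head -c 512 /dev/urandom | sha1sum | cut -b 1-16)  # sha1 on NetBSD
    ldns-signzone -n -t 10 -s "$salt" "$zonefile" "$ksk" "$zsk"  # -> $zonefile.signed
    nsd-control reload "$zone"
    echo "$zone: serial $cur -> $new"
}

# weekly cron entry, e.g.: confdir=/etc/nsd /etc/nsd/resign.sh DOMAIN.TLD
if [ $# -gt 0 ]; then resign_zone "$1"; fi
```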

Resources

LDNS Documentation https://www.nlnetlabs.nl/documentation/ldns/

DNSSEC Analyzer https://dnssec-debugger.verisignlabs.com/nethence.com

DNSViz http://dnsviz.net/d/nethence.com/dnssec/

Domain Name System Security Extensions https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions

tutorials

Dnssec howto with NSD and ldns https://www.whyscream.net/wiki/Dnssec_howto_with_NSD_and_ldns.md

How To Set Up DNSSEC on an NSD Nameserver on Ubuntu 14.04 https://www.digitalocean.com/community/tutorials/how-to-set-up-dnssec-on-an-nsd-nameserver-on-ubuntu-14-04

A Minimum Complete Tutorial of DNSSEC https://metebalci.com/blog/a-minimum-complete-tutorial-of-dnssec/

algos

ldns 1.7.1 released https://www.nlnetlabs.nl/news/2019/Jul/26/ldns-1.7.1-released/

EdDSA https://en.wikipedia.org/wiki/EdDSA

Curve448 https://en.wikipedia.org/wiki/Curve448

Curve25519 https://en.wikipedia.org/wiki/Curve25519

choosing safe curves for elliptic-curve cryptography https://safecurves.cr.yp.to/

one month valid RRSIGs

[Pdns-users] RRSIG expired? https://mailman.powerdns.com/pipermail/pdns-users/2017-April/024793.html

Is it required to keep DNSSEC zone fresh? https://serverfault.com/questions/662187/is-it-required-to-keep-dnssec-zone-fresh

Sign Your Zone https://dnssec-tools.org/wiki/Sign_Your_Zone.html

Deploying DNSSEC: what, how and where https://www.afnic.fr/medias/documents/DNSSEC/afnic-dnssec-howto-en-v3.pdf

key rollover

ZSK Rollover Recipe https://dnsinstitute.com/documentation/dnssec-guide/ch07s02.html#recipes-zsk-rollover

KSK Rollover Recipe https://dnsinstitute.com/documentation/dnssec-guide/ch07s02.html#recipes-ksk-rollover

ZSK Rollover Methods https://dnsinstitute.com/documentation/dnssec-guide/ch06s04.html#zsk-rollover-methods

KSK Rollover Methods https://dnsinstitute.com/documentation/dnssec-guide/ch06s04.html#ksk-rollover-methods

DNSSEC Guide : Chapter 6. Advanced Discussions https://dnsinstitute.com/documentation/dnssec-guide/ch06.html

ds record

Delegation Signer (DS) Resource Record (RR) https://tools.ietf.org/html/rfc3658#section-2.1

How To Secure And Sign Your Domain With DNSSEC Using Domain Registrars https://www.internetsociety.org/deploy360/dnssec/registrars/

Step-By-Step: How To Use a DNSSEC DS Record to Link a Registar To A DNS Hosting Provider https://www.internetsociety.org/resources/deploy360/2012/step-by-step-how-to-use-a-dnssec-ds-record-to-link-a-registar-to-a-dns-hosting-provider-4/

hook gandi

https://codeberg.org/jthvai/dehydrated-gandi

https://github.com/jthvai/dehydrated-gandi

https://github.com/jthvai/dehydrated-gandi/blob/master/hook.sh


Copyright © 2024 Pierre-Philipp Braun