DNSSEC

Island of trust

generate the KSK (-k, DNSKEY flags 257) and ZSK (flags 256) key pairs; ldns-keygen also writes a .ds file next to the KSK, which is what you hand to the parent zone later. a P-256 key is a fixed 256 bits, hence -b 256 with ECDSAP256SHA256

mkdir ~/certs/
chmod 700 ~/certs/
cd ~/certs/

zone=DOMAIN.TLD
ldns-keygen -h
ldns-keygen -r /dev/urandom -k -a ECDSAP256SHA256 -b 256 $zone
ldns-keygen -r /dev/urandom -a ECDSAP256SHA256 -b 256 $zone

set both to the base names ldns-keygen printed (K$zone.+013+<keytag>, without the .key/.private/.ds suffix), as ldns-signzone wants the base name

KSK=/path/to
ZSK=/path/to

bump the SOA serial before signing, otherwise secondaries that pull the zone by XFR keep serving the old, unsigned data. -n enables NSEC3, -t sets the extra hash iterations and -s the salt in hex; RFC 9276 now recommends 0 iterations and an empty salt, so -t 10 with a random salt is the older, more expensive choice. the signed zone lands in $zone.db.signed by default

SALT=`head -c 512 /dev/urandom | sha1 | cut -b 1-16`        # BSD sha1
#SALT=`head -c 512 /dev/urandom | sha1sum | cut -b 1-16`    # GNU coreutils

ldns-signzone -h
ldns-signzone -n -t 10 -s $SALT /var/chroot/nsd/$zone.db $KSK $ZSK
ll /var/chroot/nsd/$zone.db*

apply

point nsd at the signed file instead of the unsigned one (%s expands to the zone name), check the config, re-read it and reload the zone so the new file is actually served

vi /var/chroot/nsd/nsd.conf

    zonefile: "%s.db.signed"

nsd-checkconf /var/chroot/nsd/nsd.conf
nsd-control reconfig
nsd-control reload $zone
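the whole sign-and-apply step as one script, written here as an added example; it is not the page's sign.ksh nor ldns/NSD code. it assumes a YYYYMMDDnn serial scheme, that ldns and nsd-control are installed, and that the zone name, zone file and the two key base names are passed as arguments. unlike the page it signs with 0 NSEC3 iterations (RFC 9276); the random salt is kept

```shell
#!/bin/sh
# Added example (not the page's sign.ksh): bump the SOA serial, re-sign with NSEC3,
# verify the result and tell NSD to reload. Paths and key base names are assumptions.
set -eu

# Print the current SOA serial: the first all-digit token of the SOA RDATA,
# whether the record sits on one line or is spread over a "( ... )" block.
get_soa_serial() {
    awk '
        !insoa && match($0, /[ \t]SOA[ \t]/) { insoa = 1; $0 = substr($0, RSTART + RLENGTH) }
        insoa { sub(/;.*/, ""); for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+$/) { print $i; exit } }
    ' "$1"
}

# Next YYYYMMDDnn serial. $1 = current serial, $2 = today as YYYYMMDD.
# Falls back to current+1 when the date-based value would not be larger,
# since a serial that does not increase is ignored by secondaries.
next_serial() {
    cur=$1 today=$2
    case $cur in ''|*[!0-9]*) echo "next_serial: bad serial '$cur'" >&2; return 1 ;; esac
    case $cur in
        ${today}[0-9][0-9]) n=${cur#"$today"}; n=$(( ${n#0} + 1 )) ;;   # drop the leading 0 so 08/09 are not read as octal
        *) n=1 ;;
    esac
    [ "$n" -le 99 ] || { echo "next_serial: already 99 edits today" >&2; return 1; }
    new=$today$(printf %02d "$n")
    [ "$new" -gt "$cur" ] || new=$(( cur + 1 ))
    echo "$new"
}

# Replace serial $2 with $3 in zone file $1, touching only the SOA RDATA
# (the TTL in front of "SOA" and anything in comments is left alone).
set_soa_serial() {
    awk -v cur="$2" -v new="$3" '
        !insoa && match($0, /[ \t]SOA[ \t]/) { insoa = 1; off = RSTART + RLENGTH - 1 }
        insoa && !done {
            head = substr($0, 1, off); tail = substr($0, off + 1); off = 0
            c = index(tail, ";"); body = c ? substr(tail, 1, c - 1) : tail; rest = c ? substr(tail, c) : ""
            if (match(body, "(^|[ \t])" cur "([ \t]|$)")) {
                m = substr(body, RSTART, RLENGTH); sub(cur, new, m)
                $0 = head substr(body, 1, RSTART - 1) m substr(body, RSTART + RLENGTH) rest
                done = 1
            }
        }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# $1 = zone, $2 = zone file, $3/$4 = KSK/ZSK base names as printed by ldns-keygen.
sign_zone() {
    zone=$1 zonefile=$2 ksk=$3 zsk=$4
    cur=$(get_soa_serial "$zonefile")
    new=$(next_serial "$cur" "$(date +%Y%m%d)")
    set_soa_serial "$zonefile" "$cur" "$new"
    echo "$zone: serial $cur -> $new"
    # NSEC3 with a random 8-byte salt as on the page, but 0 extra iterations per RFC 9276
    # (which also recommends an empty salt; check with ldns-signzone -h whether your build takes -s '')
    salt=$(od -An -tx1 -N8 /dev/urandom | tr -d ' \n')
    ldns-signzone -n -t 0 -s "$salt" "$zonefile" "$ksk" "$zsk"
    ldns-verify-zone "$zonefile.signed"      # refuse to publish a zone that does not verify
    nsd-control reload "$zone"
}

# usage: sign.sh DOMAIN.TLD /var/chroot/nsd/DOMAIN.TLD.db /path/to/KSK-base /path/to/ZSK-base
if [ $# -eq 4 ]; then sign_zone "$@"; fi
```

the serial helpers are separate functions on purpose: they are the part that silently breaks zone transfers when done by hand, and they can be tested on a copy of the zone file without touching the keys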

Acceptance

dig dnskey $zone @localhost +short
dig $zone @localhost +short +dnssec

querying the authoritative server only shows that the DNSKEY, RRSIG and NSEC3 records are there; it never sets the ad flag. validating the records and the entire chain of trust needs a validating resolver

resolver=x.x.x.x

Chain of trust

hand the DS record of the KSK (the DNSKEY with flags 257) to the parent zone, usually through the registrar's interface. if the parent wants a SHA-256 digest (type 2) and the generated .ds file is not that, ldns-key2ds -n -2 $KSK.key prints one to stdout

cat $KSK.key
cat $KSK.ds

check that the parent now serves the DS record; ask a validating resolver or the parent's nameservers, not your own authoritative server, which does not hold the DS for its own zone

dig +dnssec DS $zone @$resolver

walk the chain from the root down; every reply must carry the ad flag, and the first cut where it is missing is where the chain breaks (os3.su is the zone used as example here)

dig +dnssec . @$resolver | grep '^;; flags'
dig +dnssec su. @$resolver | grep '^;; flags'
dig +dnssec os3.su. @$resolver | grep '^;; flags'
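the same walk for any zone, as an added example that is not part of the page: it derives the cuts from the zone name, runs the dig above at each one and stops at the first reply without ad, then checks the DS itself. the resolver address is an assumption and has to be a validating resolver; the flags line parsed is the one BIND's dig prints

```shell
#!/bin/sh
# Added example (not from the page): walk the chain of trust from the root down to a
# zone and require the 'ad' flag at every cut, as the three dig lines above do by hand.
# The resolver address is an assumption; it must be a validating resolver.
set -eu

# Print the zone cuts from the root down to $1, e.g. "os3.su." -> ". su. os3.su."
ancestors() {
    rest=${1%.}; acc=""; out="."
    while [ -n "$rest" ]; do
        label=${rest##*.}          # right-most label
        acc=$label.$acc            # prepend it to the cut built so far
        out="$out $acc"
        case $rest in *.*) rest=${rest%.*} ;; *) rest="" ;; esac
    done
    echo "$out"
}

# Read a dig reply on stdin; succeed only if the header's flags include 'ad'.
has_ad() {
    awk '
        /^;; flags:/ {
            s = $0; sub(/^;; flags: */, "", s); sub(/;.*/, "", s)   # keep only the flag words
            n = split(s, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ad") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Query each cut; stop at the first one that is not validated.
check_chain() {   # $1 = zone, $2 = validating resolver
    for cut in $(ancestors "$1"); do
        if dig +dnssec "$cut" @"$2" | has_ad; then
            echo "ad  $cut"
        elif [ "$cut" = . ]; then
            echo "no ad for the root: $2 is not validating at all" >&2
            return 1
        else
            echo "no ad at $cut: the chain breaks here (no or wrong DS at the parent, or bad/expired RRSIGs)" >&2
            return 1
        fi
    done
    # the DS for the zone itself must exist and validate as well
    dig +dnssec DS "$1" @"$2" | has_ad || { echo "DS for $1 not validated" >&2; return 1; }
}

# usage: check-chain.sh os3.su. x.x.x.x
if [ $# -eq 2 ]; then check_chain "$@"; fi
```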

you are now ready to go for https://dnsviz.net/ and http://dnssec-debugger.verisignlabs.com/

Automate signing

https://pub.nethence.com/bin/daemons/sign.ksh.sample.txt

Resources

LDNS Documentation https://www.nlnetlabs.nl/documentation/ldns/

DNSSEC Analyzer https://dnssec-debugger.verisignlabs.com/os3.su

DNSViz http://dnsviz.net/d/os3.su/dnssec/


HOME | GUIDES | BENCHMARKS | html