DNSSec
How to set up DNSSEC with PowerDNS:

* Enable DNSSEC in pdns.conf:
<pre>
gpgsql-dnssec=yes
</pre>
* Create the zone keys:
<pre>
export ZONE=conti.work
sudo pdnsutil add-zone-key $ZONE zsk 1024 active rsasha256   # not really necessary
sudo pdnsutil add-zone-key $ZONE ksk 2048 active rsasha256   # not really necessary
</pre>
* Set the NSEC3 parameters [https://deepthought.isc.org/article/AA-00711/0/In-line-Signing-With-NSEC3-in-BIND-9.9-A-Walk-through.html], secure the zone and rectify it:
<pre>
sudo pdnsutil set-nsec3 $ZONE '1 0 10 db7fcd8a'   # the salt is a random 32-bit number
sudo pdnsutil secure-zone $ZONE
sudo pdnsutil rectify-zone $ZONE
</pre>
* Upload the public KSK and ZSK to the registrar [https://www.gandi.net/admin/domain/dnssec/5104640]. The keys can be listed with:
<pre>
host -t DNSKEY $ZONE
</pre>
Or alternatively use:
<pre>
pdnsutil show-zone -v $ZONE
Zone is not presigned
Zone has hashed NSEC3 semantics, configuration: 1 0 10 db7fcd8a
keys:
ID = 9 (KSK), tag = 28394, algo = 8, bits = 2048  Active: 1 ( RSASHA256 )
KSK DNSKEY = jan-riechers.de IN DNSKEY 257 3 8 AwEAAeEIULkj4vOsQ9nIaY4CR752p/OoCeBcdTcuNS2oUSWoKeQqMMmdFpqbPN3hc/ujEPa+SpbtN5ETNPECBac9udTwMVqjwkkh6ICrvq2tbsZT5ZgJUm1RRy7QF8Tr6LRiO/D2t/BkagfJbWN14AexjZJI6COxMF11/9WDtYDWd7cKMeEDBMrIvmzX2n/jRG3KURVgeOWIMWs3o+AkQvDF04yQmvkY/mmJMagXnvlUnplh8HOwbcAg0f6FfWtGtX3te/wztW8faUzEfuTez++xizZGv3zngIi6M9XFkebfuPIieHTv7AcoZXA2xSteX+Ddr8+mxvCSyXx5k8j4IUSXnY8= ; ( RSASHA256 )
DS = jan-riechers.de IN DS 28394 8 1 dfa8d8c35c5af1dbb192aba146d3274f756213e9 ; ( SHA1 digest )
DS = jan-riechers.de IN DS 28394 8 2 fa266f2dd3ff5f62712e9b44409b118662437d45e35bb1eb479cc47ca15dee3e ; ( SHA256 digest )
DS = jan-riechers.de IN DS 28394 8 3 8b830659d1b26dd0daadba31e60ec4dc4a897bc6509261829739282543e9a302 ; ( GOST R 34.11-94 digest )
DS = jan-riechers.de IN DS 28394 8 4 fffa309489dbc02dd7bfa8778b052140231555f0e4878f6c0f42e87abfa107b8649454bbad6f8f63c7e1a756ce8ccb0e ; ( SHA-384 digest )
ID = 8 (ZSK), tag = 51729, algo = 8, bits = 1024  Active: 1 ( RSASHA256 )
ZSK DNSKEY = jan-riechers.de IN DNSKEY 256 3 8 AwEAAaXGpzGDhUeFLH5xsVoswIsIfY7+ulz9xPLGkk3Eb9aBDtOE2eom7SPYLVnOy6ERrO7xokn3jEbZazkkYFGAdK+vVCP/cniphbLHZ9lOOYcQEJAO/BXq6becX23Vf4sgGNJTuooLQOLrf9gEpq45cC8Ql+S4ik2AGh2rTqAMpqPt ; ( RSASHA256 )
DS = jan-riechers.de IN DS 51729 8 1 2eb7292556df740fc6c54b85e91d23a782f207b9 ; ( SHA1 digest )
DS = jan-riechers.de IN DS 51729 8 2 8fb689fb906d70540acb7684c1fc3f1315820e88fe0f5738a342773faf887aff ; ( SHA256 digest )
DS = jan-riechers.de IN DS 51729 8 3 3eedef52bc7fd2407b0a9ea3d21c81694b693c24a3500f60f1940869e11d83f6 ; ( GOST R 34.11-94 digest )
DS = jan-riechers.de IN DS 51729 8 4 a435e93d78ce0312dfedef29df3f9380780bb3aa5c101eaf01034f11269ca319238aecdd017cb156c366229621e0ab17 ; ( SHA-384 digest )
</pre>
* Check whether it worked with DNSViz [http://dnsviz.net/d/conti.work/analyze/] or with the Verisign debugger [http://dnssec-debugger.verisignlabs.com/conti.work]. PowerDNS documentation: [https://doc.powerdns.com/md/authoritative/dnssec/]

To renew the certificate, run on mail:
<pre>
certbot --dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/dns-rfc2136.ini renew
</pre>

Adding a DANE/TLSA record for mail server certificate verification (or use this generator instead: [https://www.huque.com/bin/gen_tlsa]). Hash the full certificate (selector 0, matching type SHA-256):
<pre>
openssl x509 -in /etc/letsencrypt/live/mail3.conti.work/cert.pem -outform DER | openssl sha256
</pre>
Add the TLSA record to DNS:
<pre>
_25._tcp.conti.work. IN TLSA 3 0 1 9bcd8c83d61e414bd5d935545637a2a98d3f38aaaf5ff9af415ddc574e28ae80
</pre>
<pre>
pdnsutil edit-zone jans.space
</pre>
Alternative with just the public key (selector 1):
<pre>
openssl s_client -showcerts -servername mail3.r-jan.de -connect mail3.r-jan.de:443 </dev/null 2>/dev/null | \
awk 'BEGIN { x=0;} /-----BEGIN CERTIFICATE-----/ { x++; } (x==1) {print;} /-----END CERTIFICATE-----/ {x++;}' | \
openssl x509 -noout -pubkey | openssl pkey -pubin -outform DER | openssl sha256
</pre>
{| class="wikitable"
|_25._tcp.mail3 IN TLSA 3 1 1 0bbc34a70d015e83306ed3cdb6534e5e570cbdb4eec6af5585399ea499ab7c3a
|}
Howto: [https://sys4.de/de/blog/2014/05/24/einen-tlsa-record-fuer-dane-mit-bind-9-publizieren/#den-tlsa-record-erstellen] and [http://www.internetsociety.org/deploy360/resources/dane/]. Verify with [http://www.internetsociety.org/deploy360/blog/2014/02/nist-offers-new-tool-to-verify-tlsa-records-for-dane-dnssec/].

For dynamic updates, set up the zone with ALLOW-DNSUPDATE-FROM:
<pre>
pdnsutil set-meta $ZONE ALLOW-DNSUPDATE-FROM 172.16.0.0/15
pdnsutil set-meta $ZONE TSIG-ALLOW-DNSUPDATE dyndns
</pre>
or directly in the database:
<pre>
select id from domains where name='conti.work';
-- returns: 8
insert into domainmetadata (domain_id, kind, content) values (8, 'ALLOW-DNSUPDATE-FROM', '172.16.0.0/16');
insert into domainmetadata (domain_id, kind, content) values (8, 'TSIG-ALLOW-DNSUPDATE', 'dyndns');
</pre>
Documentation: [https://doc.powerdns.com/md/authoritative/dnsupdate/]

To notify slaves use:
<pre>
sudo pdnsutil set-meta r-jan.de ALSO-NOTIFY 185.181.104.96
</pre>