DNSSec: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
No edit summary |
||
| Line 16: | Line 16: | ||
Upload public KSK ZSK [https://www.gandi.net/admin/domain/dnssec/5104640] | Upload public KSK ZSK [https://www.gandi.net/admin/domain/dnssec/5104640] | ||
host -tDNSKEY $ZONE | host -tDNSKEY $ZONE | ||
Or alternatively use: | |||
pdnssec show-zone -v $ZONE | |||
Zone is not presigned | |||
Zone has hashed NSEC3 semantics, configuration: 1 0 10 db7fcd8a | |||
keys: | |||
ID = 9 (KSK), tag = 28394, algo = 8, bits = 2048 Active: 1 ( RSASHA256 ) | |||
KSK DNSKEY = jan-riechers.de IN DNSKEY 257 3 8 AwEAAeEIULkj4vOsQ9nIaY4CR752p/OoCeBcdTcuNS2oUSWoKeQqMMmdFpqbPN3hc/ujEPa+SpbtN5ETNPECBac9udTwMVqjwkkh6ICrvq2tbsZT5ZgJUm1RRy7QF8Tr6LRiO/D2t/BkagfJbWN14AexjZJI6COxMF11/9WDtYDWd7cKMeEDBMrIvmzX2n/jRG3KURVgeOWIMWs3o+AkQvDF04yQmvkY/mmJMagXnvlUnplh8HOwbcAg0f6FfWtGtX3te/wztW8faUzEfuTez++xizZGv3zngIi6M9XFkebfuPIieHTv7AcoZXA2xSteX+Ddr8+mxvCSyXx5k8j4IUSXnY8= ; ( RSASHA256 ) | |||
DS = jan-riechers.de IN DS 28394 8 1 dfa8d8c35c5af1dbb192aba146d3274f756213e9 ; ( SHA1 digest ) | |||
DS = jan-riechers.de IN DS 28394 8 2 fa266f2dd3ff5f62712e9b44409b118662437d45e35bb1eb479cc47ca15dee3e ; ( SHA256 digest ) | |||
DS = jan-riechers.de IN DS 28394 8 3 8b830659d1b26dd0daadba31e60ec4dc4a897bc6509261829739282543e9a302 ; ( GOST R 34.11-94 digest ) | |||
DS = jan-riechers.de IN DS 28394 8 4 fffa309489dbc02dd7bfa8778b052140231555f0e4878f6c0f42e87abfa107b8649454bbad6f8f63c7e1a756ce8ccb0e ; ( SHA-384 digest ) | |||
ID = 8 (ZSK), tag = 51729, algo = 8, bits = 1024 Active: 1 ( RSASHA256 ) | |||
ZSK DNSKEY = jan-riechers.de IN DNSKEY 256 3 8 AwEAAaXGpzGDhUeFLH5xsVoswIsIfY7+ulz9xPLGkk3Eb9aBDtOE2eom7SPYLVnOy6ERrO7xokn3jEbZazkkYFGAdK+vVCP/cniphbLHZ9lOOYcQEJAO/BXq6becX23Vf4sgGNJTuooLQOLrf9gEpq45cC8Ql+S4ik2AGh2rTqAMpqPt ; ( RSASHA256 ) | |||
DS = jan-riechers.de IN DS 51729 8 1 2eb7292556df740fc6c54b85e91d23a782f207b9 ; ( SHA1 digest ) | |||
DS = jan-riechers.de IN DS 51729 8 2 8fb689fb906d70540acb7684c1fc3f1315820e88fe0f5738a342773faf887aff ; ( SHA256 digest ) | |||
DS = jan-riechers.de IN DS 51729 8 3 3eedef52bc7fd2407b0a9ea3d21c81694b693c24a3500f60f1940869e11d83f6 ; ( GOST R 34.11-94 digest ) | |||
DS = jan-riechers.de IN DS 51729 8 4 a435e93d78ce0312dfedef29df3f9380780bb3aa5c101eaf01034f11269ca319238aecdd017cb156c366229621e0ab17 ; ( SHA-384 digest ) | |||
Check if it worked [http://dnsviz.net/d/conti.work/analyze/] or here [http://dnssec-debugger.verisignlabs.com/conti.work] | Check if it worked [http://dnsviz.net/d/conti.work/analyze/] or here [http://dnssec-debugger.verisignlabs.com/conti.work] | ||
Revision as of 10:18, 8 January 2016
How to setup DNSSEC with powerdns:
- Add dnssec to pdns.conf:
gpgsql-dnssec=yes
export ZONE=conti.work sudo pdnssec add-zone-key $ZONE zsk 1024 active rsasha256 sudo pdnssec add-zone-key $ZONE ksk 2048 active rsasha256
Set nsec3 parameter [1]
sudo pdnssec set-nsec3 $ZONE '1 0 10 db7fcd8a'
sudo pdnssec secure-zone $ZONE sudo pdnssec rectify-zone $ZONE
Upload public KSK ZSK [2]
host -tDNSKEY $ZONE
Or alternatively use:
pdnssec show-zone -v $ZONE
Zone is not presigned
Zone has hashed NSEC3 semantics, configuration: 1 0 10 db7fcd8a
keys:
ID = 9 (KSK), tag = 28394, algo = 8, bits = 2048 Active: 1 ( RSASHA256 )
KSK DNSKEY = jan-riechers.de IN DNSKEY 257 3 8 AwEAAeEIULkj4vOsQ9nIaY4CR752p/OoCeBcdTcuNS2oUSWoKeQqMMmdFpqbPN3hc/ujEPa+SpbtN5ETNPECBac9udTwMVqjwkkh6ICrvq2tbsZT5ZgJUm1RRy7QF8Tr6LRiO/D2t/BkagfJbWN14AexjZJI6COxMF11/9WDtYDWd7cKMeEDBMrIvmzX2n/jRG3KURVgeOWIMWs3o+AkQvDF04yQmvkY/mmJMagXnvlUnplh8HOwbcAg0f6FfWtGtX3te/wztW8faUzEfuTez++xizZGv3zngIi6M9XFkebfuPIieHTv7AcoZXA2xSteX+Ddr8+mxvCSyXx5k8j4IUSXnY8= ; ( RSASHA256 )
DS = jan-riechers.de IN DS 28394 8 1 dfa8d8c35c5af1dbb192aba146d3274f756213e9 ; ( SHA1 digest )
DS = jan-riechers.de IN DS 28394 8 2 fa266f2dd3ff5f62712e9b44409b118662437d45e35bb1eb479cc47ca15dee3e ; ( SHA256 digest )
DS = jan-riechers.de IN DS 28394 8 3 8b830659d1b26dd0daadba31e60ec4dc4a897bc6509261829739282543e9a302 ; ( GOST R 34.11-94 digest )
DS = jan-riechers.de IN DS 28394 8 4 fffa309489dbc02dd7bfa8778b052140231555f0e4878f6c0f42e87abfa107b8649454bbad6f8f63c7e1a756ce8ccb0e ; ( SHA-384 digest )
ID = 8 (ZSK), tag = 51729, algo = 8, bits = 1024 Active: 1 ( RSASHA256 ) ZSK DNSKEY = jan-riechers.de IN DNSKEY 256 3 8 AwEAAaXGpzGDhUeFLH5xsVoswIsIfY7+ulz9xPLGkk3Eb9aBDtOE2eom7SPYLVnOy6ERrO7xokn3jEbZazkkYFGAdK+vVCP/cniphbLHZ9lOOYcQEJAO/BXq6becX23Vf4sgGNJTuooLQOLrf9gEpq45cC8Ql+S4ik2AGh2rTqAMpqPt ; ( RSASHA256 ) DS = jan-riechers.de IN DS 51729 8 1 2eb7292556df740fc6c54b85e91d23a782f207b9 ; ( SHA1 digest ) DS = jan-riechers.de IN DS 51729 8 2 8fb689fb906d70540acb7684c1fc3f1315820e88fe0f5738a342773faf887aff ; ( SHA256 digest ) DS = jan-riechers.de IN DS 51729 8 3 3eedef52bc7fd2407b0a9ea3d21c81694b693c24a3500f60f1940869e11d83f6 ; ( GOST R 34.11-94 digest ) DS = jan-riechers.de IN DS 51729 8 4 a435e93d78ce0312dfedef29df3f9380780bb3aa5c101eaf01034f11269ca319238aecdd017cb156c366229621e0ab17 ; ( SHA-384 digest )
Check if it worked [3] or here [4]
Adding DANE/TLSA record for mail server certificate verification or use this instead [6]
openssl x509 -in /etc/ssl/certs/ssl-mail.pem -outform DER | openssl sha256
Add TLSA record to DNS:
_25._tcp.conti.work. IN TLSA 3 0 1 9bcd8c83d61e414bd5d935545637a2a98d3f38aaaf5ff9af415ddc574e28ae80
Verify with [9]