DNSSec
Latest revision as of 07:45, 9 January 2026
How to set up DNSSEC with PowerDNS:
- Enable DNSSEC processing in the backend by adding the backend's dnssec switch to pdns.conf (this setup uses the PostgreSQL backend, hence the gpgsql- prefix):
gpgsql-dnssec=yes
export ZONE=conti.work
sudo pdnsutil add-zone-key $ZONE zsk 1024 active rsasha256 #not really necessary
sudo pdnsutil add-zone-key $ZONE ksk 2048 active rsasha256 #not really necessary
Creating the keys by hand is optional because secure-zone (below) generates a key set itself when the zone has none. If you do choose the keys yourself, avoid a 1024-bit RSA ZSK: it offers only about 80 bits of security and is no longer recommended. An ECDSA P-256 key (algorithm 13, the default KSK algorithm in recent PowerDNS releases) gives smaller signatures and smaller responses.
Set the NSEC3 parameters [https://deepthought.isc.org/article/AA-00711/0/In-line-Signing-With-NSEC3-in-BIND-9.9-A-Walk-through.html]: hash algorithm 1 (SHA-1, the only one defined), flags 0 (no opt-out), 10 extra hash iterations and a 4-byte random salt. NSEC3 hashes the owner names in denial-of-existence records so the zone cannot simply be walked. RFC 9276 now recommends 0 extra iterations and an empty salt, since iterations only add load on validating resolvers without adding security.
sudo pdnsutil set-nsec3 $ZONE '1 0 10 db7fcd8a' #random 32bit number
sudo pdnsutil secure-zone $ZONE
sudo pdnsutil rectify-zone $ZONE
secure-zone turns signing on for the zone (and creates keys if there are none); rectify-zone fills in the ordername/auth columns the backend needs for NSEC3 ordering and can always be rerun safely, for example after records were changed directly in the database.
Upload the public KSK to the registrar [https://www.gandi.net/admin/domain/dnssec/5104640], either as the DNSKEY record or as the DS digest derived from it. Only the KSK has to go to the parent zone; the ZSK stays inside the zone and is vouched for by the KSK. The DNSKEY records can be read with:
host -tDNSKEY $ZONE
Or alternatively use pdnsutil, which also prints the DS records in every digest type (the output below is example output from a different zone, jan-riechers.de). Submit the DS line with digest type 2 (SHA-256); SHA-1 (type 1) and GOST (type 3) digests are deprecated for new delegations (RFC 8624):
pdnsutil show-zone -v $ZONE
Zone is not presigned
Zone has hashed NSEC3 semantics, configuration: 1 0 10 db7fcd8a
keys:
ID = 9 (KSK), tag = 28394, algo = 8, bits = 2048 Active: 1 ( RSASHA256 )
KSK DNSKEY = jan-riechers.de IN DNSKEY 257 3 8 AwEAAeEIULkj4vOsQ9nIaY4CR752p/OoCeBcdTcuNS2oUSWoKeQqMMmdFpqbPN3hc/ujEPa+SpbtN5ETNPECBac9udTwMVqjwkkh6ICrvq2tbsZT5ZgJUm1RRy7QF8Tr6LRiO/D2t/BkagfJbWN14AexjZJI6COxMF11/9WDtYDWd7cKMeEDBMrIvmzX2n/jRG3KURVgeOWIMWs3o+AkQvDF04yQmvkY/mmJMagXnvlUnplh8HOwbcAg0f6FfWtGtX3te/wztW8faUzEfuTez++xizZGv3zngIi6M9XFkebfuPIieHTv7AcoZXA2xSteX+Ddr8+mxvCSyXx5k8j4IUSXnY8= ; ( RSASHA256 )
DS = jan-riechers.de IN DS 28394 8 1 dfa8d8c35c5af1dbb192aba146d3274f756213e9 ; ( SHA1 digest )
DS = jan-riechers.de IN DS 28394 8 2 fa266f2dd3ff5f62712e9b44409b118662437d45e35bb1eb479cc47ca15dee3e ; ( SHA256 digest )
DS = jan-riechers.de IN DS 28394 8 3 8b830659d1b26dd0daadba31e60ec4dc4a897bc6509261829739282543e9a302 ; ( GOST R 34.11-94 digest )
DS = jan-riechers.de IN DS 28394 8 4 fffa309489dbc02dd7bfa8778b052140231555f0e4878f6c0f42e87abfa107b8649454bbad6f8f63c7e1a756ce8ccb0e ; ( SHA-384 digest )
ID = 8 (ZSK), tag = 51729, algo = 8, bits = 1024 Active: 1 ( RSASHA256 )
ZSK DNSKEY = jan-riechers.de IN DNSKEY 256 3 8 AwEAAaXGpzGDhUeFLH5xsVoswIsIfY7+ulz9xPLGkk3Eb9aBDtOE2eom7SPYLVnOy6ERrO7xokn3jEbZazkkYFGAdK+vVCP/cniphbLHZ9lOOYcQEJAO/BXq6becX23Vf4sgGNJTuooLQOLrf9gEpq45cC8Ql+S4ik2AGh2rTqAMpqPt ; ( RSASHA256 )
DS = jan-riechers.de IN DS 51729 8 1 2eb7292556df740fc6c54b85e91d23a782f207b9 ; ( SHA1 digest )
DS = jan-riechers.de IN DS 51729 8 2 8fb689fb906d70540acb7684c1fc3f1315820e88fe0f5738a342773faf887aff ; ( SHA256 digest )
DS = jan-riechers.de IN DS 51729 8 3 3eedef52bc7fd2407b0a9ea3d21c81694b693c24a3500f60f1940869e11d83f6 ; ( GOST R 34.11-94 digest )
DS = jan-riechers.de IN DS 51729 8 4 a435e93d78ce0312dfedef29df3f9380780bb3aa5c101eaf01034f11269ca319238aecdd017cb156c366229621e0ab17 ; ( SHA-384 digest )
Check if it worked [http://dnsviz.net/d/conti.work/analyze/] or here [http://dnssec-debugger.verisignlabs.com/conti.work]; both tools follow the chain of trust from the root down to the zone and point out a missing or mismatching DS and broken signatures.
Reference: [https://doc.powerdns.com/md/authoritative/dnssec/]
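To double-check the DS values before handing them to the registrar, here is an added example (not part of the wiki page and not PowerDNS code) that recomputes the key tag and the DS record from the DNSKEY records exactly as show-zone prints them, with only the Python standard library. The only input it assumes is the two DNSKEY records copied from the output above; the arithmetic is the one from RFC 4034 Appendix B (key tag) and RFC 4509 (SHA-256 DS).

```python
"""Added example (not from the wiki page or PowerDNS): recompute the key tag and DS record
from a DNSKEY exactly as `pdnsutil show-zone -v` prints it, so the DS handed to the registrar
can be checked independently. Standard library only; RFC 4034 App. B (key tag), RFC 4509 (DS)."""
import base64
import hashlib

# The two DNSKEY records from the show-zone output on this page (trailing comments dropped).
KSK = "jan-riechers.de IN DNSKEY 257 3 8 AwEAAeEIULkj4vOsQ9nIaY4CR752p/OoCeBcdTcuNS2oUSWoKeQqMMmdFpqbPN3hc/ujEPa+SpbtN5ETNPECBac9udTwMVqjwkkh6ICrvq2tbsZT5ZgJUm1RRy7QF8Tr6LRiO/D2t/BkagfJbWN14AexjZJI6COxMF11/9WDtYDWd7cKMeEDBMrIvmzX2n/jRG3KURVgeOWIMWs3o+AkQvDF04yQmvkY/mmJMagXnvlUnplh8HOwbcAg0f6FfWtGtX3te/wztW8faUzEfuTez++xizZGv3zngIi6M9XFkebfuPIieHTv7AcoZXA2xSteX+Ddr8+mxvCSyXx5k8j4IUSXnY8="
ZSK = "jan-riechers.de IN DNSKEY 256 3 8 AwEAAaXGpzGDhUeFLH5xsVoswIsIfY7+ulz9xPLGkk3Eb9aBDtOE2eom7SPYLVnOy6ERrO7xokn3jEbZazkkYFGAdK+vVCP/cniphbLHZ9lOOYcQEJAO/BXq6becX23Vf4sgGNJTuooLQOLrf9gEpq45cC8Ql+S4ik2AGh2rTqAMpqPt"

# DS digest types hashlib can produce. Submit type 2; SHA-1 (1) and GOST (3) are deprecated
# for new delegations (RFC 8624), and GOST is not available in hashlib anyway.
DIGEST_ALGOS = {1: "sha1", 2: "sha256", 4: "sha384"}


def owner_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lowercase labels with length octets, then the root label."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def parse_dnskey(text: str):
    """Presentation-format DNSKEY -> (owner name, RDATA = flags | protocol | algorithm | public key)."""
    owner, rclass, rtype, flags, proto, alg, *key = text.split()
    if rclass != "IN" or rtype != "DNSKEY":
        raise ValueError("not a DNSKEY record: " + text)
    rdata = int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)]) + base64.b64decode("".join(key))
    return owner, rdata


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except the obsolete RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def is_ksk(rdata: bytes) -> bool:
    """Flags 257 = Zone Key (256) + Secure Entry Point (1); only such keys belong in the parent's DS set."""
    return (int.from_bytes(rdata[:2], "big") & 0x0101) == 0x0101


def ds_record(dnskey_text: str, digest_type: int = 2) -> str:
    """DS RR for a DNSKEY: digest = H(owner name wire form || DNSKEY RDATA)."""
    owner, rdata = parse_dnskey(dnskey_text)
    digest = hashlib.new(DIGEST_ALGOS[digest_type], owner_wire(owner) + rdata).hexdigest()
    return f"{owner} IN DS {key_tag(rdata)} {rdata[3]} {digest_type} {digest}"


if __name__ == "__main__":
    for rr in (KSK, ZSK):
        owner, rdata = parse_dnskey(rr)
        print("KSK" if is_ksk(rdata) else "ZSK", "tag", key_tag(rdata), "->", ds_record(rr))
```

The key tag and the SHA-256 digest printed for the KSK must match the tag and the type-2 DS line in the show-zone output; if they do not, the DNSKEY was copied incorrectly and the registrar would publish a DS that validates nothing, which makes the whole zone bogus for validating resolvers.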
To renew the certificate run on the mail host (the DNS-01 challenge record is placed through an RFC 2136 dynamic update, signed with the TSIG key in the credentials file; see the dynamic update section below):
certbot --dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/dns-rfc2136.ini renew
Note that a renewal issues a new certificate: a TLSA record that pins the whole certificate (3 0 1) has to be updated after every renewal, whereas one that pins the public key (3 1 1) only changes when the key changes, which certbot avoids with --reuse-key.
Adding a DANE/TLSA record for mail server certificate verification (usage 3 = DANE-EE, the record itself is the trust anchor and no CA chain is checked; selector 0 = the full certificate; matching type 1 = SHA-256), or use this generator instead [https://www.huque.com/bin/gen_tlsa]:
openssl x509 -in /etc/letsencrypt/live/mail3.conti.work/cert.pem -outform DER | openssl sha256
Add the TLSA record to DNS. The owner name must be the host name the MX record points at (here mail3.conti.work), because sending MTAs look up _25._tcp.<MX host> (RFC 7672); a record at the zone apex is only used if the apex itself is the MX target:
_25._tcp.conti.work. IN TLSA 3 0 1 9bcd8c83d61e414bd5d935545637a2a98d3f38aaaf5ff9af415ddc574e28ae80
The record is entered with pdnsutil edit-zone, which opens the zone in $EDITOR (the example edits a different zone, jans.space):
pdnsutil edit-zone jans.space
Alternative with just the public key (selector 1, SubjectPublicKeyInfo), which keeps the record valid across renewals as long as the key is reused. The command fetches the certificate from the HTTPS port, so the digest is only right if the SMTP service presents the same certificate; openssl x509 only reads the first certificate of its input, which with -showcerts is the server's own, so the awk filter is optional:
openssl s_client -showcerts -servername mail3.r-jan.de -connect mail3.r-jan.de:443 </dev/null 2>/dev/null | \
awk 'BEGIN { x=0;} /-----BEGIN CERTIFICATE-----/ { x++; } (x==1) {print;} /-----END CERTIFICATE-----/ {x++;}' | \
openssl x509 -noout -pubkey | openssl pkey -pubin -outform DER | openssl sha256
Resulting record (owner name relative to the zone, i.e. the MX host mail3):
_25._tcp.mail3 IN TLSA 3 1 1 0bbc34a70d015e83306ed3cdb6534e5e570cbdb4eec6af5585399ea499ab7c3a
Howto [https://sys4.de/de/blog/2014/05/24/einen-tlsa-record-fuer-dane-mit-bind-9-publizieren/#den-tlsa-record-erstellen] and [http://www.internetsociety.org/deploy360/resources/dane/]
Verify with [http://www.internetsociety.org/deploy360/blog/2014/02/nist-offers-new-tool-to-verify-tlsa-records-for-dane-dnssec/]
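Added example, not from the wiki page or any of the tools it links: the same two digests computed in Python with only the standard library, including the minimal DER walk needed to cut the SubjectPublicKeyInfo out of a certificate for selector 1. The host name mail3.example, the dummy modulus and the unsigned certificate built inline are constructed stand-ins so the code runs offline; a real Let's Encrypt cert.pem goes through tlsa_record_from_pem(). It also shows why selector 1 suits an automatically renewed certificate: two certificates for the same key share the 3 1 1 value but have different 3 0 1 values.

```python
"""Added example (not code from the wiki page): DANE TLSA digests with the standard library.
Selector 0 hashes the whole DER certificate, selector 1 only its SubjectPublicKeyInfo (SPKI).
The certificate built inline is a constructed stand-in (dummy key, zeroed signature)."""
import hashlib
import ssl

def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a single-byte tag and short or long-form length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + length + content

def der_int(value: int) -> bytes:
    """DER INTEGER for a non-negative value (extra leading octet keeps the sign bit clear)."""
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def der_tlv(buf: bytes, pos: int = 0):
    """Decode the TLV starting at pos -> (tag, content, offset after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def der_children(content: bytes):
    """Split a constructed value into (tag, raw TLV bytes) per element."""
    out, pos = [], 0
    while pos < len(content):
        tag, _, end = der_tlv(content, pos)
        out.append((tag, content[pos:end]))
        pos = end
    return out

def spki_from_cert_der(cert_der: bytes) -> bytes:
    """Certificate -> tbsCertificate -> [0] version (optional), serial, signature,
    issuer, validity, subject, subjectPublicKeyInfo: return the SPKI TLV verbatim."""
    tag, cert, _ = der_tlv(cert_der)
    tbs_tag, tbs, _ = der_tlv(cert)
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a DER X.509 certificate")
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:  # explicit version tag present (v2/v3 certificates)
        fields = fields[1:]
    return fields[5][1]

def tlsa_hash(cert_der: bytes, selector: int) -> str:
    """Certificate association data for matching type 1 (SHA-256)."""
    if selector not in (0, 1):
        raise ValueError("selector must be 0 (full certificate) or 1 (SPKI)")
    data = cert_der if selector == 0 else spki_from_cert_der(cert_der)
    return hashlib.sha256(data).hexdigest()

def tlsa_record(host: str, port: int, selector: int, cert_der: bytes, usage: int = 3) -> str:
    """Usage 3 = DANE-EE. The owner name is the MX host that sending MTAs connect to."""
    return f"_{port}._tcp.{host.rstrip('.')}. IN TLSA {usage} {selector} 1 {tlsa_hash(cert_der, selector)}"

def tlsa_record_from_pem(host: str, port: int, selector: int, pem: str) -> str:
    """Same, for a PEM file such as /etc/letsencrypt/live/<host>/cert.pem."""
    return tlsa_record(host, port, selector, ssl.PEM_cert_to_DER_cert(pem))

def pem_from_der(cert_der: bytes) -> str:
    return ssl.DER_cert_to_PEM_cert(cert_der)

# Constructed certificate pieces: rsaEncryption / sha256WithRSAEncryption OIDs, placeholder modulus.
OID_RSA = bytes.fromhex("2a864886f70d010101")
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")
DUMMY_MODULUS = (1 << 2047) | 0x10001  # not a real key, only gives the SPKI a plausible shape

def make_spki(modulus: int, exponent: int = 65537) -> bytes:
    rsa_pub = der(0x30, der_int(modulus) + der_int(exponent))
    alg_id = der(0x30, der(0x06, OID_RSA) + der(0x05, b""))
    return der(0x30, alg_id + der(0x03, b"\x00" + rsa_pub))  # BIT STRING, no unused bits

def make_cert(spki: bytes, serial: int, not_after: bytes, v3: bool = True) -> bytes:
    """Unsigned X.509-shaped DER: enough structure for spki_from_cert_der(), nothing more."""
    cn = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0C, b"mail3.example"))))
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, not_after))
    sig_alg = der(0x30, der(0x06, OID_SHA256_RSA) + der(0x05, b""))
    version = der(0xA0, der_int(2)) if v3 else b""
    tbs = der(0x30, version + der_int(serial) + sig_alg + cn + validity + cn + spki)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" * 33))

if __name__ == "__main__":
    # Two issuances for the same key, as certbot --reuse-key would produce them:
    # the 3 1 1 record stays the same, the 3 0 1 record changes with every renewal.
    first = make_cert(make_spki(DUMMY_MODULUS), 1, b"250101000000Z")
    renewed = make_cert(make_spki(DUMMY_MODULUS), 2, b"260101000000Z")
    for cert in (first, renewed):
        print(tlsa_record("mail3.example", 25, 0, cert))
        print(tlsa_record("mail3.example", 25, 1, cert))
```

For a real deployment, read cert.pem and call tlsa_record_from_pem("mail3.conti.work", 25, 1, pem_text); the output is the zone-file line to paste into edit-zone. The DER walk deliberately indexes the fixed field order of tbsCertificate instead of searching for the rsaEncryption OID, so it works unchanged for ECDSA keys.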
For dynamic updates (RFC 2136, which is what certbot's dns-rfc2136 plugin uses), the server's global dnsupdate setting must be enabled in pdns.conf, and the zone needs two metadata entries: ALLOW-DNSUPDATE-FROM (source networks allowed to send updates) and TSIG-ALLOW-DNSUPDATE (name of the TSIG key that must sign them; the key itself has to exist in the backend, for example created with pdnsutil's generate-tsig-key). Keep the network list as narrow as possible, and note that the two variants below do not agree (172.16.0.0/15 vs /16):
pdnsutil set-meta $ZONE ALLOW-DNSUPDATE-FROM 172.16.0.0/15
pdnsutil set-meta $ZONE TSIG-ALLOW-DNSUPDATE dyndns
or directly in the backend database:
select id from domains where name='conti.work';
8
insert into domainmetadata (domain_id, kind, content) values(8, 'ALLOW-DNSUPDATE-FROM','172.16.0.0/16');
insert into domainmetadata (domain_id, kind, content) values (8, 'TSIG-ALLOW-DNSUPDATE', 'dyndns');
[https://doc.powerdns.com/md/authoritative/dnsupdate/]
To also notify a secondary (slave) that is not listed in the zone's NS records, set ALSO-NOTIFY on the zone:
sudo pdnsutil set-meta r-jan.de ALSO-NOTIFY 185.181.104.96