DNSSec: Difference between revisions

From Jan's Wiki
Jump to navigation Jump to search
No edit summary
No edit summary
 
Line 5: Line 5:


  export ZONE=conti.work
  export ZONE=conti.work
  sudo pdnsutil add-zone-key $ZONE zsk 1024 active rsasha256
  sudo pdnsutil add-zone-key $ZONE zsk 1024 active rsasha256 #not really necessary
  sudo pdnsutil add-zone-key $ZONE ksk 2048 active rsasha256
  sudo pdnsutil add-zone-key $ZONE ksk 2048 active rsasha256 #not really necessary


Set nsec3 parameter [https://deepthought.isc.org/article/AA-00711/0/In-line-Signing-With-NSEC3-in-BIND-9.9-A-Walk-through.html]
Set nsec3 parameter [https://deepthought.isc.org/article/AA-00711/0/In-line-Signing-With-NSEC3-in-BIND-9.9-A-Walk-through.html]
  sudo pdnsutil set-nsec3 $ZONE '1 0 10 db7fcd8a'
  sudo pdnsutil set-nsec3 $ZONE '1 0 10 db7fcd8a' #random 32bit number


  sudo pdnsutil secure-zone $ZONE
  sudo pdnsutil secure-zone $ZONE

Latest revision as of 07:45, 9 January 2026

How to setup DNSSEC with powerdns:

  • Add dnssec to pdns.conf:
gpgsql-dnssec=yes

export ZONE=conti.work
sudo pdnsutil add-zone-key $ZONE zsk 1024 active rsasha256 #not really necessary
sudo pdnsutil add-zone-key $ZONE ksk 2048 active rsasha256 #not really necessary

Set nsec3 parameter [1] 

sudo pdnsutil set-nsec3 $ZONE '1 0 10 db7fcd8a' #random 32bit number

sudo pdnsutil secure-zone $ZONE
sudo pdnsutil rectify-zone $ZONE

Upload public KSK ZSK [2] 

host -tDNSKEY $ZONE

Or alternatively use: 

pdnsutil show-zone -v $ZONE
    Zone is not presigned
   Zone has hashed NSEC3 semantics, configuration: 1 0 10 db7fcd8a
   keys:
   ID = 9 (KSK), tag = 28394, algo = 8, bits = 2048        Active: 1 ( RSASHA256 )
   KSK DNSKEY = jan-riechers.de IN DNSKEY 257 3 8 AwEAAeEIULkj4vOsQ9nIaY4CR752p/OoCeBcdTcuNS2oUSWoKeQqMMmdFpqbPN3hc/ujEPa+SpbtN5ETNPECBac9udTwMVqjwkkh6ICrvq2tbsZT5ZgJUm1RRy7QF8Tr6LRiO/D2t/BkagfJbWN14AexjZJI6COxMF11/9WDtYDWd7cKMeEDBMrIvmzX2n/jRG3KURVgeOWIMWs3o+AkQvDF04yQmvkY/mmJMagXnvlUnplh8HOwbcAg0f6FfWtGtX3te/wztW8faUzEfuTez++xizZGv3zngIi6M9XFkebfuPIieHTv7AcoZXA2xSteX+Ddr8+mxvCSyXx5k8j4IUSXnY8= ; ( RSASHA256 )
   DS = jan-riechers.de IN DS 28394 8 1 dfa8d8c35c5af1dbb192aba146d3274f756213e9 ; ( SHA1 digest )
   DS = jan-riechers.de IN DS 28394 8 2 fa266f2dd3ff5f62712e9b44409b118662437d45e35bb1eb479cc47ca15dee3e ; ( SHA256 digest )
   DS = jan-riechers.de IN DS 28394 8 3 8b830659d1b26dd0daadba31e60ec4dc4a897bc6509261829739282543e9a302 ; ( GOST R 34.11-94 digest )
   DS = jan-riechers.de IN DS 28394 8 4 fffa309489dbc02dd7bfa8778b052140231555f0e4878f6c0f42e87abfa107b8649454bbad6f8f63c7e1a756ce8ccb0e ; ( SHA-384 digest )

   ID = 8 (ZSK), tag = 51729, algo = 8, bits = 1024        Active: 1 ( RSASHA256 )
   ZSK DNSKEY = jan-riechers.de IN DNSKEY 256 3 8 AwEAAaXGpzGDhUeFLH5xsVoswIsIfY7+ulz9xPLGkk3Eb9aBDtOE2eom7SPYLVnOy6ERrO7xokn3jEbZazkkYFGAdK+vVCP/cniphbLHZ9lOOYcQEJAO/BXq6becX23Vf4sgGNJTuooLQOLrf9gEpq45cC8Ql+S4ik2AGh2rTqAMpqPt ; ( RSASHA256 )
   DS = jan-riechers.de IN DS 51729 8 1 2eb7292556df740fc6c54b85e91d23a782f207b9 ; ( SHA1 digest )
   DS = jan-riechers.de IN DS 51729 8 2 8fb689fb906d70540acb7684c1fc3f1315820e88fe0f5738a342773faf887aff ; ( SHA256 digest )
   DS = jan-riechers.de IN DS 51729 8 3 3eedef52bc7fd2407b0a9ea3d21c81694b693c24a3500f60f1940869e11d83f6 ; ( GOST R 34.11-94 digest )
   DS = jan-riechers.de IN DS 51729 8 4 a435e93d78ce0312dfedef29df3f9380780bb3aa5c101eaf01034f11269ca319238aecdd017cb156c366229621e0ab17 ; ( SHA-384 digest )



Check if it worked [3] or here [4]


[5]

To renew the certificate run on mail: 

 certbot --dns-rfc2136  --dns-rfc2136-credentials /etc/letsencrypt/dns-rfc2136.ini renew


Adding DANE/TLSA record for mail server certificate verification or use this instead [6] 

openssl x509 -in /etc/letsencrypt/live/mail3.conti.work/cert.pem -outform DER | openssl sha256

Add TLSA record to DNS: 

_25._tcp.conti.work.  IN TLSA 3 0 1 9bcd8c83d61e414bd5d935545637a2a98d3f38aaaf5ff9af415ddc574e28ae80

pdnsutil edit-zone jans.space

Alternative with just public key: 

openssl s_client -showcerts -servername mail3.r-jan.de -connect mail3.r-jan.de:443 </dev/null 2>/dev/null | \
awk 'BEGIN { x=0;} /-----BEGIN CERTIFICATE-----/ { x++; } (x==1) {print;} /-----END CERTIFICATE-----/ {x++;}' | \
openssl x509 -noout -pubkey | openssl pkey -pubin -outform DER | openssl sha256
_25._tcp.mail3 IN TLSA 3 1 1 0bbc34a70d015e83306ed3cdb6534e5e570cbdb4eec6af5585399ea499ab7c3a


Howto [7] and [8]

Verify with [9]


For dynamic update setup zone with ALLOW-DNSUPDATE-FROM 

 pdnsutil set-meta $ZONE ALLOW-DNSUPDATE-FROM 172.16.0.0/15
 pdnsutil set-meta $ZONE TSIG-ALLOW-DNSUPDATE dyndns

or 

 select id from domains where name='conti.work';
         8
 insert into domainmetadata (domain_id, kind, content) values(8, 'ALLOW-DNSUPDATE-FROM','172.16.0.0/16');
 insert into domainmetadata (domain_id, kind, content) values (8, 'TSIG-ALLOW-DNSUPDATE', 'dyndns');

[10]

To notify slaves use: 

 sudo pdnsutil set-meta r-jan.de ALSO-NOTIFY 185.181.104.96
Retrieved from "https://wiki.jans.space//index.php?title=DNSSec&oldid=205"