DNSSec: Difference between revisions
Diff between the two revisions (old revision on the left, new revision on the right; both start at line 4 of the page):

  gpgsql-dnssec=yes              |  gpgsql-dnssec=yes
  sudo pdnssec add-zone-key      |  export ZONE=conti.work
  sudo pdnssec add-zone-key      |  sudo pdnssec add-zone-key $ZONE zsk 1024 active rsasha256
  sudo pdnssec secure-zone       |  sudo pdnssec add-zone-key $ZONE ksk 2048 active rsasha256
  sudo pdnssec rectify-zone      |
                                 |  Set nsec3 parameter [https://deepthought.isc.org/article/AA-00711/0/In-line-Signing-With-NSEC3-in-BIND-9.9-A-Walk-through.html]
                                 |  sudo pdnssec set-nsec3 $ZONE '1 0 10 db7fcd8a'
                                 |  sudo pdnssec secure-zone $ZONE
                                 |  sudo pdnssec rectify-zone $ZONE
  Upload public KSK ZSK [https://www.gandi.net/admin/domain/dnssec/5104640]   (unchanged on both sides)

Old line 14 / new line 19 (unchanged on both sides):

  Check if it worked [http://dnsviz.net/d/conti.work/analyze/] or here [http://dnssec-debugger.verisignlabs.com/conti.work]
  [https://doc.powerdns.com/md/authoritative/dnssec/]
Revision as of 22:31, 13 February 2015
How to set up DNSSEC with PowerDNS:
- Add DNSSEC to pdns.conf:
gpgsql-dnssec=yes
- Create the zone keys (ZSK and KSK):
export ZONE=conti.work
sudo pdnssec add-zone-key $ZONE zsk 1024 active rsasha256
sudo pdnssec add-zone-key $ZONE ksk 2048 active rsasha256
- Set the NSEC3 parameter [1] (https://deepthought.isc.org/article/AA-00711/0/In-line-Signing-With-NSEC3-in-BIND-9.9-A-Walk-through.html):
sudo pdnssec set-nsec3 $ZONE '1 0 10 db7fcd8a'
- Secure and rectify the zone:
sudo pdnssec secure-zone $ZONE
sudo pdnssec rectify-zone $ZONE
- Upload the public KSK and ZSK to the registrar [2] (https://www.gandi.net/admin/domain/dnssec/5104640):
dig DNSKEY conti.work
- Check if it worked [3] (http://dnsviz.net/d/conti.work/analyze/) or here [4] (http://dnssec-debugger.verisignlabs.com/conti.work)
Adding a DANE/TLSA record for mail server certificate verification, or use this instead [6]. Hash the DER-encoded certificate with SHA-256:
openssl x509 -in /etc/ssl/certs/ssl-mail.pem -outform DER | openssl sha256
Add the TLSA record to DNS:
_25._tcp.conti.work. IN TLSA 3 0 1 9bcd8c83d61e414bd5d935545637a2a98d3f38aaaf5ff9af415ddc574e28ae80
Verify with [9]
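As an added example (not from this wiki page, and not PowerDNS or openssl code), the script below builds the same kind of TLSA rdata the openssl pipeline above produces and checks a published record against the certificate a server actually serves. It shows the caveat behind the page's "3 0 1" choice: selector 0 hashes the whole certificate, so the record breaks at every reissue even when the key stays the same, while selector 1 hashes only the SubjectPublicKeyInfo and survives renewals that keep the key. The certificate it runs on stand-alone is a constructed, syntactically valid DER blob with a dummy signature; the file path argument, the minimal DER parser and all function names are this example's own assumptions.

```python
"""Build and check DANE TLSA rdata (RFC 6698) for a mail server certificate.

Added example, not from the wiki page. Stand-alone it uses a constructed
X.509 DER blob with a dummy signature; pass a PEM file path as argv[1]
(e.g. /etc/ssl/certs/ssl-mail.pem from the page) to use a real certificate.
"""
import base64
import hashlib
import hmac
import sys


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value element (definite length, < 64 KiB)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def der_parse(data: bytes, offset: int = 0):
    """Decode the element at offset; return (tag, value, end_offset)."""
    tag = data[offset]
    length = data[offset + 1]
    pos = offset + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        count = length & 0x7F
        length = int.from_bytes(data[pos:pos + count], "big")
        pos += count
    return tag, data[pos:pos + length], pos + length


def extract_spki(cert_der: bytes) -> bytes:
    """Return the raw SubjectPublicKeyInfo element (input for TLSA selector 1)."""
    _, cert_body, _ = der_parse(cert_der)   # Certificate SEQUENCE
    _, tbs, _ = der_parse(cert_body)        # tbsCertificate SEQUENCE
    fields, pos = [], 0
    while pos < len(tbs):
        start = pos
        tag, _, pos = der_parse(tbs, pos)
        fields.append((tag, tbs[start:pos]))
    if fields[0][0] == 0xA0:                # optional EXPLICIT [0] version
        fields.pop(0)
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour lines and base64-decode the certificate body."""
    body = [ln for ln in pem.splitlines() if ln and not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def tlsa_rdata(cert_der: bytes, usage: int = 3, selector: int = 0,
               mtype: int = 1) -> str:
    """TLSA rdata; defaults match the page's '3 0 1' (DANE-EE, full cert, SHA-256)."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if mtype == 0:
        assoc = data.hex()
    elif mtype == 1:
        assoc = hashlib.sha256(data).hexdigest()
    elif mtype == 2:
        assoc = hashlib.sha512(data).hexdigest()
    else:
        raise ValueError("unknown matching type %d" % mtype)
    return "%d %d %d %s" % (usage, selector, mtype, assoc)


def tlsa_matches(rdata: str, cert_der: bytes) -> bool:
    """Check published TLSA rdata against the certificate actually served."""
    usage, selector, mtype, assoc = rdata.split()
    expected = tlsa_rdata(cert_der, int(usage), int(selector), int(mtype))
    return hmac.compare_digest(expected.split()[3], assoc.lower())


# Constructed certificate: valid X.509 DER layout, dummy key bits and signature.
OID_SHA256_WITH_RSA = bytes.fromhex("2a864886f70d01010b")
OID_RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")


def constructed_cert():
    """Return (certificate DER, SubjectPublicKeyInfo DER) for the dummy cert."""
    sig_alg = der_tlv(0x30, der_tlv(0x06, OID_SHA256_WITH_RSA) + der_tlv(0x05, b""))
    spki = der_tlv(0x30, der_tlv(0x30, der_tlv(0x06, OID_RSA_ENCRYPTION) + der_tlv(0x05, b""))
                   + der_tlv(0x03, b"\x00" + b"\x01" * 64))   # dummy key bits
    empty_name = der_tlv(0x30, b"")
    validity = der_tlv(0x30, der_tlv(0x17, b"150213000000Z") + der_tlv(0x17, b"160213000000Z"))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02"))  # version v3
                  + der_tlv(0x02, b"\x01") + sig_alg + empty_name + validity + empty_name + spki)
    signature = der_tlv(0x03, b"\x00" * 33)                    # dummy signature
    return der_tlv(0x30, tbs + sig_alg + signature), spki


if __name__ == "__main__":
    if len(sys.argv) > 1:
        cert = pem_to_der(open(sys.argv[1]).read())
    else:
        cert, _ = constructed_cert()
    for sel in (0, 1):
        print("_25._tcp.conti.work. IN TLSA", tlsa_rdata(cert, 3, sel, 1))
```

Run it against the PEM the page hashes and the selector-0 line should reproduce the digest shown in the page's TLSA record; the selector-1 line is the record to publish instead if renewals keep the same key. `tlsa_matches` is what a monitoring job would run after fetching the live certificate, so a certificate rollover that was not followed by a DNS update is caught before clients start refusing to deliver mail.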