DNSSec

From Jan's Wiki
Revision as of 21:58, 12 February 2015 by Der Jan (talk | contribs)
Jump to navigation Jump to search

How to setup DNSSEC with powerdns:

  • Add dnssec to pdns.conf:
gpgsql-dnssec=yes

sudo pdnssec add-zone-key conti.work zsk 1024 active rsasha256
sudo pdnssec add-zone-key conti.work ksk 2048 active rsasha256
sudo pdnssec secure-zone conti.work
sudo pdnssec rectify-zone conti.work

Upload public KSK ZSK [1] 

dig  DNSKEY conti.work

Check if it worked [2] or here [3]

Set nsec3 parameter [4] 

sudo pdnssec set-nsec3 conti.work '1 0 10 db7fcd8a'

[5]


Adding DANE/TLSA record for mail server certificate verification 

openssl x509 -in /etc/ssl/certs/ssl-mail.pem -outform DER | openssl sha256

Add TLSA record to DNS: 

_25._tcp.conti.work.  IN TLSA 3 0 1 9bcd8c83d61e414bd5d935545637a2a98d3f38aaaf5ff9af415ddc574e28ae80

Howto [6] and [7]

Verify with [8]

Retrieved from "https://wiki.jans.space//index.php?title=DNSSec&oldid=85"