DNSSEC: Difference between revisions

No edit summary
 
Line 1: Line 1:
https://zytrax.com/books/dns/
https://zytrax.com/books/dns/
https://www.iana.org/domains/root/servers
https://root-servers.org/
  whois islief.com
  whois islief.com
  dig +short NS islief.com
  dig +short NS islief.com
Line 11: Line 15:


  dig +short MX islief.com
  dig +short MX islief.com
https://www.iana.org/domains/root/servers


https://root-servers.org/
  dig +trace +all www.islief.com
  dig +trace +all www.islief.com
  dig com @f.root-servers.net
  dig com @f.root-servers.net
Line 57: Line 59:
  dig A janmg.com. +noadditional +dnssec +multiline
  dig A janmg.com. +noadditional +dnssec +multiline
https://dnssec-debugger.verisignlabs.com/janmg.com
https://dnssec-debugger.verisignlabs.com/janmg.com


https://www.cloudflare.com/dns/dnssec/how-dnssec-works/
https://www.cloudflare.com/dns/dnssec/how-dnssec-works/
Line 92: Line 93:
=== KSK ===
=== KSK ===
Key Signing Keys are used for signing the zone keys, their DS'es are registered in the dns hierarchy above.
Key Signing Keys are used for signing the zone keys, their DS'es are registered in the dns hierarchy above.
cd /var/bind/
KSK=$(dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE janmg.com)
dnssec-settime -I +12mo -D +13mo ${KSK}


# KSK
=== ZSK ===
ZSK1=$(dnssec-keygen -a NSEC3RSASHA1 -b 4096 -n ZONE janmg.com)
dnssec-settime -I +4mo -D +5mo ${ZSK1}.key
ZSK2=$(dnssec-keygen -a NSEC3RSASHA1 -b 4096 -n ZONE janmg.com)
dnssec-settime -A +3mo -I +7mo -D +8mo ${ZSK2}.key
rm -rf /etc/bind/zone/janmg.com.signed*
dnssec-signzone -A -3 $(head -c 64 /dev/urandom | sha256sum | cut -b 1-64) -N date -o janmg.com -t -S -K /var/bind/ /etc/bind/zone/janmg.com
service bind9 reload
tail -20f /var/log/named/janmg.log


cd /var/bind/
=== Update KSK on DYN ===
 
dnssec-dsfromkey -2 -f /etc/bind/zone/janmg.com.signed janmg.com
KSK=$(dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE janmg.com)
cd /var/bind/
 
KSK=$(dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE janmg.com 2> /dev/null)
dnssec-settime -I +12mo -D +13mo ${KSK}
dnssec-settime -I +5y -D +10y ${KSK}.key
 
dnssec-dsfromkey -2 -f /etc/bind/zone/janmg.com.signed janmg.com
# ZSK
ZSK1=$(dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE janmg.com 2> /dev/null)
 
dnssec-settime -I +4mo -D +5mo ${ZSK1}.key
ZSK1=$(dnssec-keygen -a NSEC3RSASHA1 -b 4096 -n ZONE janmg.com)
ZSK2=$(dnssec-keygen -a NSEC3RSASHA1 -b 4096 -n ZONE janmg.com 2> /dev/null)
 
dnssec-settime -A +3mo -I +7mo -D +8mo ${ZSK2}.key
dnssec-settime -I +4mo -D +5mo ${ZSK1}.key
 
ZSK2=$(dnssec-keygen -a NSEC3RSASHA1 -b 4096 -n ZONE janmg.com)
 
dnssec-settime -A +3mo -I +7mo -D +8mo ${ZSK2}.key
 
rm -rf /etc/bind/zone/janmg.com.signed*
 
dnssec-signzone -A -3 $(head -c 64 /dev/urandom | sha256sum | cut -b 1-64) -N date -o janmg.com -t -S -K /var/bind/ /etc/bind/zone/janmg.com
 
service bind9 reload
 
tail -20f /var/log/named/janmg.log
 
# Update KSK on DYN
 
dnssec-dsfromkey -2 -f /etc/bind/zone/janmg.com.signed janmg.com
 
cd /var/bind/
 
KSK=$(dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE janmg.com 2> /dev/null)
 
dnssec-settime -I +5y -D +10y ${KSK}.key
 
dnssec-dsfromkey -2 -f /etc/bind/zone/janmg.com.signed janmg.com
 
ZSK1=$(dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE janmg.com 2> /dev/null)
 
dnssec-settime -I +4mo -D +5mo ${ZSK1}.key
 
ZSK2=$(dnssec-keygen -a NSEC3RSASHA1 -b 4096 -n ZONE janmg.com 2> /dev/null)
 
dnssec-settime -A +3mo -I +7mo -D +8mo ${ZSK2}.key


=== ZSK ===
=== ZSK ===
dig A janmg.com. @localhost +noadditional +dnssec +multiline
dig A janmg.com. @localhost +noadditional +dnssec +multiline


=== Sign Zone ===
=== Sign Zone ===
/usr/sbin/zonesigner.sh
/usr/sbin/zonesigner.sh
 
dnssec-keygen -a NSEC3RSASHA1 -b 4096 -n ZONE janmg.com
dnssec-keygen -a NSEC3RSASHA1 -b 4096 -n ZONE janmg.com
sudo vi /etc/bind/zone/janmg.com
 
sudo service named restart
sudo vi /etc/bind/zone/janmg.com
dnssec-signzone -A -3 $(head -c 1000 /dev/urandom | sha256sum | cut -b 1-16) -N INCREMENT -o janmg.com -t /etc/bind/zone/janmg.com
 
sudo dnssec-signzone -A -3 $(head -c 1000 /dev/urandom | sha256sum | cut -b 1-16) -N INCREMENT -o janmg.com -z -t /etc/bind/zone/janmg.com
sudo service named restart
cat /etc/bind/zone/janmg.com
 
SERIAL=$(/usr/sbin/named-checkzone janmg.com /etc/bind/zone/janmg.com | egrep -ho '[0-9]{10}')
dnssec-signzone -A -3 $(head -c 1000 /dev/urandom | sha256sum | cut -b 1-16) -N INCREMENT -o janmg.com -t /etc/bind/zone/janmg.com
DATE=$(date -u +"%Y%m%d")
 
if [[ "${SERIAL}" =~ "${DATE}".* ]];
sudo dnssec-signzone -A -3 $(head -c 1000 /dev/urandom | sha256sum | cut -b 1-16) -N INCREMENT -o janmg.com -z -t /etc/bind/zone/janmg.com
then
 
  sed -i 's/'$SERIAL'/'$(($SERIAL+1))'/' /etc/bind/zone/janmg.com
cat /etc/bind/zone/janmg.com
else
 
  sed -i 's/'$SERIAL'/'${DATE}01'/' /etc/bind/zone/janmg.com
SERIAL=$(/usr/sbin/named-checkzone janmg.com /etc/bind/zone/janmg.com | egrep -ho '[0-9]{10}')
fi
 
dnssec-signzone -A -3 $(head -c 1000 /dev/urandom | sha256sum | cut -b 1-16) -N INCREMENT -o janmg.com -z -t /etc/bind/zone/janmg.com
DATE=$(date -u +"%Y%m%d")
 
if [[ "${SERIAL}" =~ "${DATE}".* ]];
 
then
 
  sed -i 's/'$SERIAL'/'$(($SERIAL+1))'/' /etc/bind/zone/janmg.com
 
else
 
  sed -i 's/'$SERIAL'/'${DATE}01'/' /etc/bind/zone/janmg.com
 
fi
 
dnssec-signzone -A -3 $(head -c 1000 /dev/urandom | sha256sum | cut -b 1-16) -N INCREMENT -o janmg.com -z -t /etc/bind/zone/janmg.com
 
service named reload
 
dig DNSKEY janmg.com. @localhost +multiline
 
dig A janmg.com. @localhost +noadditional +dnssec +multiline
 
dig A janmg.com. +noadditional +dnssec +multiline


service named reload
dig DNSKEY janmg.com. @localhost +multiline
dig A janmg.com. @localhost +noadditional +dnssec +multiline
dig A janmg.com. +noadditional +dnssec +multiline
https://dnssec-debugger.verisignlabs.com/janmg.com
https://dnssec-debugger.verisignlabs.com/janmg.com
 
dig janmg.com soa
dig janmg.com soa
cd /var/bind/
 
DNSKEY=$(dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE janmg.com 2> /dev/null)
cd /var/bind/
dig DNSKEY janmg.com. @localhost +multiline
 
DNSKEY=$(dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE janmg.com 2> /dev/null)
 
dig DNSKEY janmg.com. @localhost +multiline


= Systemd resolved =
= Systemd resolved =
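Review bot: Under `# ZSK` in the new text, `ZSK1=$(dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE janmg.com 2> /dev/null)` passes `-f KSK`, so the key it produces carries the KSK/SEP flag (257) rather than the ZSK flag (256), while the ZSK section earlier in this hunk and the `ZSK2` line right beside it omit the flag; this looks like a copy/paste slip and the line should read `ZSK1=$(dnssec-keygen -a NSEC3RSASHA1 -b 4096 -n ZONE janmg.com 2> /dev/null)`. Because stderr is discarded on these keygen lines, a failed generation leaves the variable empty and the following `dnssec-settime ... ${KSK}.key` is handed a bare `.key`; a guard such as `: "${KSK:?dnssec-keygen failed}"` after each assignment would make that visible. Separately, every key in this hunk is NSEC3RSASHA1 (algorithm 7, RSA/SHA-1), which RFC 8624 lists as NOT RECOMMENDED for signing and which platforms with SHA-1 disabled in their crypto policy no longer validate; moving to RSASHA256 or ECDSAP256SHA256 needs a proper algorithm rollover (new KSK and ZSK published and the new DS at the parent before the old keys are withdrawn), not only an edit of `-a`. The new text also uses both `service bind9 reload` and `service named reload` for what is presumably the same daemon; one of the two names is likely wrong for this host.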

Latest revision as of 13:46, 27 December 2025

https://zytrax.com/books/dns/

https://www.iana.org/domains/root/servers

https://root-servers.org/

# Inspect the islief.com delegation: registrar data first, then each record
# type as a resolver returns it, then the same chain walked by hand from the
# root (com at a root server, islief.com at a .com server).
whois islief.com
for rrtype in NS SOA DS DNSKEY A AAAA MX; do
  dig +short "$rrtype" islief.com
done
dig +trace +all www.islief.com
dig com @f.root-servers.net
dig islief.com @g.gtld-servers.net
# Key-lifecycle fragments kept next to the lookups: mark the named key
# inactive (-I) 172800 s (48 h) from now and deleted (-D) after 345600 s
# (96 h); generate a 2048-bit ZSK (no -f KSK) for janmg.com; query the local
# server with DNSSEC records included.
dnssec-settime -I +172800 -D +345600 Kjanmg.com.+005+12332.key
dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE janmg.com
dig A janmg.com. @localhost +noadditional +dnssec +multiline

https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server--2

https://manager.linode.com/dns/domain%5Fslave/janmg%2Ecom

# Initial signing of janmg.com with BIND's dnssec-* tools. This is an
# interactive procedure: the editor and restart steps are manual and the
# order of the commands matters (keys exist before signing, signing before
# the serial bump, ownership fix before named reads the files).
cd /var/bind/
# ZSK (no -f KSK) for the zone, written to the current directory as
# Kjanmg.com.+<alg>+<id>.key/.private.
dnssec-keygen -a NSEC3RSASHA1 -b 4096 -n ZONE janmg.com
# Retire an earlier key: inactive after 172800 s (48 h), deleted after
# 345600 s (96 h). Algorithm 005 in the name is RSASHA1.
dnssec-settime -I +172800 -D +345600 Kjanmg.com.+005+12332.key
dig A janmg.com. @localhost +noadditional +dnssec +multiline
# KSK for the zone (SEP flag set via -f KSK).
# NOTE(review): NSEC3RSASHA1 is algorithm 7 (RSA/SHA-1), NOT RECOMMENDED for
# signing in RFC 8624; replacing it is an algorithm rollover, not a flag edit.
dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE janmg.com
# Manual edit of the unsigned zone file (what is changed is not recorded here).
sudo vi /etc/bind/zone/janmg.com
sudo service named restart
# Sign with NSEC3 opt-out (-A), a fresh 8-byte (16 hex char) salt (-3), an
# incremented SOA serial (-N INCREMENT) and statistics (-t). The second run
# adds -z (ignore the KSK flag, i.e. sign with every key) and sudo; the
# output is written next to the zone as janmg.com.signed.
dnssec-signzone -A -3 $(head -c 1000 /dev/urandom | sha256sum | cut -b 1-16) -N INCREMENT -o janmg.com -t /etc/bind/zone/janmg.com
sudo dnssec-signzone -A -3 $(head -c 1000 /dev/urandom | sha256sum | cut -b 1-16) -N INCREMENT -o janmg.com -z -t /etc/bind/zone/janmg.com
cat /etc/bind/zone/janmg.com
# Bump the SOA serial in the unsigned zone by hand: take the 10-digit number
# named-checkzone reports, then either increment it (already dated today,
# YYYYMMDDnn) or restart it at today's date followed by 01.
# NOTE(review): the sed replaces the first occurrence of those digits on any
# line; nothing anchors it to the SOA record.
SERIAL=$(/usr/sbin/named-checkzone janmg.com /etc/bind/zone/janmg.com | egrep -ho '[0-9]{10}')
DATE=$(date -u +"%Y%m%d")
if [[ "${SERIAL}" =~ "${DATE}".* ]];
then 
 sed -i 's/'$SERIAL'/'$(($SERIAL+1))'/' /etc/bind/zone/janmg.com
else
 sed -i 's/'$SERIAL'/'${DATE}01'/' /etc/bind/zone/janmg.com
fi
# Hand the key files and the zone directory to the named user.
# NOTE(review): this sets ownership only; the mode of the K*.private files is
# not touched here — confirm they are not group/world readable.
chown named:named /var/bind/K*
chown named:named /etc/bind/zone
tail -f /var/log/named/janmg.log 

# Derive the SHA-256 DS record (-2) for janmg.com from the DNSKEY RRset in
# the signed zone file; this is the value handed to the parent/registrar.
sudo dnssec-dsfromkey -f /etc/bind/zone/janmg.com.signed -2 janmg.com

https://account.dyn.com/dns/domain-registration/dnssec.html?name=janmg.com

# Query the A record through the system resolver, asking for the RRSIGs
# (+dnssec) in readable form (+multiline) and without the additional section.
dig +dnssec +multiline +noadditional A janmg.com.

https://dnssec-debugger.verisignlabs.com/janmg.com

https://www.cloudflare.com/dns/dnssec/how-dnssec-works/

https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server--2

https://blog.webernetz.net/dnssec-zsk-key-rollover/

https://account.dyn.com/dns/domain-registration/dnssec.html?name=janmg.com

https://manager.linode.com/dns/domain%5Fslave/janmg%2Ecom

https://dnssec-debugger.verisignlabs.com/janmg.com

http://dnsviz.net/d/janmg.com/dnssec/

DNS Key

DNSKEY - Contains a public signing key (KSK)

DS - Contains the hash of a DNSKEY record

KSK Key-Signing Keys

ZSK Zone-Signing Keys

RRSIG - Contains a cryptographic signature

RRset - A set of records of the same resource type

NSEC and NSEC3 - For explicit denial-of-existence of a DNS record

Ubuntu: AppArmor

KSK

Key Signing Keys are used to sign the zone keys; their DS records are registered in the DNS hierarchy above.

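# --- KSK: generate the Key Signing Key and set its lifetime ---
# dnssec-keygen writes the key pair into the current directory and prints
# the key name (Kjanmg.com.+<alg>+<id>) on stdout; dnssec-settime then
# records the timing metadata on it: inactive (-I) 12 months from now,
# deleted (-D) 13 months from now.
# NOTE(review): NSEC3RSASHA1 is algorithm 7 (RSA/SHA-1), NOT RECOMMENDED
# for signing in RFC 8624. Changing to RSASHA256 or ECDSAP256SHA256 needs
# an algorithm rollover (new KSK and ZSK signing, new DS published at the
# parent, then the old keys withdrawn), not only an edit of this -a value.
cd -- /var/bind/ || exit 1
KSK=$(dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE janmg.com)
# Abort if no key name came back; otherwise dnssec-settime would be handed
# an empty argument and the failure would only surface indirectly.
: "${KSK:?dnssec-keygen produced no key name}"
dnssec-settime -I +12mo -D +13mo "${KSK}"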

ZSK

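# --- ZSK: generate a staggered pair of Zone Signing Keys and sign ---
# Two ZSKs are created so the next rollover is already staged:
#   ZSK1 is usable now, inactive (-I) at +4mo, deleted (-D) at +5mo;
#   ZSK2 is activated (-A) at +3mo, inactive at +7mo, deleted at +8mo,
# so both are published for one month before ZSK1 goes inactive.
ZSK1=$(dnssec-keygen -a NSEC3RSASHA1 -b 4096 -n ZONE janmg.com)
# Each keygen result is checked before use so an empty name cannot be
# turned into a bare ".key" argument further down.
: "${ZSK1:?dnssec-keygen produced no key name for ZSK1}"
dnssec-settime -I +4mo -D +5mo "${ZSK1}.key"
ZSK2=$(dnssec-keygen -a NSEC3RSASHA1 -b 4096 -n ZONE janmg.com)
: "${ZSK2:?dnssec-keygen produced no key name for ZSK2}"
dnssec-settime -A +3mo -I +7mo -D +8mo "${ZSK2}.key"
# Remove the previous signed output (janmg.com.signed*) before re-signing.
# NOTE(review): this happens before the new signed zone exists, so a failed
# dnssec-signzone leaves nothing for the reload below to serve.
rm -rf -- /etc/bind/zone/janmg.com.signed*
# Smart signing (-S): keys and their timing metadata are read from
# -K /var/bind/, so the settime values above decide which keys sign.
# -A sets NSEC3 opt-out, -3 supplies a 32-byte (64 hex char) salt,
# -N date derives the serial from today's date, -t prints statistics.
# NOTE(review): RFC 9276 recommends an empty NSEC3 salt (-3 -); a random
# salt is accepted but adds nothing — confirm before changing.
dnssec-signzone -A -3 "$(head -c 64 /dev/urandom | sha256sum | cut -b 1-64)" -N date -o janmg.com -t -S -K /var/bind/ /etc/bind/zone/janmg.com
service bind9 reload
tail -20f /var/log/named/janmg.log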

Update KSK on DYN

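# --- KSK rollover: emit the DS, then generate replacement keys ---
# Print the SHA-256 DS (-2) for the currently signed zone; this is the
# value registered at the parent (DYN) during the rollover.
dnssec-dsfromkey -2 -f /etc/bind/zone/janmg.com.signed janmg.com
cd -- /var/bind/ || exit 1
# New KSK with a long lifetime: inactive (-I) at +5y, deleted (-D) at +10y.
# stderr (keygen's progress output) is discarded on these lines, so the :?
# guards are the only thing that reveals a failed generation.
KSK=$(dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE janmg.com 2> /dev/null)
: "${KSK:?dnssec-keygen produced no key name for the KSK}"
dnssec-settime -I +5y -D +10y "${KSK}.key"
# NOTE(review): this reads the same signed file as the call above; keygen
# does not touch it, so the new KSK is not in this output until the zone
# has been re-signed.
dnssec-dsfromkey -2 -f /etc/bind/zone/janmg.com.signed janmg.com
# Replacement ZSK pair with the same staggered timing as the ZSK section:
# ZSK1 usable now, ZSK2 activated at +3mo with a one-month overlap.
# The original ZSK1 line passed -f KSK, which would have produced a second
# KSK (SEP flag) instead of a ZSK; the flag is dropped so the key matches
# its name and the ZSK2 line beside it.
ZSK1=$(dnssec-keygen -a NSEC3RSASHA1 -b 4096 -n ZONE janmg.com 2> /dev/null)
: "${ZSK1:?dnssec-keygen produced no key name for ZSK1}"
dnssec-settime -I +4mo -D +5mo "${ZSK1}.key"
ZSK2=$(dnssec-keygen -a NSEC3RSASHA1 -b 4096 -n ZONE janmg.com 2> /dev/null)
: "${ZSK2:?dnssec-keygen produced no key name for ZSK2}"
dnssec-settime -A +3mo -I +7mo -D +8mo "${ZSK2}.key"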

ZSK

# Ask the local server for the A record with its RRSIGs (+dnssec), printed
# in readable form (+multiline) and without the additional section.
dig +dnssec +multiline +noadditional A janmg.com. @localhost

Sign Zone

# Re-signing procedure for janmg.com. Interactive and order-dependent: the
# zone is signed, the unsigned file's serial is bumped, the zone is signed
# again, and only then is named reloaded and the result checked.
# /usr/sbin/zonesigner.sh is a local script; its contents are not shown here.
/usr/sbin/zonesigner.sh
# Fresh ZSK (no -f KSK) written to the current directory.
dnssec-keygen -a NSEC3RSASHA1 -b 4096 -n ZONE janmg.com
# Manual edit of the unsigned zone file (what is changed is not recorded here).
sudo vi /etc/bind/zone/janmg.com
sudo service named restart
# NSEC3 opt-out (-A), fresh 8-byte (16 hex char) salt (-3), incremented SOA
# serial (-N INCREMENT), statistics (-t). The second run adds -z (ignore the
# KSK flag, i.e. sign with every key) and sudo; output lands next to the
# zone as janmg.com.signed.
dnssec-signzone -A -3 $(head -c 1000 /dev/urandom | sha256sum | cut -b 1-16) -N INCREMENT -o janmg.com -t /etc/bind/zone/janmg.com
sudo dnssec-signzone -A -3 $(head -c 1000 /dev/urandom | sha256sum | cut -b 1-16) -N INCREMENT -o janmg.com -z -t /etc/bind/zone/janmg.com
cat /etc/bind/zone/janmg.com
# Bump the SOA serial in the unsigned zone: take the 10-digit number
# named-checkzone reports, increment it if it is already dated today
# (YYYYMMDDnn), otherwise restart it at today's date followed by 01.
# NOTE(review): the sed replaces the first occurrence of those digits on any
# line; nothing anchors it to the SOA record.
SERIAL=$(/usr/sbin/named-checkzone janmg.com /etc/bind/zone/janmg.com | egrep -ho '[0-9]{10}')
DATE=$(date -u +"%Y%m%d")
if [[ "${SERIAL}" =~ "${DATE}".* ]];
then
  sed -i 's/'$SERIAL'/'$(($SERIAL+1))'/' /etc/bind/zone/janmg.com
else
  sed -i 's/'$SERIAL'/'${DATE}01'/' /etc/bind/zone/janmg.com
fi
# Sign once more so the signed zone carries the bumped serial, then reload.
dnssec-signzone -A -3 $(head -c 1000 /dev/urandom | sha256sum | cut -b 1-16) -N INCREMENT -o janmg.com -z -t /etc/bind/zone/janmg.com
service named reload
# Verify: the published DNSKEY RRset, the A record with RRSIGs from the
# local server, and the same query through the system resolver.
dig DNSKEY janmg.com. @localhost +multiline
dig A janmg.com. @localhost +noadditional +dnssec +multiline
dig A janmg.com. +noadditional +dnssec +multiline

https://dnssec-debugger.verisignlabs.com/janmg.com

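# Show the current SOA, generate a further KSK, and list the DNSKEY RRset
# the local server publishes.
dig janmg.com soa
cd -- /var/bind/ || exit 1
# stderr (keygen's progress output) is discarded, so the guard below is what
# reveals a failed generation.
# NOTE(review): each run of this fragment leaves another KSK file in
# /var/bind with default timing metadata; dnssec-keygen publishes and
# activates keys immediately by default, so a later -S signing run would
# pick it up — confirm that is intended.
DNSKEY=$(dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE janmg.com 2> /dev/null)
: "${DNSKEY:?dnssec-keygen produced no key name}"
dig DNSKEY janmg.com. @localhost +multiline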

Systemd resolved

# Host using systemd-resolved and netplan: restart the stub resolver and
# show its state, then edit the network config and apply it. The edit is
# manual, so the generate/apply steps depend on it having been done first.
sudo service systemd-resolved restart
sudo systemd-resolve --status
# Manual edit of the netplan config (contents not recorded here).
vi /etc/netplan/01-netcfg.yaml
netplan generate
netplan apply

ZSK Rollover

# Staged ZSK rollover driven by dnssec-reverb from cron, at 06:00 on the
# 1st of the month (fields: minute hour day-of-month month day-of-week),
# one step per month of a four-month cycle: add the successor key, switch
# signing to it, then remove the retired key. example.org is a placeholder
# zone; the rest of this page works on janmg.com.
0       6      1       feb,jun,oct *   dnssec-reverb -s zsk-add example.org
0       6       1      mar,jul,nov *   dnssec-reverb -s zsk-roll example.org
0       6       1      apr,aug,dec *   dnssec-reverb -s zsk-rmold example.org