DNSSEC
https://www.iana.org/domains/root/servers
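# Delegation / DNSSEC inventory for a domain, one command per line
# (the original note had all of them collapsed onto a few lines).
whois islief.com
dig +short NS islief.com
dig +short SOA islief.com
# DS lives in the parent zone, DNSKEY in the zone itself; both must agree
# for the chain of trust to validate.
dig +short DS islief.com
dig +short DNSKEY islief.com
dig +short A islief.com
dig +short AAAA islief.com
dig +short MX islief.com
# Follow the referral chain from the root down, printing every answer.
dig +trace +all www.islief.com
# Ask a root server and a .com server directly to compare their referrals.
dig com @f.root-servers.net
dig islief.com @g.gtld-servers.net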
dnssec-settime -I +172800 -D +345600 Kjanmg.com.+005+12332.key dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE janmg.com dig A janmg.com. @localhost +noadditional +dnssec +multiline
https://manager.linode.com/dns/domain%5Fslave/janmg%2Ecom
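# Manual key generation and first signing, one command per line
# (originally collapsed onto a single line).
cd /var/bind/ || exit 1
dnssec-keygen -a NSEC3RSASHA1 -b 4096 -n ZONE janmg.com
dnssec-settime -I +172800 -D +345600 Kjanmg.com.+005+12332.key
dig A janmg.com. @localhost +noadditional +dnssec +multiline
dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE janmg.com
sudo vi /etc/bind/zone/janmg.com
sudo service named restart
# -3 <salt>: random 16-hex-char (8 byte) NSEC3 salt; -A enables NSEC3 opt-out,
# which leaves unsigned delegations uncovered by the NSEC3 chain and is only
# meant for large delegation-heavy zones.  -N INCREMENT bumps the SOA serial.
dnssec-signzone -A -3 "$(head -c 1000 /dev/urandom | sha256sum | cut -b 1-16)" -N INCREMENT -o janmg.com -t /etc/bind/zone/janmg.com
# Same again under sudo, with -z (ignore the KSK flag when choosing signing keys).
sudo dnssec-signzone -A -3 "$(head -c 1000 /dev/urandom | sha256sum | cut -b 1-16)" -N INCREMENT -o janmg.com -z -t /etc/bind/zone/janmg.com
cat /etc/bind/zone/janmg.com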
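#######################################
# Bump the SOA serial of a zone file that uses YYYYMMDDnn serials.
# Same UTC day as the current serial: increment nn; any other day: start
# over at today's date followed by 01.
# Arguments:
#   $1 - zone name (passed to named-checkzone)
#   $2 - zone file, rewritten in place
#   $3 - (optional) current serial; when omitted it is read from the
#        "loaded serial N" line that named-checkzone prints
# Returns: 0 after rewriting the file, 1 if no numeric serial was found
#          (the original ran sed with an empty pattern in that case)
#######################################
bump_zone_serial() {
  local zone=$1 zonefile=$2 serial=${3-}
  local today next
  today=$(date -u +%Y%m%d)
  if [[ -z "$serial" ]]; then
    # Take the number from the "loaded serial" line only, not the first
    # 10-digit number anywhere in the output.
    serial=$(/usr/sbin/named-checkzone "$zone" "$zonefile" \
      | awk '/loaded serial/ { print $NF; exit }')
  fi
  # The serial is interpolated into a sed pattern below, so accept digits only.
  if [[ ! "$serial" =~ ^[0-9]+$ ]]; then
    printf 'bump_zone_serial: no serial found for %s in %s\n' "$zone" "$zonefile" >&2
    return 1
  fi
  if [[ "$serial" == "$today"* ]]; then
    next=$((10#$serial + 1))   # 10# keeps a leading zero from being read as octal
  else
    next="${today}01"
  fi
  # \b stops the serial from matching inside a longer number (GNU sed, as is -i).
  sed -i "s/\\b${serial}\\b/${next}/" -- "$zonefile"
}

bump_zone_serial janmg.com /etc/bind/zone/janmg.com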
chown named:named /var/bind/K* chown named:named /etc/bind/zone tail -f /var/log/named/janmg.log sudo dnssec-dsfromkey -2 -f /etc/bind/zone/janmg.com.signed janmg.com
https://account.dyn.com/dns/domain-registration/dnssec.html?name=janmg.com
dig A janmg.com. +noadditional +dnssec +multiline
https://dnssec-debugger.verisignlabs.com/janmg.com
https://www.cloudflare.com/dns/dnssec/how-dnssec-works/
https://blog.webernetz.net/dnssec-zsk-key-rollover/
https://account.dyn.com/dns/domain-registration/dnssec.html?name=janmg.com
https://manager.linode.com/dns/domain%5Fslave/janmg%2Ecom
https://dnssec-debugger.verisignlabs.com/janmg.com
http://dnsviz.net/d/janmg.com/dnssec/
DNS Key
DNSKEY - Contains a public signing key (KSK or ZSK)
DS - Contains the hash of a DNSKEY record
KSK - Key-Signing Keys
ZSK - Zone-Signing Keys
RRSIG - Contains a cryptographic signature
RRset - All resource records that share the same name and type (what one RRSIG covers)
NSEC and NSEC3 - Provide authenticated denial of existence for a name or record type
Ubuntu: AppArmor
KSK
Key-signing keys sign the zone's key set (the DNSKEY RRset); their DS records are registered in the parent zone, one level up in the DNS hierarchy.
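# Generate the KSK and give it a lifetime: inactive (-I) after 12 months,
# deleted (-D) after 13.  The key id printed on stdout is kept in KSK.
# NSEC3RSASHA1 (SHA-1) is NOT RECOMMENDED for signing by RFC 8624; RSASHA256
# or ECDSAP256SHA256 are the current choices for a new zone.
cd /var/bind/ || exit 1
KSK=$(dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE janmg.com) || exit 1
dnssec-settime -I +12mo -D +13mo "${KSK}.key"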
ZSK
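# Two ZSKs: ZSK1 is active now (inactive after 4 months, deleted after 5);
# ZSK2 is pre-published and only becomes active (-A) in 3 months, so the
# rollover happens on key timing alone.
ZSK1=$(dnssec-keygen -a NSEC3RSASHA1 -b 4096 -n ZONE janmg.com) || exit 1
dnssec-settime -I +4mo -D +5mo "${ZSK1}.key"
ZSK2=$(dnssec-keygen -a NSEC3RSASHA1 -b 4096 -n ZONE janmg.com) || exit 1
dnssec-settime -A +3mo -I +7mo -D +8mo "${ZSK2}.key"
# Only the signed output is removed; plain files, so -r is not needed.
rm -f -- /etc/bind/zone/janmg.com.signed*
# 32-byte random NSEC3 salt (RFC 9276 says a salt adds nothing; "-3 -" gives an
# empty one).  -A opt-out leaves unsigned delegations uncovered and is meant for
# large delegation-heavy zones.  -S picks keys by their timing metadata from -K.
salt=$(head -c 64 /dev/urandom | sha256sum | cut -b 1-64)
dnssec-signzone -A -3 "$salt" -N date -o janmg.com -t -S -K /var/bind/ /etc/bind/zone/janmg.com
service bind9 reload
tail -n 20 -f /var/log/named/janmg.log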
Update the KSK's DS record at Dyn
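# DS (SHA-256 digest) of the KSK currently in the signed zone, for the registrar.
dnssec-dsfromkey -2 -f /etc/bind/zone/janmg.com.signed janmg.com
cd /var/bind/ || exit 1
# New long-lived KSK: inactive after 5 years, deleted after 10.
KSK=$(dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE janmg.com 2>/dev/null) || exit 1
dnssec-settime -I +5y -D +10y "${KSK}.key"
# Read the DS straight from the new key file: the .signed zone only carries the
# new KSK after the next dnssec-signzone run, so -f on it would repeat the old DS.
dnssec-dsfromkey -2 "${KSK}.key"
# ZSKs carry no -f KSK flag (the original passed it here too, which would have
# made "ZSK1" a second key-signing key and left ZSK2 as the only zone-signing key).
ZSK1=$(dnssec-keygen -a NSEC3RSASHA1 -b 4096 -n ZONE janmg.com 2>/dev/null) || exit 1
dnssec-settime -I +4mo -D +5mo "${ZSK1}.key"
ZSK2=$(dnssec-keygen -a NSEC3RSASHA1 -b 4096 -n ZONE janmg.com 2>/dev/null) || exit 1
dnssec-settime -A +3mo -I +7mo -D +8mo "${ZSK2}.key"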
ZSK
dig A janmg.com. @localhost +noadditional +dnssec +multiline
Sign Zone
# Helper script for signing; its contents are not part of these notes.
/usr/sbin/zonesigner.sh
# Plain ZSK (no -f KSK).  NSEC3RSASHA1 is SHA-1 based and NOT RECOMMENDED for
# signing by RFC 8624.
dnssec-keygen -a NSEC3RSASHA1 -b 4096 -n ZONE janmg.com
sudo vi /etc/bind/zone/janmg.com
sudo service named restart
# -3 <salt>: random 8-byte NSEC3 salt; -A: NSEC3 opt-out (only meant for large
# delegation-heavy zones); -N INCREMENT: bump the SOA serial; -t: print stats.
dnssec-signzone -A -3 $(head -c 1000 /dev/urandom | sha256sum | cut -b 1-16) -N INCREMENT -o janmg.com -t /etc/bind/zone/janmg.com
# Same again under sudo (presumably because the first run lacked permissions)
# with -z, which ignores the KSK flag when choosing signing keys.
sudo dnssec-signzone -A -3 $(head -c 1000 /dev/urandom | sha256sum | cut -b 1-16) -N INCREMENT -o janmg.com -z -t /etc/bind/zone/janmg.com
cat /etc/bind/zone/janmg.com
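#######################################
# Bump the SOA serial of a zone file that uses YYYYMMDDnn serials.
# Same UTC day as the current serial: increment nn; any other day: start
# over at today's date followed by 01.
# Arguments:
#   $1 - zone name (passed to named-checkzone)
#   $2 - zone file, rewritten in place
#   $3 - (optional) current serial; when omitted it is read from the
#        "loaded serial N" line that named-checkzone prints
# Returns: 0 after rewriting the file, 1 if no numeric serial was found
#          (the original ran sed with an empty pattern in that case)
#######################################
bump_zone_serial() {
  local zone=$1 zonefile=$2 serial=${3-}
  local today next
  today=$(date -u +%Y%m%d)
  if [[ -z "$serial" ]]; then
    # Take the number from the "loaded serial" line only, not the first
    # 10-digit number anywhere in the output.
    serial=$(/usr/sbin/named-checkzone "$zone" "$zonefile" \
      | awk '/loaded serial/ { print $NF; exit }')
  fi
  # The serial is interpolated into a sed pattern below, so accept digits only.
  if [[ ! "$serial" =~ ^[0-9]+$ ]]; then
    printf 'bump_zone_serial: no serial found for %s in %s\n' "$zone" "$zonefile" >&2
    return 1
  fi
  if [[ "$serial" == "$today"* ]]; then
    next=$((10#$serial + 1))   # 10# keeps a leading zero from being read as octal
  else
    next="${today}01"
  fi
  # \b stops the serial from matching inside a longer number (GNU sed, as is -i).
  sed -i "s/\\b${serial}\\b/${next}/" -- "$zonefile"
}

bump_zone_serial janmg.com /etc/bind/zone/janmg.com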
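# Re-sign with a random 8-byte NSEC3 salt (-A opt-out, -N INCREMENT serial bump,
# -z ignore the KSK flag when choosing signing keys), then reload and verify
# locally and through the system resolver.  One command per line; the original
# note had the reload and the three dig queries collapsed onto one line.
dnssec-signzone -A -3 "$(head -c 1000 /dev/urandom | sha256sum | cut -b 1-16)" -N INCREMENT -o janmg.com -z -t /etc/bind/zone/janmg.com
service named reload
dig DNSKEY janmg.com. @localhost +multiline
dig A janmg.com. @localhost +noadditional +dnssec +multiline
dig A janmg.com. +noadditional +dnssec +multiline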
https://dnssec-debugger.verisignlabs.com/janmg.com
dig janmg.com soa cd /var/bind/ DNSKEY=$(dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE janmg.com 2> /dev/null) dig DNSKEY janmg.com. @localhost +multiline
systemd-resolved
sudo service systemd-resolved restart sudo systemd-resolve --status vi /etc/netplan/01-netcfg.yaml netplan generate netplan apply
ZSK Rollover
0 6 1 feb,jun,oct * dnssec-reverb -s zsk-add example.org 0 6 1 mar,jul,nov * dnssec-reverb -s zsk-roll example.org 0 6 1 apr,aug,dec * dnssec-reverb -s zsk-rmold example.org