Line 8: |
Line 8: |
| | | |
| * [[User:Bernie|Bernie Innocenti]] | | * [[User:Bernie|Bernie Innocenti]] |
− | * [[User:dogi|Stefan Unterhauser]]
| |
− | * [[User:sascha_silbe|Sascha Silbe]]
| |
| | | |
| (please use preferably the administrative address) | | (please use preferably the administrative address) |
Line 27: |
Line 25: |
| ! '''ns1.sugarlabs.org''' | | ! '''ns1.sugarlabs.org''' |
| | lightwave | | | lightwave |
− | | FSF, Boston, USA | + | | Sonic, Santa Rosa CA, USA |
− | | 140.186.70.102 | + | | 192.184.220.216 |
− | | 2002:8cba:4666::1 | + | | 2001:5a8:601:f::216/64 |
| |- | | |- |
| | ns2.sugarlabs.net | | | ns2.sugarlabs.net |
| | sunjammer | | | sunjammer |
| | FSF, Boston, USA | | | FSF, Boston, USA |
− | | 140.186.70.53 | + | | 208.118.235.53 |
− | | 2002:8cba:4635::1 | + | | 2001:470:142:7::11 |
| |- | | |- |
| | ns1.codewiz.org | | | ns1.codewiz.org |
− | | trinity | + | | neo |
| | Develer, Firenze, Italy | | | Develer, Firenze, Italy |
− | | 83.149.158.210 | + | | 2.228.72.10 |
− | | 2002:5395:9ed2::1 | + | | 2001:b02:400:1::10 |
| |} | | |} |
| | | |
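Review bot: the new IPv6 entry for ns1.sugarlabs.org (lightwave), `2001:5a8:601:f::216/64`, carries a prefix length while every other row in this table is a single host address; drop the `/64` so it reads `2001:5a8:601:f::216`, otherwise the value gets copied into a zone file as AAAA rdata and rejected. Also, the IPv4 given here for sunjammer (ns2.sugarlabs.net), `208.118.235.53`, disagrees with the validation output further down in this same diff, where `sunjammer.sugarlabs.org has address 209.51.188.53` with the identical IPv6 `2001:470:142:7::11`; one of the two is stale and should be corrected so the table matches what the resolvers return.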
Line 55: |
Line 53: |
| git clone lightwave.sugarlabs.org:/var/lib/bind/etc/bind ns | | git clone lightwave.sugarlabs.org:/var/lib/bind/etc/bind ns |
| | | |
− | Do not checkout the repository as root. Your user on [[Machine/lightwave]] needs to be in group hostmaster.
| + | '''NOTE:''' Your user on [[Machine/lightwave]] needs to be in group hostmaster. Do not clone the repo on lightwave, clone it to your local host. |
| | | |
− | In order to make changes, you will also need the private keys for your domain. For security reasons, these
| + | To push changes, you will also need the DNSSEC private keys for your domain. For security reasons, these |
| are not kept on the master DNS itself. Ask one of the other hostmasters for a copy and put it in the keys/ | | are not kept on the master DNS itself. Ask one of the other hostmasters for a copy and put it in the keys/ |
| directory alongside the public keys. | | directory alongside the public keys. |
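Review bot: the rewritten note says to clone the bind repository from lightwave to a local host and to put DNSSEC private keys obtained from another hostmaster into `keys/` "alongside the public keys", but it does not say whether that directory (`ns/keys/` in the clone) is under version control. Since the same paragraph states the private keys are deliberately not kept on the master, the page should state that the `.private` key files are excluded from the repository (for example via `.gitignore`) so a later `git push` does not put them back on lightwave, and should say over what channel the copy is to be obtained from the other hostmaster.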
Line 88: |
Line 86: |
| * make BIND reload its configuration | | * make BIND reload its configuration |
| * watch BIND's log file to ensure there are no errors and slaves are actually transferring the changed zones | | * watch BIND's log file to ensure there are no errors and slaves are actually transferring the changed zones |
| + | |
| + | For other domains hosted on Sugar Labs infrastructure (such as eg. somosazucar.org) use: |
| + | |
| + | ./update-zone turtleartday.org |
| + | |
| + | This will check the zone before pushing. |
| | | |
| == GIT repository implementation details == | | == GIT repository implementation details == |
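Review bot: the new example for other hosted domains names somosazucar.org in the sentence but runs `./update-zone turtleartday.org` in the command; use the same domain in both, and "such as eg." should be just "such as". It would also help to say what "check the zone before pushing" means (a `named-checkzone` run, a signing dry run, or both) and whether `update-zone` also performs the reload and log check that the two bullets above describe as manual steps, so readers know which steps the script replaces.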
Line 98: |
Line 102: |
| | | |
| === How to create keys for a new domain === | | === How to create keys for a new domain === |
− | dnssec-keygen -r/dev/random -a RSASHA1 -b 1024 -n ZONE codewiz.org
| |
− | dnssec-keygen -r/dev/random -f KSK -a RSASHA1 -b 1280 -n ZONE codewiz.org
| |
| | | |
− | === How to manually sign a zone ===
| + | We standardized on algorithm 13 (ECDSAP256SHA256) because it's what RFC 8624 recommends and what Cloudflare uses: |
− | dnssec-signzone -o codewiz.org -K keys masters/codewiz.org.zone
| |
− | /etc/init.d/bind9 restart
| |
| | | |
− | === How to publish DLV records ===
| + | cd keys |
| + | dnssec-keygen -K keys -3 -a ECDSAP256SHA256 -n ZONE codewiz.org |
| + | dnssec-keygen -K keys -3 -a ECDSAP256SHA256 -n ZONE -f KSK codewiz.org |
| | | |
− | Go to dlv.isc.org and upload the two DNSKEY records for each zone, then follow the instructions to validate them.
| + | === How to manually sign a zone === |
− | This is the end result:
| + | Normally, you should use the update-zone script |
| | | |
− | * sugarlabs.org: https://dlv.isc.org/zones/3609
| + | dnssec-signzone -S -e +31536000 -K keys -d keys -o codewiz.org masters/codewiz.org.zone |
− | * sugarlabs.net: https://dlv.isc.org/zones/3612
| + | systemctl restart bind9 |
− | * codewiz.org: https://dlv.isc.org/zones/3607
| |
| | | |
| === Add DS records to TLD === | | === Add DS records to TLD === |
| | | |
− | This step must be done by the registrar. | + | This step must be performed using the interface of the registrar (I used name.com). |
| | | |
− | I've opened a support ticket on [http://joker.com/ Joker] asking to add
| + | The data to copy is written by dnssec-signzone to the file keys/dsset-DOMAIN and looks like this: |
− | support for DS records. If they can't do it, we need to transfer
| |
− | sugarlabs.org to another registrar. At this time, the only decent choice
| |
− | for a DNSSEC enabled registrar is [http://name.com/ name.com].
| |
| | | |
| + | codewiz.org. IN DS 53631 13 2 C31F7790197F0DC5CE7726F731FA55A9189289540749A68A937BFD09 797D72E6 |
| | | |
| === How to validate zone data === | | === How to validate zone data === |
| + | |
| + | ==== Online validators ==== |
| + | * https://dnssec-analyzer.verisignlabs.com/codewiz.org |
| + | * https://dnsviz.net/d/codewiz.org/dnssec/ |
| + | |
| + | ==== CLI tools ==== |
| | | |
| * Validate zone data with dig: | | * Validate zone data with dig: |
− | dig +dnssec +multiline -t ns codewiz.org. @localhost | grep ad | + | dig +dnssec +multiline -t ns codewiz.org. @1.1.1.1 | grep ad |
| + | ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1 |
| | | |
| * Validate zone data against domain DNSKEY: | | * Validate zone data against domain DNSKEY: |
− | unbound-host -y 'codewiz.org. IN DNSKEY 256 3 5 AwEAAa3dS5/3fkGXuqXft2dN/UPUivGqiYzZF+jWcow8LTAnlsoYaJFB VMAlJWbC6FFI7AMjoJYpmoeDMgHd4BtVqZO2ikx5zc48CtOUHUdXs7nw fMSQoVOnplpTKH2AgyRfDqYhtosP0euyJQNZI+NiYneZb1o1Ys7PE87Y 7FamjXwV' -v codewiz.org | + | $ unbound-host -y 'codewiz.org. DNSKEY 256 3 13 IbIcUsP+G7cnSmi12BpuiMjM9LnqvDaRS+qiquGKXxH/qAuOGlODFA4E 18O1OErfu0CkFjg6JEynOG6cSR40yg==' -v codewiz.org |
− | | + | codewiz.org has address 209.51.188.53 (secure) |
− | * Validate zone data against domain DS key:
| + | codewiz.org has IPv6 address 2001:470:142:7::11 (secure) |
− | unbound-host -y 'codewiz.org. IN DS 58126 5 2 96BF1964F3EA9885F5DE83DA14419F55F579A42BC18759C1B79BDE64 7587CFA8' -v codewiz.org | + | codewiz.org mail is handled by 10 neo.develer.net. (secure) |
− | | |
− | * Validate zone data against root DNSKEY:
| |
− | unbound-host -y '. DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=' -v codewiz.org
| |
| | | |
− | * Validate zone data online: | + | * Validate zone data against a domain's DS key: |
− | http://secspider.cs.ucla.edu/codewiz-org--zone.html | + | unbound-host -f keys/dsset-sugarlabs.org. -v sugarlabs.org |
| + | sugarlabs.org has address 185.199.111.153 (secure) |
| + | sugarlabs.org has address 185.199.110.153 (secure) |
| + | sugarlabs.org has no IPv6 address (secure) |
| + | sugarlabs.org mail is handled by 10 mail0.codewiz.org. (secure) |
| + | sugarlabs.org mail is handled by 20 sunjammer.sugarlabs.org. (secure) |
| | | |
− | === DNSSEC tutorial ===
| + | * Validate zone data against the root DNSKEY: |
− | http://www.nlnetlabs.nl/publications/dnssec_howto/index.html#x1-290003.4
| + | unbound-host -D -v wiki.sugarlabs.org |
| + | wiki.sugarlabs.org is an alias for sunjammer.sugarlabs.org. (secure) |
| + | sunjammer.sugarlabs.org has address 209.51.188.53 (secure) |
| + | sunjammer.sugarlabs.org has IPv6 address 2001:470:142:7::11 (secure) |
| + | sunjammer.sugarlabs.org has no mail handler record (secure) |
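Review bot: the key-generation block first runs `cd keys` and then passes `-K keys` to both `dnssec-keygen` calls, so the keys would be written to `keys/keys/`, which does not exist; either drop the `cd keys` line or drop `-K keys` (the later `dnssec-signzone -K keys -d keys` expects the files directly under `keys/`, and the DS data is said to land in `keys/dsset-DOMAIN`). Two smaller points in the same region: `dnssec-signzone -e +31536000` gives every RRSIG a one-year validity, so a zone that is not re-signed keeps verifying stale data for a year and the page should state how often re-signing happens (if `update-zone` re-signs on every change, say so here, since the section calls it the normal path); and `systemctl restart bind9` after signing restarts the whole daemon where the "reload its configuration" step listed earlier (`rndc reload`) would suffice. Finally, `dig +dnssec ... | grep ad` matches any line containing the substring "ad", including the base64 RRSIG data that `+dnssec` prints, so `grep -w ad` or `grep 'flags:'` pins the check to the header line shown in the expected output.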