Service/Nameservers: Difference between revisions

Line 104:

=== How to create keys for a new domain ===

cd keys

dnssec-keygen ~~-r/dev/random~~ -a RSASHA1 -b 1024 -n ZONE codewiz.org

dnssec-keygen -a RSASHA1 -b 1024 -n ZONE codewiz.org

dnssec-keygen ~~-r/dev/random -f KSK~~ -a RSASHA1 -b ~~1280~~ -n ZONE codewiz.org

dnssec-keygen -a RSASHA1 -b 2048 -n ZONE -f KSK codewiz.org

~~(the above commands take a very long time!)~~

=== How to manually sign a zone ===

~~dnssec~~-~~signzone -o codewiz.org -K keys masters/codewiz.org.~~zone

Normally, you should use the update-zone script

~~/etc/init.d/bind9 restart~~

~~=== How to publish DLV records ===~~

dnssec-signzone -S -e +31536000 -K keys -d keys -o codewiz.org masters/codewiz.org.zone

systemctl restart bind9

~~Go to dlv.isc.org and upload the two DNSKEY~~ records ~~for each zone, then follow the instructions~~ to ~~validate them.~~

=== Add DS records to TLD ===

~~This is the end result:~~

* sugarlabs.~~org: https://dlv~~.~~isc.org/zones/3609~~

This step must be performed using the interface of the registrar (I used name.com).

* sugarlabs.net: https://dlv.isc.org/zones/3612

* codewiz.org: https://dlv.isc.org/zones/3607

~~=== Add DS records~~ to ~~TLD ===~~

The data to copy is written by dnssec-signzone to the file keys/dsset-DOMAIN and looks like this:

~~This step must be done by the registrar~~.

codewiz.org. IN DS 7082 8 2 422B9AD0529099938BAB245BD189BBCF485A9194FC35BA3BB04894E9 C914554A

codewiz.org. IN DS 53631 13 2 C31F7790197F0DC5CE7726F731FA55A9189289540749A68A937BFD09 797D72E6

~~I've opened a support ticket on [http://joker.com/ Joker] asking~~ to ~~add~~

=== How to validate zone data ===

~~support for DS records. If they can't do it, we need to transfer~~

~~sugarlabs.org to another registrar. At this time, the only decent choice~~

~~for a DNSSEC enabled registrar is [http://name.com/ name.com].~~

* Online validators

https://dnssec-analyzer.verisignlabs.com/codewiz.org

~~=== How to validate zone data ===~~

* Validate zone data with dig:

dig +dnssec +multiline -t ns codewiz.org. @~~localhost~~ | grep ad

dig +dnssec +multiline -t ns codewiz.org. @1.1.1.1 | grep ad

* Validate zone data against domain DNSKEY:

Line 145:

Line 139:

* Validate zone data against root DNSKEY:

unbound-host -y '. DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=' -v codewiz.org

* Validate zone data online:

~~http://secspider.cs.ucla.edu/codewiz-org--zone.html~~

~~=== DNSSEC tutorial ===~~

~~http://www.nlnetlabs.nl/publications/dnssec_howto/index.html#x1-290003.4~~

@@ Line 104: / Line 104: @@
 === How to create keys for a new domain ===
   cd keys
-  dnssec-keygen -r/dev/random -a RSASHA1 -b 1024 -n ZONE codewiz.org
+  dnssec-keygen -a RSASHA1 -b 1024 -n ZONE codewiz.org
-  dnssec-keygen -r/dev/random -f KSK -a RSASHA1 -b 1280 -n ZONE codewiz.org
+  dnssec-keygen -a RSASHA1 -b 2048 -n ZONE -f KSK codewiz.org
-(the above commands take a very long time!)
 === How to manually sign a zone ===
- dnssec-signzone -o codewiz.org -K keys masters/codewiz.org.zone
+Normally, you should use the update-zone script
- /etc/init.d/bind9 restart
-=== How to publish DLV records ===
+ dnssec-signzone -S -e +31536000 -K keys -d keys -o codewiz.org masters/codewiz.org.zone
+ systemctl restart bind9
-Go to dlv.isc.org and upload the two DNSKEY records for each zone, then follow the instructions to validate them.
+=== Add DS records to TLD ===
-This is the end result:
-* sugarlabs.org: https://dlv.isc.org/zones/3609
+This step must be performed using the interface of the registrar (I used name.com).
-* sugarlabs.net: https://dlv.isc.org/zones/3612
-* codewiz.org: https://dlv.isc.org/zones/3607
-=== Add DS records to TLD ===
+The data to copy is written by dnssec-signzone to the file keys/dsset-DOMAIN and looks like this:
-This step must be done by the registrar.
+  codewiz.org.            IN DS 7082 8 2 422B9AD0529099938BAB245BD189BBCF485A9194FC35BA3BB04894E9 C914554A
+  codewiz.org.            IN DS 53631 13 2 C31F7790197F0DC5CE7726F731FA55A9189289540749A68A937BFD09 797D72E6
-I've opened a support ticket on [http://joker.com/ Joker] asking to add
+=== How to validate zone data ===
-support for DS records. If they can't do it, we need to transfer
-sugarlabs.org to another registrar. At this time, the only decent choice
-for a DNSSEC enabled registrar is [http://name.com/ name.com].
+* Online validators
+ https://dnssec-analyzer.verisignlabs.com/codewiz.org
-=== How to validate zone data ===
 * Validate zone data with dig:
-  dig +dnssec +multiline -t ns codewiz.org. @localhost | grep ad
+  dig +dnssec +multiline -t ns codewiz.org. @1.1.1.1 | grep ad
 * Validate zone data against domain DNSKEY:
@@ Line 145: / Line 139: @@
 * Validate zone data against root DNSKEY:
   unbound-host  -y '. DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=' -v  codewiz.org
-* Validate zone data online:
- http://secspider.cs.ucla.edu/codewiz-org--zone.html
-=== DNSSEC tutorial ===
-http://www.nlnetlabs.nl/publications/dnssec_howto/index.html#x1-290003.4