Changes

344 bytes removed, 00:41, 6 February 2022
Refresh DNSSEC docs
Line 104: Line 104:  
=== How to create keys for a new domain ===
 
=== How to create keys for a new domain ===
 
  cd keys
 
  cd keys
  dnssec-keygen -r/dev/random -a RSASHA1 -b 1024 -n ZONE codewiz.org
+
  dnssec-keygen -a RSASHA1 -b 1024 -n ZONE codewiz.org
  dnssec-keygen -r/dev/random -f KSK -a RSASHA1 -b 1280 -n ZONE codewiz.org
+
  dnssec-keygen -a RSASHA1 -b 2048 -n ZONE -f KSK codewiz.org
 
  −
(the above commands take a very long time!)
      
=== How to manually sign a zone ===
 
=== How to manually sign a zone ===
dnssec-signzone -o codewiz.org -K keys masters/codewiz.org.zone
+
Normally, you should use the update-zone script
/etc/init.d/bind9 restart
     −
=== How to publish DLV records ===
+
dnssec-signzone -S -e +31536000 -K keys -d keys -o codewiz.org masters/codewiz.org.zone
 +
systemctl restart bind9
   −
Go to dlv.isc.org and upload the two DNSKEY records for each zone, then follow the instructions to validate them.
+
=== Add DS records to TLD ===
This is the end result:
     −
* sugarlabs.org: https://dlv.isc.org/zones/3609
+
This step must be performed using the interface of the registrar (I used name.com).
* sugarlabs.net: https://dlv.isc.org/zones/3612
  −
* codewiz.org: https://dlv.isc.org/zones/3607
     −
=== Add DS records to TLD ===
+
The data to copy is written by dnssec-signzone to the file keys/dsset-DOMAIN and looks like this:
   −
This step must be done by the registrar.  
+
  codewiz.org.            IN DS 7082 8 2 422B9AD0529099938BAB245BD189BBCF485A9194FC35BA3BB04894E9 C914554A
 +
  codewiz.org.            IN DS 53631 13 2 C31F7790197F0DC5CE7726F731FA55A9189289540749A68A937BFD09 797D72E6
   −
I've opened a support ticket on [http://joker.com/ Joker] asking to add
+
=== How to validate zone data ===
support for DS records. If they can't do it, we need to transfer
  −
sugarlabs.org to another registrar. At this time, the only decent choice
  −
for a DNSSEC enabled registrar is [http://name.com/ name.com].
      +
* Online validators
 +
https://dnssec-analyzer.verisignlabs.com/codewiz.org
   −
=== How to validate zone data ===
      
* Validate zone data with dig:
 
* Validate zone data with dig:
  dig +dnssec +multiline -t ns codewiz.org. @localhost | grep ad
+
  dig +dnssec +multiline -t ns codewiz.org. @1.1.1.1 | grep ad
    
* Validate zone data against domain DNSKEY:
 
* Validate zone data against domain DNSKEY:
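Review bot: the two new `dnssec-keygen` lines keep `-a RSASHA1` (algorithm 5), yet the DS records added further down in this hunk (`IN DS 7082 8 2 ...` and `IN DS 53631 13 2 ...`) carry algorithm numbers 8 (RSASHA256) and 13 (ECDSAP256SHA256), so the documented keygen commands cannot have produced the documented DS records; regenerate the example with `-a RSASHA256` or `-a ECDSAP256SHA256` so the two sections agree (RSASHA1 is not recommended for new signing keys per RFC 8624, and a 1024-bit ZSK is below current guidance). The added sentence `Normally, you should use the update-zone script` needs the script's path and a line on what it runs, and `-e +31536000` in the new `dnssec-signzone` line sets a one-year RRSIG validity, which deserves a sentence on how re-signing is scheduled so signatures do not expire and take the zone down. On the `dig ... @1.1.1.1 | grep ad` line, `grep ad` also matches `ad` inside RRSIG base64 data; `grep -w ad` or `grep 'flags:'` pins the check to the AD flag. Removing the DLV section is correct, since ISC decommissioned the dlv.isc.org registry in 2017; saying so in a short note would help readers who still find DLV in older guides.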
Line 145: Line 139:  
* Validate zone data against root DNSKEY:
 
* Validate zone data against root DNSKEY:
 
  unbound-host  -y '. DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=' -v  codewiz.org
 
  unbound-host  -y '. DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=' -v  codewiz.org
  −
* Validate zone data online:
  −
http://secspider.cs.ucla.edu/codewiz-org--zone.html
  −
  −
=== DNSSEC tutorial ===
  −
http://www.nlnetlabs.nl/publications/dnssec_howto/index.html#x1-290003.4
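Review bot: the unchanged `unbound-host -y '. DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR...'` line pins the 2010 root KSK (key tag 19036), which was retired in the October 2018 root KSK rollover, so validation against it no longer reflects the live root and a "Refresh DNSSEC docs" change should replace it with the current KSK-2017 trust anchor (key tag 20326) or, better, read the anchor from a file kept current by `unbound-anchor` (`-f`) so the example does not go stale again; mention that the `-v` output should show `(secure)`. Dropping the secspider link is fine since that service is gone, but with the NLnet Labs tutorial also removed the page is left with `https://dnssec-analyzer.verisignlabs.com/codewiz.org` as its only external reference; consider keeping one current introductory reference for readers new to DNSSEC.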