Changes

1,381 bytes added, 05:11, 9 October 2010
no edit summary
Line 117: Line 117:  
  /etc/init.d/bind9 reload
 
  /etc/init.d/bind9 reload
 
  sleep 3
 
  sleep 3
 +
 +
 +
== DNSSEC details ==
 +
 +
=== How to create keys for a new domain ===
 +
dnssec-keygen -r/dev/random -a RSASHA1 -b 1024 -n ZONE codewiz.org
 +
dnssec-keygen -r/dev/random -f KSK -a RSASHA1 -b 1280 -n ZONE codewiz.org
 +
 +
=== How to manually sign a zone ===
 +
 +
 +
=== How to validate zone data ===
 +
 +
* Validate zone data with dig:
 +
dig +dnssec +multiline -t ns codewiz.org. @localhost | grep ad
 +
 +
* Validate zone data against domain DNSKEY:
 +
unbound-host -y 'codewiz.org. IN DNSKEY 256 3 5 AwEAAa3dS5/3fkGXuqXft2dN/UPUivGqiYzZF+jWcow8LTAnlsoYaJFB VMAlJWbC6FFI7AMjoJYpmoeDMgHd4BtVqZO2ikx5zc48CtOUHUdXs7nw fMSQoVOnplpTKH2AgyRfDqYhtosP0euyJQNZI+NiYneZb1o1Ys7PE87Y 7FamjXwV' -v codewiz.org
 +
 +
* Validate zone data against domain DS key:
 +
unbound-host  -y 'codewiz.org. IN DS 58126 5 2 96BF1964F3EA9885F5DE83DA14419F55F579A42BC18759C1B79BDE64 7587CFA8' -v  codewiz.org
 +
 +
* Validate zone data against root DNSKEY:
 +
unbound-host  -y '. DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=' -v  codewiz.org
 +
 +
* Validate zone data online:
 +
http://secspider.cs.ucla.edu/codewiz-org--zone.html
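Review bot: the "How to manually sign a zone" subsection added in this hunk is empty, so the page jumps from key generation straight to validation with no signing step; the dnssec-signzone invocation (and the step that includes the generated DNSKEY records in the zone file) belongs there, since without it the dig and unbound-host checks that follow have nothing signed to validate. In the key generation lines, `-a RSASHA1` with 1024- and 1280-bit keys reflects 2010 practice; algorithm 5 is now NOT RECOMMENDED for signing under RFC 8624, so a note pointing at RSASHA256 (8) or ECDSAP256SHA256 (13) would keep the section current, and `-r/dev/random` can block on a host with little entropy. In the validation section, `dig +dnssec +multiline -t ns codewiz.org. @localhost | grep ad` is a weak check: it matches any line containing the substring "ad", which base64 RRSIG and DNSKEY data does routinely, so the intended test, the AD bit on the `;; flags:` line, should use `grep -w ad` or inspect the flags line directly; note also that AD is only set by a validating resolver, not by an authoritative server answering for its own zone, so the query has to go to a resolver that validates. The unbound-host examples pin a ZSK (`256 3 5`) and a copy of the root KSK (`257 3 8`) inline: the ZSK is the key that rolls most often, and the root key quoted is a 2010 snapshot that has since been replaced (the root KSK was rolled in 2018), so both should be flagged as point-in-time values, with the DS and KSK preferred over the ZSK as the anchor.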