DNSSEC
As long as I'm involved in technical work in the near future, I'll write a few technical notes. Basically, they are based on notes I made for myself. Not sure they will be useful for you, my lonely visitor, but who knows...
This first note is about setting up DNSSEC. Don't expect a manual here; I'll just point you to a couple of resources and list the essential things.
I'm using bind9 as the DNS server for all my domains and as a resolver in my home network, routing all DNS traffic via a VPN abroad to avoid it being spoofed in my home country. So, all instructions below are for bind.
Here is the basic manual: DNSSEC Howto for BIND 9.9+
Another good manual: An introduction to DNSSEC
I deployed my zones as described in the basic manual with algorithm 8, RSASHA256. The only exception is the location for keys: I used /etc/bind/keys instead of /var/cache/bind/keys, because keys are more or less static essentials, closely related to the configuration, unlike some things you might discover in /etc, such as adjtime, font cache, etc.
How to check a top-level domain's algorithm and key size (for the .org zone in this example):
dig +multi org DNSKEY
Key types (the flags field of the DNSKEY record):
- 256 - ZSK, Zone Signing Key (ZONE bit only)
- 257 - KSK, Key Signing Key (ZONE bit plus SEP bit)
How to generate a KSK:
dnssec-keygen -a RSASHA256 -b <ksk-size> -f KSK my.domain
How to generate a ZSK:
dnssec-keygen -a RSASHA256 -b <zsk-size> my.domain
Validate: use the delv utility instead of dig.
How to get DS records (some registrars generate them automatically from the DNSKEY, but some do not); run it against the KSK's public key file, since the DS in the parent zone points at the KSK:
dnssec-dsfromkey <public-key-filename>
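As an added example (not from the original post and not BIND's own code), here is a small Python script that does offline what the dig DNSKEY check above and the dnssec-dsfromkey step do: it parses DNSKEY records in dig +multi layout, tells KSK from ZSK by the flags field, derives the RSA key size from the key material itself instead of trusting the comment dig prints, computes the RFC 4034 key tag, and builds the DS record for the KSK. The DNSKEY records are constructed, not real: the owner example.org is a placeholder and the RSA public keys are tiny made-up values (exponent 3, 32-bit modulus) so the key tags can be checked by hand.

```python
import base64
import hashlib
import struct

# Constructed sample in `dig +multi <zone> DNSKEY` layout. NOT real keys: the
# RSA public keys are made-up (exponent 3, 32-bit modulus) so the key tags in
# the comments can be verified by hand. example.org is a placeholder owner.
SAMPLE_DIG_OUTPUT = """\
example.org.  3600 IN DNSKEY 257 3 8 (
                AQPAAQID
                ) ; KSK; alg = RSASHA256 ; key id = 50960
example.org.  3600 IN DNSKEY 256 3 8 (
                AQOAAAAB
                ) ; ZSK; alg = RSASHA256 ; key id = 34060
"""


def parse_dnskey_records(text):
    """Parse DNSKEY RRs from dig +multi style text: a record may span several
    lines inside parentheses and carry ';' comments."""
    records, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]          # drop comments
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth > 0:                        # still inside a multi-line record
            continue
        tokens, buf, depth = " ".join(buf).split(), [], 0
        if "DNSKEY" not in tokens:
            continue
        i = tokens.index("DNSKEY")
        flags, protocol, algorithm = (int(t) for t in tokens[i + 1:i + 4])
        records.append({
            "owner": tokens[0],
            "flags": flags,
            "protocol": protocol,
            "algorithm": algorithm,
            "key": base64.b64decode("".join(tokens[i + 4:])),
        })
    return records


def key_role(flags):
    """256 = ZONE bit only -> ZSK; 257 = ZONE + SEP (Secure Entry Point) -> KSK."""
    return "KSK" if flags & 0x0001 else "ZSK"


def rsa_modulus_bits(key):
    """Key size of an RSA DNSKEY (algorithms 5/7/8/10). RFC 3110 wire format:
    exponent length (one byte, or 0 followed by two bytes), exponent, modulus."""
    if key[0] != 0:
        exp_len, off = key[0], 1
    else:
        exp_len, off = struct.unpack("!H", key[1:3])[0], 3
    modulus = key[off + exp_len:]
    return int.from_bytes(modulus, "big").bit_length()


def dnskey_rdata(rec):
    """DNSKEY RDATA in wire form: flags, protocol, algorithm, public key."""
    return struct.pack("!HBB", rec["flags"], rec["protocol"], rec["algorithm"]) + rec["key"]


def key_tag(rec):
    """RFC 4034 Appendix B key tag: 16-bit sum over the RDATA with end-around carry."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(rec)):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def name_to_wire(owner):
    """Canonical (lowercase) wire-format owner name, as hashed into a DS digest."""
    labels = [l for l in owner.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_record(rec, digest_type=2):
    """Build the DS RR the parent zone needs (what dnssec-dsfromkey prints).
    digest = hash(owner name wire form || DNSKEY RDATA), RFC 4034 section 5.1.4.
    digest_type 1 = SHA-1, 2 = SHA-256."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(name_to_wire(rec["owner"]) + dnskey_rdata(rec)).hexdigest().upper()
    return "%s IN DS %d %d %d %s" % (rec["owner"], key_tag(rec), rec["algorithm"],
                                     digest_type, digest)


def summarize(records):
    """(role, algorithm, RSA key size in bits, key tag) per DNSKEY: the fields
    you want when checking how a zone such as org is signed."""
    return [(key_role(r["flags"]), r["algorithm"], rsa_modulus_bits(r["key"]), key_tag(r))
            for r in records]


if __name__ == "__main__":
    recs = parse_dnskey_records(SAMPLE_DIG_OUTPUT)
    for role, alg, bits, tag in summarize(recs):
        print("%s alg=%d bits=%d tag=%d" % (role, alg, bits, tag))
    for r in recs:
        if key_role(r["flags"]) == "KSK":   # the DS is published for the KSK only
            print(ds_record(r))
```

To use it on a real zone, paste the output of dig +multi org DNSKEY into SAMPLE_DIG_OUTPUT (or read it from stdin); the key tag the script computes must match the "key id" dig prints, and the DS line for your own KSK must match what dnssec-dsfromkey gives before you hand it to the registrar.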
DNSSEC verifiers: