On 2016-01-06 20:42, Nicholas Williams wrote:
I'll look into that other script. Thanks, Bert.
How about creating a separate sub-zone with a broken presigned DNSSEC
You can set presigned for just that single zone using the
PRESIGNED domain metadata[1] in your database.
I really like this idea in combination. That documentation that
Pieter
sent me should help me get set up with presigning. But, Leen, how
would I set up a subzone delegated to the same authoritative server
(or can I, even?)? Can you point me to that documentation?
It's just a domain & delegation like any other (this is the same thing
the TLD does for you):
Just have both an autosigned-domain.tld and
presigned-subzone.autosigned-domain.tld in the domains table like any
normal domain.
Both domains should have NS and SOA records in the records table like
any normal domain.
Then create the delegation in the autosigned-domain.tld domain by
adding the NS-records pointing to the
presigned-subzone.autosigned-domain.tld
domain_id: autosigned-domain.tld ; name: presigned-subzone.autosigned-domain.tld ; type: NS ; content: ns1.autosigned-domain.tld
domain_id: autosigned-domain.tld ; name: presigned-subzone.autosigned-domain.tld ; type: NS ; content: ns2.autosigned-domain.tld
Now because it's DNSSEC you need to make it secure.
Assuming you want to sign the sub-zone for testing:
pdnssec secure-zone presigned-subzone.autosigned-domain.tld
Then you can grab the DS-record, which then needs to be added to the
parent zone:
pdnssec show-zone presigned-subzone.autosigned-domain.tld
to see what the DS-record is.
Add the DNSSEC DS-record for presigned-subzone.autosigned-domain.tld in
the autosigned-domain.tld domain.
domain_id: autosigned-domain.tld ; name: presigned-subzone.autosigned-domain.tld ; type: DS ; content: '5725 8 2 512fa6fe4d1f9ba974832e3456c4769db6c16ca1...'
Hope that makes it clear.
You should now be able to look up a DNSSEC-signed record for
presigned-subzone.autosigned-domain.tld, for example the SOA-record.
Have a good day,
Leen.
Google really hasn't indexed this documentation very well at all...
Thanks,
Nick
_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
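The delegation layout Leen describes above (parent and child both in the domains table, NS records at the delegation point in the parent, a DS in the parent, PRESIGNED metadata on the child), as an added example that is not from the thread or from PowerDNS itself. It builds that layout in an in-memory SQLite database using the column names of the PowerDNS generic SQL backends and then runs a consistency check over it: the check is what you would want before pointing a validating resolver at the result, because a missing DS or a delegation NS set that does not match the child's apex NS set is the usual reason such a test setup fails to validate. The schema is a reduced subset (assumption: only the columns used here), the SOA contents and the DS digest are constructed placeholders, and the auth=0 convention for delegation NS records is what pdnssec rectify-zone would set for you.

```python
"""Mock-up of a parent -> presigned child delegation inside one PowerDNS
server, plus a consistency check. Added example; not from the thread."""
import sqlite3

PARENT = "autosigned-domain.tld"
CHILD = "presigned-subzone.autosigned-domain.tld"
NAMESERVERS = ("ns1.autosigned-domain.tld", "ns2.autosigned-domain.tld")
# Constructed placeholder DS: key tag 5725, algorithm 8, digest type 2 (SHA-256).
# A real one comes from `pdnssec show-zone <child>` after `pdnssec secure-zone`.
DS_CONTENT = "5725 8 2 " + "00" * 32

# Subset of the generic SQL backend schema (assumption: only columns used here).
SCHEMA = """
CREATE TABLE domains (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE,
                      type TEXT NOT NULL);
CREATE TABLE records (id INTEGER PRIMARY KEY, domain_id INTEGER NOT NULL,
                      name TEXT, type TEXT, content TEXT, ttl INTEGER,
                      auth INTEGER NOT NULL DEFAULT 1);
CREATE TABLE domainmetadata (id INTEGER PRIMARY KEY, domain_id INTEGER NOT NULL,
                             kind TEXT, content TEXT);
"""


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def add_zone(conn, name):
    """Create a NATIVE zone with apex SOA and NS records, like any normal domain."""
    cur = conn.execute("INSERT INTO domains (name, type) VALUES (?, 'NATIVE')", (name,))
    did = cur.lastrowid
    soa = f"{NAMESERVERS[0]} hostmaster.{PARENT} 2016010601 10800 3600 604800 3600"
    conn.execute("INSERT INTO records (domain_id, name, type, content, ttl) "
                 "VALUES (?, ?, 'SOA', ?, 3600)", (did, name, soa))
    for ns in NAMESERVERS:
        conn.execute("INSERT INTO records (domain_id, name, type, content, ttl) "
                     "VALUES (?, ?, 'NS', ?, 3600)", (did, name, ns))
    return did


def delegate(conn, parent_id, child, ds_content):
    """Cut the child out of the parent: delegation NS records (auth=0, as
    pdnssec rectify-zone sets them) plus the DS record, which is authoritative."""
    for ns in NAMESERVERS:
        conn.execute("INSERT INTO records (domain_id, name, type, content, ttl, auth) "
                     "VALUES (?, ?, 'NS', ?, 3600, 0)", (parent_id, child, ns))
    conn.execute("INSERT INTO records (domain_id, name, type, content, ttl) "
                 "VALUES (?, ?, 'DS', ?, 3600)", (parent_id, child, ds_content))


def set_presigned(conn, domain_id):
    conn.execute("INSERT INTO domainmetadata (domain_id, kind, content) "
                 "VALUES (?, 'PRESIGNED', '1')", (domain_id,))


def build(conn):
    """Populate the database exactly as the thread describes."""
    parent_id = add_zone(conn, PARENT)
    child_id = add_zone(conn, CHILD)
    delegate(conn, parent_id, CHILD, DS_CONTENT)
    set_presigned(conn, child_id)
    conn.commit()
    return parent_id, child_id


def check_delegation(conn, parent, child):
    """Return a list of problems with the secure delegation (empty list = OK)."""
    problems = []
    ids = dict(conn.execute("SELECT name, id FROM domains WHERE name IN (?, ?)",
                            (parent, child)))
    for zone in (parent, child):
        if zone not in ids:
            return [f"missing domain row for {zone}"]
    pid, cid = ids[parent], ids[child]

    def rrset(domain_id, name, rtype):
        rows = conn.execute("SELECT content FROM records WHERE domain_id=? "
                            "AND name=? AND type=?", (domain_id, name, rtype))
        return {r[0] for r in rows}

    if not rrset(cid, child, "SOA"):
        problems.append("child zone has no SOA")
    child_ns = rrset(cid, child, "NS")
    if not child_ns:
        problems.append("child zone has no apex NS")
    parent_ns = rrset(pid, child, "NS")
    if not parent_ns:
        problems.append("parent has no NS records at the delegation point")
    elif parent_ns != child_ns:
        problems.append(f"delegation NS set {sorted(parent_ns)} differs from "
                        f"child apex NS set {sorted(child_ns)}")
    if not rrset(pid, child, "DS"):
        problems.append("parent has no DS record for the child (delegation is insecure)")
    auth = conn.execute("SELECT DISTINCT auth FROM records WHERE domain_id=? "
                        "AND name=? AND type='NS'", (pid, child)).fetchall()
    if auth and auth != [(0,)]:
        problems.append("delegation NS records should have auth=0 (run pdnssec rectify-zone)")
    meta = conn.execute("SELECT content FROM domainmetadata WHERE domain_id=? "
                        "AND kind='PRESIGNED'", (cid,)).fetchone()
    if not meta or meta[0] != "1":
        problems.append("child is not marked PRESIGNED in domainmetadata")
    return problems


if __name__ == "__main__":
    db = new_db()
    build(db)
    print(check_delegation(db, PARENT, CHILD) or "delegation looks consistent")
```

Run it against a real gsqlite3/gmysql database by replacing new_db() with a connection to that database and skipping build(); the check function only reads the three tables, so it is safe to run against a live server.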