Re: DNSSEC and NSEC missing ZSK?
On 09/02/2021 10:47 pm, @ wrote:
> Well, I have finally gotten the test zone to the point where dnssec-verify is
> happy and everything that I can check also seems happy except dnsviz which is
> very very VERY angry and basically says the zone is entirely garbage. I am
> hoping this is a propagation issue, but I kind of doubt it since it should be
> querying the authoritative DNS for the DNSKEY and RRSIG and such, I'd think.

The easiest way to get help is to post your named.conf and zone file. Obfuscating the configuration works against you, especially when you have a limited understanding of DNSSEC.

DNSVIZ displays your current state very well. If it's showing you errors, then it requires you to act.

The query IPs DNSVIZ typically uses are:

  64.191.0.132
  64.191.0.138
  2620:ff:c000::132
  2620:ff:c000::138

So you can easily reconcile the DNSVIZ query, in real time, that produced your data set.

The DS record propagation, at the registry level, should never take days (no more than 15-30 minutes is my experience). You need to make sure you have configured (or instructed the registry, per manual intervention) the correct Algorithm (13) and the digest type (SHA256) when you provide your Hash.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Updating a DNSSEC config to use a different algorithm
On 02/02/2021 12:10 am, @lbutlr wrote:
> I've been using alg-7 for DNS, but that is no longer recommended. How
> difficult is it to change the signing algorithm and what is the process (Bind
> 9.16.11)?

I migrated recently from Alg8 to Alg13, no drama.. My registry does not have a user portal for passing the new DS records, so the only risk was making sure the operation took place when the registry had their DNS support troops on deck.

My simple notes, including updating TLSA (DANE) AND DKIM keys at the end of the process. Hope it helps..

I have all of my zone files (db.*domain*) in /etc/bind. Reflect the path you use when including the keys in your zone.

1. Generate new ZSK & KSK, Alg 13
==

  dnssec-keygen -f KSK -3 -a ECDSAP256SHA256 -r /dev/random yourdomain.com
  dnssec-keygen -3 -a ECDSAP256SHA256 -r /dev/random yourdomain.com

Check for your 4 new key files:

  ls -lt K*
  -rw-r--r-- 1 bind 345 Jan 15 10:10 Kyourdomain.com.+013+34567.key
  -rw------- 1 bind 186 Jan 15 10:10 Kyourdomain.com.+013+34567.private
  -rw-r--r-- 1 bind 344 Jan 15 10:10 Kyourdomain.com.+013+42793.key
  -rw------- 1 bind 186 Jan 15 10:10 Kyourdomain.com.+013+42793.private

2. Include the new public keys in the Zone file & Increment zone serial
==

  ; yourdomain.com
  $TTL 1200
  yourdomain.com. IN SOA host01.yourdomain.com. postmaster.yourdomain.com. (
                  2021020101 ; Serial.
                  12000      ; refresh
                  120        ; retry
                  14D        ; expire
                  24H        ; TTL )
                  IN TXT "v=spf1 a mx ip4:77.123.45.67 ip6:2424:ae00:123:6::/64"
  ; Name Servers
                  IN NS host01.yourdomain.com. ; ns
                  IN NS host02.yourdomain.com. ; ns
                  IN NS host03.yourdomain.com. ; ns
  ; Mail Exchanger
                  IN MX 10 bigmx.yourdomain.com. ; mail
  yourdomain.com. IN AAAA 2424:ae00:123:6::7
  yourdomain.com. IN A 77.123.45.67
  _25._tcp.host01.yourdomain.com.  IN TLSA 3 1 1 53xx..33f1b8cf81e37c2e212b
  _443._tcp.host01.yourdomain.com. IN TLSA 3 1 1 53xx..33f1b8cf81e37c2e212b
  mail._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; s=email; "
                           "p=MII...xxdu"
                           "axAB" )
  $INCLUDE Kyourdomain.com.+013+34567.key
  $INCLUDE Kyourdomain.com.+013+42793.key
  ; EOF

save it right :)

3. Sign your Zone
==

  dnssec-signzone -S -K /etc/bind/ -g -a -r /dev/random -o yourdomain.com db.yourdomain-com

  @host01:/etc/bind# dnssec-signzone -S -K /etc/bind/ -g -a -r /dev/random -o yourdomain.com db.yourdomain-com
  Verifying the zone using the following algorithms: ECDSAP256SHA256.
  Zone fully signed:
  Algorithm: ECDSAP256SHA256: KSKs: 1 active, 0 stand-by, 0 revoked
                              ZSKs: 1 active, 0 stand-by, 0 revoked
  db.yourdomain-com.signed
  @host01:/etc/bind#

4. Collect your DS record HASH for the domain registry
===

This depends on whether you use a domain registry that you pass the DS record data to, OR a customer portal where you enter this hash data yourself. Essentially, remove existing entries (IF you have a previous Alg8 etc in place) and install the new DS HASH Alg13. You will need to provide the Alg type (13) & Digest (SHA256) either way. "Algorithm 13, ECDSAP256SHA256" usually does the trick.

  @host01:/etc/bind# ls -lt dsset*
  -rw-r--r-- 1 bind 172 Jan 15 dsset-yourdomain.com.
  @host01:/etc/bind# more dsset-yourdomain.com.
  yourdomain.com. IN DS 42793 13 1 42YC45643B1EF30E42A9D73BDD4EBD8B0
  yourdomain.com. IN DS 42793 13 2 7A5A1408995DBBA92E8B575B30DC9BDD10992F90C48C21B9A3 9A348929

Now get this record data to the registry via your registry method. Kettle on.

5. Wait for Registry to complete entry & TXFR
==

Check DNSVIZ for the new key ID and Alg displayed.. we all love DNSVIZ !

OR simply pass a query via DIG directly and review the output:

  @host01:/etc/bind# dig yourdomain.com dnskey +noall +answer +multiline

  ; <<>> DiG 9.9.5-9+debxxx <<>> yourdomain.com dnskey +noall +answer +multiline
  ;; global options: +cmd
  yourdomain.com.         1200 IN DNSKEY 257 3 13 (
                                  ur4UnMMi4bDNfUEbJfRMlVQ/mxLSMF4quoPrCUopUp94
                                  R9HEG6Sl9gIU9Nl73uRktnUxJspUjqrmOaWsUBcNXA==
                                  ) ; KSK; alg =
Re: DNSSEC validation via DLV
On 19/07/2019 9:27 am, p...@vspace.co.za wrote:
> Problem being, no options exist as to export the DS record of co.za, com.au
> or net.au domains to the respective registrars, being namecheap.com and
> axxess.co.za.

Change registry, right?

Crazy domains supports them for the ".com.au" zone.
Re: DNSSEC validation via DLV
Not a difficult process really..

- Configure a DNSSEC enabled name server
- Create some zone keys (dnssec-keygen)
- Sign your zone (dnssec-signzone)
- Update your nameserver configuration to point to the signed zone file
- Export your DS records (dsset) to the domain registration company (EPP).

Confirm the chain.. http://dnsviz.net/d/apnic.com.au/dnssec/

Mal

On 18/07/2019 4:46 pm, Mark Elkins wrote:
> I can't comment on com.au (but looking up the Nameservers, I see the AD
> bit set - so DNSSEC appears to be in use..
>
> However, co.za (and net.za, org.za & web.za) which are managed by the
> ZACR (and DNS) - they are all signed and I personally have domains under
> these second levels - all running DNSSEC. The DS records are added to
> the parents using EPP - and it works perfectly. I used to present free
> (to the community) DNS classes to the community (the ZACR paid me) and
> this (DNSSEC) was taught to attendees. Unfortunately, no more classes
> for now.
>
> DNSSEC in CO.ZA became live at about the time DLV stopped running. The
> other SLD's had already been running for about a year.
>
> For the record, EDU.ZA is also signed and can accept DS records - albeit
> via a Web interface.
>
> @peek - you are most welcome to chat to me.
>
>
> On 2019/07/18 04:34, p...@vspace.co.za wrote:
>
>> With DLV (DNSSEC Lookaside Validation) having been decommissioned,
>> though zones still exist that do not provide a fully signed path
>> from root to zone, i.e. .com.au , co.za etc, how would an
>> administrator enable / implement DNSSEC validation for these zones ?