Wednesday, November 10, 2010

DNSSEC Notes

Quick and dirty DNSSEC recipe for BIND 9 (the named.conf and dnssec-* tools below are BIND's):

1) named.conf global options

options {
    dnssec-enable yes;
    dnssec-validation yes;
};

1.5) Root zone trust anchor

Get the root DNSKEY RRset:
dig +multi +noall +answer DNSKEY . >root.dnskey

Convert it to a DS RRset:
dnssec-dsfromkey -f root.dnskey . >root.ds

The DNSKEY fetched with dig is not authenticated by anything, so before trusting it compare root.ds with the root trust anchor that IANA publishes; a mismatch means you are about to configure the wrong key. Only the root KSK (the record with flags 257) goes into named.conf, and it goes in as DNSKEY rdata (flags, protocol, algorithm, base64 key), not as the DS:

managed-keys {
    "." initial-key 257 3 8 "
    blah blah blah ";
};

2) Generating key signing key (KSK) and zone signing key (ZSK)

ZSK: dnssec-keygen -r /dev/random -a RSASHA1 -b 1024 -n ZONE myzone.name
KSK: dnssec-keygen -r /dev/random -f KSK -a RSASHA1 -b 1280 -n ZONE myzone.name

Each command prints the base name of the key pair it wrote (Kmyzone.name.+005+<keytag>); 005 is the algorithm number for RSASHA1. The .key file holds the public DNSKEY record, the .private file is the signing key and must stay unreadable to anyone but the signer. -r /dev/random can block for a long time on a machine short of entropy. RSASHA1 with 1024-bit keys was the usual choice when this was written; it is no longer recommended for signing (RFC 8624), and a new deployment should use RSASHA256 (algorithm 8, which the root uses) or ECDSAP256SHA256 (13) instead.

3) Inside your zone file, include the public keys

$INCLUDE Kmyzone.name.+005+1234.key ; ZSK
$INCLUDE Kmyzone.name.+005+4567.key ; KSK

4) Sign the DNS zone

dnssec-signzone -r /dev/random -o myzone.name -k Kmyzone.name.+005+4567 myzone.name Kmyzone.name.+005+1234.key

-k names the KSK (4567 in this recipe), and the key arguments after the zone file name are the ZSKs; swapping them still produces a signed file, but the DS you later hand to the parent zone will then point at the wrong key. The output is myzone.name.signed. By default the RRSIGs expire 30 days after signing, so this step has to be repeated (or automated) before then or the zone goes bogus.

5) Verify the signed zone records:

cat myzone.name.signed

Look for the DNSKEY records at the apex, an RRSIG after every RRset, and NSEC (or NSEC3) records chaining the names. named-checkzone myzone.name myzone.name.signed confirms the file still loads. The zone statement in named.conf must point at myzone.name.signed rather than the unsigned file, followed by rndc reload.

6) Check a query...

dig +dnssec www.myzone.name A

The answer section should now carry an RRSIG next to the A record. For the chain of trust to validate, the parent zone also needs a DS record for your KSK: generate it with dnssec-dsfromkey Kmyzone.name.+005+4567 and submit it to whoever runs the parent (the registrar for a public domain). Once that is in place, the same query sent to a validating resolver (dig +dnssec @resolver www.myzone.name A) returns the ad flag in the flags line; an answer with RRSIGs but no ad flag is signed but has not been validated.

Note: data a local name server is authoritative for, loaded from disk, does not go through chain-of-trust validation, and answers for it come back without the ad flag. The assumption is that if a server can read the zone off disk, the data is trustworthy anyway, so to watch validation happen you have to query from a resolver that is not authoritative for the zone.
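The easiest mistake in step 4 is handing -k the ZSK instead of the KSK, which is what the original command in this post did. As an added example (not from the original post), the POSIX shell script below reads the flags field of each K*.key file (257 = KSK, 256 = ZSK) and builds the dnssec-signzone command line from that, refusing to proceed if either role is missing. The two key files it writes are constructed samples in dnssec-keygen's layout with placeholder base64, not real keys, and the script prints the command instead of running it. Keys are passed to dnssec-signzone as base names, the same form the -k option takes.

```shell
#!/bin/sh
# Added example: classify BIND key files by DNSKEY flags and build the
# dnssec-signzone command with the KSK under -k and the ZSKs as positional
# arguments, so the two cannot be swapped by hand.

# Print KSK, ZSK or UNKNOWN for one K<zone>.+<alg>+<tag>.key file.
# A DNSKEY RR reads: <owner> [TTL] IN DNSKEY <flags> <proto> <alg> <key>
# flags 257 = zone key + SEP bit (KSK), 256 = zone key only (ZSK).
key_role() {
    flags=$(grep -v '^;' "$1" |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "DNSKEY") { print $(i + 1); exit } }')
    case "$flags" in
        257) echo KSK ;;
        256) echo ZSK ;;
        *)   echo UNKNOWN ;;
    esac
}

# build_signzone_cmd <zone> <key files...>
# Emits the dnssec-signzone command line (does not run it). More than one
# KSK is allowed, since that is the normal state during a KSK rollover.
build_signzone_cmd() {
    zone=$1; shift
    ksks=""; zsks=""
    for f in "$@"; do
        case $(key_role "$f") in
            KSK) ksks="$ksks -k ${f%.key}" ;;
            ZSK) zsks="$zsks ${f%.key}" ;;
            *)   echo "not a DNSKEY file: $f" >&2; return 1 ;;
        esac
    done
    [ -n "$ksks" ] || { echo "no KSK (flags 257) among the key files" >&2; return 1; }
    [ -n "$zsks" ] || { echo "no ZSK (flags 256) among the key files" >&2; return 1; }
    echo "dnssec-signzone -r /dev/random -o $zone$ksks $zone$zsks"
}

# Write two constructed key files, in dnssec-keygen's layout, into directory $1.
# The base64 blobs are placeholders, not real key material.
make_sample_keys() {
    cat > "$1/Kmyzone.name.+005+1234.key" <<'EOF'
; This is a zone-signing key, keyid 1234, for myzone.name.
myzone.name. IN DNSKEY 256 3 5 AwEAAcNotARealKeyZSKzskzskzskzskzskzskzskzskzsk=
EOF
    cat > "$1/Kmyzone.name.+005+4567.key" <<'EOF'
; This is a key-signing key, keyid 4567, for myzone.name.
myzone.name. IN DNSKEY 257 3 5 AwEAAcNotARealKeyKSKkskkskkskkskkskkskkskkskksk=
EOF
}

# Demo: write the samples to a scratch directory and print the command.
demo() {
    d=$(mktemp -d)
    make_sample_keys "$d"
    (cd "$d" && build_signzone_cmd myzone.name K*.key)
    rm -rf "$d"
}

case "${1:-}" in
    --demo) demo ;;
esac
```

Run it with --demo to see the generated command; in real use, point build_signzone_cmd at the K*.key files in your zone directory and execute what it prints, or wrap it in the cron job that re-signs before the 30-day RRSIG expiry.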

The sport is somewhat much like blackjack, in that you just and the home are dealt playing cards, with the aim being to get as near a quantity as attainable. However, might also|you can even} make some side bets, similar to guessing {how many|what quantity of} playing cards shall be dealt earlier than the matching one appears. To prime it 1xbet off, this sport also has a 4000x prize multiplier might be} triggered at random. If this isn't sufficient for you, Playerz has greater than 2400 additional on line casino games {for you to|so that you just can} select from. There's extra to live casinos than beauty and fancy technology! Our tables are as social as the actual factor with chat rooms and sense of neighborhood that take Live Casino to a different level.