Wednesday, November 10, 2010


Quick and dirty DNSSEC recipe:

1) named.conf global options

options {
dnssec-enable yes;
dnssec-validation yes;

1.5) "root" zone trusted key

get root key:
dig +multi +noall +answer DNSKEY . >root.dnskey

convert to DS RR set:
dnssec-dsfromkey -f root.dnskey . >root.ds

include in named.conf:

managed-keys {
"." initial-key 257 3 8 "
blah blah blah ";

2) Generating key signing key (KSK) and zone signing key (ZSK)

ZSK: dnssec-keygen -r /dev/random -a RSASHA1 -b 1024 -n ZONE
KSK: dnssec-keygen -r /dev/random -f KSK -a RSASHA1 -b 1280 -n ZONE

3) Inside your zone file, include the public keys

$include ;ZSK
$include ;KSK

4) Sign the DNS zone

dnssec-signzone -r /dev/random -o -k

5) Verify the signed zone records:


6) Check a query...

dig +dnssec A

Note: data for which a local name server is authoritative for, and comes from disk will not result in the trust chain traversal. ie: It is assumed that if a server can read the zone off disk, then it is secure anyway.

1 comment:

Anonymous said...

The sport is somewhat much like blackjack, in that you just and the home are dealt playing cards, with the aim being to get as near a quantity as attainable. However, might also|you can even} make some side bets, similar to guessing {how many|what quantity of} playing cards shall be dealt earlier than the matching one appears. To prime it 1xbet off, this sport also has a 4000x prize multiplier might be} triggered at random. If this isn't sufficient for you, Playerz has greater than 2400 additional on line casino games {for you to|so that you just can} select from. There's extra to live casinos than beauty and fancy technology! Our tables are as social as the actual factor with chat rooms and sense of neighborhood that take Live Casino to a different level.