
dnssec stuff.

types of dnssec records

RRSIG = signature of a record

DNSKEY = public keys of the ZSK and KSK (Zone Signing Key and Key Signing Key)

DS = fingerprint (hash) of our KSK, placed in the parent zone above you (.gov for the example nsa.gov)

NSEC = points to the next name in the zone (proof that nothing exists in between); used to be a problem because anyone could follow the chain and walk through all your DNS records

NSEC3 = fixed the above (an extension to DNSSEC that allows proof of nonexistence for a name without permitting zone walking, by chaining hashed names instead of plain ones)

get dnssec records

# returns 2 keys (actually 3 keys; nsa.gov seems to rotate its keys frequently)
dig +short DNSKEY nsa.gov

nsa.gov. 7200 IN DNSKEY 256 3 7 AwEAAalupW1SwiciSiY/Jn4ZZc9sX/inp9oMVPbRLf8V901oeEYgeh+u 8/g2OLYqAmc97D6AFOWqG3/GQcA0Fx54KnS33KiNWzxe0x0iJia/7nD6 XZcwFZcLJaTW7rmwwwVEejeuUmBv+D9qPKUgdX9zHVGn6Vuw+jEW4ywU kAgr0HOB

nsa.gov. 7200 IN DNSKEY 257 3 7 AwEAAdtNAoaoayPWNdhey0HQElxV4LiYi8RtAoEwepF1f4bZoIjaYtnm OX/eep/Pm4w6fRp6LPxwO+KRuEaLnqVPPbFwEkuICHp128YF348gSnkn XSYX3vo26GRAmIAybuxYxaDc6GdPFXSit7wgv0u38ewJiFkaeyi3smZp Gh5fCr/61/6I5P3uwELGXcfItPwrzTj+0JZxJEo0+hreDWU3iZ+jMa8f PpLTyo2yjgsntYfL+NGangLdc6/eoYbBCNxVtL2l9xDXEn/crklQkNfs wyqRFOiR/IKtA8pPx8wDRoAWjf5/kZJyVcGTxgOEVvVTHkAlb7W0BKtH 0wzEDiAZGkU=

create a Key Signing Key (KSK)

sudo dnssec-keygen -f KSK -a RSASHA256 -b 2048 -n ZONE 200013.net

create a Zone Signing Key (ZSK)

sudo dnssec-keygen -a RSASHA256 -b 2048 -n ZONE 200013.net

sign a zone file

write it out to a file named zone.signed (the -f option sets the output name); note that you cannot change the serial of the zone without re-signing, because the SOA record is covered by a signature

dnssec-signzone -N increment -3 $(head -c 512 /dev/random | sha1sum | cut -b 1-16) -S -o 200013.net -H 20 -f 200013.signed -K ./ 200013.zone

Generate a Delegation Signer (DS) record

this is the record to upload to your registrar, which publishes it in the parent zone

dnssec-dsfromkey -1 -K ./ -f zone.signed 200013.net
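Added example (not from the page, and not part of BIND): what dnssec-dsfromkey computes, done by hand in Python against the nsa.gov DNSKEY records from the dig output above. It parses each record, picks the KSK by its flags (257), computes the RFC 4034 key tag, and hashes the owner name plus the DNSKEY RDATA into a DS record. Standard library only; the default digest type is SHA-256 rather than the SHA-1 that -1 selects above.

```python
import base64
import hashlib
# DNSKEY RRs for nsa.gov copied from the dig output above: "flags proto alg base64-key".
NSA_GOV_DNSKEYS = [
    "256 3 7 AwEAAalupW1SwiciSiY/Jn4ZZc9sX/inp9oMVPbRLf8V901oeEYgeh+u"
    "8/g2OLYqAmc97D6AFOWqG3/GQcA0Fx54KnS33KiNWzxe0x0iJia/7nD6"
    "XZcwFZcLJaTW7rmwwwVEejeuUmBv+D9qPKUgdX9zHVGn6Vuw+jEW4ywUkAgr0HOB",
    "257 3 7 AwEAAdtNAoaoayPWNdhey0HQElxV4LiYi8RtAoEwepF1f4bZoIjaYtnm"
    "OX/eep/Pm4w6fRp6LPxwO+KRuEaLnqVPPbFwEkuICHp128YF348gSnkn"
    "XSYX3vo26GRAmIAybuxYxaDc6GdPFXSit7wgv0u38ewJiFkaeyi3smZp"
    "Gh5fCr/61/6I5P3uwELGXcfItPwrzTj+0JZxJEo0+hreDWU3iZ+jMa8f"
    "PpLTyo2yjgsntYfL+NGangLdc6/eoYbBCNxVtL2l9xDXEn/crklQkNfs"
    "wyqRFOiR/IKtA8pPx8wDRoAWjf5/kZJyVcGTxgOEVvVTHkAlb7W0BKtH"
    "0wzEDiAZGkU=",
]
ZONE_KEY, SEP = 0x0100, 0x0001  # DNSKEY flag bits: 256 = ZSK, 256|1 = 257 = KSK

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of an owner name: nsa.gov. -> \\x03nsa\\x03gov\\x00."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def dnskey_rdata(record: str) -> bytes:
    """Wire RDATA of a presentation-format DNSKEY: flags(2) protocol(1) algorithm(1) pubkey."""
    flags, proto, alg, *key = record.split()
    return int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)]) + base64.b64decode("".join(key))

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: a 16-bit checksum of the RDATA, not a hash."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def is_ksk(record: str) -> bool:
    """True when both the Zone Key and SEP flag bits are set (flags == 257)."""
    flags = int(record.split()[0])
    return bool(flags & ZONE_KEY) and bool(flags & SEP)

def ds_record(owner: str, record: str, digest_type: int = 2) -> str:
    """DS RDATA 'keytag alg digesttype HEX' where the digest is H(owner_wire | DNSKEY RDATA).
    digest_type 2 = SHA-256; 1 = SHA-1 (what -1 selects; RFC 8624 says MUST NOT use for new delegations)."""
    rdata = dnskey_rdata(record)
    digest = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {rdata[3]} {digest_type} {digest}"

if __name__ == "__main__":  # print the DS for the KSK only, as dnssec-dsfromkey would
    print(*[f"nsa.gov. IN DS {ds_record('nsa.gov.', r)}" for r in NSA_GOV_DNSKEYS if is_ksk(r)], sep="\n")
```

The printed key tag and digest can be compared against the DS record the .gov zone actually publishes with dig DS nsa.gov.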