DNSSEC #26
Comments
DNSSEC simply works when configured on the DNS server. Support in nsupdate shouldn't be needed.
maybe we would want to add some configuration example? (and sometimes I also confuse the nsupdate.info software todo and the nsupdate.info site / dns todo) what also was a bit unclear to me while reading DNSSEC docs: the keys seem to have a limited validity, so does this need regular intervention by the admin to install new keys?
Running DNSSEC using a recent BIND is not that complicated. The only critical thing is that your domain provider is willing to add the DS records to the top level domain. For my zone I have the following config for DNSSEC with nsupdate:
Only auto-dnssec maintain and key-directory "/etc/bind/stratum0.net" are relevant to DNSSEC. With this setup, you only need to use dnssec-keygen to generate the KSK and ZSK. Finally you generate the DS records with dnssec-dsfromkey -f and pass those to your domain provider. There is a short guide at http://fanf.livejournal.com/112476.html. If your domain provider doesn't support DNSSEC, you can use DLV (DNSSEC Look-aside Validation). It's an alternative entry point and also very useful for initial testing. Also very useful for debugging is http://dnsviz.net/d/stratum0.net/dnssec/, which shows you a graph of all keys and their relationships. The gray DNSKEYs are KSKs and the white ones are ZSKs. To keep DNS messages smaller, DNSSEC uses shorter keys and so they must be rotated regularly. The longer (2048 bit) KSKs have a lifetime on the order of years and the shorter (1024 bit) ZSKs on the order of months. Note that they do not expire after this time, it's just strongly recommended to perform a rollover after that time. With auto-dnssec maintain, you just have to generate new keys. The metadata in the key files allows BIND to handle the rollover automatically. For KSK changes, you'd need to notify your domain provider again. This setup has been running without problems for two months on stratum0.net (which provides DYNDNS for our hackerspace).
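As an added example, not the commenter's config and not code from the nsupdate.info project: auto-dnssec maintain performs the rollover from the timing metadata in the key files, but the successor keys still have to be generated by the admin, so this Python script, run over constructed sample key files, flags a key that goes inactive soon with no same-role successor scheduled to be active by then. File names, keyids and dates are made up.

```python
# auto-dnssec maintain rolls keys from the timing metadata in the key files but
# never generates keys, so an admin must check that each retiring key has a successor.
import re
from datetime import datetime, timedelta

# Constructed sample contents of two K<zone>.+<alg>+<keyid>.key files, in the layout
# dnssec-keygen / dnssec-settime write (DNSKEY RDATA shortened, keyids and dates made up).
KEY_FILES = {
    "Kexample.net.+008+11111.key": """\
; This is a key-signing key, keyid 11111, for example.net.
; Publish: 20240101000000 (Mon Jan  1 00:00:00 2024)
; Activate: 20240101000000 (Mon Jan  1 00:00:00 2024)
example.net. IN DNSKEY 257 3 8 AwEAAcKSK...
""",
    "Kexample.net.+008+22222.key": """\
; This is a zone-signing key, keyid 22222, for example.net.
; Publish: 20240101000000 (Mon Jan  1 00:00:00 2024)
; Activate: 20240101000000 (Mon Jan  1 00:00:00 2024)
; Inactive: 20240301000000 (Fri Mar  1 00:00:00 2024)
; Delete: 20240331000000 (Sun Mar 31 00:00:00 2024)
example.net. IN DNSKEY 256 3 8 AwEAAcZSK...
""",
}

TIMING = re.compile(r"^;\s*(Publish|Activate|Inactive|Delete):\s*(\d{14})", re.M)
FMT = "%Y%m%d%H%M%S"  # timestamp format of the key-file metadata (UTC)

def parse_key(text):
    """Return (role, {event: datetime}); the role comes from the DNSKEY flags field."""
    flags = int(re.search(r"\sIN\s+DNSKEY\s+(\d+)\s", text).group(1))
    role = "KSK" if flags & 1 else "ZSK"  # 257 has the SEP bit set, 256 does not
    return role, {ev: datetime.strptime(ts, FMT) for ev, ts in TIMING.findall(text)}

def keys_needing_successor(files, now, warn_days=30):
    """Return [(file, role, inactive)] for keys going inactive within warn_days
    without a same-role key scheduled to be active at that moment. now is in FMT."""
    now = datetime.strptime(now, FMT)
    keys = [(name,) + parse_key(text) for name, text in files.items()]
    flagged = []
    for name, role, t in keys:
        inactive = t.get("Inactive")
        if inactive is None or inactive > now + timedelta(days=warn_days):
            continue  # no retirement scheduled, or not due yet
        covered = any(r == role and n != name and "Activate" in s
                      and s["Activate"] <= inactive < s.get("Inactive", datetime.max)
                      for n, r, s in keys)
        if not covered:
            flagged.append((name, role, inactive.strftime(FMT)))
    return flagged
```

In a real deployment the dict would be filled from the files in the zone's key-directory; a flagged key means a successor must be created with dnssec-keygen (and, for a KSK, a new DS handed to the domain provider) before BIND can roll it.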
see also #105
also interesting: how does dnssec signing impact zone update performance?
docs: add some info about DNSSEC, fixes #26
document usage with DNSSEC, add a configuration example, useful links, ...