Having a look at DNSSEC braindump / 2010-11-09

Having a look at DNSSEC, but for now my head explodes. Reading some howtos, getting weird errors and a 'now what?' when the signing is a success. Anyway, braindump. Generating the ZSK (zone signing key):
dnssec-keygen -r/dev/urandom -a RSASHA1 -b 1024 -n ZONE tinfoilhat.idefix.net
Generating KSK (key signing key):
dnssec-keygen -r/dev/urandom  -f KSK -a RSASHA1 -b 1280  -n ZONE tinfoilhat.idefix.net
Adding the resulting public key records to the zonefile:
$INCLUDE /var/cache/bind/keys/Ktinfoilhat.idefix.net.+005+05157.key ; ZSK
$INCLUDE /var/cache/bind/keys/Ktinfoilhat.idefix.net.+005+18049.key ; KSK
And signing the result:
dnssec-signzone -o tinfoilhat.idefix.net \
    -k Ktinfoilhat.idefix.net.+005+18049.key \
    /etc/bind/zones/tinfoilhat.idefix.net-zone \
    Ktinfoilhat.idefix.net.+005+05157.key
Here -o gives the zone name, -k the KSK, then follow the input zone file and the ZSK. The annotations with ';' cannot be typed on the command line, so they are in prose here. When it is done it prints the name of the output file:
/etc/bind/zones/tinfoilhat.idefix.net-zone.signed
And indeed:
localhost.tinfoilhat.idefix.net. 1800 IN A 127.0.0.1
                        1800    RRSIG   A 5 4 1800 20101209150007 (
                                        20101109150007 5157 tinfoilhat.idefix.net.
                                        NFHQ0ktGb+g9UiGRSQAhlMIoZYVDC8If/E2r
                                        dVrqEp5FA9RkiiMFgPDOy7FaqDy2NLWDs5W0
                                        WHdjgDwi0go70Qec2PJ6oD9jF9KXAVp2VpMv
                                        tOCBxE2MyXFmVt+HBVUqinE3ZWZNqJf71NYw
                                        +vLOSd77oKJYELjxaSwLW2Yw46M= )
                        1800    AAAA    ::1
                        1800    RRSIG   AAAA 5 4 1800 20101209150007 (
                                        20101109150007 5157 tinfoilhat.idefix.net.
                                        U6ii6sB9gI6cLuIv5ERne0CX0+F2sZspv3K/
                                        LixcjdOvPakRyGautN3bta7eJqp5L24BUNNw
                                        Vq/U4swpb/BbWgh2pgKqg0i6qwX//ZiLMJfM
                                        ZQ9So4bfOHJW/bSYA5BFss3OgwJGMgrlNOeO
                                        7KilwiJmtN6pjSlo9WSfgMkWgy8= )
Now to find out how to verify this... that takes a bit of searching:
# dig +sigchase +trusted-key=/etc/trusted-key.key localhost.tinfoilhat.idefix.net aaaa
;; RRset to chase:
localhost.tinfoilhat.idefix.net. 1800 IN AAAA   ::1
Launch a query to find a RRset of type RRSIG for zone: localhost.tinfoilhat.idefix.net.

;; RRSIG is missing for continue validation: FAILED

It helps when you actually load the signed zone! Retry:
;; RRSIG of the RRset to chase:
localhost.tinfoilhat.idefix.net. 1800 IN RRSIG  AAAA 5 4 1800 20101209150653 20101109150653 5157 tinfoilhat.idefix.net. Rl7v0JiumH6MJHqHDB39LmdM8WOS4eDkMcFYDCGkvvgfTG+0BlBJjlPM wYlR+Tzb0Qr8cFJkeaXaHuiaauOTrj5F7FQLdsrGMLtpqRbIvgYSMYvV uBpRYEfB8v3lDIh6RcsD6vkOOoLQVkj+BbGx7tsnOngdqpq83F6wrGED 74M=
Launch a query to find a RRset of type DNSKEY for zone: tinfoilhat.idefix.net.

;; DNSKEYset that signs the RRset to chase:
tinfoilhat.idefix.net.  1800    IN      DNSKEY  257 3 5 AwEAAdYdd31BIhSS90RSfm2frY7MxOGajLtrB+kohDe0rLdAuVzYDjUx 2URzsDcnJbgWVYa0Lf66mbbwcaaflj1zgE5dVYejOgIjGC/PdxEw7qqm 5lA4vW97S3Wn4aifAbRfzSniDWhMLPcphPF2uHPWdIjxagxFv40tMuns 3lpQpGC8ppa1TnBkwKQeeZa8KThzmNqM3tn7KR1yftUaG2aLeAU=
tinfoilhat.idefix.net.  1800    IN      DNSKEY  256 3 5 AwEAAdGQ6wG/n1wMYhDwhge5HDvVG6FzL3uuuouuD4M3d0bqOUiIZrDw aH9QuMJeJFKUUcwOzmKy7Hc2ik3Jgy9bzAvYZQ8lzLSKcLgTfXNttFzb OiUT1zCmSzZJcAtG0kotRuIAjB5eblwsEMO1R+TBSiHWamQnS7bG9auQ xKGetr6d
;; RRSIG of the DNSKEYset that signs the RRset to chase:
tinfoilhat.idefix.net.  1800    IN      RRSIG   DNSKEY 5 3 1800 20101209150653 20101109150653 5157 tinfoilhat.idefix.net. CnDwi1jeBqTsS9ywFm5b9iLROoARK7L1vLfrlkvBYgoNl7hAbEbcNVI+ ekNVlW78pmoEQUYLv+prBGR4CjNDkItbUKOR/t2hRnNoeiIHSIPqLe71 TiWxoz3uwMTz5kPxhyfp1hKRFx4GZDw2PrFI5EsobrNklc1+YIjXMfam e4s=
tinfoilhat.idefix.net.  1800    IN      RRSIG   DNSKEY 5 3 1800 20101209150653 20101109150653 18049 tinfoilhat.idefix.net. LFhN+H7xUlSD0WzR9rS9yRf+x6VZueKaTPAvSqxztl8QrCS7ehagEJxJ y9g7dAfDk2ndu8lEI42mSedtnrQiEFZ3XKU+r7aDGn+QaxHHw/sl3kRx 3rovSI3XygnZW/per447fctgWsZ7S9AN9f6MIDTetY75NV/LEGCOvAAu 873rDT0fTkxARdPp3H6zo7D8WJEYI8AfbxbT8aGpcCPcvw==
Launch a query to find a RRset of type DS for zone: tinfoilhat.idefix.net.

;; DSset of the DNSKEYset
tinfoilhat.idefix.net.  86400   IN      DS      18049 5 2 9FA6BDC8106CB7DD65113FA359EA57DC88C63DF8C70B62B262B9760D A1DC8D7D
tinfoilhat.idefix.net.  86400   IN      DS      18049 5 1 BB874F9F438E0F1620114BC1256A2746D1FD585A

;; WARNING : NO RRSIG DS : RRSIG DS should come with DS
;; WE HAVE MATERIAL, WE NOW DO VALIDATION
;; VERIFYING AAAA RRset for localhost.tinfoilhat.idefix.net. with DNSKEY:5157: success
;; OK We found DNSKEY (or more) to validate the RRset
;; Ok, find a Trusted Key in the DNSKEY RRset: 18049
;; VERIFYING DNSKEY RRset for tinfoilhat.idefix.net. with DNSKEY:18049: success

;; Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS

Still a warning about RRSIG/DS which I do not fully understand. But for the rest the magic word is SUCCESS.
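To check the chain by hand rather than trusting the SUCCESS line, here is an added Python example (not from the original post and not BIND code) that recomputes the key tags 18049 and 5157 from the DNSKEY records dig printed above, and the two DS digests that should match what is (to be) published in the parent zone. It assumes the base64 of the public keys is copied exactly as shown on this page.

```python
import base64
import hashlib

# DNSKEY records copied from the dig +sigchase output on this page (algorithm 5 = RSASHA1);
# the public key base64 is the same text with the display line breaks removed.
ZONE = "tinfoilhat.idefix.net."
KSK_B64 = ("AwEAAdYdd31BIhSS90RSfm2frY7MxOGajLtrB+kohDe0rLdAuVzYDjUx"
           "2URzsDcnJbgWVYa0Lf66mbbwcaaflj1zgE5dVYejOgIjGC/PdxEw7qqm"
           "5lA4vW97S3Wn4aifAbRfzSniDWhMLPcphPF2uHPWdIjxagxFv40tMuns"
           "3lpQpGC8ppa1TnBkwKQeeZa8KThzmNqM3tn7KR1yftUaG2aLeAU=")
ZSK_B64 = ("AwEAAdGQ6wG/n1wMYhDwhge5HDvVG6FzL3uuuouuD4M3d0bqOUiIZrDw"
           "aH9QuMJeJFKUUcwOzmKy7Hc2ik3Jgy9bzAvYZQ8lzLSKcLgTfXNttFzb"
           "OiUT1zCmSzZJcAtG0kotRuIAjB5eblwsEMO1R+TBSiHWamQnS7bG9auQ"
           "xKGetr6d")

def dnskey_rdata(flags, algorithm, pubkey_b64, protocol=3):
    """DNSKEY RDATA in wire format: flags(2) protocol(1) algorithm(1) public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag as in RFC 4034 Appendix B; this is the number in the K*.key file names."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def wire_name(name):
    """Owner name in canonical (lowercase) wire format, as hashed into a DS record."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.lower().rstrip(".").split("."))
    return out + b"\x00"

def ds_digest(owner, rdata, digest_type):
    """DS digest (RFC 4034 section 5.1.4) over owner name + DNSKEY RDATA; 1 = SHA-1, 2 = SHA-256."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return h(wire_name(owner) + rdata).hexdigest().upper()

def check_zone_keys():
    """Recompute tags and DS digests so they can be compared with the records dig printed."""
    ksk = dnskey_rdata(257, 5, KSK_B64)   # 257 = SEP bit set, the KSK
    zsk = dnskey_rdata(256, 5, ZSK_B64)   # 256 = zone key, the ZSK
    return {"ksk_tag": key_tag(ksk), "zsk_tag": key_tag(zsk),
            "ds_sha256": ds_digest(ZONE, ksk, 2), "ds_sha1": ds_digest(ZONE, ksk, 1)}

if __name__ == "__main__":
    for name, value in check_zone_keys().items():
        print(name, value)
```

A resolver only trusts this zone once the parent publishes (and signs) a DS with one of these digests; until then the chain stops at the trusted-key file given to dig.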
