Having a look at DNSSEC braindump / 2010-11-09

Having a look at DNSSEC, but for now my head explodes: reading some howtos, getting weird errors, and a 'now what?' once the signing succeeds. Anyway, a braindump. Generating the ZSK (zone signing key):
dnssec-keygen -r/dev/urandom -a RSASHA1 -b 1024 -n ZONE tinfoilhat.idefix.net
Generating the KSK (key signing key):
dnssec-keygen -r/dev/urandom -f KSK -a RSASHA1 -b 1280 -n ZONE tinfoilhat.idefix.net
Adding the resulting public key records to the zone file:
$INCLUDE /var/cache/bind/keys/Ktinfoilhat.idefix.net.+005+05157.key ; ZSK
$INCLUDE /var/cache/bind/keys/Ktinfoilhat.idefix.net.+005+18049.key ; KSK
And signing the result:
dnssec-signzone -o tinfoilhat.idefix.net \
    -k Ktinfoilhat.idefix.net.+005+18049.key \
    /etc/bind/zones/tinfoilhat.idefix.net-zone \
    Ktinfoilhat.idefix.net.+005+05157.key
Here -o gives the zone name and -k the KSK, followed by the input zone file and the ZSK. The signed zone is written to /etc/bind/zones/tinfoilhat.idefix.net-zone.signed, and that is the file named has to load instead of the unsigned one.
And indeed, the signed zone now carries RRSIG records next to the data:
localhost.tinfoilhat.idefix.net. 1800 IN A 127.0.0.1
                        1800    RRSIG   A 5 4 1800 20101209150007 (
                                        20101109150007 5157 tinfoilhat.idefix.net.
                                        NFHQ0ktGb+g9UiGRSQAhlMIoZYVDC8If/E2r
                                        dVrqEp5FA9RkiiMFgPDOy7FaqDy2NLWDs5W0
                                        WHdjgDwi0go70Qec2PJ6oD9jF9KXAVp2VpMv
                                        tOCBxE2MyXFmVt+HBVUqinE3ZWZNqJf71NYw
                                        +vLOSd77oKJYELjxaSwLW2Yw46M= )
                        1800    AAAA    ::1
                        1800    RRSIG   AAAA 5 4 1800 20101209150007 (
                                        20101109150007 5157 tinfoilhat.idefix.net.
                                        U6ii6sB9gI6cLuIv5ERne0CX0+F2sZspv3K/
                                        LixcjdOvPakRyGautN3bta7eJqp5L24BUNNw
                                        Vq/U4swpb/BbWgh2pgKqg0i6qwX//ZiLMJfM
                                        ZQ9So4bfOHJW/bSYA5BFss3OgwJGMgrlNOeO
                                        7KilwiJmtN6pjSlo9WSfgMkWgy8= )
Now to find out how to verify this... that takes a bit of searching:
# dig +sigchase +trusted-key=/etc/trusted-key.key localhost.tinfoilhat.idefix.net aaaa
;; RRset to chase:
localhost.tinfoilhat.idefix.net. 1800 IN AAAA   ::1



Launch a query to find a RRset of type RRSIG for zone: localhost.tinfoilhat.idefix.net.

;; RRSIG is missing for continue validation: FAILED

It helps when you actually load the signed zone! Retry:
;; RRSIG of the RRset to chase:
localhost.tinfoilhat.idefix.net. 1800 IN RRSIG  AAAA 5 4 1800 20101209150653 20101109150653 5157 tinfoilhat.idefix.net. Rl7v0JiumH6MJHqHDB39LmdM8WOS4eDkMcFYDCGkvvgfTG+0BlBJjlPM wYlR+Tzb0Qr8cFJkeaXaHuiaauOTrj5F7FQLdsrGMLtpqRbIvgYSMYvV uBpRYEfB8v3lDIh6RcsD6vkOOoLQVkj+BbGx7tsnOngdqpq83F6wrGED 74M=



Launch a query to find a RRset of type DNSKEY for zone: tinfoilhat.idefix.net.

;; DNSKEYset that signs the RRset to chase:
tinfoilhat.idefix.net.  1800    IN      DNSKEY  257 3 5 AwEAAdYdd31BIhSS90RSfm2frY7MxOGajLtrB+kohDe0rLdAuVzYDjUx 2URzsDcnJbgWVYa0Lf66mbbwcaaflj1zgE5dVYejOgIjGC/PdxEw7qqm 5lA4vW97S3Wn4aifAbRfzSniDWhMLPcphPF2uHPWdIjxagxFv40tMuns 3lpQpGC8ppa1TnBkwKQeeZa8KThzmNqM3tn7KR1yftUaG2aLeAU=
tinfoilhat.idefix.net.  1800    IN      DNSKEY  256 3 5 AwEAAdGQ6wG/n1wMYhDwhge5HDvVG6FzL3uuuouuD4M3d0bqOUiIZrDw aH9QuMJeJFKUUcwOzmKy7Hc2ik3Jgy9bzAvYZQ8lzLSKcLgTfXNttFzb OiUT1zCmSzZJcAtG0kotRuIAjB5eblwsEMO1R+TBSiHWamQnS7bG9auQ xKGetr6d


;; RRSIG of the DNSKEYset that signs the RRset to chase:
tinfoilhat.idefix.net.  1800    IN      RRSIG   DNSKEY 5 3 1800 20101209150653 20101109150653 5157 tinfoilhat.idefix.net. CnDwi1jeBqTsS9ywFm5b9iLROoARK7L1vLfrlkvBYgoNl7hAbEbcNVI+ ekNVlW78pmoEQUYLv+prBGR4CjNDkItbUKOR/t2hRnNoeiIHSIPqLe71 TiWxoz3uwMTz5kPxhyfp1hKRFx4GZDw2PrFI5EsobrNklc1+YIjXMfam e4s=
tinfoilhat.idefix.net.  1800    IN      RRSIG   DNSKEY 5 3 1800 20101209150653 20101109150653 18049 tinfoilhat.idefix.net. LFhN+H7xUlSD0WzR9rS9yRf+x6VZueKaTPAvSqxztl8QrCS7ehagEJxJ y9g7dAfDk2ndu8lEI42mSedtnrQiEFZ3XKU+r7aDGn+QaxHHw/sl3kRx 3rovSI3XygnZW/per447fctgWsZ7S9AN9f6MIDTetY75NV/LEGCOvAAu 873rDT0fTkxARdPp3H6zo7D8WJEYI8AfbxbT8aGpcCPcvw==



Launch a query to find a RRset of type DS for zone: tinfoilhat.idefix.net.

;; DSset of the DNSKEYset
tinfoilhat.idefix.net.  86400   IN      DS      18049 5 2 9FA6BDC8106CB7DD65113FA359EA57DC88C63DF8C70B62B262B9760D A1DC8D7D
tinfoilhat.idefix.net.  86400   IN      DS      18049 5 1 BB874F9F438E0F1620114BC1256A2746D1FD585A

;; WARNING : NO RRSIG DS : RRSIG DS should come with DS



;; WE HAVE MATERIAL, WE NOW DO VALIDATION
;; VERIFYING AAAA RRset for localhost.tinfoilhat.idefix.net. with DNSKEY:5157: success
;; OK We found DNSKEY (or more) to validate the RRset
;; Ok, find a Trusted Key in the DNSKEY RRset: 18049
;; VERIFYING DNSKEY RRset for tinfoilhat.idefix.net. with DNSKEY:18049: success

;; Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS

Still a warning about RRSIG/DS, which I do not fully understand. But for the rest, the magic word is SUCCESS.
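As an added example (my own code, not something from the post above), the following redoes by hand the two bookkeeping checks that dig +sigchase performs on the material printed above: it recomputes the key tags of the two DNSKEY records (RFC 4034 Appendix B), which must equal the 18049 and 5157 in the K*.key file names, the RRSIGs and the DS records, and it recomputes the SHA-1 and SHA-256 DS digests over the KSK (RFC 4034 section 5 and RFC 4509) and compares them with the DS records the parent serves. It also checks an RRSIG validity window, since the 20101109150007/20101209150007 pair above is the 30-day default of dnssec-signzone. The DNSKEY, DS and RRSIG values are copied from the dig output; only the Python standard library is used. On the DS warning itself: the DS set lives in the parent zone (idefix.net) and its RRSIG would be made with the parent's keys, so +sigchase can only find one if the parent zone is signed as well; the code below does not try to fetch it.

```python
"""Added example, not part of the original post: recompute the DNSSEC key tags
and DS digests for tinfoilhat.idefix.net from the records printed by dig."""
import base64
import hashlib
import struct
from datetime import datetime

ZONE = "tinfoilhat.idefix.net."

# DNSKEY RDATA as printed by dig above: "flags protocol algorithm base64-key".
KSK_DNSKEY = (
    "257 3 5 "
    "AwEAAdYdd31BIhSS90RSfm2frY7MxOGajLtrB+kohDe0rLdAuVzYDjUx"
    "2URzsDcnJbgWVYa0Lf66mbbwcaaflj1zgE5dVYejOgIjGC/PdxEw7qqm"
    "5lA4vW97S3Wn4aifAbRfzSniDWhMLPcphPF2uHPWdIjxagxFv40tMuns"
    "3lpQpGC8ppa1TnBkwKQeeZa8KThzmNqM3tn7KR1yftUaG2aLeAU="
)
ZSK_DNSKEY = (
    "256 3 5 "
    "AwEAAdGQ6wG/n1wMYhDwhge5HDvVG6FzL3uuuouuD4M3d0bqOUiIZrDw"
    "aH9QuMJeJFKUUcwOzmKy7Hc2ik3Jgy9bzAvYZQ8lzLSKcLgTfXNttFzb"
    "OiUT1zCmSzZJcAtG0kotRuIAjB5eblwsEMO1R+TBSiHWamQnS7bG9auQ"
    "xKGetr6d"
)
# DS records for the KSK as served by the parent (from the dig output above).
DS_SHA1 = "BB874F9F438E0F1620114BC1256A2746D1FD585A"
DS_SHA256 = "9FA6BDC8106CB7DD65113FA359EA57DC88C63DF8C70B62B262B9760DA1DC8D7D"


def dnskey_rdata(text):
    """Presentation-format DNSKEY RDATA -> wire format (RFC 4034 section 2.1)."""
    flags, proto, alg, *b64 = text.split()
    pubkey = base64.b64decode("".join(b64))
    return struct.pack("!HBB", int(flags), int(proto), int(alg)) + pubkey


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B): the number that
    appears in the K<zone>.+005+NNNNN.key file names, RRSIGs and DS records."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def name_to_wire(name):
    """Canonical (lower-case) wire form of an owner name, used for DS hashing."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(owner name wire form || DNSKEY RDATA), RFC 4034 5.1.4;
    digest type 1 is SHA-1, type 2 is SHA-256 (RFC 4509)."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return h(name_to_wire(owner) + rdata).hexdigest().upper()


def rrsig_window_ok(expiration, inception, when):
    """RRSIG times are YYYYMMDDHHMMSS (UTC); a signature only validates while
    inception <= when <= expiration. All three arguments use that format."""
    fmt = "%Y%m%d%H%M%S"
    start, end, now = (datetime.strptime(s, fmt) for s in (inception, expiration, when))
    return start <= now <= end


def check_chain():
    """Recompute key tags and DS digests and compare with what dig printed."""
    ksk = dnskey_rdata(KSK_DNSKEY)
    zsk = dnskey_rdata(ZSK_DNSKEY)
    return {
        "ksk_tag": key_tag(ksk),
        "zsk_tag": key_tag(zsk),
        "ds_sha1_ok": ds_digest(ZONE, ksk, 1) == DS_SHA1,
        "ds_sha256_ok": ds_digest(ZONE, ksk, 2) == DS_SHA256,
    }


if __name__ == "__main__":
    for name, value in check_chain().items():
        print(name, value)
    # The AAAA RRSIG above: expiration 20101209150007, inception 20101109150007.
    print("RRSIG valid on 2010-11-15:",
          rrsig_window_ok("20101209150007", "20101109150007", "20101115000000"))
```

If the DS digests do not match what the parent serves, the chain breaks at the DS step no matter how clean the signing run was, so this is the check worth repeating after every KSK rollover before updating the DS at the registrar.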

Links for information:


Koos van den Hout, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred. PGP key 5BA9 368B E6F3 34E4 (0x5BA9368BE6F334E4).