2010-11-09
Having a look at DNSSEC braindump
Having a look at DNSSEC, but for now my head explodes. Reading some howtos, getting weird errors and a 'now what?' when the signing is a success. Anyway, braindump.

Generating the ZSK (zone signing key):

    dnssec-keygen -r/dev/urandom -a RSASHA1 -b 1024 -n ZONE tinfoilhat.idefix.net

Generating the KSK (key signing key):

    dnssec-keygen -r/dev/urandom -f KSK -a RSASHA1 -b 1280 -n ZONE tinfoilhat.idefix.net

Adding the resulting records to the zonefile:

    $INCLUDE /var/cache/bind/keys/Ktinfoilhat.idefix.net.+005+05157.key ; ZSK
    $INCLUDE /var/cache/bind/keys/Ktinfoilhat.idefix.net.+005+18049.key ; KSK

And signing the result (-o is the zone name, -k the KSK, then the input zone file and the ZSK):

    dnssec-signzone -o tinfoilhat.idefix.net \
        -k Ktinfoilhat.idefix.net.+005+18049.key \
        /etc/bind/zones/tinfoilhat.idefix.net-zone \
        Ktinfoilhat.idefix.net.+005+05157.key

Output (the input file name with .signed appended): /etc/bind/zones/tinfoilhat.idefix.net-zone.signed

And indeed:

    localhost.tinfoilhat.idefix.net. 1800 IN A 127.0.0.1
                1800 RRSIG A 5 4 1800 20101209150007 (
                        20101109150007 5157 tinfoilhat.idefix.net.
                        NFHQ0ktGb+g9UiGRSQAhlMIoZYVDC8If/E2r
                        dVrqEp5FA9RkiiMFgPDOy7FaqDy2NLWDs5W0
                        WHdjgDwi0go70Qec2PJ6oD9jF9KXAVp2VpMv
                        tOCBxE2MyXFmVt+HBVUqinE3ZWZNqJf71NYw
                        +vLOSd77oKJYELjxaSwLW2Yw46M= )
                1800 AAAA ::1
                1800 RRSIG AAAA 5 4 1800 20101209150007 (
                        20101109150007 5157 tinfoilhat.idefix.net.
                        U6ii6sB9gI6cLuIv5ERne0CX0+F2sZspv3K/
                        LixcjdOvPakRyGautN3bta7eJqp5L24BUNNw
                        Vq/U4swpb/BbWgh2pgKqg0i6qwX//ZiLMJfM
                        ZQ9So4bfOHJW/bSYA5BFss3OgwJGMgrlNOeO
                        7KilwiJmtN6pjSlo9WSfgMkWgy8= )

Now to check how I verify this... takes a bit of searching:

    # dig +sigchase +trusted-key=/etc/trusted-key.key localhost.tinfoilhat.idefix.net aaaa
    ;; RRset to chase:
    localhost.tinfoilhat.idefix.net. 1800 IN AAAA ::1

    Launch a query to find a RRset of type RRSIG for zone: localhost.tinfoilhat.idefix.net.
    ;; RRSIG is missing for continue validation: FAILED

It helps when you actually load the signed zone! Retry:

    ;; RRSIG of the RRset to chase:
    localhost.tinfoilhat.idefix.net. 1800 IN RRSIG AAAA 5 4 1800 20101209150653 20101109150653 5157 tinfoilhat.idefix.net. Rl7v0JiumH6MJHqHDB39LmdM8WOS4eDkMcFYDCGkvvgfTG+0BlBJjlPM wYlR+Tzb0Qr8cFJkeaXaHuiaauOTrj5F7FQLdsrGMLtpqRbIvgYSMYvV uBpRYEfB8v3lDIh6RcsD6vkOOoLQVkj+BbGx7tsnOngdqpq83F6wrGED 74M=

    Launch a query to find a RRset of type DNSKEY for zone: tinfoilhat.idefix.net.
    ;; DNSKEYset that signs the RRset to chase:
    tinfoilhat.idefix.net. 1800 IN DNSKEY 257 3 5 AwEAAdYdd31BIhSS90RSfm2frY7MxOGajLtrB+kohDe0rLdAuVzYDjUx 2URzsDcnJbgWVYa0Lf66mbbwcaaflj1zgE5dVYejOgIjGC/PdxEw7qqm 5lA4vW97S3Wn4aifAbRfzSniDWhMLPcphPF2uHPWdIjxagxFv40tMuns 3lpQpGC8ppa1TnBkwKQeeZa8KThzmNqM3tn7KR1yftUaG2aLeAU=
    tinfoilhat.idefix.net. 1800 IN DNSKEY 256 3 5 AwEAAdGQ6wG/n1wMYhDwhge5HDvVG6FzL3uuuouuD4M3d0bqOUiIZrDw aH9QuMJeJFKUUcwOzmKy7Hc2ik3Jgy9bzAvYZQ8lzLSKcLgTfXNttFzb OiUT1zCmSzZJcAtG0kotRuIAjB5eblwsEMO1R+TBSiHWamQnS7bG9auQ xKGetr6d

    ;; RRSIG of the DNSKEYset that signs the RRset to chase:
    tinfoilhat.idefix.net. 1800 IN RRSIG DNSKEY 5 3 1800 20101209150653 20101109150653 5157 tinfoilhat.idefix.net. CnDwi1jeBqTsS9ywFm5b9iLROoARK7L1vLfrlkvBYgoNl7hAbEbcNVI+ ekNVlW78pmoEQUYLv+prBGR4CjNDkItbUKOR/t2hRnNoeiIHSIPqLe71 TiWxoz3uwMTz5kPxhyfp1hKRFx4GZDw2PrFI5EsobrNklc1+YIjXMfam e4s=
    tinfoilhat.idefix.net. 1800 IN RRSIG DNSKEY 5 3 1800 20101209150653 20101109150653 18049 tinfoilhat.idefix.net. LFhN+H7xUlSD0WzR9rS9yRf+x6VZueKaTPAvSqxztl8QrCS7ehagEJxJ y9g7dAfDk2ndu8lEI42mSedtnrQiEFZ3XKU+r7aDGn+QaxHHw/sl3kRx 3rovSI3XygnZW/per447fctgWsZ7S9AN9f6MIDTetY75NV/LEGCOvAAu 873rDT0fTkxARdPp3H6zo7D8WJEYI8AfbxbT8aGpcCPcvw==

    Launch a query to find a RRset of type DS for zone: tinfoilhat.idefix.net.
    ;; DSset of the DNSKEYset
    tinfoilhat.idefix.net. 86400 IN DS 18049 5 2 9FA6BDC8106CB7DD65113FA359EA57DC88C63DF8C70B62B262B9760D A1DC8D7D
    tinfoilhat.idefix.net. 86400 IN DS 18049 5 1 BB874F9F438E0F1620114BC1256A2746D1FD585A

    ;; WARNING : NO RRSIG DS : RRSIG DS should come with DS

    ;; WE HAVE MATERIAL, WE NOW DO VALIDATION
    ;; VERIFYING AAAA RRset for localhost.tinfoilhat.idefix.net. with DNSKEY:5157: success
    ;; OK We found DNSKEY (or more) to validate the RRset
    ;; Ok, find a Trusted Key in the DNSKEY RRset: 18049
    ;; VERIFYING DNSKEY RRset for tinfoilhat.idefix.net. with DNSKEY:18049: success
    ;; Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS

Still a warning about RRSIG/DS which I do not fully understand. But for the rest the magic word is SUCCESS.

Links for information:
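One check worth doing before handing DS records to the parent zone is to confirm that they really derive from the KSK. The following is an added Python example, not code from the original post or from BIND: it recomputes the key tag (RFC 4034 Appendix B) and the SHA-1 and SHA-256 DS digests (RFC 4034 section 5.1.4) from the KSK DNSKEY in the dig +sigchase output above and compares them with the two DS records printed there. The DNSKEY and DS values are copied from that output; everything else is the example's own.

```python
import base64
import hashlib

# Added example, not from the original post: recompute the KSK's key tag and DS
# digests and compare them with the DS records in the dig output above.

def owner_wire(name):
    """Canonical wire form of an owner name (lowercase labels, RFC 4034 6.2)."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """Wire-format DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(key_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def is_ksk(flags):
    """257 = zone key bit (0x0100) plus the SEP bit (0x0001), i.e. a KSK."""
    return flags & 0x0101 == 0x0101

DIGEST = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest type -> hash function
def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(canonical owner name | DNSKEY RDATA), RFC 4034 5.1.4."""
    return DIGEST[digest_type](owner_wire(owner) + rdata).hexdigest().upper()

def ds_matches(owner, flags, protocol, algorithm, key_b64, ds):
    """ds = (key_tag, algorithm, digest_type, digest_hex) as in a DS record."""
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    tag, alg, dtype, digest = ds
    return (key_tag(rdata) == tag and algorithm == alg
            and ds_digest(owner, rdata, dtype) == digest.upper())
# KSK (flags 257) and both DS records, copied from the dig +sigchase output.
ZONE = "tinfoilhat.idefix.net."
KSK_B64 = ("AwEAAdYdd31BIhSS90RSfm2frY7MxOGajLtrB+kohDe0rLdAuVzYDjUx"
           "2URzsDcnJbgWVYa0Lf66mbbwcaaflj1zgE5dVYejOgIjGC/PdxEw7qqm"
           "5lA4vW97S3Wn4aifAbRfzSniDWhMLPcphPF2uHPWdIjxagxFv40tMuns"
           "3lpQpGC8ppa1TnBkwKQeeZa8KThzmNqM3tn7KR1yftUaG2aLeAU=")
DS_RECORDS = [(18049, 5, 2, "9FA6BDC8106CB7DD65113FA359EA57DC88C63DF8C70B62B262B9760DA1DC8D7D"),
              (18049, 5, 1, "BB874F9F438E0F1620114BC1256A2746D1FD585A")]

if __name__ == "__main__":
    for ds in DS_RECORDS:
        print("DS digest type", ds[2], "matches KSK:", ds_matches(ZONE, 257, 3, 5, KSK_B64, ds))
```

The same functions apply to any zone's KSK; a mismatch means the DS the parent holds (or is about to publish) does not point at the key that actually signs the DNSKEY RRset, and validation will fail at the delegation.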