2019-09-11 First zone with valid DNSSEC signatures
My previous test with DNSSEC zone signing showed a problem with entropy in virtual machines. Today I had time to reboot the home server running the virtual machines, including the virtual machine with the nameserver, based on bind9. Now I can create DNSSEC signatures for zonefiles at high speed (0.028 seconds) with enough entropy available.

My first test is with camp-wireless.com, which is a domain name for redirecting to Camp Wireless; since that variant was mentioned somewhere, I had to generate the redirects to the right version. The next step was to upload the DS records for the zone to my registrar and get them entered into the top level domain. This failed on the first attempt: the DS records have to be entered very carefully at the registrar.

I tested the result with dnsviz for camp-wireless.com and found an error in the first try: I updated the serial after signing the zone, so the SOA record wasn't signed correctly anymore. I updated my zonefile Makefile to do the steps in the right order:

```makefile
# Pattern rule: the leading % and the %-zone prerequisite were lost in extraction
# and are reconstructed here from the $* (stem) and $^ (prerequisite) references below.
%-zone-signedserial: %-zone
	named-checkzone $* $^
	./SOA.pl $^
	dnssec-signzone -S -K /etc/bind/keys -g -a -r /dev/random -D -S -o $* $^
	rndc reload $*
	touch $@
```

For the zone camp-wireless.com the original data is in camp-wireless.com-zone and the DNSSEC signatures in camp-wireless.com-zone.signed. make aborts when one of the commands exits with an error, so it will for example stop completely when I make a typo in the zonefile that makes named-checkzone fail. The -D option creates a file to be used with $INCLUDE in the original zonefile. This does create a circular dependency: named-checkzone will fail when the included .signed file isn't there yet on the first run, so the first run has to be done manually. So now the zone is signed correctly.

The next developments will be to find out how to monitor this extensively so I won't be surprised by problems, and to redo the signing from time to time to make DNSSEC zone walking very hard.
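The DS records that had to be entered so carefully can be checked before they go to the registrar. The following is an added example, not code from this post and not part of bind9: it derives the DS record from a DNSKEY the way dnssec-dsfromkey does (RFC 4034 key tag, then a digest over the owner name in wire format followed by the DNSKEY RDATA) and compares it with the text typed into the registrar's form, ignoring the whitespace and case differences that dig and web forms introduce. The public key bytes, the resulting key tag 1554 and the use of camp-wireless.com. as owner are constructed for the sample; they are not the zone's real key.

```python
"""Derive a DS record from a DNSKEY and compare it with the registrar entry.

Added example for the post above; not the author's code. The sample key is
constructed (four bytes of public key), not a real DNSKEY.
"""
import base64
import hashlib

# DS digest types (RFC 4034 appendix A.2 and RFC 4509): 1 = SHA-1, 2 = SHA-256.
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}

# Constructed sample: flags 257 (KSK), protocol 3, algorithm 13 (ECDSAP256SHA256)
# with a dummy 4-byte public key 00 01 02 03, base64 "AAECAw==".
SAMPLE_OWNER = "camp-wireless.com."
SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM = 257, 3, 13
SAMPLE_PUBKEY_B64 = "AAECAw=="


def owner_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of an owner name: length-prefixed labels, root = 0."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, flags: int, protocol: int, algorithm: int,
                   pubkey_b64: str, digest_type: int = 2) -> str:
    """Presentation-format DS RDATA: '<key tag> <algorithm> <digest type> <hex digest>'."""
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64))
    digest = DIGEST_TYPES[digest_type](owner_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {algorithm} {digest_type} {digest}"


def normalize_ds(text: str) -> str:
    """Collapse whitespace inside the digest (dig splits it over lines) and fold case."""
    tag, alg, dtype, *digest = text.split()
    return f"{int(tag)} {int(alg)} {int(dtype)} {''.join(digest).upper()}"


def ds_matches(expected: str, registrar_entry: str) -> bool:
    """True when what was typed at the registrar is the DS record the key really has."""
    return normalize_ds(expected) == normalize_ds(registrar_entry)


if __name__ == "__main__":
    ds = ds_from_dnskey(SAMPLE_OWNER, SAMPLE_FLAGS, SAMPLE_PROTOCOL,
                        SAMPLE_ALGORITHM, SAMPLE_PUBKEY_B64)
    print("DS for the sample key:", ds)
    # A single mistyped hex digit is enough to break the chain of trust.
    typo = ds[:-1] + ("0" if ds[-1] != "0" else "1")
    print("registrar entry with one digit wrong matches:", ds_matches(ds, typo))
```

For a real key, feed the four DNSKEY fields from the zone's Kcamp-wireless.com.+013+NNNNN.key file (or the DNSKEY answer from dig) into ds_from_dnskey and compare with what the registrar shows after saving; a mismatch there is exactly the failure dnsviz reports as a broken delegation.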
And when I trust all of this I will implement it on the other domain names that I manage.

I also tested the results using internet.nl. After adding some redirect steps, so that http://camp-wireless.com/ redirects to https://camp-wireless.com/, which in turn forwards to https://www.camp-wireless.org/, it is now good enough for the 'Hall of fame': Websitetest: www.camp-wireless.com - internet.nl (Dutch). Not bad for a redirect-only domain name. It seems redirecting to the same name over https before redirecting to the definitive target scores better than skipping that step.
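For the monitoring the post says is still to come, an added example that is not code from the post: it reads the signature file that dnssec-signzone -D writes (camp-wireless.com-zone.signed in the post's layout) and reports every RRSIG that expires within a warning window or has expired already. dnssec-signzone signs for 30 days from the start time by default (the -e option changes that), so a 7-day window leaves enough time to re-run make before resolvers start failing validation. The three records in ZONE are constructed, with dummy signature data and the constructed key tag 1554.

```python
"""Report expiring RRSIGs in a signed zone file (or the -D signature file).

Added example for the post above; not the author's code. ZONE is a constructed
sample in the shape dnssec-signzone writes; the signatures are dummies.
"""
from datetime import datetime, timedelta, timezone

RRSIG_TIME = "%Y%m%d%H%M%S"  # YYYYMMDDHHmmSS, always UTC (RFC 4034 section 3.2)

# Constructed sample, not real signatures.
ZONE = """\
; constructed sample in dnssec-signzone -D output shape
camp-wireless.com.\t3600\tIN RRSIG\tSOA 13 2 3600 (
\t\t\t\t20191011120000 20190911120000 1554 camp-wireless.com.
\t\t\t\tAAECAwQFBgc= )
camp-wireless.com.\t3600\tIN RRSIG\tNS 13 2 3600 (
\t\t\t\t20191101120000 20191002120000 1554 camp-wireless.com.
\t\t\t\tAAECAwQFBgc= )
www.camp-wireless.com.\t3600\tIN RRSIG\tA 13 3 3600 (
\t\t\t\t20191005120000 20190905120000 1554 camp-wireless.com.
\t\t\t\tAAECAwQFBgc= )
"""

# Fixed "now" for the constructed sample so the result is reproducible.
SAMPLE_NOW = datetime(2019, 10, 8, 12, tzinfo=timezone.utc)


def zone_records(text):
    """Yield one logical record at a time, joining multi-line ( ... ) records
    and dropping ';' comments (base64 signature data never contains ';')."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth <= 0:
            yield " ".join(buf).replace("(", " ").replace(")", " ")
            buf, depth = [], 0


def parse_rrsig(record):
    """Return (owner, type covered, expiration, inception, key tag) for an RRSIG
    in presentation format, or None for any other record."""
    f = record.split()
    if len(f) < 10 or "RRSIG" not in f[:4]:
        return None
    i = f.index("RRSIG")  # TTL and class may be absent, so locate the type field
    # RDATA order: type covered, algorithm, labels, original TTL, expiration,
    # inception, key tag, signer name, signature.
    exp = datetime.strptime(f[i + 5], RRSIG_TIME).replace(tzinfo=timezone.utc)
    inc = datetime.strptime(f[i + 6], RRSIG_TIME).replace(tzinfo=timezone.utc)
    return f[0], f[i + 1], exp, inc, int(f[i + 7])


def expiring_signatures(zone_text, now, warn_days=7):
    """List (owner, type covered, key tag, days left) for every RRSIG expiring
    within warn_days of now; days left is negative once it has already expired."""
    out = []
    for rec in zone_records(zone_text):
        sig = parse_rrsig(rec)
        if sig is None:
            continue
        owner, covered, exp, _inc, tag = sig
        left = exp - now
        if left <= timedelta(days=warn_days):
            out.append((owner, covered, tag, left.days))
    return out


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. camp-wireless.com-zone.signed
        text, now = open(sys.argv[1]).read(), datetime.now(timezone.utc)
    else:
        text, now = ZONE, SAMPLE_NOW
    for owner, covered, tag, days in expiring_signatures(text, now):
        state = "EXPIRED" if days < 0 else f"{days} days left"
        print(f"{owner} RRSIG {covered} (key tag {tag}): {state}")
```

Run from cron against the .signed file and a non-empty report is the cue to re-run make; because the check reads the file the signer wrote rather than querying DNS, it also catches a signing run that silently produced nothing (no RRSIGs at all).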