opennic:dnssec

opennic:dnssec [2018-04-16T19:49:31Z] – created jonaharagon
opennic:dnssec [2026-04-29T17:49:34Z] (current) – update current keys and samples joestr1
Line 16: Line 16:
  
 <file - named.conf.keys> <file - named.conf.keys>
-trusted-keys +trust-anchors 
-        . 257 3 8 "AwEAAaq+qqsdDHByq/DFR5/u23qcDNOQJzjYBcSfjrGN +  initial-key 257 3 8 "AwEAAbtbsu+wl3fbEDbgvMgJ1BDXeAk5t6BU7B1KGVvc13zMJtjvarxp 
-                                LdY2+vY+ubhuiz0hG1xk5D+dK78Eh58wZ3tQnsRr3bVN +    WWrAb7fmWERX8kJawa3KpYty0EDFQ24nfQyhwEOld442ca89u4/ZU3jP 
-                                Vfcovlx/rdwuw5blez2TT0Et4IF/3b/RpMpCwSSOWTMG +    uwKohbGn55vIQ7KjCIrDNvRYjGVn2MNwZnL4WVVclJYsa1cGwVQ9t575 
-                                vi0EwIMNsjYWEZlRjcWku3cnAAvSD3YdaRW2JCKsbkK5 +    I5yvU+5g+jVcjUsGwFn6xmuJC0Z33ABKsC8b1cjfcnvE4wP3CrXOlDQ
-                                OQp2YjuQgIOL7J6f8mN6nkfAWd9L2U9H+TSEnx8gqqkX +    Er4uPUtMKrmG+Sj1Bm5U+do78mwEXOlTz/sNj8tkpL0pYB2j+XNaDVrO 
-                                IEIRWcbdWN1FiCdy3L8CaHbZcttzx5lLOGrjPW+raXn+    0uS1beekejnttMsC4SHMCsiwMvigW2O54ByhzijU2v87d7U9WEMVfPvO 
-                                KaQSU+WW9n2PPOZbNUrQnsW/DJ+b+soNQQbhwFlp/av5 +    6gearg1fo/1Tk4buzPZcS+W9WZgFAt7kT1ois3x0GGT7J55zENB9IZU4 
-                                VzaxB7/57vEKqj71x+Xu8S0sGpLcXrkf5p3ri93ScLsJ +    tMmWdYbZJOZsdAzmshuWJIUlTZdNN5671Rhc6P9TWnMlvb9iNT7G3DZ9 
-                                OT11fIlMRIwcKsWZEIIyYzuQeq8MoVTenvN6re/y872V +    PhBw1OF/OmmXobv3Wygbt5+u7q2CPPzwU4WTGpVNtr3Iry2SPW3XVpJS 
-                                b6JBHbBMk0JmsRwkXltz9PINWyvVyqM3PA1bJ4fz8Qbq +    M3+nW7LfxxtWZJlN4MDQYC5IptU+A5EO80/yE38E9tKGDWC1+Nw59QLa 
-                                XnTnJiR/yylhcE8rjPUtnf29NyDN7Co9JzPwnwE74F3k +    BE7ff+Jkq7OMjTHjFhYivkJSv+8LEbkGjWoaMAS2CT3/ZVMYLiQn8THi 
-                                3R18w45L8E5Dt5it2PIA9/rb6GDMrPAPsa1X82qNLzcb +    ZUBF+aOzJMw0EGPag1Qq4vfGgFkQMM3hOaH6bWN1yCvmspuiwLYkNCZZ 
-                                oosMj9vT7Ofg8M+x2/VYt6u4xX4glZRavyjTs6qGfzFS +    /l8ThKc57bGYy9TX"; 
-                                +Z44zrIP4CtNa0fL0AwJ/wsK4YJSX0xZ6/CJI/NNXeSg +
-                                G5vfMw04kUDI9d9oO9jkAhYDmTaOI6C5nVTymAs3uje8 +
-                                /mZlo/pUSllB0DkpTgd5PTAwQsA1";+
 }; };
 </file> </file>
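Review bot: the new ''trust-anchors'' entry is missing its owner name: as shown, the statement starts ''initial-key 257 3 8 "AwEAAbtbsu...'' with no ''.'' in front of ''initial-key'', so BIND will reject named.conf.keys at parse time (the replaced ''trusted-keys'' line did carry the leading ''.''). It should read ''. initial-key 257 3 8 "AwEAAbtbsu...";''. Worth one sentence in the text as well: ''initial-key'' switches on RFC 5011 automatic key tracking, while ''static-key'' is the direct equivalent of the old ''trusted-keys'' behaviour, so the choice should match whether the OpenNIC root actually publishes RFC 5011-style rollovers.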
Line 39: Line 37:
 > >
 > <code> > <code>
-dig DNSKEY . @45.56.116.224 +short+dig DNSKEY . @195.201.99.61 +short
 </code> </code>
 > <code> > <code>
-256 3 8 AwEAAaZnbL4yf5OZKLi/tjNBLKUwLuxhyvhildx0Efb/nMlRrCgafhCD 8A8tZkQLMQjQDu5Uckk/M1wCY5U8A9yvOapWMHx3S9dnFSvp4CFWitvo QYDJIMMooNGdYpljzKtR52wPdUpcqvSRwpp9a4gsoEx/r4jY9vyrT/SO 7yQuhh4uVKtZeHcXl/w2V14zVNUBoDl3SlSYIkVBa2HzponOsDlqJN6V QbZQ4mbvpnvbWOq55E/1pzIIrwp0X2VxSunhU/sGKpfiW9c5O6mPwUGl 1NDeYzycNKGy2Nsx4p4nkN43rRwjDBtD4CSUiTwtsMFTF5xKAbuUgSds BAQMyTnokYs+256 3 8 AwEAAeXw6/FhGTrrrowgiK/4mWwP76JM/Np6FwHmQ+Qn73wdOWT0d189 gkNeVNTVyQNU+q+MBnJ01OFbgQqsey6pd2OjAD5i8pDqZz/0zS7z70Uv eScfqLv08n8qoZOsv7QhytVE9qGqfXgeeGPUctOeqfdlJN/NXnU7crBT 6AxLg1FChV1m3dOcJwCW72XPi/Mbo9dsJSgbWZmVGCILBEQjVa13K4lt roHibq/1kUvmei0TLpzDpwu9OG3m50tAa+JTyId2vqopbCqEk2rQspQTbewkG2jF7TRvDZbRje8Z2eA2HLW3ClrlIFBcyv/0NqrFH9CJCR2g2Mu a77etVdrgUE
-257 3 8 AwEAAaq+qqsdDHByq/DFR5/u23qcDNOQJzjYBcSfjrGNLdY2+vY+ubhu iz0hG1xk5D+dK78Eh58wZ3tQnsRr3bVNVfcovlx/rdwuw5blez2TT0Et 4IF/3b/RpMpCwSSOWTMGvi0EwIMNsjYWEZlRjcWku3cnAAvSD3YdaRW2 JCKsbkK5OQp2YjuQgIOL7J6f8mN6nkfAWd9L2U9H+TSEnx8gqqkXIEIR WcbdWN1FiCdy3L8CaHbZcttzx5lLOGrjPW+raXn+KaQSU+WW9n2PPOZb NUrQnsW/DJ+b+soNQQbhwFlp/av5VzaxB7/57vEKqj71x+Xu8S0sGpLc Xrkf5p3ri93ScLsJOT11fIlMRIwcKsWZEIIyYzuQeq8MoVTenvN6re/y 872Vb6JBHbBMk0JmsRwkXltz9PINWyvVyqM3PA1bJ4fz8QbqXnTnJiR/ yylhcE8rjPUtnf29NyDN7Co9JzPwnwE74F3k3R18w45L8E5Dt5it2PIA 9/rb6GDMrPAPsa1X82qNLzcboosMj9vT7Ofg8M+x2/VYt6u4xX4glZRa vyjTs6qGfzFS+Z44zrIP4CtNa0fL0AwJ/wsK4YJSX0xZ6/CJI/NNXeSg G5vfMw04kUDI9d9oO9jkAhYDmTaOI6C5nVTymAs3uje8/mZlo/pUSllB 0DkpTgd5PTAwQsA1+257 3 8 AwEAAbtbsu+wl3fbEDbgvMgJ1BDXeAk5t6BU7B1KGVvc13zMJtjvarxp WWrAb7fmWERX8kJawa3KpYty0EDFQ24nfQyhwEOld442ca89u4/ZU3jP uwKohbGn55vIQ7KjCIrDNvRYjGVn2MNwZnL4WVVclJYsa1cGwVQ9t575 I5yvU+5g+jVcjUsGwFn6xmuJC0Z33ABKsC8b1cjfcnvE4wP3CrXOlDQEr4uPUtMKrmG+Sj1Bm5U+do78mwEXOlTz/sNj8tkpL0pYB2j+XNaDVrO 0uS1beekejnttMsC4SHMCsiwMvigW2O54ByhzijU2v87d7U9WEMVfPvO 6gearg1fo/1Tk4buzPZcS+W9WZgFAt7kT1ois3x0GGT7J55zENB9IZU4 tMmWdYbZJOZsdAzmshuWJIUlTZdNN5671Rhc6P9TWnMlvb9iNT7G3DZ9 PhBw1OF/OmmXobv3Wygbt5+u7q2CPPzwU4WTGpVNtr3Iry2SPW3XVpJS M3+nW7LfxxtWZJlN4MDQYC5IptU+A5EO80/yE38E9tKGDWC1+Nw59QLa BE7ff+Jkq7OMjTHjFhYivkJSv+8LEbkGjWoaMAS2CT3/ZVMYLiQn8THi ZUBF+aOzJMw0EGPag1Qq4vfGgFkQMM3hOaH6bWN1yCvmspuiwLYkNCZZ /l8ThKc57bGYy9TX
 </code> </code>
  
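Review bot: the updated ''dig DNSKEY . +short'' sample shows both a ZSK (flags 256) and the KSK (flags 257), but nothing in the hunk tells the reader that only the 257 key belongs in the trust anchor, nor how to check that the key they fetched is the genuine one; a key pulled over unauthenticated DNS from a single server is trust-on-first-use. Suggest adding one line after the output, e.g. ''dig DNSKEY . @195.201.99.61 | dnssec-dsfromkey -2 -f - .'', and stating that the resulting DS must match the ''60820 8 2 A01E33C8...'' value used in the PowerDNS and dnsmasq sections of this page before the key is pasted into named.conf.keys.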
Line 72: Line 70:
  
 4. Restart BIND: ''systemctl restart bind9'' 4. Restart BIND: ''systemctl restart bind9''
 +
 +==== PowerDNS Recursor ====
 +
 +Create ''/etc/powerdns/config.lua'' with the following content:
 +
 +<file lua config.lua>
 +addDS('.', "60820 8 2 A01E33C8E95712E555FA9E6C09921830F3A518E36C5998F4ADBF5570AA86B538")
 +</file>
 +
 +Add the following lines to ''/etc/powerdns/recursor.conf'':
 +
 +<code>
 +lua-config-file=/etc/powerdns/config.lua
 +dnssec=log-fail
 +</code>
 +
 +Note that this will validate correctly, but will only log bogus domains instead of returning ''SERVFAIL''. This is fine in the DNSSEC testing period, but for full DNSSEC compliance, ''dnssec'' should be changed from ''log-fail'' to ''validate''.
 +
 +Restart PowerDNS: ''systemctl restart pdns-recursor''
  
 ==== dnsmasq ==== ==== dnsmasq ====
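Review bot: the new PowerDNS Recursor section should say whether the recursor's built-in ICANN root trust anchor is meant to remain alongside the added one: ''addDS('.', ...)'' only adds a DS for the root, so the resolver ends up accepting two root KSKs unless ''clearDS('.')'' is called first in config.lua; either add the call or state that keeping both is intentional. Also, ''lua-config-file'' and ''dnssec=log-fail'' in ''recursor.conf'' is the pre-5.x configuration style, and 5.x releases have moved to a YAML ''recursor.yml'', so naming the Recursor version these steps were tested on would save readers some confusion.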
Line 79: Line 96:
 <code> <code>
 dnssec dnssec
-trust-anchor=.,33750,8,2,ced6135102155c7a9c8a99945068ee0dcc21e2f70a5046b4e50ae98ad3ba9de2 +trust-anchor=.,60820,8,2,A01E33C8E95712E555FA9E6C09921830F3A518E36C5998F4ADBF5570AA86B538
-trust-anchor=.,47089,8,2,6d81988a88bd546e429486cc0a97518f90f9fc6c6c6b7e5bc2788469858c7324+
 </code> </code>
 +
 +==== Unbound ====
 +
 +1. Generate the ''/etc/unbound/opennic.dnskey'' file:
 +
 +<code>
 +dig @195.201.99.61 . DNSKEY | dnssec-dsfromkey -2 -f - . > /etc/unbound/opennic.dnskey
 +</code>
 +
 +2. Edit ''/etc/unbound/unbound.conf'' and set the attribute ''auto-trust-anchor-file'' with the ''opennic.dnskey'' file:
 +
 +<code>
 +auto-trust-anchor-file: "opennic.dnskey"
 +</code>
 +
 +3. Restart Unbound: ''systemctl restart unbound''
  
 ===== Testing DNSSEC ===== ===== Testing DNSSEC =====
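Review bot: in the new Unbound section, step 2 needs a permissions note: ''auto-trust-anchor-file'' enables RFC 5011 tracking and requires Unbound to be able to write that file at runtime, and the path is resolved relative to Unbound's ''directory:'' setting (and must sit inside any chroot). Generated as root with the redirect in step 1, ''/etc/unbound/opennic.dnskey'' will be root-owned, so either ''chown'' it to the unbound user or use ''trust-anchor-file:'' when no automatic updates are wanted. Step 1 also derives the anchor from whatever the queried server returned; suggest telling readers to compare the generated DS with the ''60820 8 2 A01E33C8...'' value that the dnsmasq and PowerDNS sections use, so a wrong or tampered answer is caught before Unbound is restarted. The dnsmasq change itself looks right: the two old anchors are replaced by the single current one, matching the DS used for PowerDNS.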
Line 88: Line 120:
  
 <code> <code>
-root@nyc3:~# dig pir.org +dnssec +multi @167.99.153.82+root@korridor:~# dig pir.org +dnssec +multi @46.102.156.180
  
-; <<>> DiG 9.10.3-P4-Ubuntu <<>> pir.org +dnssec +multi @167.99.153.82+; <<>> DiG 9.20.21-1~deb13u1-Debian <<>> pir.org +dnssec +multi @46.102.156.180
 ;; global options: +cmd ;; global options: +cmd
 ;; Got answer: ;; Got answer:
-;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3924 +;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22885 
-;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1+;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
  
 ;; OPT PSEUDOSECTION: ;; OPT PSEUDOSECTION:
-; EDNS: version: 0, flags: do; udp: 4096+; EDNS: version: 0, flags: do; udp: 65494 
 +; COOKIE: 641abe6c795889030100000069f2434e9c48eb04cf870e99 (good)
 ;; QUESTION SECTION: ;; QUESTION SECTION:
-;pir.org.               IN A+;pir.org. IN A
  
 ;; ANSWER SECTION: ;; ANSWER SECTION:
-pir.org.                241 IN A 97.107.141.235 +pir.org. 299 IN A 141.193.213.20 
-pir.org.                241 IN RRSIG A 5 2 300 ( +pir.org. 299 IN A 141.193.213.21 
-                                20180430162216 20180416162216 30795 pir.org. +pir.org. 299 IN RRSIG A 5 2 300 ( 
-                                Al1OgzE47XZcgl2t9IysJROLgM2Z2/f7tJ6LDuDdTHOD + 20260512204001 20260428204001 42621 pir.org. 
-                                itT5fJZjRypVJLfZrU73ng5J86dJCFEREk2k6I1lhmno + FnApY4+UtOcd3InElCd8W9+q8koa8vw5qt68ZETv+EcN 
-                                lJHKH1/MZK+LRDjZWJWqo3F5+MJTFv8W0F8zXWu4AMJE + ZnTzUm2qW+9AqE7R0YfS2ZBs9c9fn65CuFsRr+ynEyI/ 
-                                RYyyhX4fl+mL02T4VLGqpjrH2AX9tH8wRT9TuJE= )+ OyekiTuLZhmgZjLR5bSlUi1dGPA0G1EUdBrZvaxJGb3z 
 + UYcjWXGoi6zhX7vqzuFwJ0VN7B0aYhQnyvU+0v8= )
  
-;; Query time: msec +;; Query time: 735 msec 
-;; SERVER: 167.99.153.82#53(167.99.153.82+;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP
-;; WHEN: Mon Apr 16 19:46:05 UTC 2018 +;; WHEN: Wed Apr 29 19:43:42 CEST 2026 
-;; MSG SIZE  rcvd: 21+;; MSG SIZE  rcvd: 263
 </code> </code>
  
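Review bot: the updated pir.org sample does not show what it is meant to: the command line queries ''@46.102.156.180'', but the ''SERVER:'' line reports ''127.0.0.53#53(127.0.0.53)'', i.e. the answer came from the host's systemd-resolved stub, so the ''ad'' flag reflects that stub's (or its upstream's) validation rather than the OpenNIC resolver's. Suggest re-capturing with the output genuinely taken from the OpenNIC address, as the google.com sample further down is.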
Line 119: Line 153:
  
 <code> <code>
-root@nyc3:~# dig dnssec-failed.org +dnssec +multi @167.99.153.82+root@korridor:~# dig dnssec-failed.org +dnssec +multi @46.102.156.180
  
-; <<>> DiG 9.10.3-P4-Ubuntu <<>> dnssec-failed.org +dnssec +multi @167.99.153.82+; <<>> DiG 9.20.21-1~deb13u1-Debian <<>> dnssec-failed.org +dnssec +multi
 ;; global options: +cmd ;; global options: +cmd
 ;; Got answer: ;; Got answer:
-;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 10808+;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 36673
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
  
 ;; OPT PSEUDOSECTION: ;; OPT PSEUDOSECTION:
-; EDNS: version: 0, flags: do; udp: 4096+; EDNS: version: 0, flags: do; udp: 65494 
 +; COOKIE: dd4e47674a1c21f40100000069f24389ffb0f254c877cb94 (good)
 ;; QUESTION SECTION: ;; QUESTION SECTION:
-;dnssec-failed.org.     IN A+;dnssec-failed.org. IN A
  
-;; Query time: 1029 msec +;; Query time: 1555 msec 
-;; SERVER: 167.99.153.82#53(167.99.153.82+;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP
-;; WHEN: Mon Apr 16 19:48:04 UTC 2018 +;; WHEN: Wed Apr 29 19:44:41 CEST 2026 
-;; MSG SIZE  rcvd: 46+;; MSG SIZE  rcvd: 74
 </code> </code>
  
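Review bot: same problem as the pir.org sample: the new ''DiG ... dnssec-failed.org +dnssec +multi'' header line carries no ''@46.102.156.180'' at all and ''SERVER:'' is ''127.0.0.53#53(127.0.0.53)'', so the SERVFAIL shown comes from the local systemd-resolved stub, not from the OpenNIC resolver under test. The sample needs re-capturing against the resolver directly; a second run with ''+cd'' would also make a useful contrast, since it shows the answer the resolver returns when validation is switched off.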
Line 141: Line 176:
  
 <code> <code>
-root@nyc3:~# dig google.com +dnssec +multi @167.99.153.82+root@korridor:~# dig google.com +dnssec +multi @46.102.156.180
  
-; <<>> DiG 9.10.3-P4-Ubuntu <<>> google.com +dnssec +multi @167.99.153.82+; <<>> DiG 9.20.21-1~deb13u1-Debian <<>> google.com +dnssec +multi @46.102.156.180
 ;; global options: +cmd ;; global options: +cmd
 ;; Got answer: ;; Got answer:
-;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51509+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15620
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
  
 ;; OPT PSEUDOSECTION: ;; OPT PSEUDOSECTION:
-; EDNS: version: 0, flags: do; udp: 4096+; EDNS: version: 0, flags: do; udp: 1232 
 +; COOKIE: 19b6c445faa8b2370100000069f2442a56ff0168fadfb041 (good)
 ;; QUESTION SECTION: ;; QUESTION SECTION:
-;google.com.            IN A+;google.com. IN A
  
 ;; ANSWER SECTION: ;; ANSWER SECTION:
-google.com.             40 IN A 172.217.12.206+google.com. 285 IN A 142.251.38.142
  
-;; Query time: msec +;; Query time: msec 
-;; SERVER: 167.99.153.82#53(167.99.153.82+;; SERVER: 46.102.156.180#53(46.102.156.180) (UDP
-;; WHEN: Mon Apr 16 19:48:56 UTC 2018 +;; WHEN: Wed Apr 29 19:47:22 CEST 2026 
-;; MSG SIZE  rcvd: 55+;; MSG SIZE  rcvd: 83
 </code> </code>
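Review bot: this sample does reach the OpenNIC resolver (''SERVER: 46.102.156.180#53(46.102.156.180)'') and shows NOERROR without the ''ad'' flag; the surrounding text should spell out that this is the expected result for an unsigned zone (no RRSIG appears in the answer), not a validation failure, otherwise readers comparing it with the pir.org output may conclude validation is broken. Minor: ''Query time:'' is empty in both columns, so the value was probably lost when the output was pasted.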
  • Last modified: 8 years ago
  • by jonaharagon