opennic:dnssec

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision		 Previous revision
opennic:dnssec [2018-04-18T23:28:38Z] – add powerdns jonaharagonopennic:dnssec [2026-04-29T17:49:34Z] (current) – update current keys and samples joestr1
Line 16: Line 16:
  
 <file - named.conf.keys> <file - named.conf.keys>
-trusted-keys +trust-anchors 
-        . 257 3 8 "AwEAAaq+qqsdDHByq/DFR5/u23qcDNOQJzjYBcSfjrGN +  initial-key 257 3 8 "AwEAAbtbsu+wl3fbEDbgvMgJ1BDXeAk5t6BU7B1KGVvc13zMJtjvarxp 
-                                LdY2+vY+ubhuiz0hG1xk5D+dK78Eh58wZ3tQnsRr3bVN +    WWrAb7fmWERX8kJawa3KpYty0EDFQ24nfQyhwEOld442ca89u4/ZU3jP 
-                                Vfcovlx/rdwuw5blez2TT0Et4IF/3b/RpMpCwSSOWTMG +    uwKohbGn55vIQ7KjCIrDNvRYjGVn2MNwZnL4WVVclJYsa1cGwVQ9t575 
-                                vi0EwIMNsjYWEZlRjcWku3cnAAvSD3YdaRW2JCKsbkK5 +    I5yvU+5g+jVcjUsGwFn6xmuJC0Z33ABKsC8b1cjfcnvE4wP3CrXOlDQ
-                                OQp2YjuQgIOL7J6f8mN6nkfAWd9L2U9H+TSEnx8gqqkX +    Er4uPUtMKrmG+Sj1Bm5U+do78mwEXOlTz/sNj8tkpL0pYB2j+XNaDVrO 
-                                IEIRWcbdWN1FiCdy3L8CaHbZcttzx5lLOGrjPW+raXn+    0uS1beekejnttMsC4SHMCsiwMvigW2O54ByhzijU2v87d7U9WEMVfPvO 
-                                KaQSU+WW9n2PPOZbNUrQnsW/DJ+b+soNQQbhwFlp/av5 +    6gearg1fo/1Tk4buzPZcS+W9WZgFAt7kT1ois3x0GGT7J55zENB9IZU4 
-                                VzaxB7/57vEKqj71x+Xu8S0sGpLcXrkf5p3ri93ScLsJ +    tMmWdYbZJOZsdAzmshuWJIUlTZdNN5671Rhc6P9TWnMlvb9iNT7G3DZ9 
-                                OT11fIlMRIwcKsWZEIIyYzuQeq8MoVTenvN6re/y872V +    PhBw1OF/OmmXobv3Wygbt5+u7q2CPPzwU4WTGpVNtr3Iry2SPW3XVpJS 
-                                b6JBHbBMk0JmsRwkXltz9PINWyvVyqM3PA1bJ4fz8Qbq +    M3+nW7LfxxtWZJlN4MDQYC5IptU+A5EO80/yE38E9tKGDWC1+Nw59QLa 
-                                XnTnJiR/yylhcE8rjPUtnf29NyDN7Co9JzPwnwE74F3k +    BE7ff+Jkq7OMjTHjFhYivkJSv+8LEbkGjWoaMAS2CT3/ZVMYLiQn8THi 
-                                3R18w45L8E5Dt5it2PIA9/rb6GDMrPAPsa1X82qNLzcb +    ZUBF+aOzJMw0EGPag1Qq4vfGgFkQMM3hOaH6bWN1yCvmspuiwLYkNCZZ 
-                                oosMj9vT7Ofg8M+x2/VYt6u4xX4glZRavyjTs6qGfzFS +    /l8ThKc57bGYy9TX"; 
-                                +Z44zrIP4CtNa0fL0AwJ/wsK4YJSX0xZ6/CJI/NNXeSg +
-                                G5vfMw04kUDI9d9oO9jkAhYDmTaOI6C5nVTymAs3uje8 +
-                                /mZlo/pUSllB0DkpTgd5PTAwQsA1";+
 }; };
 </file> </file>
Line 39: Line 37:
 > >
 > <code> > <code>
-dig DNSKEY . @45.56.116.224 +short+dig DNSKEY . @195.201.99.61 +short
 </code> </code>
 > <code> > <code>
-256 3 8 AwEAAaZnbL4yf5OZKLi/tjNBLKUwLuxhyvhildx0Efb/nMlRrCgafhCD 8A8tZkQLMQjQDu5Uckk/M1wCY5U8A9yvOapWMHx3S9dnFSvp4CFWitvo QYDJIMMooNGdYpljzKtR52wPdUpcqvSRwpp9a4gsoEx/r4jY9vyrT/SO 7yQuhh4uVKtZeHcXl/w2V14zVNUBoDl3SlSYIkVBa2HzponOsDlqJN6V QbZQ4mbvpnvbWOq55E/1pzIIrwp0X2VxSunhU/sGKpfiW9c5O6mPwUGl 1NDeYzycNKGy2Nsx4p4nkN43rRwjDBtD4CSUiTwtsMFTF5xKAbuUgSds BAQMyTnokYs+256 3 8 AwEAAeXw6/FhGTrrrowgiK/4mWwP76JM/Np6FwHmQ+Qn73wdOWT0d189 gkNeVNTVyQNU+q+MBnJ01OFbgQqsey6pd2OjAD5i8pDqZz/0zS7z70Uv eScfqLv08n8qoZOsv7QhytVE9qGqfXgeeGPUctOeqfdlJN/NXnU7crBT 6AxLg1FChV1m3dOcJwCW72XPi/Mbo9dsJSgbWZmVGCILBEQjVa13K4lt roHibq/1kUvmei0TLpzDpwu9OG3m50tAa+JTyId2vqopbCqEk2rQspQTbewkG2jF7TRvDZbRje8Z2eA2HLW3ClrlIFBcyv/0NqrFH9CJCR2g2Mu a77etVdrgUE
-257 3 8 AwEAAaq+qqsdDHByq/DFR5/u23qcDNOQJzjYBcSfjrGNLdY2+vY+ubhu iz0hG1xk5D+dK78Eh58wZ3tQnsRr3bVNVfcovlx/rdwuw5blez2TT0Et 4IF/3b/RpMpCwSSOWTMGvi0EwIMNsjYWEZlRjcWku3cnAAvSD3YdaRW2 JCKsbkK5OQp2YjuQgIOL7J6f8mN6nkfAWd9L2U9H+TSEnx8gqqkXIEIR WcbdWN1FiCdy3L8CaHbZcttzx5lLOGrjPW+raXn+KaQSU+WW9n2PPOZb NUrQnsW/DJ+b+soNQQbhwFlp/av5VzaxB7/57vEKqj71x+Xu8S0sGpLc Xrkf5p3ri93ScLsJOT11fIlMRIwcKsWZEIIyYzuQeq8MoVTenvN6re/y 872Vb6JBHbBMk0JmsRwkXltz9PINWyvVyqM3PA1bJ4fz8QbqXnTnJiR/ yylhcE8rjPUtnf29NyDN7Co9JzPwnwE74F3k3R18w45L8E5Dt5it2PIA 9/rb6GDMrPAPsa1X82qNLzcboosMj9vT7Ofg8M+x2/VYt6u4xX4glZRa vyjTs6qGfzFS+Z44zrIP4CtNa0fL0AwJ/wsK4YJSX0xZ6/CJI/NNXeSg G5vfMw04kUDI9d9oO9jkAhYDmTaOI6C5nVTymAs3uje8/mZlo/pUSllB 0DkpTgd5PTAwQsA1+257 3 8 AwEAAbtbsu+wl3fbEDbgvMgJ1BDXeAk5t6BU7B1KGVvc13zMJtjvarxp WWrAb7fmWERX8kJawa3KpYty0EDFQ24nfQyhwEOld442ca89u4/ZU3jP uwKohbGn55vIQ7KjCIrDNvRYjGVn2MNwZnL4WVVclJYsa1cGwVQ9t575 I5yvU+5g+jVcjUsGwFn6xmuJC0Z33ABKsC8b1cjfcnvE4wP3CrXOlDQEr4uPUtMKrmG+Sj1Bm5U+do78mwEXOlTz/sNj8tkpL0pYB2j+XNaDVrO 0uS1beekejnttMsC4SHMCsiwMvigW2O54ByhzijU2v87d7U9WEMVfPvO 6gearg1fo/1Tk4buzPZcS+W9WZgFAt7kT1ois3x0GGT7J55zENB9IZU4 tMmWdYbZJOZsdAzmshuWJIUlTZdNN5671Rhc6P9TWnMlvb9iNT7G3DZ9 PhBw1OF/OmmXobv3Wygbt5+u7q2CPPzwU4WTGpVNtr3Iry2SPW3XVpJS M3+nW7LfxxtWZJlN4MDQYC5IptU+A5EO80/yE38E9tKGDWC1+Nw59QLa BE7ff+Jkq7OMjTHjFhYivkJSv+8LEbkGjWoaMAS2CT3/ZVMYLiQn8THi ZUBF+aOzJMw0EGPag1Qq4vfGgFkQMM3hOaH6bWN1yCvmspuiwLYkNCZZ /l8ThKc57bGYy9TX
 </code> </code>
  
Line 78: Line 76:
  
 <file lua config.lua> <file lua config.lua>
-addDS('.', "47089 8 2 6D81988A88BD546E429486CC0A97518F90F9FC6C6C6B7E5BC2788469858C7324")+addDS('.', "60820 8 2 A01E33C8E95712E555FA9E6C09921830F3A518E36C5998F4ADBF5570AA86B538")
 </file> </file>
  
Line 98: Line 96:
 <code> <code>
 dnssec dnssec
-trust-anchor=.,33750,8,2,ced6135102155c7a9c8a99945068ee0dcc21e2f70a5046b4e50ae98ad3ba9de2 +trust-anchor=.,60820,8,2,A01E33C8E95712E555FA9E6C09921830F3A518E36C5998F4ADBF5570AA86B538
-trust-anchor=.,47089,8,2,6d81988a88bd546e429486cc0a97518f90f9fc6c6c6b7e5bc2788469858c7324+
 </code> </code>
 +
 +==== Unbound ====
 +
 +1. Generate the ''/etc/unbound/opennic.dnskey'' file:
 +
 +<code>
 +dig @195.201.99.61 . DNSKEY | dnssec-dsfromkey -2 -f - . > /etc/unbound/opennic.dnskey
 +</code>
 +
 +2. Edit ''/etc/unbound/unbound.conf'' and set the attribute ''auto-trust-anchor-file'' with the ''opennic.dnskey'' file:
 +
 +<code>
 +auto-trust-anchor-file: "opennic.dnskey"
 +</code>
 +
 +3. Restart Unbound: ''systemctl restart unbound''
  
 ===== Testing DNSSEC ===== ===== Testing DNSSEC =====
Line 107: Line 120:
  
 <code> <code>
-root@nyc3:~# dig pir.org +dnssec +multi @167.99.153.82+root@korridor:~# dig pir.org +dnssec +multi @46.102.156.180
  
-; <<>> DiG 9.10.3-P4-Ubuntu <<>> pir.org +dnssec +multi @167.99.153.82+; <<>> DiG 9.20.21-1~deb13u1-Debian <<>> pir.org +dnssec +multi @46.102.156.180
 ;; global options: +cmd ;; global options: +cmd
 ;; Got answer: ;; Got answer:
-;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3924 +;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22885 
-;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1+;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
  
 ;; OPT PSEUDOSECTION: ;; OPT PSEUDOSECTION:
-; EDNS: version: 0, flags: do; udp: 4096+; EDNS: version: 0, flags: do; udp: 65494 
 +; COOKIE: 641abe6c795889030100000069f2434e9c48eb04cf870e99 (good)
 ;; QUESTION SECTION: ;; QUESTION SECTION:
-;pir.org.               IN A+;pir.org. IN A
  
 ;; ANSWER SECTION: ;; ANSWER SECTION:
-pir.org.                241 IN A 97.107.141.235 +pir.org. 299 IN A 141.193.213.20 
-pir.org.                241 IN RRSIG A 5 2 300 ( +pir.org. 299 IN A 141.193.213.21 
-                                20180430162216 20180416162216 30795 pir.org. +pir.org. 299 IN RRSIG A 5 2 300 ( 
-                                Al1OgzE47XZcgl2t9IysJROLgM2Z2/f7tJ6LDuDdTHOD + 20260512204001 20260428204001 42621 pir.org. 
-                                itT5fJZjRypVJLfZrU73ng5J86dJCFEREk2k6I1lhmno + FnApY4+UtOcd3InElCd8W9+q8koa8vw5qt68ZETv+EcN 
-                                lJHKH1/MZK+LRDjZWJWqo3F5+MJTFv8W0F8zXWu4AMJE + ZnTzUm2qW+9AqE7R0YfS2ZBs9c9fn65CuFsRr+ynEyI/ 
-                                RYyyhX4fl+mL02T4VLGqpjrH2AX9tH8wRT9TuJE= )+ OyekiTuLZhmgZjLR5bSlUi1dGPA0G1EUdBrZvaxJGb3z 
 + UYcjWXGoi6zhX7vqzuFwJ0VN7B0aYhQnyvU+0v8= )
  
-;; Query time: msec +;; Query time: 735 msec 
-;; SERVER: 167.99.153.82#53(167.99.153.82+;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP
-;; WHEN: Mon Apr 16 19:46:05 UTC 2018 +;; WHEN: Wed Apr 29 19:43:42 CEST 2026 
-;; MSG SIZE  rcvd: 21+;; MSG SIZE  rcvd: 263
 </code> </code>
  
Line 138: Line 153:
  
 <code> <code>
-root@nyc3:~# dig dnssec-failed.org +dnssec +multi @167.99.153.82+root@korridor:~# dig dnssec-failed.org +dnssec +multi @46.102.156.180
  
-; <<>> DiG 9.10.3-P4-Ubuntu <<>> dnssec-failed.org +dnssec +multi @167.99.153.82+; <<>> DiG 9.20.21-1~deb13u1-Debian <<>> dnssec-failed.org +dnssec +multi
 ;; global options: +cmd ;; global options: +cmd
 ;; Got answer: ;; Got answer:
-;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 10808+;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 36673
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
  
 ;; OPT PSEUDOSECTION: ;; OPT PSEUDOSECTION:
-; EDNS: version: 0, flags: do; udp: 4096+; EDNS: version: 0, flags: do; udp: 65494 
 +; COOKIE: dd4e47674a1c21f40100000069f24389ffb0f254c877cb94 (good)
 ;; QUESTION SECTION: ;; QUESTION SECTION:
-;dnssec-failed.org.     IN A+;dnssec-failed.org. IN A
  
-;; Query time: 1029 msec +;; Query time: 1555 msec 
-;; SERVER: 167.99.153.82#53(167.99.153.82+;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP
-;; WHEN: Mon Apr 16 19:48:04 UTC 2018 +;; WHEN: Wed Apr 29 19:44:41 CEST 2026 
-;; MSG SIZE  rcvd: 46+;; MSG SIZE  rcvd: 74
 </code> </code>
  
Line 160: Line 176:
  
 <code> <code>
-root@nyc3:~# dig google.com +dnssec +multi @167.99.153.82+root@korridor:~# dig google.com +dnssec +multi @46.102.156.180
  
-; <<>> DiG 9.10.3-P4-Ubuntu <<>> google.com +dnssec +multi @167.99.153.82+; <<>> DiG 9.20.21-1~deb13u1-Debian <<>> google.com +dnssec +multi @46.102.156.180
 ;; global options: +cmd ;; global options: +cmd
 ;; Got answer: ;; Got answer:
-;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51509+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15620
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
  
 ;; OPT PSEUDOSECTION: ;; OPT PSEUDOSECTION:
-; EDNS: version: 0, flags: do; udp: 4096+; EDNS: version: 0, flags: do; udp: 1232 
 +; COOKIE: 19b6c445faa8b2370100000069f2442a56ff0168fadfb041 (good)
 ;; QUESTION SECTION: ;; QUESTION SECTION:
-;google.com.            IN A+;google.com. IN A
  
 ;; ANSWER SECTION: ;; ANSWER SECTION:
-google.com.             40 IN A 172.217.12.206+google.com. 285 IN A 142.251.38.142
  
-;; Query time: msec +;; Query time: msec 
-;; SERVER: 167.99.153.82#53(167.99.153.82+;; SERVER: 46.102.156.180#53(46.102.156.180) (UDP
-;; WHEN: Mon Apr 16 19:48:56 UTC 2018 +;; WHEN: Wed Apr 29 19:47:22 CEST 2026 
-;; MSG SIZE  rcvd: 55+;; MSG SIZE  rcvd: 83
 </code> </code>
  • /wiki/data/attic/opennic/dnssec.1524094118.txt.gz
  • Last modified: 8 years ago
  • by jonaharagon