Revision [2010]

This is an old revision of DnsSec made by BrianKoontz on 2009-07-01 18:27:45.

 

DNSSEC

This is a workspace set up to discuss DNSSEC as it relates to OpenNIC.

Resources


Test DNSSEC implementation on gopher zone

cat /dev/random > /tmp/random
...let run for a few seconds...
dd if=/tmp/random of=/tmp/random_1.1M count=2048
dd if=/tmp/random of=/tmp/random_2.1M count=2048 skip=2048
mkdir zones/gopher.zone
mv gopher.zone zones/gopher.zone
cd zones/gopher.zone
/usr/sbin/dnssec-keygen -a RSASHA1 -b 1024 -n ZONE -r ~/random_1.1M gopher
/usr/sbin/dnssec-keygen -a RSASHA1 -b 4096 -n ZONE -f KSK -r ~/random_2.1M gopher
cat Kgopher.+005+*.key >> gopher.zone
/usr/sbin/dnssec-signzone -o gopher gopher.zone
options {
	dnssec-enable yes; // use for both authoritative and recursive servers
	dnssec-validation yes; // omit for BIND 9.3
};

// Only needed for recursive servers at this time, but once ns0 has a valid key, another ##trusted-keys## section 
// in the T1 servers will be 
// needed to complete the "chain of trust"
trusted-keys {
	"gopher" 257 3 5 "AwEAA...Nij";
};
dig @66.244.95.11 gopher dnskey // Considered insecure, as this key might be spoofed in compromised servers
brian@alabaster <03:23 AM>$ dig www.gopher +dnssec

; <<>> DiG 9.3.4-P1 <<>> www.gopher +dnssec
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15189
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
...

DNSSEC periodic maintenance

To do!
There are no comments on this page.
Valid XHTML :: Valid CSS: :: Powered by WikkaWiki