Blame


1 2a1f38d1 2022-04-02 jrmu version=pmwiki-2.2.130 ordered=1 urlencoded=1
2 2a1f38d1 2022-04-02 jrmu agent=Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
3 2a1f38d1 2022-04-02 jrmu author=pyr3x
4 2a1f38d1 2022-04-02 jrmu charset=UTF-8
5 2a1f38d1 2022-04-02 jrmu csum=
6 2a1f38d1 2022-04-02 jrmu ctime=1641755215
7 2a1f38d1 2022-04-02 jrmu host=24.97.51.2
8 2a1f38d1 2022-04-02 jrmu name=Nsd.DNSSec
9 2a1f38d1 2022-04-02 jrmu rev=4
10 2a1f38d1 2022-04-02 jrmu targets=
11 2a1f38d1 2022-04-02 jrmu text=(:title Configuring DNSSEC for NSD:)%0a%0aThis guide assumes you are providing DNS for your domain through NSD.%0a%0aFirst step is to install ldns-utils package by NLnet Labs%0a%0a[@%0a# pkg_add ldns-utils%0a@]%0a%0aWe then need to generate zone signing keys and key signing keys%0a%0a[@%0a# mkdir /var/nsd/zsks%0a# mkdir /var/nsd/ksks%0a# cd /var/nsd/zsks && ldns-keygen -a ECDSAP384SHA384 domain.com%0a# cd /var/nsd/ksks && ldns-keygen -k -a ECDSAP384SHA384 domain.com%0a@]%0a%0aSign the zone with the ZSK and KSK and also enabling NSEC3. When generating the keys there will be specific numbers generated as part of the filename including your domain. When running the command ldns-signzone you will need to use the whole filename up to the period (.). See ldns-signzone(1) for more details.%0a%0a[@%0a# cd /var/nsd/zones/master%0a# ldns-signzone -n -o domain.com %3czone-file> ../../zsks/Kdomain.comXXX ../../ksks/Kdomain.comXXX%0a@]%0a%0aThis will generate a new zone file with the extension '.signed'. In this example the file would be called domain.com.signed.%0a%0aUpdate nsd.conf to point to the new zone file and restart nsd. Check /var/log/messages for any errors.%0a%0aAt this point the final step is to login to your registrar to update the glue records. This is specific to each registrar. You will need the information in your ksks/*.ds file to copy/paste into the registrar.%0a%0aTest if DNSSEC is working by typing your domain into https://dnssec-analyzer.verisignlabs.com/
12 2a1f38d1 2022-04-02 jrmu time=1642128803
13 2a1f38d1 2022-04-02 jrmu title=Configuring DNSSEC for NSD
14 2a1f38d1 2022-04-02 jrmu author:1642128803=pyr3x
15 2a1f38d1 2022-04-02 jrmu diff:1642128803:1641938878:=24c24%0a%3c # ldns-signzone -n -o domain.com %3czone-file> ../../zsks/Kdomain.comXXX ../../ksks/Kdomain.comXXX%0a---%0a> # ldns-signzone -n -o domain.com ../../zsks/Kdomain.comXXX ../../ksks/Kdomain.comXXX%0a
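Review bot: the <zone-file> placeholder on the "<" side of 24c24 (the form that also appears in the current text= field) is parsed as shell redirection if the command is typed at the root prompt as written. "<zone-file" becomes input redirection and "> ../../zsks/Kdomain.comXXX" becomes output redirection, so ldns-signzone never receives the zone file as an argument and a file of that name is created or truncated in the zsks directory. Suggest a placeholder without angle brackets, for example domain.com, which matches the domain.com.signed output the guide names later, or a sentence in the prose saying the placeholder must be replaced with the real zone file name.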
16 2a1f38d1 2022-04-02 jrmu host:1642128803=24.97.51.2
17 2a1f38d1 2022-04-02 jrmu author:1641938878=pyr3x
18 2a1f38d1 2022-04-02 jrmu diff:1641938878:1641755435:=3,4c3,4%0a%3c This guide assumes you are providing DNS for your domain through NSD.%0a%3c %0a---%0a> What is DNSSEC? XXX%0a> %0a8,33c8,9%0a%3c # pkg_add ldns-utils%0a%3c @]%0a%3c %0a%3c We then need to generate zone signing keys and key signing keys%0a%3c %0a%3c [@%0a%3c # mkdir /var/nsd/zsks%0a%3c # mkdir /var/nsd/ksks%0a%3c # cd /var/nsd/zsks && ldns-keygen -a ECDSAP384SHA384 domain.com%0a%3c # cd /var/nsd/ksks && ldns-keygen -k -a ECDSAP384SHA384 domain.com%0a%3c @]%0a%3c %0a%3c Sign the zone with the ZSK and KSK and also enabling NSEC3. When generating the keys there will be specific numbers generated as part of the filename including your domain. When running the command ldns-signzone you will need to use the whole filename up to the period (.). See ldns-signzone(1) for more details.%0a%3c %0a%3c [@%0a%3c # cd /var/nsd/zones/master%0a%3c # ldns-signzone -n -o domain.com ../../zsks/Kdomain.comXXX ../../ksks/Kdomain.comXXX%0a%3c @]%0a%3c %0a%3c This will generate a new zone file with the extension '.signed'. In this example the file would be called domain.com.signed.%0a%3c %0a%3c Update nsd.conf to point to the new zone file and restart nsd. Check /var/log/messages for any errors.%0a%3c %0a%3c At this point the final step is to login to your registrar to update the glue records. This is specific to each registrar. You will need the information in your ksks/*.ds file to copy/paste into the registrar.%0a%3c %0a%3c Test if DNSSEC is working by typing your domain into https://dnssec-analyzer.verisignlabs.com/%0a\ No newline at end of file%0a---%0a> pkg_add ldns-utils%0a> @]%0a\ No newline at end of file%0a
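Review bot: the registrar paragraph near the end of the 8,33c8,9 hunk says to "update the glue records" but then points the reader at the ksks/*.ds file. What that file holds, and what the registrar needs, is the DS record for the KSK; glue records are the name servers' address records, and signing the zone does not change them. Suggest "add the DS record" in place of "update the glue records". The hunk also has no step for re-running ldns-signzone after the zone is edited or before the signatures expire, which is worth a sentence after the nsd.conf step.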
19 2a1f38d1 2022-04-02 jrmu host:1641938878=24.97.51.2
20 2a1f38d1 2022-04-02 jrmu author:1641755435=pyr3x
21 2a1f38d1 2022-04-02 jrmu diff:1641755435:1641755215:=3,6c3,4%0a%3c What is DNSSEC? XXX%0a%3c %0a%3c First step is to install ldns-utils package by NLnet Labs%0a%3c %0a---%0a> tbd%0a> %0a8c6%0a%3c pkg_add ldns-utils%0a---%0a> some command%0a
22 2a1f38d1 2022-04-02 jrmu host:1641755435=24.97.51.2
23 2a1f38d1 2022-04-02 jrmu author:1641755215=pyr3x
24 2a1f38d1 2022-04-02 jrmu diff:1641755215:1641755215:=1,7d0%0a%3c (:title Configuring DNSSEC for NSD:)%0a%3c %0a%3c tbd%0a%3c %0a%3c [@%0a%3c some command%0a%3c @]%0a\ No newline at end of file%0a
25 2a1f38d1 2022-04-02 jrmu host:1641755215=24.97.51.2