DNSSEC, BIND9, ...



So, some questions were asked earlier today regarding DNSSEC and
BIND9.

I'd mentioned I had some information on that and/or had earlier sent
out some notes on such.

I also mentioned I take care of some domains that have DNSSEC set up,
these include:
balug.org
sf-lug.org
sf-lug.com
(plus a couple of my own ... so ... 5 total).

Once DNSSEC is in place, maintaining it is quite easy.  Just need to be
reasonably careful when setting it up.  I think about the last thing
I did with DNSSEC that was a slightly more involved change, was
changing out some key(s) - I believe KSKs, ... as they were
(inefficiently) "too big" - notably stronger and longer than up-stream,
so no real security advantage, and mostly disadvantage in CPU burn
(extra cycle(s) for verification) and size (more bits to shuffle about
across the network).

And peeking a bit again, I've got this in my
notes:

DNSSEC with BIND >=9.9 and inline-signing

guide:
  https://ftp.isc.org/isc/dnssec-guide/dnssec-guide.pdf

key directory, e.g.:
named.conf:include "/etc/bind/named.conf.options";
named.conf.options:     key-directory "/var/cache/bind/keys";
# cd /var/cache/bind/keys && pwd -P && ls -ld .
/var/lib/named/var/cache/bind/keys
drwxrwx--- 2 root bind 4096 Sep 23 05:55 .
#

generate keys
# (umask 037 && dnssec-keygen -a RSASHA256 -b 1024 balug.org && dnssec-keygen -a RSASHA256 -b 2048 -f KSK balug.org)
SAVE COPIES!!! (if DS is set up in parent and private keys lost, one is screwed)

At least as of 2017-09-24:
Algorithm:
.(root),com,net is using 8 (RSASHA256)
org is using 7 (NSEC3RSASHA1)
bits:
.(root) is using 2048
com,net,org is using 2048 (KSK) / 1024 (ZSK)

enable inline signing for zone:
inline-signing yes;
auto-dnssec maintain;
serial-update-method unixtime;
(or default of: serial-update-method increment;)
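The steps in these notes (key directory with restricted permissions, ZSK/KSK generation under a tight umask, and the zone statement that turns on inline signing), collected into one shell script as an added example. This is not code from the original post; the zone name, the zone-file path, the function names and the sample dig output are assumptions chosen for illustration, and the key sizes default to the notes' values.

```bash
#!/bin/sh
# Added example, not part of the original post: the key-directory check,
# key generation and zone statement from the notes above as shell functions.
# Zone name, paths and function names are illustrative assumptions.
set -eu

# key_dir_ok DIR: succeed only if DIR exists and "other" has no access bits,
# matching the drwxrwx--- root:bind directory shown in the notes. Owner and
# group are deliberately not checked so the function also works in a test dir.
key_dir_ok() {
    dir=$1
    [ -d "$dir" ] || return 1
    perm=$(ls -ld "$dir" | cut -c1-10)
    case "$perm" in
        d??????---) return 0 ;;   # owner/group bits free, others must be ---
        *)          return 1 ;;
    esac
}

# gen_zone_keys ZONE DIR [ZSK_BITS] [KSK_BITS]: generate a ZSK and a KSK with
# dnssec-keygen into DIR under umask 037 so the private key files are never
# world-readable. Sizes default to the notes' values (ZSK 1024, KSK 2048).
# Returns 2 when dnssec-keygen is not installed instead of failing hard.
gen_zone_keys() {
    zone=$1 dir=$2 zsk_bits=${3:-1024} ksk_bits=${4:-2048}
    command -v dnssec-keygen >/dev/null 2>&1 || { echo "dnssec-keygen not found" >&2; return 2; }
    key_dir_ok "$dir" || { echo "refusing: $dir is missing or world-accessible" >&2; return 1; }
    (
        umask 037
        dnssec-keygen -K "$dir" -a RSASHA256 -b "$zsk_bits" "$zone"
        dnssec-keygen -K "$dir" -a RSASHA256 -b "$ksk_bits" -f KSK "$zone"
    )
}

# zone_clause ZONE ZONEFILE: print the named.conf zone statement that enables
# inline signing with automatic key maintenance and unixtime serials, as in the
# notes (key-directory is assumed to be set globally in named.conf.options).
zone_clause() {
    zone=$1 zonefile=$2
    cat <<EOF
zone "$zone" {
    type master;
    file "$zonefile";
    inline-signing yes;
    auto-dnssec maintain;
    serial-update-method unixtime;
};
EOF
}

# signed_answer_ok DIG_OUTPUT: given the text of a "dig +dnssec" query sent to
# a validating resolver, succeed only if the header carries the "ad" flag and
# the answer section contains an RRSIG. This is the after-the-fact check that
# the zone is actually being served signed and validates upstream.
signed_answer_ok() {
    out=$1
    if ! printf '%s\n' "$out" | grep -Eq '^;; flags:.* ad[ ;]'; then
        return 1
    fi
    if ! printf '%s\n' "$out" | grep -Eq '[[:space:]]IN[[:space:]]+RRSIG[[:space:]]'; then
        return 1
    fi
    return 0
}

# Constructed, abbreviated sample of dig output (not a real capture) used to
# exercise signed_answer_ok; 198.51.100.10 is a documentation address.
SAMPLE_DIG_OUTPUT=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
balug.org.   3600  IN  A      198.51.100.10
balug.org.   3600  IN  RRSIG  A 8 2 3600 20250101000000 20241201000000 12345 balug.org. EXAMPLEBASE64==
'

# Usage: ./dnssec-setup.sh ZONE KEYDIR   (prints the zone clause to paste
# into named.conf; does nothing when run without arguments)
if [ "$#" -ge 2 ]; then
    zone=$1 keydir=$2
    key_dir_ok "$keydir" || { echo "fix permissions on $keydir first (chmod 770, chgrp bind)" >&2; exit 1; }
    gen_zone_keys "$zone" "$keydir"
    zone_clause "$zone" "/var/cache/bind/$zone.zone"
fi
```

The script refuses to write keys into a directory that others can read, which is the mistake the umask in the notes guards against, and it keeps the private-key copies problem in view: nothing here backs up the generated `K*.private` files, so that step (the "SAVE COPIES" in the notes) still has to happen before the DS is published in the parent. The 1024-bit ZSK default reproduces the notes' 2017 value; current guidance treats RSA keys below 2048 bits as too small, so the size is a parameter rather than a fixed constant.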

resources:
guide: https://ftp.isc.org/isc/dnssec-guide/dnssec-guide.pdf
excellent troubleshooting: http://dnsviz.net/
Debian wiki bits (rather out-of-date at last check):
  https://wiki.debian.org/DNSSEC
  https://wiki.debian.org/DNSSEC%20Howto%20for%20BIND%209.9+
BIND documentation
more lists of resources: https://www.isc.org/downloads/bind/dnssec/
resolver validation checks:
  http://dnssec.vs.uni-due.de/
  https://rootcanary.org/test.html
  https://en.internet.nl/connection/

--
You received this message because you are subscribed to the Google Groups "BerkeleyLUG" group.