DNSSEC auth-zone

Luiz Fernando Softov fernando at softov.com.br
Tue Jul 13 11:03:02 UTC 2021

Hi, I had a misunderstanding.

drill is better than dig, I know, it was just an example of command.

In my conception, zones were auto signed by the daemon, Then I figured out
this was a mistake.

Zones are signed using tools, like dns-keygen, ldns-keygen and more.

I was able to find LDNS and examples like ldns-keygen, ldns-signzone.

Since I use C in my system, I was able to read the code and I could get
perfect work.
Only needed to create functions for my buffer, because I don't use struct
I made a sign function with user interaction and my beautiful interface.

Then I know, I need the KSK and ZSK (key and private).
Using these keys I read the zone and sign every RR.
And done, zone signed!

Changed the zonefile to the new one.
Restart the service.

After I put the DS in my registar.

Thanks for the help.

Em qua., 7 de jul. de 2021 às 11:10, Unbound <unbound at tacomawireless.net>

> On 2021-07-07 02:32, Luiz Fernando Softov via Unbound-users wrote:
> > Hi, I'm trying to configure a DNSSEC for an auth-zone
> > But I can't find any doc about it.
> >
> > There is a way to enable DNSSEC for auth-zone or local-zone?
> >
> > Like a signed zone in BIND or NSD does?
> > So, I can do a 'dig @ip-dns-server example.com +dnssec'
> The command your looking for is "drill". :-)
> # drill -h
> drill version 1.7.0 (ldns version 1.7.0)
> Written by NLnet Labs.
> Copyright (c) 2004-2008 NLnet Labs.
> Licensed under the revised BSD license.
> There is NO warranty; not even for MERCHANTABILITY or FITNESS
>    Usage: drill name [@server] [type] [class]
>         <name>  can be a domain name or an IP address (-x lookups)
>         <type>  defaults to A
>         <class> defaults to IN
>         arguments may be placed in random order
>    Options:
>         -D              enable DNSSEC (DO bit)
>         -T              trace from the root down to <name>
>         -S              chase signature(s) from <name> to a known key [*]
>         -I <address>    source address to query from
>         -V <number>     verbosity (0-5)
>         -Q              quiet mode (overrules -V)
>         -f file         read packet from file and send it
>         -i file         read packet from file and print it
>         -w file         write answer packet to file
>         -q file         write query packet to file
>         -h              show this help
>         -v              show version
>    Query options:
>         -4              stay on ip4
>         -6              stay on ip6
>         -a              fallback to EDNS0 and TCP if the answer is
> truncated
>         -b <bufsize>    use <bufsize> as the buffer size (defaults to 512
> b)
>         -c <file>       use file for rescursive nameserver configuration
>                         (/etc/resolv.conf)
>         -k <file>       specify a file that contains a trusted DNSSEC key
> [**]
>                         Used to verify any signatures in the current
> answer.
>                         When DNSSEC enabled tracing (-TD) or signature
>                         chasing (-S) and no key files are given, keys are
> read
>                         from: /etc/unbound/root.key
>         -o <mnemonic>   set flags to:
>                         [QR|qr][AA|aa][TC|tc][RD|rd][CD|cd][RA|ra][AD|ad]
>                         lowercase: unset bit, uppercase: set bit
>         -p <port>       use <port> as remote port number
>         -s              show the DS RR for each key in a packet
>         -u              send the query with udp (the default)
>         -x              do a reverse lookup
>         when doing a secure trace:
>         -r <file>       use file as root servers hint file
>         -t              send the query with tcp (connected)
>         -d <domain>     use domain as the start point for the trace
>         -y <name:key[:algo]>    specify named base64 tsig key, and
> optional an
>                         algorithm (defaults to hmac-md5.sig-alg.reg.int)
>         -z              don't randomize the nameservers before use
>    [*] = enables/implies DNSSEC
>    [**] = can be given more than once
>    ldns-team at nlnetlabs.nl | http://www.nlnetlabs.nl/ldns/
> # drill -TD host.some.domain
> # drill -D @www.xxx.yyy.zzz host.some.domain
> --Chris
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20210713/149e3568/attachment-0001.htm>

More information about the Unbound-users mailing list