DNSSEC auth-zone
Luiz Fernando Softov
fernando at softov.com.br
Tue Jul 13 11:03:02 UTC 2021
Hi, I had a misunderstanding.
drill is better than dig, I know; it was just an example of a command.
In my understanding, zones were auto-signed by the daemon. Then I figured out
this was a mistake.
Zones are signed using tools like dns-keygen, ldns-keygen and more.
I was able to find LDNS and examples like ldns-keygen, ldns-signzone.
Since I use C in my system, I was able to read the code and get it working
perfectly.
I only needed to create functions for my buffer, because I don't use struct
FILE *.
I made a sign function with user interaction and my beautiful interface.
Then I knew I needed the KSK and ZSK (key and private).
Using these keys, I read the zone and sign every RR.
And done, zone signed!
I changed the zonefile to the new one.
Restarted the service.
Afterwards I put the DS in my registrar.
Thanks for the help.
On Wed, 7 Jul 2021 at 11:10, Unbound <unbound at tacomawireless.net>
wrote:
> On 2021-07-07 02:32, Luiz Fernando Softov via Unbound-users wrote:
> > Hi, I'm trying to configure DNSSEC for an auth-zone,
> > but I can't find any doc about it.
> >
> > There is a way to enable DNSSEC for auth-zone or local-zone?
> >
> > Like a signed zone in BIND or NSD does?
> > So, I can do a 'dig @ip-dns-server example.com +dnssec'
> The command you're looking for is "drill". :-)
> # drill -h
> drill version 1.7.0 (ldns version 1.7.0)
> Written by NLnet Labs.
>
> Copyright (c) 2004-2008 NLnet Labs.
> Licensed under the revised BSD license.
> There is NO warranty; not even for MERCHANTABILITY or FITNESS
> FOR A PARTICULAR PURPOSE.
> Usage: drill name [@server] [type] [class]
> <name> can be a domain name or an IP address (-x lookups)
> <type> defaults to A
> <class> defaults to IN
>
> arguments may be placed in random order
>
> Options:
> -D enable DNSSEC (DO bit)
> -T trace from the root down to <name>
> -S chase signature(s) from <name> to a known key [*]
> -I <address> source address to query from
> -V <number> verbosity (0-5)
> -Q quiet mode (overrules -V)
>
> -f file read packet from file and send it
> -i file read packet from file and print it
> -w file write answer packet to file
> -q file write query packet to file
> -h show this help
> -v show version
>
> Query options:
> -4 stay on ip4
> -6 stay on ip6
> -a fallback to EDNS0 and TCP if the answer is truncated
> -b <bufsize> use <bufsize> as the buffer size (defaults to 512 b)
> -c <file> use file for recursive nameserver configuration (/etc/resolv.conf)
> -k <file> specify a file that contains a trusted DNSSEC key [**]
> Used to verify any signatures in the current answer.
> When DNSSEC enabled tracing (-TD) or signature chasing (-S) and no key files are given, keys are read from: /etc/unbound/root.key
> -o <mnemonic> set flags to:
> [QR|qr][AA|aa][TC|tc][RD|rd][CD|cd][RA|ra][AD|ad]
> lowercase: unset bit, uppercase: set bit
> -p <port> use <port> as remote port number
> -s show the DS RR for each key in a packet
> -u send the query with udp (the default)
> -x do a reverse lookup
> when doing a secure trace:
> -r <file> use file as root servers hint file
> -t send the query with tcp (connected)
> -d <domain> use domain as the start point for the trace
> -y <name:key[:algo]> specify named base64 tsig key, and optionally an algorithm (defaults to hmac-md5.sig-alg.reg.int)
> -z don't randomize the nameservers before use
>
> [*] = enables/implies DNSSEC
> [**] = can be given more than once
>
> ldns-team at nlnetlabs.nl | http://www.nlnetlabs.nl/ldns/
>
> # drill -TD host.some.domain
> # drill -D @www.xxx.yyy.zzz host.some.domain
>
> HTH
>
> --Chris
>
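The last step in the procedure above, handing the DS to the registrar, needs the key tag and a digest of the KSK's DNSKEY. The following is an added example, not code from the thread, from Unbound or from ldns: it parses a DNSKEY line in the presentation format an ldns-keygen .key file holds (the field layout is an assumption), computes the RFC 4034 key tag and the DS digest over the canonical owner name plus DNSKEY RDATA, and derives the K<owner>+<alg>+<tag> base name ldns-keygen uses (also an assumption) so the computed tag can be compared with the file name actually produced. The sample DNSKEY is constructed with an all-zero public key so the expected key tag can be checked by hand; it is not a valid key.

```python
"""Key tag and DS record for a DNSKEY (RFC 4034, RFC 4509).

Added example, not code from the thread, from Unbound or from ldns. It
computes the two values a registrar asks for once a zone has been signed.
"""
import base64
import hashlib
import struct

# Digest types offered for a DS record: 2 = SHA-256 (RFC 4509),
# 4 = SHA-384 (RFC 6605). SHA-1 (type 1) is deliberately left out.
DS_DIGESTS = {2: hashlib.sha256, 4: hashlib.sha384}

# Constructed sample in the one-line format an ldns-keygen .key file holds
# (assumed layout: owner TTL class DNSKEY flags protocol algorithm key).
# Flags 257 = zone key + SEP bit, i.e. a KSK; algorithm 13 = ECDSAP256SHA256.
# The 64 zero bytes are NOT a valid curve point; they only make the expected
# key tag (1038) easy to verify by hand.
SAMPLE_DNSKEY_LINE = (
    "example.com.\t3600\tIN\tDNSKEY\t257 3 13 "
    + base64.b64encode(bytes(64)).decode("ascii")
)


def name_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lowercase, length-prefixed labels, terminated by the empty root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def parse_dnskey(line):
    """Return (owner, flags, protocol, algorithm, key_bytes) from a DNSKEY RR
    in presentation format; TTL and class before 'DNSKEY' are optional."""
    fields = line.split()
    owner = fields[0]
    idx = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    key = base64.b64decode("".join(fields[idx + 4:]))
    return owner, flags, proto, alg, key


def dnskey_rdata(flags, proto, alg, key):
    """DNSKEY RDATA in wire form: flags(2) protocol(1) algorithm(1) key."""
    return struct.pack("!HBB", flags, proto, alg) + key


def key_tag(rdata):
    """RFC 4034 Appendix B.1 key tag over the DNSKEY RDATA. This is the
    generic algorithm; algorithm 1 (RSA/MD5, obsolete) has a different
    rule and is not handled here."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(line, digest_type=2, require_ksk=True):
    """DS RR in presentation format for the DNSKEY on `line`. The digest
    covers the canonical owner name followed by the DNSKEY RDATA."""
    owner, flags, proto, alg, key = parse_dnskey(line)
    if require_ksk and not flags & 0x0001:
        # The parent's DS must point at the key that signs the DNSKEY RRset,
        # normally the KSK (SEP bit set, flags 257); refuse a ZSK by default.
        raise ValueError("DNSKEY on this line is not a KSK (SEP bit clear)")
    rdata = dnskey_rdata(flags, proto, alg, key)
    digest = DS_DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return "%s IN DS %d %d %d %s" % (owner, key_tag(rdata), alg, digest_type, digest)


def expected_filename(line):
    """Base name ldns-keygen is assumed to use for its files:
    K<owner>+<algorithm, 3 digits>+<key tag, 5 digits> (.key / .private).
    Comparing it with the file you actually have catches a wrong key file."""
    owner, flags, proto, alg, key = parse_dnskey(line)
    return "K%s+%03d+%05d" % (owner, alg, key_tag(dnskey_rdata(flags, proto, alg, key)))


if __name__ == "__main__":
    print(expected_filename(SAMPLE_DNSKEY_LINE))
    print(ds_record(SAMPLE_DNSKEY_LINE))
    print(ds_record(SAMPLE_DNSKEY_LINE, digest_type=4))
```

Before submitting the DS, compare it with what `drill -s` (the "show the DS RR for each key in a packet" option in the help above) prints for the served DNSKEY RRset; a DS whose key tag or digest does not match a DNSKEY actually in the zone makes validating resolvers treat the whole zone as bogus.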