[GH-ISSUE #26] DNSSEC #27

Closed
opened 2026-02-26 09:35:00 +03:00 by kerem · 6 comments

Originally created by @ThomasWaldmann on GitHub (Oct 22, 2013).
Original GitHub issue: https://github.com/nsupdate-info/nsupdate.info/issues/26

Originally assigned to: @ThomasWaldmann on GitHub.

document usage with DNSSEC, add a configuration example, useful links, ...

@jluebbe commented on GitHub (Dec 7, 2013):

DNSSEC simply works when configured on the DNS server. Support in nsupdate shouldn't be needed.


@ThomasWaldmann commented on GitHub (Dec 8, 2013):

maybe we would want to add some configuration example?

(and sometimes I also confuse the nsupdate.info software todo and the nsupdate.info site / dns todo)

what also was a bit unclear to me while reading DNSSEC docs: the keys seem to have a limited validity, so does this need regular intervention by the admin to install new keys?


@jluebbe commented on GitHub (Dec 8, 2013):

Running DNSSEC using a recent BIND is not that complicated. The only critical thing is that your domain provider is willing to add the DS records to the top level domain.

For my zone I have the following config for DNSSEC with nsupdate:

```
zone "stratum0.net" {
        auto-dnssec maintain;
        type master;
        update-policy {
                  ....
        };
        file "/etc/bind/stratum0.net/stratum0.net";
        key-directory "/etc/bind/stratum0.net";
};
```

Only auto-dnssec maintain and key-directory "/etc/bind/stratum0.net" are relevant to DNSSEC. With this setup, you only need to use dnssec-keygen to generate the KSK and ZSK. Finally you generate the DS records with dnssec-dsfromkey -f <zonefile> and pass those to your domain provider. There is a short guide at http://fanf.livejournal.com/112476.html.

If your domain provider doesn't support DNSSEC, you can use [DLV (DNSSEC Look-aside Validation)](https://dlv.isc.org/). It's an alternative entry point and also very useful for initial testing.

Also very useful for debugging is http://dnsviz.net/d/stratum0.net/dnssec/, which shows you a graph of all keys and their relationships. The gray DNSKEYs are KSKs and the white ones are ZSKs. To keep DNS messages smaller, DNSSEC uses shorter keys and so they must be rotated regularly. The longer (2048 bit) KSKs have a lifetime on the order of years and the shorter (1024 bit) ZSKs on the order of months. Note that they do not expire after this time, it's just strongly recommended to perform a rollover after that time.

With auto-dnssec maintain, you just have to generate new keys. The metadata in the key files allows BIND to handle the rollover automatically. For KSK changes, you'd need to notify your domain provider again.

This setup has been running without problems for two months now on stratum0.net (which provides DYNDNS for our hackerspace).
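As an added example (not part of this issue thread or of nsupdate.info), a small Python script that computes the DS record for a DNSKEY the way dnssec-dsfromkey does, so the DS your domain provider published can be checked against the KSK actually in the zone; the zone name and DNSKEY below are constructed placeholders, not the real stratum0.net key.

```python
# Added example (not from the issue or nsupdate.info): derive the DS record for a
# DNSKEY as dnssec-dsfromkey does. Key tag: RFC 4034 Appendix B; DS digest:
# RFC 4034 section 5.1.4 (SHA-1), RFC 4509 (SHA-256), RFC 6605 (SHA-384).
import base64
import hashlib

def owner_wire(name):
    """Canonical wire form of the owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """Wire-format DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey

def key_tag(rdata):
    """RFC 4034 Appendix B: sum the RDATA as 16-bit words, fold the carry, keep 16 bits."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def is_ksk(flags):
    """SEP bit (least significant flag bit) set: a KSK (257). ZSKs (256) need no DS at the parent."""
    return bool(flags & 1)

def parse_dnskey(line):
    """Parse 'name [ttl] [IN] DNSKEY flags proto alg base64...' into (name, flags, proto, alg, key)."""
    f = line.split()
    i = f.index("DNSKEY")
    return f[0], int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), base64.b64decode("".join(f[i + 4:]))

def ds_for_dnskey(line, digest_type=2):
    """Return (key_tag, algorithm, digest_type, DIGEST_HEX), the fields dnssec-dsfromkey prints."""
    name, flags, proto, alg, key = parse_dnskey(line)
    rdata = dnskey_rdata(flags, proto, alg, key)
    h = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return key_tag(rdata), alg, digest_type, h(owner_wire(name) + rdata).hexdigest().upper()

def ds_matches(dnskey_line, ds_line):
    """True if a published 'name [ttl] [IN] DS tag alg dtype digest' line matches the DNSKEY."""
    f = ds_line.split()
    i = f.index("DS")
    tag, alg, dtype, digest = int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), "".join(f[i + 4:]).upper()
    return ds_for_dnskey(dnskey_line, dtype) == (tag, alg, dtype, digest)

# Constructed sample, not a real key: flags 257 = KSK, protocol 3, algorithm 8 (RSASHA256).
SAMPLE_DNSKEY = "example.net. IN DNSKEY 257 3 8 AwEAAaurq6s="
```

Feed it the KSK line from the zone's DNSKEY RRset and the DS line the parent serves; a key tag or digest mismatch (typically after a KSK rollover the provider was not told about) means validators will treat the zone as bogus.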


@ThomasWaldmann commented on GitHub (Dec 8, 2013):

see also #105

@ThomasWaldmann commented on GitHub (Dec 6, 2014):

http://securityblog.switch.ch/2014/11/13/dnssec-signing-your-domain-with-bind-inline-signing/

@ThomasWaldmann commented on GitHub (Dec 6, 2014):

also interesting: how does dnssec signing impact zone update performance?
