[Pdns-users] Setting up intentionally invalid DNSSEC record in auto-secure environment

leen at consolejunkie.net
Wed Jan 6 20:38:44 UTC 2016


On 2016-01-06 20:42, Nicholas Williams wrote:
> I'll look into that other script. Thanks, Bert.
>
>> How about creating a separate sub-zone with a broken presigned
>> DNSSEC
>
>> You can set presigned for just that single zone using the
>> PRESIGNED domain metadata[1] in your database.
>
> I really like this idea in combination. That documentation that Pieter
> sent me should help me get set up with presigning. But, Leen, how
> would I set up a subzone delegated to the same authoritative server
> (or can I, even?)? Can you point me to that documentation?
>

It's just a domain & delegation like any other (this is the same thing 
the TLD does for you):

Just have both an autosigned-domain.tld and a 
presigned-subzone.autosigned-domain.tld in the domains-table like any 
normal domain.

Both domains should have NS and SOA records in the records table like 
any normal domain.

Then create the delegation in the autosigned-domain.tld domain by 
adding the NS-records pointing to the 
presigned-subzone.autosigned-domain.tld:

domain_id: autosigned-domain.tld ; name: presigned-subzone.autosigned-domain.tld ; type: NS ; content: ns1.autosigned-domain.tld
domain_id: autosigned-domain.tld ; name: presigned-subzone.autosigned-domain.tld ; type: NS ; content: ns2.autosigned-domain.tld

Now because it's DNSSEC you need to make it secure.

Assuming you want to sign the sub-zone for testing:

pdnssec secure-zone presigned-subzone.autosigned-domain.tld

Then you can grab the DS-record, which then needs to be added to the 
parent zone:

pdnssec show-zone presigned-subzone.autosigned-domain.tld

To know what the DS-record is.

Add the DNSSEC DS-record for presigned-subzone.autosigned-domain.tld in 
the autosigned-domain.tld domain.

domain_id: autosigned-domain.tld ; name: presigned-subzone.autosigned-domain.tld ; type: DS ; content: '5725 8 2 512fa6fe4d1f9ba974832e3456c4769db6c16ca1...'

Hope that makes it clear.

You should now be able to look up a DNSSEC-signed record for 
presigned-subzone.autosigned-domain.tld, for example the SOA-record.

Have a good day,
  Leen.

> Google really hasn't indexed this documentation very well at all...
>
> Thanks,
>
> Nick
>

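The procedure Leen lays out (two zones in the domains table, SOA/NS in each, delegation NS and a DS in the parent, PRESIGNED metadata on the child), as an added worked example that is not code from the post or from the PowerDNS project. It emits the INSERT statements for the PowerDNS generic SQL backends (column names assume that schema: domains.name/type, records.domain_id/name/type/content/ttl/auth, domainmetadata.domain_id/kind/content) and derives the child's DS from its DNSKEY with the RFC 4034 key-tag and digest procedure, so the DS you put in the parent can be checked against what `pdnssec show-zone` prints. The DNSKEY used here is a constructed placeholder (flags 257, algorithm 8, four bytes of key material), not a real RSA key; substitute the child's actual DNSKEY RDATA.

```python
"""Added example: delegation rows for a presigned child under an
auto-signed parent on one PowerDNS server, plus DS computation.
Not code from the mailing-list post or the PowerDNS project."""
import hashlib
import struct

# Constructed DNSKEY for the child: flags 257 (KSK/SEP), protocol 3,
# algorithm 8 (RSASHA256). The key bytes are a placeholder, not a real key.
CHILD_DNSKEY = {"flags": 257, "protocol": 3, "algorithm": 8,
                "key": bytes.fromhex("01020304")}

# DS digest types (RFC 4034 / RFC 4509 / RFC 6605): 1 SHA-1, 2 SHA-256, 4 SHA-384.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lowercase, length-prefixed labels, terminating root label."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if not label or len(label) > 63:
            raise ValueError("bad label in %r" % name)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(dnskey):
    """DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", dnskey["flags"], dnskey["protocol"],
                       dnskey["algorithm"]) + dnskey["key"]


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (for algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_content(owner, dnskey, digest_type=2):
    """DS in presentation form: '<keytag> <alg> <digesttype> <hex>'.
    digest = hash(canonical owner name || DNSKEY RDATA), RFC 4034 5.1.4."""
    rdata = dnskey_rdata(dnskey)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return "%d %d %d %s" % (key_tag(rdata), dnskey["algorithm"],
                            digest_type, digest)


def q(s):
    """SQL string literal; doubling single quotes is the only escaping needed."""
    return "'" + s.replace("'", "''") + "'"


def record(zone, name, rtype, content, ttl=3600, auth=1):
    """INSERT for the records table; domain_id is looked up from domains."""
    return ("INSERT INTO records (domain_id, name, type, content, ttl, auth) "
            "VALUES ((SELECT id FROM domains WHERE name=%s), %s, %s, %s, %d, %d);"
            % (q(zone), q(name), q(rtype), q(content), ttl, auth))


def delegation_sql(parent, child, nameservers, child_dnskey, serial=2016010601):
    """Every statement needed for a presigned child delegated from an
    auto-signed parent that lives on the same server. Names are expected
    lowercase without a trailing dot, as PowerDNS stores them."""
    stmts = []
    soa = "%s hostmaster.%s %d 10800 3600 604800 3600" % (nameservers[0], parent, serial)
    for zone in (parent, child):
        stmts.append("INSERT INTO domains (name, type) VALUES (%s, 'NATIVE');" % q(zone))
        stmts.append(record(zone, zone, "SOA", soa))
        for ns in nameservers:
            stmts.append(record(zone, zone, "NS", ns))
    # Delegation in the parent: NS at the child's name, non-authoritative (auth=0).
    for ns in nameservers:
        stmts.append(record(parent, child, "NS", ns, auth=0))
    # The DS is authoritative data of the parent, owned by the child's name.
    stmts.append(record(parent, child, "DS", ds_content(child, child_dnskey)))
    # PRESIGNED=1: serve the child's stored DNSKEY/RRSIG rows instead of signing live.
    stmts.append("INSERT INTO domainmetadata (domain_id, kind, content) "
                 "VALUES ((SELECT id FROM domains WHERE name=%s), 'PRESIGNED', '1');"
                 % q(child))
    return stmts


if __name__ == "__main__":
    for stmt in delegation_sql("autosigned-domain.tld",
                               "presigned-subzone.autosigned-domain.tld",
                               ["ns1.autosigned-domain.tld", "ns2.autosigned-domain.tld"],
                               CHILD_DNSKEY):
        print(stmt)
```

After loading the statements, run `pdnssec rectify-zone` on both zones so the ordername/auth columns are consistent with the NSEC/NSEC3 chain, and compare the DS line with the one `pdnssec show-zone presigned-subzone.autosigned-domain.tld` prints; a mismatched key tag or digest in the parent is exactly the kind of bogus delegation that makes validating resolvers SERVFAIL the whole sub-zone. With PRESIGNED set, the child's DNSKEY and RRSIG rows must also be present in the records table, since PowerDNS will not generate them for that zone.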