[Pdns-users] Setting up intentionally invalid DNSSEC record in auto-secure environment
leen at consolejunkie.net
Wed Jan 6 20:38:44 UTC 2016
On 2016-01-06 20:42, Nicholas Williams wrote:
> I'll look into that other script. Thanks, Bert.
>
>> How about creating a separate sub-zone with a broken presigned
>> DNSSEC
>
>> You can set presigned for just that single zone using the
>> PRESIGNED domain metadata[1] in your database.
>
> I really like this idea in combination. That documentation that Pieter
> sent me should help me get set up with presigning. But, Leen, how
> would I set up a subzone delegated to the same authoritative server
> (or can I, even?)? Can you point me to that documentation?
>
It's just a domain & delegation like any other (this is the same thing
the TLD does for you):

Just have both an autosigned-domain.tld and a
presigned-subzone.autosigned-domain.tld in the domains table like any
normal domain.

Both domains should have NS and SOA records in the records table like
any normal domain.

Then create the delegation in the autosigned-domain.tld domain by
adding the NS records pointing to the
presigned-subzone.autosigned-domain.tld:

domain_id: autosigned-domain.tld ; name: presigned-subzone.autosigned-domain.tld ; type: NS ; content: ns1.autosigned-domain.tld
domain_id: autosigned-domain.tld ; name: presigned-subzone.autosigned-domain.tld ; type: NS ; content: ns2.autosigned-domain.tld

Now because it's DNSSEC you need to make it secure.

Assuming you want to sign the sub-zone for testing:

  pdnssec secure-zone presigned-subzone.autosigned-domain.tld

Then you can grab the DS record, which then needs to be added to the
parent zone:

  pdnssec show-zone presigned-subzone.autosigned-domain.tld

to know what the DS record is.

Add the DNSSEC DS record for presigned-subzone.autosigned-domain.tld in
the autosigned-domain.tld domain:

domain_id: autosigned-domain.tld ; name: presigned-subzone.autosigned-domain.tld ; type: DS ; content: '5725 8 2 512fa6fe4d1f9ba974832e3456c4769db6c16ca1...'

Hope that makes it clear.

You should now be able to look up a DNSSEC-signed record for
presigned-subzone.autosigned-domain.tld, for example the SOA record.
Have a good day,
Leen.
> Google really hasn't indexed this documentation very well at all...
>
> Thanks,
>
> Nick
>
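The rows Leen describes, written out as an added worked example against the PowerDNS generic SQL backend tables (domains, records, domainmetadata); this is not code from the original thread or from PowerDNS itself, and it also sets the PRESIGNED domain metadata on the child that the quoted reply mentions. It assumes the gmysql/gpgsql schema with the auth column, constructed SOA contents, and a placeholder DS digest that must be copied from pdnssec show-zone.

```sql
-- Constructed example for the PowerDNS generic SQL backend schema.
-- Zone names follow the mail; the DS content is a placeholder.

-- 1. Both zones exist as ordinary domains.
INSERT INTO domains (name, type) VALUES ('autosigned-domain.tld', 'NATIVE');
INSERT INTO domains (name, type) VALUES ('presigned-subzone.autosigned-domain.tld', 'NATIVE');

-- 2. Apex SOA and NS of the parent (auth = 1: served authoritatively here).
INSERT INTO records (domain_id, name, type, content, ttl, auth) VALUES
  ((SELECT id FROM domains WHERE name = 'autosigned-domain.tld'),
   'autosigned-domain.tld', 'SOA',
   'ns1.autosigned-domain.tld hostmaster.autosigned-domain.tld 2016010601 3600 900 604800 300',
   3600, 1),
  ((SELECT id FROM domains WHERE name = 'autosigned-domain.tld'),
   'autosigned-domain.tld', 'NS', 'ns1.autosigned-domain.tld', 3600, 1),
  ((SELECT id FROM domains WHERE name = 'autosigned-domain.tld'),
   'autosigned-domain.tld', 'NS', 'ns2.autosigned-domain.tld', 3600, 1);

-- 3. Apex SOA and NS of the child, stored under the child's own domain_id.
INSERT INTO records (domain_id, name, type, content, ttl, auth) VALUES
  ((SELECT id FROM domains WHERE name = 'presigned-subzone.autosigned-domain.tld'),
   'presigned-subzone.autosigned-domain.tld', 'SOA',
   'ns1.autosigned-domain.tld hostmaster.autosigned-domain.tld 2016010601 3600 900 604800 300',
   3600, 1),
  ((SELECT id FROM domains WHERE name = 'presigned-subzone.autosigned-domain.tld'),
   'presigned-subzone.autosigned-domain.tld', 'NS', 'ns1.autosigned-domain.tld', 3600, 1),
  ((SELECT id FROM domains WHERE name = 'presigned-subzone.autosigned-domain.tld'),
   'presigned-subzone.autosigned-domain.tld', 'NS', 'ns2.autosigned-domain.tld', 3600, 1);

-- 4. Delegation in the parent: NS records for the child name under the
--    parent's domain_id, auth = 0 because the parent is not authoritative for them.
INSERT INTO records (domain_id, name, type, content, ttl, auth) VALUES
  ((SELECT id FROM domains WHERE name = 'autosigned-domain.tld'),
   'presigned-subzone.autosigned-domain.tld', 'NS', 'ns1.autosigned-domain.tld', 3600, 0),
  ((SELECT id FROM domains WHERE name = 'autosigned-domain.tld'),
   'presigned-subzone.autosigned-domain.tld', 'NS', 'ns2.autosigned-domain.tld', 3600, 0);

-- 5. DS for the child lives in the parent and is authoritative there (auth = 1).
--    Content is "keytag algorithm digesttype digest" from `pdnssec show-zone <child>`.
INSERT INTO records (domain_id, name, type, content, ttl, auth) VALUES
  ((SELECT id FROM domains WHERE name = 'autosigned-domain.tld'),
   'presigned-subzone.autosigned-domain.tld', 'DS',
   '<keytag> <algorithm> <digesttype> <digest-from-show-zone>', 3600, 1);

-- 6. Only the child is presigned; the parent stays auto-signed by PowerDNS.
INSERT INTO domainmetadata (domain_id, kind, content) VALUES
  ((SELECT id FROM domains WHERE name = 'presigned-subzone.autosigned-domain.tld'),
   'PRESIGNED', '1');
```

After loading the rows, run pdnssec rectify-zone on both zones so the ordername and auth columns are consistent, and verify the delegation end to end by querying the child's SOA with DNSSEC validation enabled.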