SSH using public key authentication to IOS



ip domain-name
crypto key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 2
username fakrul privilege 15 secret R@nDomp@$$worD!
ip ssh pubkey-chain
 username fakrul
  key-string
   ! paste the entire public key as it appears in the output of cat on your
   ! public key file, including the leading ssh-rsa and the trailing username@hostname
  exit
 exit
! enable key-based authentication only
ip ssh server algorithm authentication publickey
line vty 0 4
 transport input ssh
 privilege level 15

Install Cisco IOS XRv in GNS3



Software / Application:

  1. VirtualBox (
  2. GNS3 (

We also need a Cisco IOS XRv router image. For the lab we use iosxrv-demo-6.0.0.vmdk, which is free to use. Its only limitations are hardcoded AAA users and a rate limit of 2 Mbps. For the full feature set please check the following link:

To download the image please visit You need a Cisco CCO account.


1. Create a new VM


2. For the VM please choose:

  1. Name: xrv-1
  2. Type: Other
  3. Version: Other/Unknown (64-bit)


Sign expiring zone (DNSSEC)


The following script checks the expiry of the RRSIG and, if it expires within 7 days, signs your zone again.


#!/bin/bash
# Check how many days remain on the SOA RRSIG and re-sign the zone if 7 or fewer.

declare -i expire_date
declare -i current_date
declare -i diff

# RRSIG rdata as printed by dig +short:
#   <type> <alg> <labels> <origttl> <expire> <incept> <keytag> <signer> <sig>
# Field 2 == 7 selects the RSASHA1-NSEC3-SHA1 signature; field 5 is the
# expiration as YYYYMMDDHHMMSS, of which the first 8 characters are the date.
expire_date="$(date +%s -d "$(dig +short +dnssec SOA | awk '$2 == 7 { print $0 }' | cut -d' ' -f5 | cut -c1-8)")"
echo "Expire date: $expire_date"
current_date="$(date +%s)"
echo "Current date: $current_date"

# Convert the remaining seconds to whole days
diff=$(( (expire_date - current_date) / 86400 ))
echo "Days to expire: $diff"

if [ "$diff" -gt 7 ]; then
    echo "RRSIG will not expire within one week. No need to sign the zone"
else
    echo "RRSIG will expire next week. Sign DNS Zone......"
    sudo ldns-signzone /etc/nsd/ZONES/ /etc/nsd/KSK/ /etc/nsd/ZSK/ -f /etc/nsd/SIGNED/
    echo "Reload NSD......"
    /etc/init.d/nsd reload
fi
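As an added example (not from the original post), the same expiry check in Python, working on captured output of `dig +short +dnssec SOA <zone>`: it parses every RRSIG regardless of algorithm (the awk filter above only matches algorithm 7), takes the earliest expiry, and treats a missing RRSIG as a reason to re-sign. The dig output, key tags and signature strings below are constructed sample data.

```python
from datetime import datetime, timezone

RESIGN_THRESHOLD_DAYS = 7

# Constructed sample of `dig +short +dnssec SOA example.net`: the SOA rdata line
# followed by two RRSIGs (algorithms 7 and 8, as seen during an algorithm rollover).
# Signatures are made-up base64, not real ones.
SAMPLE_DIG_OUTPUT = """\
ns1.example.net. hostmaster.example.net. 2015011501 3600 900 1209600 3600
SOA 7 2 3600 20150120000000 20141221000000 41729 example.net. bm90IGEgcmVhbCBzaWduYXR1cmU=
SOA 8 2 3600 20150125000000 20141226000000 56234 example.net. YWxzbyBjb25zdHJ1Y3RlZA==
"""

def parse_dnssec_time(stamp):
    """Parse an RRSIG YYYYMMDDHHMMSS timestamp (always UTC per RFC 4034)."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def rrsig_expirations(dig_output, covered_type="SOA"):
    """Return the expiration times of every RRSIG covering covered_type.

    With +short, dig prints an RRSIG as:
    <type> <alg> <labels> <origttl> <expire> <incept> <keytag> <signer> <sig>
    while the SOA rdata line starts with the primary name server, so the
    first field distinguishes them without depending on the algorithm number.
    """
    expirations = []
    for line in dig_output.splitlines():
        f = line.split()
        if len(f) >= 9 and f[0] == covered_type and f[1].isdigit():
            expirations.append(parse_dnssec_time(f[4]))
    return expirations

def days_until_expiry(dig_output, now, covered_type="SOA"):
    """Days until the earliest RRSIG expires, or None if no RRSIG is present."""
    expirations = rrsig_expirations(dig_output, covered_type)
    if not expirations:
        return None
    return (min(expirations) - now).total_seconds() / 86400

def needs_resign(dig_output, now, threshold_days=RESIGN_THRESHOLD_DAYS):
    """True when the zone must be re-signed: signatures missing or expiring soon."""
    days = days_until_expiry(dig_output, now)
    return days is None or days <= threshold_days

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print("days until expiry:", days_until_expiry(SAMPLE_DIG_OUTPUT, now))
    print("re-sign needed:", needs_resign(SAMPLE_DIG_OUTPUT, now))
```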

Enable IPv6 in OpenVPN



In my earlier post (OpenVPN in Ubuntu 14.04) I went through the steps to install OpenVPN in Ubuntu; that covered IPv4 only. To enable IPv6 in OpenVPN, do the following:

OpenVPN Server IP : 2001:df2:ee00:ee00::10/64

2001:df2:ee00:abcd::/64 has been routed to the OpenVPN server host. That means clients connected via OpenVPN will get an address from the 2001:df2:ee00:abcd::/64 block.

Step 1: We need to edit OpenVPN configuration file and enable IPv6 tunnel service

vi /etc/openvpn/server.conf

Add the following :

server-ipv6 2001:0df2:ee00:abcd::/64
push tun-ipv6
ifconfig-ipv6 2001:0df2:ee00:abcd::1 2001:0df2:ee00:abcd::2
push "route-ipv6 2001:0df2:ee00:ee00::2/64"
push "route-ipv6 2000::/3"

Step 2: Enable IPv6 forwarding:

echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

Step 3: Reload OpenVPN Service

/etc/init.d/openvpn restart

Try connecting your OpenVPN client and test IPv6 reachability by accessing

1. To make IPv6 forwarding persistent, uncomment the following in /etc/sysctl.conf:
net.ipv6.conf.all.forwarding = 1

2. Make sure that you route 2001:df2:ee00:abcd::/64 to your OpenVPN server. I have done this from my Cisco router:

ipv6 route 2001:df2:ee00:abcd::/64 2001:df2:ee00:ee00::10

NSD with DNSSEC (Forward & Reverse DNS)



In the previous two blogs (1st part, 2nd part) I explained how to set up NSD as the primary DNS server and BIND as the secondary. Now let's see how we can implement DNSSEC with it.

1. You can put all the keys in a single folder, but for clarity I keep the necessary files in 4 folders:
ZONES: all zone files, SIGNED: all signed zone files, ZSK: all ZSK keys, KSK: all KSK keys
sudo mkdir /etc/nsd/SIGNED /etc/nsd/KSK /etc/nsd/ZSK

2. Time to install ldns, an NLnet Labs project:
sudo apt-get install ldnsutils

3. Create the ZSK in /etc/nsd/ZSK:
cd /etc/nsd/ZSK
sudo ldns-keygen -a RSASHA1_NSEC3 -b 1024

Create the KSK in /etc/nsd/KSK:
cd /etc/nsd/KSK
sudo ldns-keygen -a RSASHA1_NSEC3 -b 2048 -k

ldns-keygen creates 3 files: a .key file with the public DNSKEY, a .private file with the private key data, and a .ds file with the DS record of the DNSKEY record.

4. Edit /etc/nsd/nsd.conf to change the path for the signed zones:
zonesdir: "/etc/nsd/SIGNED"

more changes:

name: ""
zonefile: ""

5. Now use the ldns-signzone command to sign the zone and create a new file ready for DNSSEC queries.

sudo ldns-signzone /etc/nsd/ZONES/ \
/etc/nsd/KSK/ \
/etc/nsd/ZSK/ \
-f /etc/nsd/SIGNED/

This will create a signed zone file under /etc/nsd/SIGNED folder.
