Tag Archives: DNSSEC

Sign expiring zone (DNSSEC)

14 Monday Nov 2016

Posted by in My Work

Leave a comment

Tags

Following script will check the expiry of RRSIG and if it’s expiring within 7 days; it will sign your zone again.

#!/bin/bash

declare -i expire_date
declare -i currert_date
declare -i d1
declare -i diff

expire_date="$(date +%s -d $(dig +short fakrul.com +dnssec SOA | awk '$2 == 7 { print $0}' | cut -d' ' -f5 | cut -c1-8))"
echo "Expire date: $expire_date"
#expire_date="$(dig +short fakrul.com +dnssec SOA | awk '$2 == 7 { print $0}' | cut -d' ' -f5 | cut -c1-8)"
currert_date="$(date +%s)"
echo "Current date: $currert_date"

diff=$((expire_date-currert_date))/86400
echo "Days to expire: $diff"

if [ "$diff" -gt "7" ]
then
echo "RRSIG will not expiring within one week. No need to sign the zone"
else
echo "RRSIG will expire next week. Sign DNS Zone......"
sudo ldns-signzone /etc/nsd/ZONES/fakrul.com.zone /etc/nsd/KSK/Kfakrul.com.+007+22704 /etc/nsd/ZSK/Kfakrul.com.+007+04664 -f /etc/nsd/SIGNED/fakrul.com.zone.signed
echo "Reload NSD......"
/etc/init.d/nsd reload
fi

NSD with DNSSEC (Forward & Reverse DNS)

01 Tuesday Nov 2016

Posted by in Education, My Work

Leave a comment

Tags

, ,

In previous two blogs (1st part2nd part) I explain how to setup NSD as primary DNS server and BIND as secondary. Now let’s see how can we implement DNSEC with it.

1. You can put all the key in single folder; but for better understanding I put necessary information in 4 folders:
ZONES: All zone files, SIGNED: All signed zone files, ZSK: All ZSK keys, KSK: All KSK Keys
sudo mkdir /etc/nsd/SIGNED /etc/nsd/KSK /etc/nsd/ZSK

2. Time to install ldns, a NLnet Labs’ project:
sudo apt-get install ldnsutils

3. Create ZSK /etc/nsd/ZSK
cd /etc/nsd/ZSK
sudo ldns-keygen -a RSASHA1_NSEC3 -b 1024 ssh.com.bd

Create KSK
cd /etc/nsd/KSK
sudo ldns-keygen -a RSASHA1_NSEC3 -b 2048 -k ssh.com.bd

ldns-keygen will create 3 files: a .key file with the public DNSKEY, a .private file with the private keydata and a .ds with the DS record of the DNSKEY record.

4. Edit /etc/nsd/nsd.conf to change the path for the signed zones:
zonesdir: "/etc/nsd/SIGNED"

more changes:

zone:
name: “ssh.com.bd”
zonefile: “ssh.com.bd.zone.signed”

5. Now use the ldns-signzone command to sign ssh.com.bd and to create a new file ready for DNSSEC queries.

sudo ldns-signzone /etc/nsd/ZONES/ssh.com.bd.zone \
/etc/nsd/KSK/Kssh.com.bd.+007+22704 \
/etc/nsd/ZSK/Kssh.com.bd.+007+04664 \
-f /etc/nsd/SIGNED/ssh.com.bd.zone.signed

This will create a signed zone file under /etc/nsd/SIGNED folder.

Continue reading