• About

blog.alam.rocks

blog.alam.rocks

Tag Archives: DNSSEC

Sign expiring zone (DNSSEC)

14 Monday Nov 2016

Posted by Fakrul Alam in My Work

≈ Leave a comment

Tags

DNSSEC

Following script will check the expiry of RRSIG and if it’s expiring within 7 days; it will sign your zone again.

#!/bin/bash

declare -i expire_date
declare -i currert_date
declare -i d1
declare -i diff

expire_date="$(date +%s -d $(dig +short fakrul.com +dnssec SOA | awk '$2 == 7 { print $0}' | cut -d' ' -f5 | cut -c1-8))"
echo "Expire date: $expire_date"
#expire_date="$(dig +short fakrul.com +dnssec SOA | awk '$2 == 7 { print $0}' | cut -d' ' -f5 | cut -c1-8)"
currert_date="$(date +%s)"
echo "Current date: $currert_date"

diff=$((expire_date-currert_date))/86400
echo "Days to expire: $diff"

if [ "$diff" -gt "7" ]
then
echo "RRSIG will not expiring within one week. No need to sign the zone"
else
echo "RRSIG will expire next week. Sign DNS Zone......"
sudo ldns-signzone /etc/nsd/ZONES/fakrul.com.zone /etc/nsd/KSK/Kfakrul.com.+007+22704 /etc/nsd/ZSK/Kfakrul.com.+007+04664 -f /etc/nsd/SIGNED/fakrul.com.zone.signed
echo "Reload NSD......"
/etc/init.d/nsd reload
fi

NSD with DNSSEC (Forward & Reverse DNS)

01 Tuesday Nov 2016

Posted by Fakrul Alam in Education, My Work

≈ Leave a comment

Tags

DNS, DNSSEC, NSD

In previous two blogs (1st part &  2nd part) I explain how to setup NSD as primary DNS server and BIND as secondary. Now let’s see how can we implement DNSEC with it.

1. You can put all the key in single folder; but for better understanding I put necessary information in 4 folders:
ZONES: All zone files, SIGNED: All signed zone files, ZSK: All ZSK keys, KSK: All KSK Keys
sudo mkdir /etc/nsd/SIGNED /etc/nsd/KSK /etc/nsd/ZSK

2. Time to install ldns, a NLnet Labs’ project:
sudo apt-get install ldnsutils

3. Create ZSK /etc/nsd/ZSK
cd /etc/nsd/ZSK
sudo ldns-keygen -a RSASHA1_NSEC3 -b 1024 ssh.com.bd

Create KSK
cd /etc/nsd/KSK
sudo ldns-keygen -a RSASHA1_NSEC3 -b 2048 -k ssh.com.bd

ldns-keygen will create 3 files: a .key file with the public DNSKEY, a .private file with the private keydata and a .ds with the DS record of the DNSKEY record.

4. Edit /etc/nsd/nsd.conf to change the path for the signed zones:
zonesdir: "/etc/nsd/SIGNED"

more changes:

zone:
name: “ssh.com.bd”
zonefile: “ssh.com.bd.zone.signed”

5. Now use the ldns-signzone command to sign ssh.com.bd and to create a new file ready for DNSSEC queries.

sudo ldns-signzone /etc/nsd/ZONES/ssh.com.bd.zone \
/etc/nsd/KSK/Kssh.com.bd.+007+22704 \
/etc/nsd/ZSK/Kssh.com.bd.+007+04664 \
-f /etc/nsd/SIGNED/ssh.com.bd.zone.signed

This will create a signed zone file under /etc/nsd/SIGNED folder.

Continue reading →

Social

  • View rapappu’s profile on Twitter
  • View fakrulalam’s profile on LinkedIn
  • View fakrul’s profile on GitHub
  • View FakrulAlamPappu’s profile on Google+
  • View fakrulalam’s profile on Flickr

Twitter Updates

  • #sydeny #summer https://t.co/4FhMTbgG1g 1 week ago
  • RT @protocoljournal: The August 2022 issue of IPJ is ready. Head over to protocoljournal.org for your copy! https://t.co/c0dfwBQAuu 3 weeks ago
  • RT @teamcymru: Take The first step toward clarity, visibility, and reducing external asset related risks With our free Attack Surface Asses… 3 weeks ago
  • RT @akanygren: Have you been working with tech for years and want an overview of #IPv6? I've been working on an open source "Inessential I… 1 month ago
  • blog.lastpass.com/2022/11/notice… 2 months ago
  • #bdnog15 CfP is now open bdnog.org/bdnog15/cfp.php #bdnog #bangladesh #nog #networkoperatorsgroup 2 months ago
  • RT @Cloudflare: Today we’re introducing Cloudflare Radar’s route leak data and API so that anyone can get information about route leaks acr… 2 months ago
  • Battling Zimbabwe fall short as Bangladesh win in chaotic final-over finish espncricinfo.com/series/icc-men… #t20 #worldcup #bangladeh 3 months ago
  • RT @vince2_: With the team @Free_1337, we have developed a Netflow/IPFIX collector and visualizer. It is available at https://t.co/6XtpOtm9… 6 months ago
  • RT @openbsdnow: Effective Shell effective-shell.com 7 months ago
  • RT @nocontextfooty: https://t.co/PU0JeRSrbD 7 months ago
  • smallstep.com/blog/if-openss… 7 months ago
  • github.com/tldr-pages/tldr 9 months ago
  • How to properly interpret a traceroute or MTR | APNIC Blog blog.apnic.net/2022/03/28/how… 9 months ago
  • #dayandnight #Newcastle #beachlife https://t.co/LaKATcEsFY 10 months ago
Follow @rapappu

Tags

antismap antivirus automation Azure bangladesh BASH BASH Script BDCERT bgp bind ccsp centos CentOS mirror CERT CISA cisco Cyber Security ddos dhaka dhakacom DNS DNSSEC GSM intrusion detectoin system Intrusion prevention system ips IPv6 ISACA junos linux Looking Glass lxc lxc profile lxd mailqueue mailscanner Mail Server mailwatch Meraki mikrotik monitor mpls MPLS L3 VPN mysql My Work network network management nginx NSD observium OpenVPN perl PHP ping postfix Proxy PTA python RANCID Reading RPKI Shell Script sms sms server SNMP SSH Tutorial ubuntu Ubuntu Mirror Server Virtual Box vispan vmware websvn Youtube hack খামাখা

Blog at WordPress.com.

  • Follow Following
    • blog.alam.rocks
    • Join 27 other followers
    • Already have a WordPress.com account? Log in now.
    • blog.alam.rocks
    • Customize
    • Follow Following
    • Sign up
    • Log in
    • Report this content
    • View site in Reader
    • Manage subscriptions
    • Collapse this bar