around the block with dnssec

So my registrar supports it but not at their DNS servers. I looked and yes, I can change DNS providers, but those who can do not seem to want me to buy just DNS services, although servers, SSL and the rest I can buy. Oh well.

I suppose I could self-host DNS, but then the question becomes do I want to, and with no presence on two continents would it really matter that much for the zoo.

Apart from a few domains nobody actually does DNSSEC; .no has 40% usage for DNSSEC, but outside that the domains using it are very few. I know why now: after all, it is not something that is easy to detect. The instructions might as well be written in fish language, from which things can be inferred.

There is an issue that most DNSSEC domains use PowerDNS (a project, not a company), so a bug in that might expose faults in everything, which could be a bit of fun.

I am not sure if DNSSEC is worth it for the zoo; it's €12 and up per year per domain on a basic glance, which most people won't notice or care about.

I see merits to DNSSEC but… it feels a lot like security theatre.

Further confusion remains with the ISC DLV zone, which is now redundant.


Things most people have no idea what they mean

Anyhow, I discovered that with professional DNS servers you can support 4096-bit DKIM keys (my blog), but before I got here I had some fun with DMARC and a Windows server which would not let me fill in an HTML form.

Prices vary for DNSSEC hosting; with the Microsoft** firm out of the running for not allowing my online query, I am looking at money for low usage: you pay per quota. So I will see how it pans out.

I had to create the zone from scratch as there was no zone import, but the web interfaces are quite good, although there are questions as to whether this works.

The new provider liked a short 1 hour interval for refreshes; since our DNS does not change I made the interval a day.

I then reflected for a couple of days and nearly made CNAME records instead of A records.

DNSSEC required that I have a zone to sign (logical), and that was easy to accomplish, not that I know the details, but I think I have algorithm, flags, and key for my domain registrar.

So I decided to wait until a weekend (+7 days) to switch DNS and add signing at the registrar. After all, this is a first time.

The switch did not take long; kd-alg had to be 3, and then with changed DNS and DNSSEC I was told to wait a day, or see my whois output, which pointed the domain back to the original name servers, and my DNSSEC setting had also gone.

I decided to wait and see; after all, I have a tracking id and printouts saying new name servers.

One good result was that I had an SPF record (not a TXT record but an SPF record) on a DNS report; I have a TXT SPF record but had not bothered to delete it.

So the next day rolls around (so 86400 is up) and no change until the jobs are resubmitted at my registrar. Then things sort of work but no DNSSEC, so off I go to DNSViz (not here), which for somebody without a DNS book* is as good as it gets.

I was 50% there. You need a KSK (key signing key) and a ZSK (zone signing key). The DNSSEC info tells you most of the info, with the public key for the domain, not however how it might stick together.

Things in DNSSEC land are strange numbers: say 7 translates to rsasha1 from the settings; flags should be 256 (ZSK) and 257 (KSK); protocol is 3, which seems to convert to rsa-sha-nsec3 and seems to be the only value accepted; pubkey is a long string.

So you have two entries for DNSSEC at your registrar: 7 256 3 [public key] and 7 257 3 [public key]

rsasha1 zsk rsa-sha-nsec3 mumblejumbo
rsasha1 ksk rsa-sha-nsec3 mumblejumbo

I was missing the 257 line, so there was no key to connect to the TLD until I added the 257 line from above.

Some registrars use an algorithm digest of rsasha1 and rsasha256,

I had no further problems after that, although our DD-WRT router is a bit lazy, so I pointed the DNSSEC Firefox plugin from .cz (not this blog) at a local BIND server and it turns green.

As a first time doing DNSSEC this was educational if not perfect, but with the wrong nameservers that was actually ok; I am not sure how much of that is me, or the exchange between my registrar and the TLD.

* The O'Reilly (my blog) one I did not like. ** Microsoft are not server software, have FUDded Linux (my blog), so to support a firm with Microsoft server is beyond the pale.
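The two registrar entries above are just the zone's DNSKEY records with the fields in a different order (the standard text form is flags, protocol, algorithm, key; per RFC 4034 the protocol field is always 3, and algorithm 7 is RSASHA1-NSEC3-SHA1). What actually "connects to the TLD" is a DS record derived from the KSK (the 257 line): a key tag, the algorithm, a digest type and a hash over the owner name plus the DNSKEY RDATA, which is what the rsasha1/rsasha256 digest choice refers to. The following is an added example, not code from the original post: it parses such lines, names the role from the flags (256 = ZSK, 257 = KSK), computes the RFC 4034 key tag and derives the DS digest in SHA-1 and SHA-256 form. The sample keys are constructed 4-byte placeholders (not real RSA keys) so the key tag can be checked by hand, and example.com stands in for the author's domain.

```python
import base64
import hashlib
import struct

# Constructed sample DNSKEY lines in standard "flags protocol algorithm key"
# order.  The base64 key decodes to the placeholder bytes 01 02 03 04, which
# is not a valid RSA key; it only keeps the key-tag arithmetic hand-checkable.
SAMPLE_DNSKEYS = [
    "256 3 7 AQIDBA==",   # zone signing key (ZSK)
    "257 3 7 AQIDBA==",   # key signing key (KSK): 256 plus the SEP bit
]

# IANA algorithm numbers the post touches on, plus two common modern ones.
ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256",
              13: "ECDSAP256SHA256"}
# DS digest types: 1 = SHA-1, 2 = SHA-256 (RFC 4034 / RFC 4509).
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def parse_dnskey(line):
    """Split 'flags protocol algorithm base64key' into fields and wire RDATA."""
    flags, protocol, algorithm, pubkey = line.split(None, 3)
    flags, protocol, algorithm = int(flags), int(protocol), int(algorithm)
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3 (RFC 4034)")
    key_bytes = base64.b64decode("".join(pubkey.split()))
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + key_bytes
    return {"flags": flags, "protocol": protocol, "algorithm": algorithm,
            "key": key_bytes, "rdata": rdata}


def key_role(flags):
    """Value 256 marks a zone key; adding the SEP bit (value 1) gives a KSK."""
    if not flags & 0x0100:
        return "not a zone key"
    return "KSK" if flags & 0x0001 else "ZSK"


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: a 16-bit checksum over the RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name):
    """Canonical (lowercased) wire form of the owner name, e.g. example.com."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_record(owner, line, digest_type=2):
    """DS RDATA the registrar publishes: 'keytag algorithm digesttype hexdigest'."""
    key = parse_dnskey(line)
    hasher = DIGEST_TYPES[digest_type]
    digest = hasher(owner_wire(owner) + key["rdata"]).hexdigest().upper()
    return f"{key_tag(key['rdata'])} {key['algorithm']} {digest_type} {digest}"


def describe(owner, line):
    """Human-readable summary; only a KSK yields the DS line for the parent."""
    key = parse_dnskey(line)
    role = key_role(key["flags"])
    alg = ALGORITHMS.get(key["algorithm"], f"algorithm {key['algorithm']}")
    out = (f"{owner} DNSKEY flags={key['flags']} ({role}) alg={alg} "
           f"tag={key_tag(key['rdata'])}")
    if role == "KSK":
        out += "\n  -> DS for the registrar: " + ds_record(owner, line)
    return out


if __name__ == "__main__":
    for sample in SAMPLE_DNSKEYS:
        print(describe("example.com", sample))
```

Comparing the DS line this produces from your real KSK with what the registrar shows for the domain is the quickest way to tell whether the chain to the TLD is actually closed; DNSViz reports the same key tags, so a mismatch there points at the registrar side rather than the zone.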
