advanced forward zone dnssec

crap security


Having setup one basic dns sec domain (my blog) I decided to do another this time it was a .com so what might have worked in the other is another exciting experience of will it or wont it.

So i recreate the zone, turn on dns sec muse on the records setup for a day and then switch over..  A first change is my dnssec setttings where the protocol used is that same but has a higher number might throw a spanner in the works but its new.

Since i know i need a ksk and a zsk (two records) i hopefuly should be a lot faster than i before.

Primarily i am doing this for tlsa records which for a good primer on try this (not here)  The other domain a . eu has no tls, this . com has tls.

There are other ways to generate tlsa with

openssl x509 -in input.crt -outform DER | openssl sha256

But that gets your a hash not a tlsa record IN TLSA 3 1 1 largesequenceoflettersandnumbers

dnsecyes  danednssecAnyhow so this image (left) should change to this (right)

The 3 1 1 are needed otherwise the dns record will be rejected.

The switch day arrives and unlike before my nameservers go straight over on a .com.  However the dnssec keys are different rather than use a public key i can use keytag, and digest and digest type of which all have been provided by the dns provider which is very different to my experience with .eu.

These also stick however i have ds mismatch and a ttl mismatch of which i cant do anything about

But it mostly works bar those bugs appear not within my range of problem solving ability or power to resolve.

An interesting note to this is the keys (or digests) are not printed for .com  registry in the whois, so it appears that the bugs i noted i cannot do anything about.

A day later and an experimental dane tlsa entry does not work which i can fix and that will be a blog post for another day.  One tlsa record does work so its not all bad.

I am not convinced about sshfs records which i could do but i imagine theres a whole lot of wrong encryption in my setup although its very secure despite its ancient setup.

All good apparently.  Reverse dnssec zones however are a mystery but something to think on and a topic for later

17 responses

  1. Pingback: something about haveged | Bananas in the Falklands

  2. Pingback: site html generators in html | Bananas in the Falklands

  3. Pingback: self certified tls in dnssec out in the wild | Bananas in the Falklands

  4. Pingback: production side dnssec changes and fail | Bananas in the Falklands

  5. Pingback: sshfp | Bananas in the Falklands

  6. Pingback: all the toys, and ssl mafia double ready | Bananas in the Falklands

  7. Pingback: Funny dns traffic | Bananas in the Falklands

  8. Pingback: hosted web hosting – um meh | Bananas in the Falklands

  9. Pingback: fun with postfix tls and user certs | Bananas in the Falklands

  10. Pingback: giving up on the mysteries of hpkp | Bananas in the Falklands

  11. Pingback: dnssec on on leap years | Bananas in the Falklands

  12. Pingback: the unscheduled lets encrypt renewal by 21 days | Bananas in the Falklands

  13. Pingback: pi hole (nothing about circles) | Bananas in the Falklands

  14. Pingback: The dns game | Bananas in the Falklands

  15. Pingback: http/2 in the wild | Bananas in the Falklands

  16. Pingback: Lets encrypt in the wild | Bananas in the Falklands

  17. Pingback: the day the internet came and visited our nameservers and probed them. | Bananas in the Falklands

by golly but...

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.