production side dnssec changes and fail

you see a lot of this

So Bananas was minding her own business when the zoo's DNSSEC started to play up. I don't usually need to mess about with DNS, but with DNSSEC now in the mix, after finding that one zoo loaded pages OK but the other did not, I began to think I had DNSSEC issues.

Yep we all be muppets

Diagnostics left me with problems, so I re-signed the zones and things began to look better. It was interesting to see an expiry in action, and with TLSA records it got way more interesting: a validating resolver treats an expired RRSIG as bogus and answers SERVFAIL, so the TLSA records that DANE depends on disappear along with everything else. After all, every layer you add is another point of failure.

dane tls

So I went tool hunting, and (not here) means I know in advance when I have to sign the zones, which is a manual process: our registrar does DNSSEC, but a human has to initiate it.

You can bash script some of this by checking the RRSIG expiry times, but it's not perfect. ldns is a useful tool, worth the compile.
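One way to script that RRSIG check, as an added example that is not from the original post or from any tool it names: it reads the RRSIG lines that dig prints, picks out the expiration field and compares it against the current time and a warning threshold. The zone name, key tag, timestamps and signature strings in the sample are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): flag RRSIGs that have expired or
# are about to, from dig output. Feed it something like
#   dig +dnssec +noall +answer @ns1.example.zoo example.zoo SOA | rrsig_status NOW WARN_UNTIL
# A dig RRSIG answer line has these fields:
#   name TTL class RRSIG type alg labels origttl expiration inception keytag signer sig
# Both timestamps are YYYYMMDDHHMMSS in UTC, so they compare correctly as
# fixed-width numbers and no date arithmetic is needed inside the script.

# rrsig_status NOW WARN_UNTIL
#   NOW         current UTC time as YYYYMMDDHHMMSS
#   WARN_UNTIL  signatures expiring at or before this time count as EXPIRING
# Prints one line per RRSIG:  STATUS name type alg expiration
# Return value: 0 all OK, 1 at least one EXPIRING, 2 at least one EXPIRED.
rrsig_status() {
    now=$1
    warn=$2
    worst=0
    while read -r name ttl class rtype ctype alg labels origttl exp inc keytag signer sig; do
        [ "$rtype" = RRSIG ] || continue                # ignore non-RRSIG lines
        case $exp in *[!0-9]*|'') continue ;; esac     # malformed timestamp
        if [ "$exp" -le "$now" ]; then
            status=EXPIRED
            worst=2
        elif [ "$exp" -le "$warn" ]; then
            status=EXPIRING
            if [ "$worst" -lt 1 ]; then worst=1; fi
        else
            status=OK
        fi
        printf '%s %s %s %s %s\n' "$status" "$name" "$ctype" "$alg" "$exp"
    done
    return "$worst"
}

# Constructed sample answer (not real records) for a zone signed with
# RSASHA256 (algorithm 8): the SOA signature has lapsed, the A signature runs
# out within the warning window, the TLSA signature is fine.
SAMPLE_RRSIGS='example.zoo. 3600 IN RRSIG SOA 8 2 3600 20240301000000 20240201000000 12345 example.zoo. c29hc2lnbmF0dXJl
www.example.zoo. 3600 IN RRSIG A 8 3 3600 20240510000000 20240410000000 12345 example.zoo. YXNpZ25hdHVyZQ==
_443._tcp.www.example.zoo. 3600 IN RRSIG TLSA 8 5 3600 20240601000000 20240501000000 12345 example.zoo. dGxzYXNpZw=='

# Stand-alone run against the sample, pretending it is 2024-05-05 12:00 UTC
# with a 7-day warning window. In real use compute the two timestamps with
#   now=$(date -u +%Y%m%d%H%M%S); warn=$(date -u -d '+7 days' +%Y%m%d%H%M%S)
# (the -d form is GNU date).
printf '%s\n' "$SAMPLE_RRSIGS" | rrsig_status 20240505120000 20240512120000 \
    || echo "worst status: $?"
```

Query the authoritative server directly (the @ns form above) rather than a caching resolver, otherwise you may be looking at a cached copy of the old signatures after a re-sign, and run the check from cron against every signed zone, including the TLSA names, since those have RRSIGs of their own.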

systemd (my blog) has a thing for DNSSEC too (an example from Debian):

opendnssec-enforcer.service loaded active exited LSB: OpenDNSSEC Enforcer
opendnssec-signer.service loaded active exited LSB: OpenDNSSEC Signer

And I assume the enforcer is what tripped me up when the zones expired. I have yet to find any decent documentation for newbies on what these really do, which is why having a play server in the real world pays off. (In OpenDNSSEC the Enforcer schedules key generation and rollover according to the policy in kasp.xml, and the Signer does the actual signing; in the 1.4 series they are driven with ods-control and ods-ksmutil.)

It is not hard, and I feel DNSSEC is usable, if a bit clunky around the edges. OpenDNSSEC 2.1 might fix some of those issues for me, but that would mean compiling it, something that might break other working things.

the man who became a pig

OpenDNSSEC is a pig to configure, with its XML syntax and missing things; however, stripping the <!-- and --> comment markers got me something that should work and that I can experiment with here in the zoo.

Whether or not BIND will like it doing rollovers is a mystery. It's damn cryptic, with:

[engine] setup failed: HSM error

Which seems to be something about permissions, and in a default install usually means the SoftHSM token store (the slot database named in softhsm.conf) is not writable by the user the OpenDNSSEC daemons run as:

Error: Probably missing write permissions, please check the path and file given in the configuration.

Further efforts and some manual key generation meant I only got RSASHA1 signatures (algorithm 7, RSASHA1-NSEC3-SHA1) rather than RSASHA256 (algorithm 8), so I gave up on OpenDNSSEC's automatic signing and automatic key rollover, despite it doing NSEC3 on Debian. That means the signer and enforcer (version 1:1.4.6-6) seen above were cut from running on a Debian Jessie server, since I am stupid and could not get them to do stuff.

Yeah, it's the tempest

So once a month I will generate keys and then tell the registrar of the .zoo domain that the key has changed (what the registrar needs is the DS record for the new KSK), which has always meant an ape at a keyboard.

I am rather disappointed that I could not get rollover to work, despite printing off what seems like billions of pages of wiki and PDF files, which may not be their fault, as their software has yet to catch up with Debian stable.

So that looks like a recurring task for the future, for the thing that supposedly could do it but won't, and that's before I have to tell the registrar about the change.
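The monthly re-sign itself can at least be reduced to one script so the ape only has to run it and copy the DS record out. Below is an added example, not code from the original post, using BIND's dnssec-keygen, dnssec-signzone and dnssec-dsfromkey plus ldns-verify-zone; it generates RSASHA256 (algorithm 8) keys so the signatures do not come out as algorithm 7, signs with NSEC3 and an explicit 30-day RRSIG lifetime, verifies the result, and prints the DS for the registrar. The zone name, paths, key size and lifetime are assumptions, and DRYRUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original post): the monthly manual re-sign done
# with BIND's dnssec-* tools plus ldns-verify-zone, scripted so the same
# incantation runs each time. New keys are RSASHA256 (algorithm 8), which
# avoids the RSASHA1-NSEC3-SHA1 (algorithm 7) signatures mentioned above, and
# the last step prints the DS record the registrar has to be given.
# DRYRUN=1 prints each command instead of running it. The zone name, file
# paths, key size and the 30-day signature lifetime are assumptions.

# run CMD...: execute, or just print, depending on DRYRUN
run() {
    if [ "${DRYRUN:-0}" = 1 ]; then
        printf 'would run: %s\n' "$*"
    else
        "$@"
    fi
}

# resign_zone ZONE ZONEFILE KEYDIR
resign_zone() {
    zone=$1
    zonefile=$2
    keydir=$3
    lifetime=2592000                                   # 30 days in seconds
    salt=$(head -c 8 /dev/urandom | od -An -tx1 | tr -d ' \n')   # fresh NSEC3 salt

    run mkdir -p "$keydir"
    # ZSK then KSK; BIND writes K<zone>.+008+<keytag>.key/.private into KEYDIR
    run dnssec-keygen -a RSASHA256 -b 2048 -n ZONE -K "$keydir" "$zone"
    run dnssec-keygen -a RSASHA256 -b 2048 -n ZONE -f KSK -K "$keydir" "$zone"
    # -S picks up every key in KEYDIR, -3 enables NSEC3 with the salt,
    # -N INCREMENT bumps the SOA serial, -e pins the RRSIG expiry so the
    # next re-sign date is known in advance rather than discovered by SERVFAIL
    run dnssec-signzone -S -K "$keydir" -3 "$salt" -N INCREMENT \
        -o "$zone" -e "now+$lifetime" -f "$zonefile.signed" "$zonefile"
    # Validate the signed zone locally before BIND ever loads it
    run ldns-verify-zone "$zonefile.signed"
    # SHA-256 DS for each KSK: this is what goes to the registrar
    for keyfile in "$keydir"/K"$zone".+008+*.key; do
        [ -f "$keyfile" ] || continue
        if grep -q 'key-signing key' "$keyfile"; then
            run dnssec-dsfromkey -2 "$keyfile"
        fi
    done
}

# Stand-alone run is a dry run unless DRYRUN=0 is set in the environment
DRYRUN=${DRYRUN:-1}
resign_zone example.zoo /etc/bind/db.example.zoo /etc/bind/keys
```

Point the zone statement in named.conf at the .signed file, reload with rndc after the script succeeds, and only submit the new DS once the new DNSKEY is visible from the authoritative servers; otherwise validators fetch a DS that matches no published key and the zone goes bogus.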

One response

  1. Pingback: letsencrypt fail | Bananas in the Falklands
