So Bananas was minding her own business when the zoo's DNSSEC started to play up. I don't usually need to mess about with DNS, but with DNSSEC now in the mix, after finding one zoo loaded pages OK but the other did not, I had begun to think I had DNSSEC issues.
Diagnostics left me with problems, so I re-signed the zones and things began to look better. It was interesting to see an expire in action, and with TLSA records it got way more interesting; after all, every layer you add is another point of failure.
So I went tool hunting, and http://www.nlnetlabs.nl/projects/ldns/ (not here) means I know in advance when I have to sign zones, which is a manual process, as our registrar does DNSSEC but a human has to initiate it.
You can bash-script this some of the way with RRSIGs, but it's not perfect. ldns is a useful tool, worth the compile.
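Here is an added example of that "know in advance" check, not the author's script: it parses RRSIG records in the presentation format that `dig +dnssec` prints, reports how many days remain before the earliest signature lapses, and flags signatures that still use a SHA-1 based algorithm (the RSASHA1 problem mentioned later). The zone name `zoo.example`, key tags and signature blobs are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like `dig +dnssec` output (not real zone data).
SAMPLE_DIG_OUTPUT = """\
zoo.example.           3600 IN RRSIG A 8 2 3600 20150615120000 20150516120000 12345 zoo.example. AwEAAc0NstQ==
_443._tcp.zoo.example. 3600 IN RRSIG TLSA 7 4 3600 20150520120000 20150420120000 54321 zoo.example. AwEAAdGxZ2k=
zoo.example.           3600 IN SOA ns1.zoo.example. hostmaster.zoo.example. 2015051601 7200 3600 1209600 3600
"""

# SHA-1 based DNSSEC algorithm numbers (IANA registry): 5 = RSASHA1, 7 = RSASHA1-NSEC3-SHA1.
SHA1_ALGORITHMS = {5, 7}

def rrsig_time(s):
    """RRSIG inception/expiration fields are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(line):
    """Parse one RRSIG in presentation format; return None for any other record.
    Fields: owner TTL class RRSIG type-covered alg labels orig-TTL expiration inception key-tag signer signature
    """
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        return None
    return {"owner": f[0], "type_covered": f[4], "algorithm": int(f[5]),
            "expiration": rrsig_time(f[8]), "inception": rrsig_time(f[9]), "key_tag": int(f[10])}

def check_signatures(text, now, warn_days=7):
    """Return (days until the earliest RRSIG expires, list of warnings).
    The day count is a float and goes negative once a signature has lapsed; warnings
    cover signatures that are expired, expiring within warn_days, or SHA-1 based.
    """
    sigs = [s for s in map(parse_rrsig, text.splitlines()) if s]
    if not sigs:
        return None, ["no RRSIG records found: zone is unsigned or the query lacked +dnssec"]
    warnings = []
    for s in sigs:
        left = (s["expiration"] - now) / timedelta(days=1)
        name = f"{s['owner']} {s['type_covered']} RRSIG (key tag {s['key_tag']})"
        if left <= 0:
            warnings.append(f"EXPIRED: {name} expired {s['expiration']:%Y-%m-%d %H:%M} UTC")
        elif left < warn_days:
            warnings.append(f"RE-SIGN: {name} expires in {left:.1f} days")
        if s["algorithm"] in SHA1_ALGORITHMS:
            warnings.append(f"WEAK-ALG: {name} uses algorithm {s['algorithm']} (SHA-1 based)")
    earliest = min(s["expiration"] for s in sigs)
    return (earliest - now) / timedelta(days=1), warnings

if __name__ == "__main__":
    days, warns = check_signatures(SAMPLE_DIG_OUTPUT, datetime.now(timezone.utc))
    print(f"earliest RRSIG expiry in {days:.1f} days")
    for w in warns:
        print(w)
```

Feed it the real `dig +dnssec zoo.example ANY` output from a cron job and you get the re-sign reminder a few days ahead instead of discovering the expire when pages stop loading.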
systemd (my blog) has a thing for DNSSEC too (an example from Debian):
opendnssec-enforcer.service loaded active exited LSB: OpenDNSSEC Enforcer
opendnssec-signer.service loaded active exited LSB: OpenDNSSEC Signer
And I assume that the enforcer is what tripped me up when the zones expired. I have yet to find any decent documentation for newbies on whatever these really do, and why having a play server in the real world pays off.
It is not hard, and I feel DNSSEC is usable, if a bit clunky around the edges. OpenDNSSEC 2.1 might fix some of those issues for me, but that would mean compiling it, something that might break other working things.
OpenDNSSEC is a pig to configure via XML syntax and missing things; however, stripping the !-- and -- got me something that should work, that I can experiment with here in the zoo.
Whether or not BIND will like it doing rollovers is a mystery. It's damn cryptic with
[engine] setup failed: HSM error
which seems to be something about permissions:
Error: Probably missing write permissions, please check the path and file given in the configuration.
Further efforts and some manual key generating meant I only got RSASHA1 signatures (version 7) rather than RSASHA256, so I gave up on OpenDNSSEC auto-signing and auto-rollover of keys, despite it doing NSEC3 in Debian. That means the signer and enforcer (version 1:1.4.6-6) seen above were cut from running on a Jessie Debian server, since I am stupid, not being able to get them to do stuff.
So once a month I will generate keys and then tell the domain registrar of the .zoo that the key has changed, which has always meant an ape at a keyboard.
I am rather disappointed that I could not get rollover to work despite printing off what seems like billions of pages of wiki and PDF files from opendnssec.org, which may not be their fault, as their software has yet to catch up with Debian stable.
So that looks like a recurring task for the future, for the thing that supposedly could but won't, and that's before I have to tell the registrar about the change.