DNSSEC for tonkersten.com and pa1ton.nl

Last night (Aug. 22 2010 at 00:25:47) SIDN signed the Dutch .nl zone and made it public. This is, of course, reason for a party and calls for the signing of my own zones. Unfortunately it’s not possible to use secure delegation, but that’s something for the future.

I do have two domains up and running and I signed them both.

This is what I did:

First you need a Zone Signing Key (ZSK) and a Key Signing Key (KSK) and these can be made with

dnssec-keygen -e -a RSASHA1 -b 2048 -n ZONE        tonkersten.com
dnssec-keygen    -a RSASHA1 -b 2048 -n ZONE -f KSK tonkersten.com

This results in two sets of two files (after a very long time)


The key-generating process can be sped up using the -u /dev/urandom option, but that results in a lower entropy and thus in lower security.

Now include the two public keys in the zone file

$include keys/Ktonkersten.com.+005+42559.key
$include keys/Ktonkersten.com.+005+61598.key

and sign the zone:

dnssec-signzone			\
	-d keys				\
	-K keys				\
	-N increment		\
	-o tonkersten.com	\
	-S tonkersten.com

giving me a file called db.tonkersten.fwd.signed.

This file should now be used in /etc/named.conf as the zone file for the signed zone.

So, when I do a query for the tonkersten.com domain, I get

$ dig +dnssec +multiline DNSKEY home.tonkersten.com

; <<>> DiG 9.7.1-P2 <<>> +dnssec +multiline DNSKEY home.tonkersten.com
;; global options:  +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34594
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

; EDNS: version: 0, flags: do; udp: 4096
;home.tonkersten.com.	IN DNSKEY

tonkersten.com.		3600 IN	SOA home.tonkersten.com. tonk.tonkersten.com. (
2010082303 ; serial
21600      ; refresh (6 hours)
7200       ; retry (2 hours)
604800     ; expire (1 week)
3600       ; minimum (1 hour)
tonkersten.com.		3600 IN	RRSIG SOA 5 2 3600 20100922081850 (
20100823081850 61598 tonkersten.com.
FJ0uZPzfaujQAcKa1NnB89Ccd7m18XL0Gw== )
home.tonkersten.com.	3600 IN	NSEC mail.tonkersten.com. A AAAA RRSIG NSEC
home.tonkersten.com.	3600 IN	RRSIG NSEC 5 3 3600 20100922081850 (
20100823081850 61598 tonkersten.com.
PQn52goXz8nXMovgDuB8HNWbzKwSCs07Ug== )

;; Query time: 52 msec
;; WHEN: Mon Aug 23 12:30:43 2010
;; MSG SIZE  rcvd: 734

Now it’s your turn.

Good luck ;-)


See also