diederik.nl at DNSSEC?

A small update on DNSSEC.


I’m running FreeBSD 11 on a dedicated server hosted by ColoClue (<3). My DNS server is PowerDNS with a MySQL backend.

Domain registrations are done by OpenProvider (<3), with the great guys from Afraid.org running the slave DNS server.

Whilst I’m still in doubt whether DNSSEC is ‘mandatory’ for the internet, several mail-related extensions (like DANE) depend on DNSSEC.

Today, it seems that I have got DNSSEC running for diederik.nl, with help from the awesome pdnsutil tool. I’ll briefly describe what I did, and elaborate later on why I did it.

Key generation

First, I generated a public/private key pair, which is simply stored in PowerDNS (in the MySQL backend) next to the zone. With current PowerDNS this creates a single ECDSA P-256 key with the KSK flag set (a CSK, combined signing key) that signs both the DNSKEY RRset and the rest of the zone:

pdnsutil secure-zone diederik.nl

Then I rectified the zone (rectify-zone fills in the ordername and auth fields the backend needs to give correct NSEC/NSEC3 answers):

pdnsutil rectify-zone diederik.nl

At this point there is a KSK, which on its own is already enough for PowerDNS to sign the zone, but I also wanted a separate ZSK. For the chain of trust only the KSK matters: OpenProvider needs the 257-flagged key (or the DS record derived from it), while a ZSK is only ever used inside the zone and can be rolled without touching the registrar.

pdnsutil show-zone diederik.nl

gives me the KSK. I’ll add an active ZSK and an inactive, pre-published ZSK for the next rollover with the following commands:

pdnsutil add-zone-key diederik.nl zsk 1024 active rsasha256
pdnsutil add-zone-key diederik.nl zsk 1024 inactive rsasha256

Two caveats on these keys. A 1024-bit RSA ZSK is below current recommendations (2048-bit RSA, or ECDSA P-256 as already used for the KSK; pdnsutil accepts ecdsa256 as the algorithm name). And mixing an ECDSA KSK with RSA ZSKs means the zone carries two algorithms, each of which must sign every RRset (RFC 4035, section 2.2); PowerDNS does that for all active keys, so it works, but the simplest setup is to keep the single ECDSA CSK, or to use ECDSA for the ZSK too.


pdnsutil show-zone diederik.nl

gives the output:


So we have the KSK and ZSK. Within OpenProvider I added the following data:

So the KSK is the elliptic-curve key that secure-zone generated (the line whose DNSKEY record has flags 257, i.e. diederik.nl. IN DNSKEY 257 3 13 …) and the ZSK is the RSA key whose DNSKEY record has flags 256 (diederik.nl. IN DNSKEY 256 3 8 …). Only the 257 key has to be registered: the registry derives the DS record from it. Entering the ZSK as well is unnecessary; a DS for a key that does not sign the DNSKEY RRset never takes part in validation, and it would go stale at the first ZSK rollover.

From there, the only thing I needed to do was *TEST*. You can use the website https://en.internet.nl for that…
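Before (or after) running the internet.nl test, it is worth checking locally that the DS the parent zone publishes really is the DS of your KSK, because the registrar interface is the one step in the chain you cannot redo with pdnsutil. The script below is an added example, not part of the original post and not PowerDNS code: it parses a DNSKEY line in the form `pdnsutil show-zone` prints it (the `CSK DNSKEY = … ; ( ALGNAME )` layout is an assumption about that output; plain `owner IN DNSKEY …` records work too), computes the key tag and the SHA-256 DS record per RFC 4034, and compares them with a DS as returned by `dig diederik.nl DS` or `dig +short diederik.nl DS`. The key bytes in the sample are a constructed placeholder, not a real P-256 key.

```python
# Added example: key tag (RFC 4034 Appendix B) and SHA-256 DS (RFC 4034 s5.1.4)
# for a DNSKEY, to cross-check pdnsutil show-zone against the DS at the parent.
# Not code from the original post or from PowerDNS.
import base64
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form: lower-case, uncompressed, root label last."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(line: str):
    """Parse a presentation-format DNSKEY into (owner, flags, algorithm, rdata).

    Handles 'owner [TTL] [IN] DNSKEY flags proto alg key' and, by assumption about
    pdnsutil show-zone output, 'CSK DNSKEY = owner IN DNSKEY ... ; ( ALGNAME )':
    the '... = ' prefix and the ';' comment are stripped, '(' ')' are ignored.
    """
    record = line.split(";", 1)[0]
    if " = " in record:
        record = record.split(" = ", 1)[1]
    tokens = record.replace("(", " ").replace(")", " ").split()
    i = tokens.index("DNSKEY")
    owner = tokens[0]
    flags, proto, alg = (int(t) for t in tokens[i + 1:i + 4])
    pubkey = base64.b64decode("".join(tokens[i + 4:]))
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey  # wire-format RDATA
    return owner, flags, alg, rdata


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (valid for all algorithms but 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, alg: int, rdata: bytes) -> str:
    """DS with digest type 2: SHA-256 over canonical owner name || DNSKEY RDATA."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return f"{owner} IN DS {key_tag(rdata)} {alg} 2 {digest}"


def ds_for_dnskey(line: str) -> str:
    """The DS to hand to the registrar; refuses keys without the SEP (KSK) bit."""
    owner, flags, alg, rdata = parse_dnskey(line)
    if flags & 1 == 0:
        raise ValueError(f"flags {flags}: SEP bit clear, this is a ZSK and needs no DS")
    if alg == 13 and len(rdata) - 4 != 64:
        raise ValueError("ECDSAP256SHA256 public key must be 64 bytes (x || y)")
    return ds_record(owner, alg, rdata)


def ds_matches(dnskey_line: str, published_ds: str) -> bool:
    """True if a DS as printed by dig (with or without +short) is the SHA-256 DS
    of this DNSKEY: compares tag, algorithm, digest type and digest."""
    want = ds_for_dnskey(dnskey_line).split()[-4:]
    have = published_ds.split(";", 1)[0].split()
    j = have.index("DS") + 1 if "DS" in have else 0   # 'dig +short' has no DS token
    have = have[j:j + 3] + ["".join(have[j + 3:])]     # digest may be space-split
    return [t.lower() for t in have] == [t.lower() for t in want]


# Constructed sample input (placeholder key bytes, not a real key), shaped like a
# pdnsutil show-zone line and like a plain ZSK record.
SAMPLE_PUBKEY = bytes(range(64))
SAMPLE_DNSKEY = ("CSK DNSKEY = diederik.nl. IN DNSKEY 257 3 13 "
                 + base64.b64encode(SAMPLE_PUBKEY).decode() + " ; ( ECDSAP256SHA256 )")
SAMPLE_ZSK = ("diederik.nl. IN DNSKEY 256 3 8 "
              + base64.b64encode(b"\x03\x01\x00\x01" + bytes(128)).decode())

if __name__ == "__main__":
    ds = ds_for_dnskey(SAMPLE_DNSKEY)
    print(ds)                                   # key tag of the sample is 59409
    print(ds_matches(SAMPLE_DNSKEY, "diederik.nl. 3600 IN DS " + " ".join(ds.split()[-4:])))
```

Feed it the DNSKEY line for the 257 key from `pdnsutil show-zone diederik.nl` and the DS line from `dig diederik.nl DS`: the tag and digest must be identical to what show-zone itself prints for the key and to what the parent serves. A different tag or digest at the parent means the registrar entry is wrong or has not been published yet, and internet.nl will report a broken chain.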

If this ‘guide’ was any good for you, please drop me a line! It is much appreciated!

