Categories
Network

DNSSEC with named

Faster entropy

after haveged is installed /proc/sys/kernel/random/entropy_avail should return something above 1000.

yum install -y epel-release
yum install -y rng-tools haveged
systemctl enable haveged.service
systemctl start haveged.service
systemctl status haveged.service
cat /proc/sys/kernel/random/entropy_avail
cat /dev/random | rngtest -c 1000

Source: NixCraft

Create directory for Keys

mkdir /var/named/keys/
chown root:named  /var/named/keys/
chmod u=rwx,g=rx,o=  /var/named/keys/
cd /var/named/keys/

Create a Zone Signing Key(ZSK)

cd /var/named/keys/
dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE petabyte.se

Source: Digitalocean

Create a Key Signing Key(KSK)

cd /var/named/keys/
dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE petabyte.se

What is ZSK / KSK

See Clouadflare Article

Add public ZSK and KSK to zone file.

add path to keys to the end of your zonefile.

echo "\$INCLUDE keys/Kpetabyte.se.+007+42528.key" >> se.petabyte echo "\$INCLUDE keys/Kpetabyte.se.+007+55208.key" >> se.petabyte

Sign zonefile

dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o petabyte.se -t se.petabyte