DFRI DNS

We have been using Knot since 2016-05-14.

Knot

Example: adding host newhost.dfri.se with last octet 47:

knotc zone-begin 193.25.171.in-addr.arpa
knotc zone-set 193.25.171.in-addr.arpa 47 86400 PTR newhost.dfri.se.
knotc zone-commit 193.25.171.in-addr.arpa

knotc zone-begin c.9.8.2.c.7.6.0.1.0.0.2.ip6.arpa
knotc zone-set c.9.8.2.c.7.6.0.1.0.0.2.ip6.arpa 7.4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 86400 PTR newhost.dfri.se.
knotc zone-commit c.9.8.2.c.7.6.0.1.0.0.2.ip6.arpa

knotc zone-begin dfri.se    # For SSHFP records, see below
knotc zone-set dfri.se newhost 86400 A 171.25.193.77
knotc zone-set dfri.se newhost 86400 AAAA 2001:67c:289c:0::47
knotc zone-set dfri.se newhost 86400 SSHFP 1 2 ...
knotc zone-commit dfri.se
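The reverse-zone owner names above (the bare "47" and the 20-nibble ip6.arpa label) are easy to get wrong by hand. The following is an added example, not part of this page or of Knot: it derives those owner names from the addresses with the standard-library ipaddress module, checks that each address really falls inside the reverse zone, and prints the same knotc sequence as a dry run (pass --apply on the Knot host to execute it; on a failed step it issues knotc zone-abort so no open transaction is left behind). The sample values follow the newhost example, using .47 for the A record to match the PTR and AAAA records.

```python
# Added example, not part of the DFRI page: derive reverse-zone owner labels for a
# new host from its addresses and print (or, with --apply, run) the knotc commands
# from the procedure above. Zone names and addresses are parameters; the sample
# values in main() follow the page's newhost example.
import ipaddress
import subprocess
import sys

TTL = 86400  # TTL used for every record in the page's example


def reverse_owner(addr: str, rev_zone: str) -> str:
    """Owner name of addr relative to rev_zone: "47" for 171.25.193.47 in
    193.25.171.in-addr.arpa, or the 20 leading nibble labels for an IPv6
    address in a /48 ip6.arpa zone. Raises ValueError if addr is outside rev_zone."""
    ptr = ipaddress.ip_address(addr).reverse_pointer
    suffix = "." + rev_zone.rstrip(".")
    if not ptr.endswith(suffix):
        raise ValueError(f"{addr} ({ptr}) is not inside reverse zone {rev_zone}")
    return ptr[: -len(suffix)]


def knotc_commands(host: str, fwd_zone: str, ipv4: str, rev4_zone: str,
                   ipv6: str, rev6_zone: str) -> list:
    """The zone-begin / zone-set / zone-commit sequence for PTR, A and AAAA records."""
    fqdn = f"{host}.{fwd_zone}."
    ipv4 = str(ipaddress.IPv4Address(ipv4))
    ipv6 = str(ipaddress.IPv6Address(ipv6))  # canonical form, e.g. 2001:67c:289c::47
    cmds = []
    for addr, zone in ((ipv4, rev4_zone), (ipv6, rev6_zone)):
        owner = reverse_owner(addr, zone)
        cmds += [f"knotc zone-begin {zone}",
                 f"knotc zone-set {zone} {owner} {TTL} PTR {fqdn}",
                 f"knotc zone-commit {zone}"]
    cmds += [f"knotc zone-begin {fwd_zone}",
             f"knotc zone-set {fwd_zone} {host} {TTL} A {ipv4}",
             f"knotc zone-set {fwd_zone} {host} {TTL} AAAA {ipv6}",
             f"knotc zone-commit {fwd_zone}"]
    return cmds


if __name__ == "__main__":
    # Dry run by default; --apply executes each command on the Knot host.
    commands = knotc_commands("newhost", "dfri.se",
                              "171.25.193.47", "193.25.171.in-addr.arpa",
                              "2001:67c:289c:0::47", "c.9.8.2.c.7.6.0.1.0.0.2.ip6.arpa")
    for cmd in commands:
        print(cmd)
        if "--apply" in sys.argv[1:]:
            try:
                subprocess.run(cmd.split(), check=True)
            except subprocess.CalledProcessError:
                # Do not leave a half-edited zone transaction open.
                subprocess.run(["knotc", "zone-abort", cmd.split()[2]], check=False)
                raise
```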

DNSSEC

Knot deals with DNSSEC itself; nothing needs to be done when, for example, adding a record to a zone.

TODO: Describe how to add a domain. TODO: Describe how to roll keys.

policy and keys

[root@ns ~]# knotc conf-read policy
policy.id = dfri
policy[dfri].keystore = dfri
policy[dfri].algorithm = rsasha256
policy[dfri].ksk-size = 2048
policy[dfri].zsk-size = 2048
policy[dfri].zsk-lifetime = 2592000
policy[dfri].ksk-lifetime = 0
policy[dfri].propagation-delay = 86400
policy[dfri].rrsig-lifetime = 1209600
policy[dfri].rrsig-refresh = 604800

[root@ns ~]# keymgr dfri.se list iso
2df2aa8090d62ded0b3de721700b18750daf04ab ksk=no  zsk=yes tag=26170 algorithm=8 public-only=no  created=2018-10-22T16:15:57 pre-active=1970-01-01T00:00:00 publish=2018-10-22T16:15:57 ready=1970-01-01T00:00:00 active=2018-10-22T17:15:57 retire-active=1970-01-01T00:00:00 retire=1970-01-01T00:00:00 post-active=1970-01-01T00:00:00 remove=1970-01-01T00:00:00
57d458877bd6eb1b5991af4d715cb69e8f3a107a ksk=yes zsk=no tag=62537 algorithm=8 public-only=no  created=2018-05-25T12:15:56 pre-active=1970-01-01T00:00:00 publish=2018-05-25T12:15:56 ready=2018-05-25T12:15:56 active=2018-05-28T07:58:31 retire-active=1970-01-01T00:00:00 retire=1970-01-01T00:00:00 post-active=1970-01-01T00:00:00 remove=1970-01-01T00:00:00
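Reading the two listings above by eye is error-prone: 1970-01-01T00:00:00 means "not set", and the policy timers only make sense relative to each other. The following is an added example, not part of this page or of Knot: it parses the conf-read and keymgr output shown above (embedded as sample input), applies a few timer sanity checks that are my own rules of thumb rather than anything Knot enforces, and computes when the ZSK is due to roll, taking zsk-lifetime as the period from ZSK activation to the next rollover (Knot's documented meaning).

```python
# Added example, not part of the DFRI page: parse "knotc conf-read policy" and
# "keymgr <zone> list iso" output, sanity-check the signing timers (my rules of
# thumb, not Knot's own validation) and compute the ZSK rollover date.
from __future__ import annotations

import re
from datetime import datetime, timedelta

UNSET = datetime(1970, 1, 1)  # keymgr prints the epoch for timestamps that are not set

# Sample input copied from the page's output.
POLICY_TEXT = """\
policy.id = dfri
policy[dfri].keystore = dfri
policy[dfri].algorithm = rsasha256
policy[dfri].ksk-size = 2048
policy[dfri].zsk-size = 2048
policy[dfri].zsk-lifetime = 2592000
policy[dfri].ksk-lifetime = 0
policy[dfri].propagation-delay = 86400
policy[dfri].rrsig-lifetime = 1209600
policy[dfri].rrsig-refresh = 604800
"""
KEYS_TEXT = """\
2df2aa8090d62ded0b3de721700b18750daf04ab ksk=no  zsk=yes tag=26170 algorithm=8 public-only=no  created=2018-10-22T16:15:57 pre-active=1970-01-01T00:00:00 publish=2018-10-22T16:15:57 ready=1970-01-01T00:00:00 active=2018-10-22T17:15:57 retire-active=1970-01-01T00:00:00 retire=1970-01-01T00:00:00 post-active=1970-01-01T00:00:00 remove=1970-01-01T00:00:00
57d458877bd6eb1b5991af4d715cb69e8f3a107a ksk=yes zsk=no tag=62537 algorithm=8 public-only=no  created=2018-05-25T12:15:56 pre-active=1970-01-01T00:00:00 publish=2018-05-25T12:15:56 ready=2018-05-25T12:15:56 active=2018-05-28T07:58:31 retire-active=1970-01-01T00:00:00 retire=1970-01-01T00:00:00 post-active=1970-01-01T00:00:00 remove=1970-01-01T00:00:00
"""


def parse_policy(text: str, policy_id: str) -> dict:
    """{"keystore": "dfri", "ksk-size": 2048, ...} for one policy id; numbers become ints."""
    pat = re.compile(r"^policy\[([^\]]+)\]\.([\w-]+)\s*=\s*(\S+)$")
    out = {}
    for line in text.splitlines():
        m = pat.match(line.strip())
        if m and m.group(1) == policy_id:
            val = m.group(3)
            out[m.group(2)] = int(val) if val.isdigit() else val
    return out


def parse_keys(text: str) -> list[dict]:
    """One dict per key: yes/no fields become bools, epoch timestamps become None."""
    keys = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        key = {"keyid": fields[0]}
        for field in fields[1:]:
            name, _, val = field.partition("=")
            if name in ("ksk", "zsk", "public-only"):
                key[name] = val == "yes"
            elif name in ("tag", "algorithm"):
                key[name] = int(val)
            else:
                ts = datetime.strptime(val, "%Y-%m-%dT%H:%M:%S")
                key[name] = None if ts == UNSET else ts
        keys.append(key)
    return keys


def check_policy(p: dict) -> list[str]:
    """Timer sanity checks; these are rules of thumb, not Knot's own rules."""
    notes = []
    if p["rrsig-refresh"] >= p["rrsig-lifetime"]:
        notes.append("rrsig-refresh must be shorter than rrsig-lifetime")
    if p["rrsig-lifetime"] - p["rrsig-refresh"] < p["propagation-delay"]:
        notes.append("re-signing window is shorter than propagation-delay")
    if p["zsk-lifetime"] and p["zsk-lifetime"] < 3 * p["propagation-delay"]:
        notes.append("zsk-lifetime is short compared with propagation-delay")
    if p["ksk-lifetime"] == 0:
        notes.append("ksk-lifetime=0: KSK rollover is manual")
    return notes


def zsk_rollover_due(key: dict, p: dict):
    """When Knot starts rolling this ZSK: activation time plus zsk-lifetime (None for KSKs)."""
    if not key["zsk"] or key["active"] is None or not p["zsk-lifetime"]:
        return None
    return key["active"] + timedelta(seconds=p["zsk-lifetime"])


if __name__ == "__main__":
    policy = parse_policy(POLICY_TEXT, "dfri")
    for note in check_policy(policy):
        print("policy:", note)
    for key in parse_keys(KEYS_TEXT):
        role = "KSK" if key["ksk"] else "ZSK"
        print(f"{role} tag={key['tag']} active={key['active']} "
              f"retire={key['retire']} rollover-due={zsk_rollover_due(key, policy)}")
```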

old KASP stuff

[root@ns /var/db/knot/kasp]# keymgr -l policy show dfri
manual control: false
keystore: default
algorithm: 8
DNSKEY TTL: 1200
KSK key size: 2048
ZSK key size: 1024
ZSK lifetime: 2592000
RRSIG lifetime: 1209600
RRSIG refresh: 604800
NSEC3 enabled: false
NSEC3 iterations: 0
NSEC3 salt length: 0
NSEC3 salt lifetime: 0
SOA min TTL: 0
zone max TTL: 0
data propagation: 3600

      soa-min-ttl seconds
             SOA Minimum TTL field.  Note, Knot DNS overwrites  the  value
             with the real used value.

      zone-max-ttl seconds
             Max TTL in the zone.  Note, Knot DNS will determine the value
             automatically in the future.

      delay seconds
             Zone signing and data propagation delay. The value  is  added
             for safety to timing of all rollover steps.

[root@ns /var/db/knot/kasp]# keymgr -l policy set dfri zone-max-ttl 86400
...
[root@ns /var/db/knot/kasp]# keymgr -l policy set dfri soa-min-ttl 3600
manual control: false
keystore: default
algorithm: 8
DNSKEY TTL: 1200
KSK key size: 2048
ZSK key size: 1024
ZSK lifetime: 2592000
RRSIG lifetime: 1209600
RRSIG refresh: 604800
NSEC3 enabled: false
NSEC3 iterations: 0
NSEC3 salt length: 0
NSEC3 salt lifetime: 0
SOA min TTL: 3600
zone max TTL: 86400
data propagation: 3600


DANE

TLSA-records

[root@len ~]# echo "_443._tcp.dfri.se. IN TLSA 3 0 1" $(openssl x509 -in /usr/local/etc/lighttpd/certs/dfri.se.pem -fingerprint -sha256 -noout | cut -d= -f 2 | tr -d : )
_443._tcp.dfri.se. IN TLSA 3 0 1 169E39991E6DF5B306C04341E16A945CA41B235CC024ADDD18A9460C17D43D6B

knotc zone-begin dfri.se
knotc zone-unset dfri.se _443._tcp
knotc zone-set dfri.se _443._tcp 86400 TLSA 3 0 1 169E39991E6DF5B306C04341E16A945CA41B235CC024ADDD18A9460C17D43D6B
knotc zone-diff dfri.se
knotc zone-commit dfri.se
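The openssl one-liner above hashes the DER form of the certificate (usage 3, selector 0, matching type 1). The following is an added example, not part of this page: it computes the same "3 0 1" rdata with the Python standard library, emits the same unset-then-set knotc sequence, and checks a published record against a certificate, which is the test to run after a certificate renewal. The sample PEM is constructed: its body decodes to the bytes "abc", not to a real certificate, so its digest is simply SHA-256("abc"); point the script at a real PEM file to get a usable record.

```python
# Added example, not part of the DFRI page: build and verify a "3 0 1" TLSA record
# for a PEM certificate using only the standard library. SAMPLE_PEM is constructed
# (its body decodes to b"abc"), not a real certificate.
import base64
import hashlib
import hmac
import re
import sys

SAMPLE_PEM = """\
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""


def der_from_pem(pem: str) -> bytes:
    """DER bytes of the first CERTIFICATE block; this is what openssl -fingerprint hashes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def tlsa_301(der: bytes) -> str:
    """rdata for usage 3 (DANE-EE), selector 0 (full certificate), matching type 1 (SHA-256)."""
    return "3 0 1 " + hashlib.sha256(der).hexdigest().upper()


def tlsa_record(zone: str, der: bytes, port: int = 443, proto: str = "tcp", ttl: int = 86400) -> str:
    """Zone-file presentation of the record, as the page's echo line prints it."""
    return f"_{port}._{proto}.{zone}. {ttl} IN TLSA {tlsa_301(der)}"


def knotc_tlsa_commands(zone: str, der: bytes, port: int = 443, proto: str = "tcp", ttl: int = 86400) -> list:
    """Same sequence as the page: unset the old rdata first so a renewed
    certificate does not leave a stale TLSA record behind, then diff and commit."""
    owner = f"_{port}._{proto}"
    return [f"knotc zone-begin {zone}",
            f"knotc zone-unset {zone} {owner}",
            f"knotc zone-set {zone} {owner} {ttl} TLSA {tlsa_301(der)}",
            f"knotc zone-diff {zone}",
            f"knotc zone-commit {zone}"]


def tlsa_matches(rdata: str, der: bytes) -> bool:
    """Does a published '3 0 1 <hex>' record match this certificate? Hex digits are
    case-insensitive in presentation format; other usage/selector/type combinations
    (e.g. selector 1, which hashes only the SubjectPublicKeyInfo) are rejected."""
    usage, selector, mtype, digest = rdata.split()
    if (usage, selector, mtype) != ("3", "0", "1"):
        raise ValueError("only usage 3 / selector 0 / matching type 1 is handled here")
    return hmac.compare_digest(digest.lower(), hashlib.sha256(der).hexdigest())


if __name__ == "__main__":
    # Usage: python tlsa.py [/path/to/cert.pem]; without a path the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            der = der_from_pem(fh.read())
    else:
        der = der_from_pem(SAMPLE_PEM)
    print(tlsa_record("dfri.se", der))
    for cmd in knotc_tlsa_commands("dfri.se", der):
        print(cmd)
```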

SSHFP-records

Publish the following RRs in a (DNSSEC-signed!) zone. Algorithms RSA (1), ECDSA (3) and Ed25519 (4), with hash type SHA-256 (2):

ssh-keygen -r "$(hostname)." | grep -E 'SSHFP [134] 2' | while read -r name in type n1 n2 fpr; do echo "$name 1h SSHFP $n1 $n2 $fpr"; done
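The pipeline above relies on ssh-keygen to produce the fingerprints. The following is an added example, not part of this page or of OpenSSH: it computes the same SSHFP rdata directly from OpenSSH public-key lines (SHA-256 over the base64-decoded key blob, RFC 4255 style), keeps only the algorithms the page publishes (RSA, ECDSA, Ed25519 with hash type 2), and refuses a line whose type prefix does not agree with the encoded blob. The sample key lines are constructed with the correct wire shape but dummy key material, so they are not real keys.

```python
# Added example, not part of the DFRI page: compute SSHFP (hash type 2, SHA-256)
# records from OpenSSH public-key lines and keep the algorithms the page publishes.
# The sample key blobs are constructed with dummy key material.
import base64
import hashlib
import struct

# SSHFP algorithm numbers keyed by the OpenSSH key-type string.
SSHFP_ALG = {
    "ssh-rsa": 1, "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
WANTED_ALGS = {1, 3, 4}  # RSA, ECDSA, Ed25519, as in the page's grep pattern
SHA256 = 2               # SSHFP fingerprint type


def ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def sha256_hex(b: bytes) -> str:
    return hashlib.sha256(b).hexdigest()


# Constructed samples: correct blob layout (type string first), dummy key bytes.
SAMPLE_ED25519_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_ED25519_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_ED25519_BLOB).decode() + " newhost"
SAMPLE_DSS_BLOB = ssh_string(b"ssh-dss") + ssh_string(bytes(range(64)))
SAMPLE_DSS_LINE = "ssh-dss " + base64.b64encode(SAMPLE_DSS_BLOB).decode() + " newhost"


def sshfp_from_pubkey_line(line: str):
    """(algorithm, fingerprint type, hex fingerprint) for one 'type base64 [comment]' line."""
    keytype, b64 = line.split()[:2]
    if keytype not in SSHFP_ALG:
        raise ValueError(f"unsupported key type {keytype}")
    blob = base64.b64decode(b64)
    # The blob itself starts with the key type; a mismatch means a mangled or spliced line.
    if not blob.startswith(ssh_string(keytype.encode())):
        raise ValueError("key type prefix does not match the encoded key blob")
    return SSHFP_ALG[keytype], SHA256, sha256_hex(blob)


def sshfp_records(hostname: str, pubkey_lines, ttl: str = "1h") -> list:
    """Zone-file lines for the wanted algorithms; comments, blanks and other algorithms are skipped."""
    out = []
    for line in pubkey_lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        alg, fptype, fpr = sshfp_from_pubkey_line(line)
        if alg in WANTED_ALGS:
            out.append(f"{hostname}. {ttl} SSHFP {alg} {fptype} {fpr}")
    return out


if __name__ == "__main__":
    # On a real host, feed it the contents of /etc/ssh/ssh_host_*_key.pub instead.
    for rec in sshfp_records("newhost.dfri.se", [SAMPLE_ED25519_LINE, SAMPLE_DSS_LINE, "# comment"]):
        print(rec)
```

Compare the printed lines with ssh-keygen -r output on the same host before publishing; both must agree, since resolvers that use SSHFP (ssh -o VerifyHostKeyDNS=yes) will trust whatever the signed zone says.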

TSIG for zone transfer

FIXME: use keymgr -t instead

dnssec-keygen -a hmac-sha256 -b 256 -n HOST ns.dfri.se-ns.adb-centralen.se