DFRI DNS

We have been using Knot since 2016-05-14.

Knot

Example, adding a host:

ns.dfri.se# emacs /var/db/knot/193.25.171.in-addr.arpa.zone          # add PTR
ns.dfri.se# emacs /var/db/knot/c.9.8.2.c.7.6.0.1.0.0.2.ip6.arpa.zone # add PTR
ns.dfri.se# emacs /var/db/knot/dfri.se.zone    # add A, AAAA and SSHFP (below)
ns.dfri.se# knotc zone-reload dfri.se 193.25.171.in-addr.arpa c.9.8.2.c.7.6.0.1.0.0.2.ip6.arpa 
OK

DNSSEC

Knot handles DNSSEC signing itself, so nothing extra needs to be done when, for example, adding a host.

TODO: Describe how to add a domain.
TODO: Describe how to roll keys.

DANE

TLSA records

[root@len ~]# echo "_443._tcp.dfri.se. IN TLSA 3 0 1" $(openssl x509 -in /usr/local/etc/lighttpd/certs/dfri.se.pem -fingerprint -sha256 -noout | cut -d= -f 2 | tr -d : )
_443._tcp.dfri.se. IN TLSA 3 0 1 169E39991E6DF5B306C04341E16A945CA41B235CC024ADDD18A9460C17D43D6B

knotc zone-begin dfri.se
knotc zone-unset dfri.se _443._tcp
knotc zone-set dfri.se _443._tcp 86400 TLSA 3 0 1 169E39991E6DF5B306C04341E16A945CA41B235CC024ADDD18A9460C17D43D6B
knotc zone-diff dfri.se
knotc zone-commit dfri.se

SSHFP records

ssh-keygen -r $(hostname). | egrep 'SSHFP [134] 2'
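The TLSA and SSHFP commands above both reduce to the same operation: base64-decode the object (the DER certificate inside the PEM, or the OpenSSH key blob) and hash it with SHA-256. The added example below (not part of these notes) reproduces that in Python so the published record can be checked against the certificate actually served, which matters because a "3 0 1" record (DANE-EE, full certificate, SHA-256) stops matching the moment the certificate is renewed. The PEM body and ed25519 key line it uses are constructed placeholders, not real certificate or key material.

```python
import base64
import hashlib
import re
import struct

# TLSA parameters used on this page: usage 3 = DANE-EE, selector 0 = full cert, matching 1 = SHA-256
TLSA_USAGE, TLSA_SELECTOR, TLSA_MATCHING = 3, 0, 1
# SSHFP algorithm numbers matched by the 'SSHFP [134] 2' grep; fingerprint type 2 = SHA-256
SSHFP_ALGORITHMS = {"ssh-rsa": 1, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block (what 'openssl x509 -fingerprint' hashes)."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block in PEM input")
    return base64.b64decode("".join(m.group(1).split()))


def tlsa_rdata(pem: str) -> str:
    """RDATA for a '3 0 1' TLSA record: SHA-256 of the full DER certificate as upper-case hex."""
    digest = hashlib.sha256(pem_to_der(pem)).hexdigest().upper()
    return f"{TLSA_USAGE} {TLSA_SELECTOR} {TLSA_MATCHING} {digest}"


def tlsa_matches(published_rdata: str, pem: str) -> bool:
    """Check a published TLSA record against the served certificate (run this after every renewal)."""
    fields = published_rdata.split()
    try:
        params = tuple(int(f) for f in fields[:3])
    except ValueError:
        return False
    if len(fields) != 4 or params != (TLSA_USAGE, TLSA_SELECTOR, TLSA_MATCHING):
        return False  # only the 3 0 1 form used in these notes is handled
    return fields[3].upper() == tlsa_rdata(pem).split()[3]


def sshfp_rdata(pubkey_line: str) -> str:
    """RDATA as 'ssh-keygen -r' prints it for type 2: '<alg> 2 <sha256 of key blob, lower-case hex>'."""
    keytype, b64 = pubkey_line.split()[:2]
    return f"{SSHFP_ALGORITHMS[keytype]} 2 {hashlib.sha256(base64.b64decode(b64)).hexdigest()}"


# Constructed sample inputs: a PEM wrapper around placeholder bytes, and an ssh-ed25519 public key
# line whose 32-byte key is just 0x00..0x1f. Neither is real certificate or key material.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"constructed DER placeholder").decode()
              + "\n-----END CERTIFICATE-----\n")
_blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
SAMPLE_KEY_LINE = "ssh-ed25519 " + base64.b64encode(_blob).decode() + " constructed@example"

if __name__ == "__main__":
    print("_443._tcp.dfri.se. IN TLSA", tlsa_rdata(SAMPLE_PEM))
    print("ns.dfri.se. IN SSHFP", sshfp_rdata(SAMPLE_KEY_LINE))
```

Feed `tlsa_matches` the RDATA from `dig TLSA _443._tcp.dfri.se` and the PEM the web server is configured with; a False result means the record was not updated after a renewal.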

TSIG for zone transfer

dnssec-keygen -a hmac-sha256 -b 256 -n HOST ns.dfri.se-ns.adb-centralen.se