DNSSEC sign DNS zones in one command. DNSSEC-ninja!
root e9197fae6c Removed config again; got to messy. Possibly write these as a collectiong later | 7 yıl önce | |
---|---|---|
.gitignore | 7 yıl önce | |
LICENSE | 7 yıl önce | |
README.md | 7 yıl önce | |
dnssec-signer | 7 yıl önce |
DNSSEC sign DNS zone(s) in one command. DNSSEC-ninja!
This script follows a special kind of structure, to more easily understand where to look up and read DNS zones, e.g:
/path/to/zones/<domain.tld>/
The zone file, without any DNSSEC entries, must be called db
and be placed in the root of the folder <domain.tld>/
.
Personally this is an easier folder-structure to look-up and read when I'm working on a server, and the reason why I decided to have it like this.
Clone this repository ```bash git clone giaever@git.giaever.org:joachimmg/dnssec-signer.git && cd "dnssec-signer"
2. Make `dnssec-signer` executable ```bash
chmod +x dnssec-signer
Edit dnssec-signer
and alter the configuration section:
/etc/bind/named.conf.local
): The named
-file with the zones you're authoritative for. This file is used to only sign active zones when arguments aren't given when executing the script. Typically used when running the script as a deamon./etc/bind/zones
): The zones
-folder (see: Requirements) where you store your zones./usr/sbin/named-checkzone
): Where the application named-checkzone
is located on in your OS./usr/sbin/named-checkconf
): Where the application named-checkconf
is located on in your OS./usr/sbin/dnssec-keygen
): Where the application dnssec-keygen
is located on in your OS./usr/sbin/dnssec-signzone
): Where the application dnssec-signzone
is located on in your OS./bin/systemctl
): Where the application systemctl
is located on in your OS.bind.service
): Which DNS service you're using and that systemctl
will have to restart./usr/bin/logger
): Which logger application you will use and where it reside in your OS.-t "<username>" -p daemon.info
): Flags you want to pass to the logger
when logging successful messages.-t "<username>" -p daemon.err
): Flags you want to pass to the logger
when logging error messages.If you like, you can link the file to a bin
-directory, to globally access the script from any working directory.
ln -s /not/a/relative/path/to/dnssec-signer /usr/bin/
A signed zone will be stored in a file called db.signed
and is the one you have to refer to (or change) in the named
-file. This is something you only need to do once, after you signed the zone.
Please dont delete the db
-file!
db.signed
) and sign the zone again afterwards, which will generate a new db.signed
-file for you. It's more or less impossible to do changes in the signed file.db
-file and generate a new db.signed
-file.Please don't delete the KEYS! They are stored in the <domain.tld>/
-directory, and they should be kept there for resigning.
The first time a zone is signed there is generated a file called dsset-<domain.tld>
. To gain the chain of trust
you must add these keys, in the dsset
-file, with your registrar.
./dnssec-signer <zone>
./dnssec-signer <zone> <zone> ... <zone>
Note: This won't require the zone(s) to be in the named
-file
./dnssec-signer
Note: This will check that that zones is in your named
-file before processing it, as
this is typically used in a cron-job to update the hash for the zone.
Edit crontab for the root
sudo crontab -e
and add the following
0 0 */3 * * /path/to/dnssec-signer
This updates active zones every 3
'rd day. Append > /var/log/dnssec-signer
to store the last output log. Then you can open this and read the last result. There's also a timestamp produced at the start if you're wondering what time it updated the zone.
This is only tested under Bind9 on Ubuntu 16.04.03