You are here

November 2014

Umstellung auf HTTPS

Nach der Unterstützung von DNSSEC und DANE habe ich nun auch das Blog auf HTTPS und somit auf eine sichere Verbindung umgestellt. Allerdings ist das verwendete SSL-Zertifikat selbst signiert und wird vom Browser nicht selbständig als vertrauenswürdig eingestuft. Die Fingerprints des SSL-Zertifikats sind wie folgt: 

  • SHA1: 1D:46:30:94:1A:3E:8C:70:F5:9F:23:78:DE:62:17:EE:15:3E:C9:AC
  • SHA-256: F8:65:DC:2C:B1:B1:CB:B7:A6:B8:82:AB:E6:3C:CD:2D:C6:A7:51:79:A7:32:97:BA:97:5F:7D:5C:16:8F:C6:CF

Wenn ihr in eurem Browser einen DNSSEC-Validator als Addon installiert habt, solltet ihr die Korrektheit des SSL-Zertifikats auch über diesen Weg kontrollieren können.


Bind9 vs. PowerDNS - part 2

Two weeks ago I wrote about implementing DNSSEC with Bind9 or PowerDNS and asked for opinions, because Bind9 appeared to me to be too complex to set it up with regular key signing and such and PowerDNS seemed to me to be nice and easy, but some kind of black box where I don't now what's happening.

I think I've now found the best and most suitable way for me to deal with DNSSEC. Or in short words: Bind9 won!

It won because of its inline-signing config option that you can use in bind9.9, which happens to be in backports. Another tip I can give due to my findings on the web: if you plan to implement DNSSEC with Bind9, do NOT! search for "bind dnssec" on the web. This will only bring up old HowTos and manuals which leaves you with the burden of manually update your keys. Just add the magic word "inline-signing" to your search phrase and you'll find proper results like the one from Michael McNally on a subpage of In-line Signing With NSEC3 in BIND 9.9+ -- A Walk-through. It's a fairly good starting point, but still left me with several manual steps to do to get a DNSSEC-signed zone. 

I'm quite a lazy guy when it comes down to manual steps that needs to get executed repeatedly, as many others in IT as well, I think. So I wrote some sort of small wrapper script to do the necessary steps of creating the keys, adding the necessary config options to your named.conf.local, enabling nsec3params, add the DS records to your zone file and displaying the DNSKEY to you, so that you just need to upload it to your registrar.

One problem was still open: when doing auto-signing/inline-signing with bind9, you are left with your plain text zone file whereas your signed zone file will keep to increase the serial with each key rollover. When changing your plain text zone file by adding, changing or removing RRs of that domain, you'll be left with the manual task of finding out was your actual serial is that is currently used, because it's not your serial +1 from your plain text zone file anymore. This is of course an awkward part I wanted to get rid off. And therefor my script includes an option to edit zone files with your favorite editor, increase the serial automatically by determing the currently highest number, either on disk or in DNS and raising this serial by 1. Finally the zone is automatically reloaded by rndc.

That way I now have the same comfort as in PowerDNS with Bind9, but also know what's going on, because it's not a black box anymore. Me happy. :-)

P.S.: I don't know whether this script is of interest to other users, because it relies heavily on my own setting, e.g. paths and such. But if there's interest, just ask...

P.P.S.: Well, I think it's better when you can decide yourself if my script is of interest to you... please find it attached...

AttachmentSize KB

Theme by Danetsoft and Danang Probo Sayekti inspired by Maksimer