~mcf/dnssec-rr

43f766ac33a45e3dc72608b6832c67cd2db120ae — Michael Forney 6 months ago 75dc167
README updates
1 files changed, 31 insertions(+), 25 deletions(-)

M README.md
M README.md => README.md +31 -25
@@ 22,10 22,12 @@ You can also use `-gen rsa[:size]` to generate RSA keys.
Let's say we have a complete zone file `example.com.zone`:

```
example.com.		86400	IN	SOA	ns1.example.com. root.example.com. 2020040900 7200 900 1209600 1200
example.com.		86400	IN	NS	ns1.example.com.
example.com.		86400	IN	A	1.2.3.4
ns1.example.com.	86400	IN	A	1.2.3.4
$ORIGIN example.com.
$TTL	86400
@	IN	SOA	ns1.example.com. root.example.com. 2020040900 7200 900 1209600 1200
		NS	ns1.example.com.
		A	1.2.3.4
ns1		A	1.2.3.4
```

You can sign it with two keys, `ksk-example.com.pem` and


@@ 33,20 35,22 @@ You can sign it with two keys, `ksk-example.com.pem` and

```
$ cp example.com.zone example.com.zone.signed
$ dnskey -k example.com. ksk-example.com.pem >> example.com.zone.signed
$ dnskey example.com. zsk-example.com.pem >> example.com.zone.signed
$ nsec < example.com.zone.signed >> example.com.zone.signed
$ rrsig -k ksk-example.com.pem < example.com.zone.signed >> example.com.zone.signed
$ rrsig -z zsk-example.com.pem < example.com.zone.signed >> example.com.zone.signed
$ { dnskey -k example.com. ksk-example.com.pem
    dnskey example.com. zsk-example.com.pem
    nsec example.com.zone.signed
    rrsig -k ksk-example.com.pem example.com.zone.signed
    rrsig -z zsk-example.com.pem example.com.zone.signed
  } >> example.com.zone.signed
```

Alternatively, you can sign it with a single key, `csk-example.com.pem`:

```
$ cp example.com.zone example.com.zone.signed
$ dnskey -k example.com. csk-example.com.pem >> example.com.zone.signed
$ nsec < example.com.zone.signed >> example.com.zone.signed
$ rrsig csk-example.com.pem < example.com.zone.signed >> example.com.zone.signed
$ { dnskey -k example.com. csk-example.com.pem
    nsec example.com.zone.signed
    rrsig csk-example.com.pem example.com.zone.signed
  } >> example.com.zone.signed
```

This may be wrapped up into a shell script at some point.


@@ 58,7 62,7 @@ for registrar configuration).

```
$ ds example.com. ksk.pem
example.com.    86400   IN      DS      5207 13 2 10a30f9f11818844a7df830b85e125c9868bd2917fb21907f7f3569bdf8934d7
example.com.    IN      DS      5207 13 2 10a30f9f11818844a7df830b85e125c9868bd2917fb21907f7f3569bdf8934d7
```

## dnskey


@@ 67,9 71,9 @@ This tool generates a `DNSKEY` record from a private key.

```
$ dnskey -k example.com. ksk.pem
example.com.    86400   IN      DNSKEY  257 3 13 0KcqMTP78j9XbR4FoglT9t03IIMtsRO321K01QlNAXuYmI/YlLU9elwEwYfAtPJ1GMCpXiJWrCd2Di1nATypCA==
example.com.    IN      DNSKEY  257 3 13 0KcqMTP78j9XbR4FoglT9t03IIMtsRO321K01QlNAXuYmI/YlLU9elwEwYfAtPJ1GMCpXiJWrCd2Di1nATypCA==
$ dnskey example.com. zsk.pem
example.com.    86400   IN      DNSKEY  256 3 13 FH+S2VOGBc7NAZU/1yL271VjUDzYEh3Ehv4Ii2GoFVTFwcHA/o3kdZS5N+l2CVK4N+6bqsiHwcqtmydSMVcziQ==
example.com.    IN      DNSKEY  256 3 13 FH+S2VOGBc7NAZU/1yL271VjUDzYEh3Ehv4Ii2GoFVTFwcHA/o3kdZS5N+l2CVK4N+6bqsiHwcqtmydSMVcziQ==
```

## nsec


@@ 78,10 82,11 @@ This tool generates `NSEC` records for a zone, linking the domain
names together.

```
$ { cat <<EOF; dnskey -k example.com. ksk.pem; dnskey example.com. zsk.pem; } | nsec
example.com.		86400	IN	SOA	ns1.example.com. root.example.com. 2020040900 7200 900 1209600 1200
abc.example.com.	86400	IN	A	1.2.3.4
def.example.com.	86400	IN	A	5.6.7.8
$ { cat <<'EOF'; dnskey -k example.com. ksk.pem; dnskey example.com. zsk.pem; } | nsec
$TTL 86400
example.com.		IN	SOA	ns1.example.com. root.example.com. 2020040900 7200 900 1209600 1200
abc.example.com.	IN	A	1.2.3.4
def.example.com.	IN	A	5.6.7.8
EOF
example.com.    1200    IN      NSEC    abc.example.com. SOA RRSIG NSEC DNSKEY
abc.example.com.        1200    IN      NSEC    def.example.com. A RRSIG NSEC


@@ 93,14 98,15 @@ def.example.com.        1200    IN      NSEC    example.com. A RRSIG NSEC
This tool signs the records in a zone, generating `RRSIG` records.

```
$ { cat <<EOF; dnskey -k example.com. ksk.pem; dnskey example.com. zsk.pem; } > example.com.zone
example.com.		86400	IN	SOA	ns1.example.com. root.example.com. 2020040900 7200 900 1209600 1200
abc.example.com.	86400	IN	A	1.2.3.4
def.example.com.	86400	IN	A	5.6.7.8
$ { cat <<'EOF'; dnskey -k example.com. ksk.pem; dnskey example.com. zsk.pem; } > example.com.zone
$TTL 86400
example.com.		IN	SOA	ns1.example.com. root.example.com. 2020040900 7200 900 1209600 1200
abc.example.com.	IN	A	1.2.3.4
def.example.com.	IN	A	5.6.7.8
EOF
$ rrsig -k ksk.pem < example.com.zone
$ rrsig -k ksk.pem example.com.zone
example.com.    86400   IN      RRSIG   DNSKEY 13 2 86400 20200510061125 20200410061125 5207 example.com. aM2PVY7JIgyVZIzE8J2c427ju3VRCPjdIeDwkCqa9ITI4n9WrCL50dLL5NC7E1vSERA6FUNybV0skjXoX6mLbA==
$ rrsig -z zsk.pem < example.com.zone
$ rrsig -z zsk.pem example.com.zone
example.com.    86400   IN      RRSIG   SOA 13 2 86400 20200510061143 20200410061143 28335 example.com. QR8IwdtcyApF13FP7dOpoQDOpcXasa2zBdlvLWl8X6j5d3COv13B/mV2/T5uPMIEFJEBvapIHsk0XUuHPzbe3g==
abc.example.com.        86400   IN      RRSIG   A 13 3 86400 20200510061143 20200410061143 28335 example.com. MaSqG7b1NBDDfNWWXHQ6mVdamT50jzIF8YZpbWZ38w4PfIvSBLrx1zW7NgxiUcTv/2DhGrhFfuZENF8Y07eNPw==
def.example.com.        86400   IN      RRSIG   A 13 3 86400 20200510061143 20200410061143 28335 example.com. Izl/hwxnmwtmYTDVXMJIhsCLQGM2Icdz54Ap5akxHrhooAsxG8rHz4HikAureBSTVm+gO3hZ2+Cx2w7sIBr4Og==