DNSSEC with bind 9(.11) on debian 10(.1)

Since I needed hours to configure DNSSEC (because of one little mistake), I made a short write-up here.

 

Configuration

# vi /etc/bind/named.conf.local
Add the following to the zone statement of your domain:
file "/var/lib/bind/example.com.zone.signed";
key-directory "/var/lib/bind/";
auto-dnssec maintain;
inline-signing yes;

# vi /etc/bind/named.conf.options
Add:
dnssec-enable yes;
dnssec-validation auto;
dnssec-lookaside auto;
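Assembled into the two files, the stanzas look like this. This is an added example, not the author's configuration: the zone name and the four zone options are the ones listed above, while `type master;` and the comment standing in for your other options are assumptions. BIND accepts `//` comments in named.conf.

```conf
// /etc/bind/named.conf.local
zone "example.com" {
    type master;                                    // assumption: this server is the primary for the zone
    file "/var/lib/bind/example.com.zone.signed";  // zone file in a directory bind may write to
    key-directory "/var/lib/bind/";                 // where the Kexample.com.*.key/.private files live
    auto-dnssec maintain;                           // bind keeps the signatures up to date itself
    inline-signing yes;                             // bind maintains the signed copy of the zone
};

// /etc/bind/named.conf.options
options {
    // ... your existing options (directory, listen-on, allow-query, ...) ...
    dnssec-enable yes;
    dnssec-validation auto;      // validate using the built-in root trust anchor
    dnssec-lookaside auto;       // DLV; the ISC DLV registry was retired in 2017, so this line no longer does anything
};
```

Check the result with `named-checkconf` before restarting; a stray character in either file keeps bind from starting at all.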

The keys

# cd /var/lib/bind/
(because the directory must be writable by bind, and /etc/bind/ shouldn't be)

create the zone signing key (zsk)
dnssec-keygen -a RSASHA256 -b 2048 example.com
create the key signing key (ksk)
dnssec-keygen -a RSASHA256 -b 4096 -f KSK example.com

change permissions and the owner
(all keys must be readable by bind)
# chmod 644 Kexample.com*.key
# chmod 600 Kexample.com*.private
# chown bind Kexample.com*

You now have four key files: one pair (.key and .private) each for the ZSK and the KSK. The public .key files contain the DNSKEY records and have to be added to the zone file; the following loop does this:
# for key in Kexample.com*.key
do
echo "\$INCLUDE $key" >> example.com.zone
done

Signing

Sign the zone:
# dnssec-signzone -A -3 $(head -c 1000 /dev/urandom | sha256sum | cut -b 1-16) -N INCREMENT -o example.com -t example.com.zone

Restart

# /etc/init.d/bind9 restart

Testing

# dig DNSKEY example.com. @localhost +multiline
If everything went right you should see the two keys. If not, something went wrong.

Some good DNSSEC testing sites:
https://dnssec-analyzer.verisignlabs.com/
http://dnsviz.net/
https://mxtoolbox.com/DNSKey.aspx

Registrar

When we ran the dnssec-signzone command, a file named dsset-example.com. was created alongside the .signed zone file; it contains the DS records.
# cat dsset-example.com.
Go to the registrar of your domain and enter those DS records.
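Two things are worth checking by hand before the DS records go to the registrar: that the dig output from the Testing step really shows one ZSK (flags 256) and one KSK (flags 257), and that the DS lines in the dsset- file are the digest of the KSK that is actually published (a stale dsset- file from an earlier signing run would otherwise break the chain of trust). The following Python script is an added example and not part of the original write-up: it parses `dig DNSKEY ... +multiline` output, counts keys by role, and recomputes the DS digest as RFC 4034 defines it (hash over the owner name in wire format followed by the DNSKEY RDATA) to compare against each DS line. The sample dig output and the dsset- lines are constructed, with a few placeholder bytes instead of real RSA keys; all function names are my own.

```python
import base64
import hashlib
import struct

# Constructed sample of `dig DNSKEY example.com. @localhost +multiline` output: one KSK
# (flags 257) and one ZSK (flags 256). The key bytes are placeholders, not real RSA keys.
SAMPLE_DNSKEY_OUTPUT = """\
;; ANSWER SECTION:
example.com.		3600 IN DNSKEY 257 3 8 (
				AQIDBA==
				) ; KSK; alg = RSASHA256 ; key id = 2063
example.com.		3600 IN DNSKEY 256 3 8 (
				BQYHCA==
				) ; ZSK; alg = RSASHA256 ; key id = 4118
"""
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types SHA-1 and SHA-256


def _tokens(line):
    """Split a zone-file style line, dropping ';' comments and the '(' ')' of multi-line records."""
    return line.split(";", 1)[0].replace("(", " ").replace(")", " ").split()


def parse_dnskeys(text):
    """DNSKEY records from dig output, with the base64 public key decoded to bytes."""
    keys, current = [], None
    for raw in text.splitlines():
        tokens = _tokens(raw)
        if "DNSKEY" in tokens:
            i = tokens.index("DNSKEY")
            current = {"owner": tokens[0], "flags": int(tokens[i + 1]), "protocol": int(tokens[i + 2]),
                       "algorithm": int(tokens[i + 3]), "b64": tokens[i + 4:]}
            keys.append(current)
        elif tokens and current is not None:
            current["b64"].extend(tokens)  # continuation line of the base64 key
    for key in keys:
        key["public_key"] = base64.b64decode("".join(key.pop("b64")))
    return keys


def wire_name(name):
    """Owner name in DNS wire format: length-prefixed, lower-cased labels, root label last."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(key):
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", key["flags"], key["protocol"], key["algorithm"]) + key["public_key"]


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSAMD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(key, digest_type=2):
    """DS fields for a DNSKEY: digest = hash(owner name | DNSKEY RDATA), RFC 4034 section 5.1.4."""
    rdata = dnskey_rdata(key)
    digest = DIGEST_TYPES[digest_type](wire_name(key["owner"]) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": key["algorithm"],
            "digest_type": digest_type, "digest": digest}


def parse_dsset(text):
    """DS records from a dsset- file (or from `dig DS` output)."""
    records = []
    for raw in text.splitlines():
        tokens = _tokens(raw)
        if "DS" in tokens:
            i = tokens.index("DS")
            records.append({"key_tag": int(tokens[i + 1]), "algorithm": int(tokens[i + 2]),
                            "digest_type": int(tokens[i + 3]), "digest": "".join(tokens[i + 4:]).upper()})
    return records


def key_roles(keys):
    """Count keys by role: bit 0x0100 marks a zone key, bit 0x0001 (SEP) marks it as a KSK."""
    zone_keys = [k for k in keys if k["flags"] & 0x0100]
    ksk = sum(1 for k in zone_keys if k["flags"] & 0x0001)
    return {"zsk": len(zone_keys) - ksk, "ksk": ksk}


def verify_dsset(dnskey_text, dsset_text):
    """Map each DS line (key tag, digest type) to True if a published KSK hashes to exactly it."""
    ksks = [k for k in parse_dnskeys(dnskey_text) if k["flags"] & 0x0001]
    result = {}
    for ds in parse_dsset(dsset_text):
        # an unknown digest type has no candidates and therefore never matches
        candidates = [ds_record(k, ds["digest_type"]) for k in ksks if ds["digest_type"] in DIGEST_TYPES]
        result[(ds["key_tag"], ds["digest_type"])] = ds in candidates
    return result


if __name__ == "__main__":
    keys = parse_dnskeys(SAMPLE_DNSKEY_OUTPUT)
    print("keys found:", key_roles(keys))
    ds = ds_record([k for k in keys if k["flags"] & 0x0001][0])
    # constructed dsset- file: the correct DS for the sample KSK plus a stale line from an old key
    dsset = "example.com.\tIN DS %d 8 2 %s\nexample.com.\tIN DS 12345 8 2 %s" % (ds["key_tag"], ds["digest"], "00" * 32)
    for (tag, dtype), ok in verify_dsset(SAMPLE_DNSKEY_OUTPUT, dsset).items():
        print("DS key tag %d, digest type %d: %s" % (tag, dtype, "matches a KSK" if ok else "NO MATCH"))
```

To use it on a real zone, feed `verify_dsset` the text of `dig DNSKEY example.com. @localhost +multiline` and the contents of dsset-example.com.; every line must come back True, and any False line is a DS record the registrar must not get. BIND's own `dnssec-dsfromkey -f example.com.zone.signed example.com` produces the same DS records from the signed zone and is a good cross-check.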

Update zone files

    1. make changes to the example.com.zone file
    2. # rndc freeze example.com
    3. delete all example.com.zone.signed* files (I have not found another way)
    4. re-sign the zone
       # dnssec-signzone -A -3 $(head -c 1000 /dev/urandom | sha256sum | cut -b 1-16) -N INCREMENT -o example.com -t example.com.zone
    5. # rndc reload example.com
    6. # rndc thaw example.com

Subdomains

…are automatically signed together with your domain.

Troubleshooting

If you get an error like:
No response was received until the UDP payload size was decreased, indicating that the server might be attempting to send a payload that exceeds the path maximum transmission unit (PMTU) size.
on dnsviz.net, and you have a firewall like pfSense in front of the DNS server, try disabling scrubbing:
Disable Firewall Scrub (Disables the PF scrubbing option which can sometimes interfere with NFS traffic.)
Another solution, with pfSense, is described here: https://melkfl.es/article/2018/07/edns/
Another, but last-resort, option is to reduce the UDP packet size in bind's named.conf.options:
# vi /etc/bind/named.conf.options
add
edns-udp-size 512;
max-udp-size 512;

If you like this write-up or I missed something, please let me know.

Posted in Debian, Linux, Security

Excerpt from the film 'The Network' from 1976

"Edward George Ruddy died today. Edward George Ruddy was the chairman of the board of the Union Broadcasting Systems; he succumbed to an acute heart attack at 11 this morning, and woe is us, we are in deep trouble. Well, a small, rich man with white hair has died. What does that have to do with the price of rice, you will ask, and what is that supposed to mean, woe is us?


Posted in Uncategorized

Loudness Equalizer aka Pulseaudio Dynamic Range Compression (LADSPA swh-plugins)

Dynamic range compression (DRC) or simply compression reduces the volume of loud sounds or amplifies quiet sounds by narrowing or “compressing” an audio signal’s dynamic range. Compression is commonly used in sound recording and reproduction and broadcasting and on instrument amplifiers. Audio compression reduces loud sounds which are above a certain threshold while quiet sounds remain unaffected. The dedicated electronic hardware unit or audio software used to apply compression is called a compressor. In recorded and live music, compression parameters may be adjusted by an audio engineer to change the way the effect sounds.

Common names: audio compressor, automatic gain control, volume normalization, sound normalizer, loudness equalization, loudness equalizer

Linux Audio Developers Plugin API

Posted in Uncategorized

IMPORTANT NOTICE about the network outage from 8 to 11 Oct., by TheBC

In short: we were offline for 84 hours and 35 minutes. The culprit is Swisscom.


Posted in Uncategorized