DNSSEC
When in doubt: ZSK lifespan 1 month, KSK lifespan 1 year, algorithm RSA/SHA-256 (algorithm number 8).
Root zone (".") trust anchor key: RSA/SHA-256 (8). You want the KSK (flags 257), shown below. In NIOS, DON'T FORGET TO SET THE ALGORITHM CORRECTLY.
AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
Get DNSSEC Keys
dig +nocomments +nostats +nocmd +noquestion -t dnskey .
You will get something like this. Note that dig prints each base64 public key split into whitespace-separated chunks; when you copy a key out of this output you have to remove that whitespace (the example below shows the chunks as dig prints them).
. 62739 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU=
. 62739 IN DNSKEY 256 3 8 AwEAAbF1LAxEQPtClEQno48k6u7JjCOfVfwdENOxQUrX0JbpN5DnKGMA KIfdiWa5oDeKQ3OoQ58yCC8vjtaaGFDgpJxoLwqzhBYHPGFgins5HIER cCQPGAJKWu/ku4XLh+Fu7UyBubDCelxKTbnj26EwbochltRqGIE8hbwS XEzRNo4g+NXkaRMq2FFbaBtEE82yTmZUgFRYAFUvfGTPWblyZGtkepVu HyNb0w/u24dpsz+uyCZZR04cHfRrWOKvqD3lDOwC4+sqd6f7F841R0N2 tqSh/WDUZzWdvPBaBOz0FWFLb9porIeZ3Jm08tAMHa+3SGRXfK4RAmxV CmIQQypGabE=
. 62739 IN DNSKEY 256 3 8 AwEAAcVnO2jZFx4756Rb/yAhJnsl72eemsObU43nclmXwqdJlp+kC5WQ jGYkqLT5xkaUCPhkr4NKLLrIBZXeSGazc6gx/yrrMtUpXcQvax6kfDJP Tu974OmeEbtjyyP7ZG5tUfSwNWt/4EuxDNmZTESG8jU0ZLjYIB11pK0g SXQbMVPyIyGtFGHMPx6UxWn6zUzpECWRFbqEvkA6Y13zeJ1jG2Rki/zs 7a/o13FTl/kI9013Eh6l6Kc2zxbc14GS8fpM0/xQIrZZyeiXj/2C4Rcs PeqWuNj9m0qSQrbrCZtLHb20U8x1uue4iwSX9y7LpwZd6vjYd1d6dgBa 1Xxgc/TC+m8=
Remember, the fields after DNSKEY are:
- 256 or 257: Flags. 256 means the DNSKEY is a ZSK, 257 (zone key + SEP bit) means it is a KSK
- 3: Protocol field; it must always be 3
- 8: Algorithm. 8 = RSA/SHA-256
- AwEAAd7…: the base64-encoded public key
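As an added example (my own code, not part of this page, dig or NIOS), the following Python script does the whitespace-joining described above on the dig output, decodes the flags/protocol/algorithm/key fields, tells KSK from ZSK by the flag bits, and computes the RFC 4034 key tag and the SHA-256 DS digest you would hand to a parent. The input is the three root records from this page embedded as a constructed string; the class and function names are mine, and the RSA decoding assumes the RFC 3110 wire format, which is what algorithm 8 uses.

```python
import base64
import hashlib
import struct
from dataclasses import dataclass

# Constructed input, not live output: the root DNSKEY RRset as
# `dig +nocomments +nostats +nocmd +noquestion -t dnskey .` prints it, with each
# base64 key split into whitespace-separated chunks. The key material is the
# KSK and two ZSKs shown on this page; nothing is fetched from the network.
DIG_OUTPUT = """\
. 62739 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU=
. 62739 IN DNSKEY 256 3 8 AwEAAbF1LAxEQPtClEQno48k6u7JjCOfVfwdENOxQUrX0JbpN5DnKGMA KIfdiWa5oDeKQ3OoQ58yCC8vjtaaGFDgpJxoLwqzhBYHPGFgins5HIER cCQPGAJKWu/ku4XLh+Fu7UyBubDCelxKTbnj26EwbochltRqGIE8hbwS XEzRNo4g+NXkaRMq2FFbaBtEE82yTmZUgFRYAFUvfGTPWblyZGtkepVu HyNb0w/u24dpsz+uyCZZR04cHfRrWOKvqD3lDOwC4+sqd6f7F841R0N2 tqSh/WDUZzWdvPBaBOz0FWFLb9porIeZ3Jm08tAMHa+3SGRXfK4RAmxV CmIQQypGabE=
. 62739 IN DNSKEY 256 3 8 AwEAAcVnO2jZFx4756Rb/yAhJnsl72eemsObU43nclmXwqdJlp+kC5WQ jGYkqLT5xkaUCPhkr4NKLLrIBZXeSGazc6gx/yrrMtUpXcQvax6kfDJP Tu974OmeEbtjyyP7ZG5tUfSwNWt/4EuxDNmZTESG8jU0ZLjYIB11pK0g SXQbMVPyIyGtFGHMPx6UxWn6zUzpECWRFbqEvkA6Y13zeJ1jG2Rki/zs 7a/o13FTl/kI9013Eh6l6Kc2zxbc14GS8fpM0/xQIrZZyeiXj/2C4Rcs PeqWuNj9m0qSQrbrCZtLHb20U8x1uue4iwSX9y7LpwZd6vjYd1d6dgBa 1Xxgc/TC+m8=
"""


def name_to_wire(name: str) -> bytes:
    # Canonical wire form (RFC 4034 section 6): lowercase labels, each
    # length-prefixed, terminated by the root label. "." becomes a single 0x00.
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


@dataclass
class DnsKey:
    owner: str
    ttl: int
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    @property
    def role(self) -> str:
        # Bit value 256 = zone key, bit value 1 = SEP bit (RFC 4034/4035),
        # so flags 257 is the KSK and 256 is a ZSK.
        if not self.flags & 0x100:
            return "not a zone key"
        return "KSK" if self.flags & 0x1 else "ZSK"

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def key_tag(self) -> int:
        # RFC 4034 Appendix B: add odd bytes as-is and even bytes shifted left
        # by 8, fold the carry once, keep the low 16 bits.
        acc = 0
        for i, byte in enumerate(self.rdata()):
            acc += byte if i & 1 else byte << 8
        acc += (acc >> 16) & 0xFFFF
        return acc & 0xFFFF

    def rsa_public_key(self) -> tuple[int, int]:
        # RFC 3110 wire format: exponent length (1 byte, or 0 followed by a
        # 2-byte length), then exponent, then modulus. Valid for RSA algorithms only.
        data = self.public_key
        if data[0] == 0:
            exp_len, offset = struct.unpack("!H", data[1:3])[0], 3
        else:
            exp_len, offset = data[0], 1
        exponent = int.from_bytes(data[offset:offset + exp_len], "big")
        modulus = int.from_bytes(data[offset + exp_len:], "big")
        return exponent, modulus

    def ds_sha256(self) -> str:
        # DS digest type 2: SHA-256 over owner name (wire form) + DNSKEY RDATA.
        return hashlib.sha256(name_to_wire(self.owner) + self.rdata()).hexdigest().upper()


def parse_dig_dnskey(text: str) -> list[DnsKey]:
    keys = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[3] != "DNSKEY":
            continue
        owner, ttl, _cls, _rtype, flags, proto, alg = fields[:7]
        # Everything after the algorithm is the base64 key; dig wraps it into
        # chunks, so join them back together before decoding.
        b64 = "".join(fields[7:])
        keys.append(DnsKey(owner, int(ttl), int(flags), int(proto), int(alg),
                           base64.b64decode(b64, validate=True)))
    return keys


if __name__ == "__main__":
    for key in parse_dig_dnskey(DIG_OUTPUT):
        exponent, modulus = key.rsa_public_key()
        print(f"{key.owner} {key.role} tag={key.key_tag()} alg={key.algorithm} "
              f"RSA-{modulus.bit_length()} e={exponent}")
        if key.role == "KSK":
            print(f"  DS {key.key_tag()} {key.algorithm} 2 {key.ds_sha256()}")
```

The key tag printed for the 257 record is the number you will see referenced in trust anchor files and in DS records at the parent; comparing it against the tag your resolver or NIOS shows is a quick way to confirm you pasted the key without losing a chunk or a character.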
Disabling DNSSEC
Remove the DS records at the parent (via registrar)
Then wait until the parent nameservers no longer publish the DS. Wait, wait, wait. Maybe a week. Take the TTL into account.
Once all TTLs have expired, no resolver should still try to validate the zone.
Only then is it safe to unsign the zone, i.e. to stop publishing the DNSKEY, RRSIG and NSEC/NSEC3 records.
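As an added example of the waiting step (my own code, not from this page or any registrar tooling), a small Python helper that takes the DS answer captured from the parent before the registrar removed it, reads the TTLs, and answers "may I stop signing yet?" from the time the removal was first observed. The zone name, key tag and digest values in the sample answer are constructed placeholders, and the one-hour margin is my assumption.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample, not live data: the child's DS RRset as a parent
# authoritative server returned it BEFORE the registrar removed it.
# Owner name, key tag and digests are placeholders.
DS_ANSWER_BEFORE_REMOVAL = """\
example.com. 86400 IN DS 12345 8 2 0000000000000000000000000000000000000000000000000000000000000000
example.com. 86400 IN DS 12345 8 1 0000000000000000000000000000000000000000
"""

# Constructed scenario timestamps (UTC): when the DS was first seen gone from
# every parent nameserver, and two later moments at which we ask the question.
REMOVAL_SEEN_AT = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)
TWELVE_HOURS_LATER = REMOVAL_SEEN_AT + timedelta(hours=12)
TWO_DAYS_LATER = REMOVAL_SEEN_AT + timedelta(days=2)


def ds_ttls(dig_answer: str) -> list[int]:
    """TTLs of every DS record in a dig answer section; other RR types are ignored."""
    ttls = []
    for line in dig_answer.splitlines():
        fields = line.split()
        if len(fields) >= 7 and fields[3] == "DS":
            ttls.append(int(fields[1]))
    return ttls


def earliest_unsign_time(removal_seen_at: datetime, ttls: list[int],
                         margin: timedelta = timedelta(hours=1)) -> datetime:
    """Earliest moment the zone may stop being signed.

    A validating resolver that fetched the DS just before the parent stopped
    serving it keeps it for the full TTL and will mark the zone bogus if it
    then receives an unsigned DNSKEY answer. So wait the longest DS TTL (plus
    a safety margin) after the removal was observed on every parent server.
    """
    if not ttls:
        raise ValueError("no DS records parsed; capture the answer before removal")
    return removal_seen_at + timedelta(seconds=max(ttls)) + margin


def may_stop_signing(now: datetime, removal_seen_at: datetime, ttls: list[int],
                     ds_still_published: bool) -> tuple[bool, str]:
    """Decision for the 'stop publishing DNSKEY/RRSIG/NSEC' step, with a reason."""
    if ds_still_published:
        return False, "parent still publishes a DS; keep the zone signed"
    safe_at = earliest_unsign_time(removal_seen_at, ttls)
    if now < safe_at:
        return False, f"DS may still be cached; wait until {safe_at.isoformat()}"
    return True, "no DS published and the DS TTL has elapsed; safe to stop signing"


if __name__ == "__main__":
    ttls = ds_ttls(DS_ANSWER_BEFORE_REMOVAL)
    for when in (TWELVE_HOURS_LATER, TWO_DAYS_LATER):
        print(when.isoformat(), may_stop_signing(when, REMOVAL_SEEN_AT, ttls, False))
```

Query the parent's authoritative servers (not a recursive resolver) for the "before" capture, so the TTLs you feed in are the full values rather than whatever was left in some cache.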
