Disabling DNSSEC on a Domain

Disabling DNSSEC on a Domain

Craig Whitmore
I have been trying to automate this all and have a number of questions…

1) http://doc.powerdns.com/dnssec-operational-doctrine.html says to use "pdnssec disable-dnssec" but there is no command, so what is the "proper" way of making a domain insecure (the opposite of secure-zone, basically)? Will remove-zone-key on all the keys work? And then update the SOA serial and remove anything in the domainmetadata table?


2) pdnssec [options] [show-zone] [secure-zone] [rectify-zone] [add-zone-key] [deactivate-zone-key] [remove-zone-key] [activate-zone-key]
         [import-zone-key] [export-zone-key] [set-nsec3] [set-presigned] [unset-nsec3] [unset-presigned] [export-zone-dnskey]

secure-zone                     Add KSK and two ZSKs

Should be

secure-zone  ZONE       Add KSK and two ZSKs

3) Do I have to run rectify-zone every time I add/change an entry? I add an entry into the database and then read the SOA and increase it and update it to be bigger.

insert into records (domain_id,name,content,type,ttl,prio) values ("1","test44.spam.co.nz","114.23.33.130","A",86400,NULL);
update records set content = "ns1.spam.co.nz [hidden email] 4000 28800 7200 604800 86400" where id = "1";


mysql> select * from records where id = "38";
+----+-----------+-------------------+------+---------------+-------+------+-------------+-----------+------+
| id | domain_id | name              | type | content       | ttl   | prio | change_date | ordername | auth |
+----+-----------+-------------------+------+---------------+-------+------+-------------+-----------+------+
| 38 |         1 | test44.spam.co.nz | A    | 114.23.33.130 | 86400 | NULL |        NULL | NULL      | NULL |
+----+-----------+-------------------+------+---------------+-------+------+-------------+-----------+------+
1 row in set (0.00 sec)

Update not showing at all until I run pdnssec rectify-zone spam.co.nz
And the data now looks like


select * from records where id = "38";
+----+-----------+-------------------+------+---------------+-------+------+-------------+----------------------------------+------+
| id | domain_id | name              | type | content       | ttl   | prio | change_date | ordername                        | auth |
+----+-----------+-------------------+------+---------------+-------+------+-------------+----------------------------------+------+
| 38 |         1 | test44.spam.co.nz | A    | 114.23.33.130 | 86400 | NULL |        NULL | qi3g5evlihaplneaqgjgnncntd9ms95b |    1 |
+----+-----------+-------------------+------+---------------+-------+------+-------------+----------------------------------+------+
1 row in set (0.00 sec)

And I can dig the new entry..

Thanks
Craig

_______________________________________________
Pdns-users mailing list
[hidden email]
http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: Disabling DNSSEC on a Domain

Chris Russell

Hi Craig,

> 3) do I have to run rectify-zone every time I add/change an entry. I add an entry into the database and then read the SOA and increase it and update it to be bigger.

I asked this question a few weeks back; you should not need to run rectify-zone *IF* you complete the ordername field when inserting the record.

FYI, you seem to be able to put duplicates in this field (i.e. if you had IPv4/IPv6 A and AAAA records for the same RR, rectify-zone generally sets ordername to be the same value).

Not sure if this is expected or not though :) - does validate correctly though.

Thanks

Chris



Knowledge I.T.
‘Unifying Business Technology’
www.knowledgeit.co.uk


Re: Disabling DNSSEC on a Domain

Craig Whitmore
In reply to this post by Craig Whitmore
Replying to my own post, but I think I found the "answer" to question 3.

I have to as far as I can tell..

pdnssec hash-zone-record spam.co.nz test105.spam.co.nz

Get the hash and then use

insert into records (domain_id,name,content,type,ttl,prio,ordername,auth)
values ("1","test44.spam.co.nz","114.23.33.130","A",86400,NULL,"the hash found","1");

And then increase the SOA serial number..

rectify-zone each time I add data is much easier I think maybe?

Correct?


Re: Disabling DNSSEC on a Domain

bert hubert-2
In reply to this post by Craig Whitmore
On Tue, Jun 14, 2011 at 08:56:41PM +1200, Craig Whitmore wrote:
> A have been trying to automate this all and have a number of questions…
>
> 1. http://doc.powerdns.com/dnssec-operational-doctrine.html say to use
> "pdnssec disable-dnssec" but there is no command so what the "proper" way of
> making a domain insecure (the opposite of secure-zone basically.
> remove-zone-key on all the keys will work? And then update SOA serial and
> remove anything in the domainmetadata table?

Almost. disable-dnssec would deactivate all keys, and unset 'presigned'.
Implemented this in 2216 which is now building.

> 2) pdnssec [options] [show-zone] [secure-zone] [rectify-zone] [add-zone-key]
> secure-zone                     Add KSK and two ZSKs
> secure-zone  ZONE       Add KSK and two ZSKs

Fixed, thanks!

> 3) do I have to run rectify-zone every time I add/change an entry. I add an
> entry into the database and then read the SOA and increase it and update it
> to be bigger.

This is described here:
http://doc.powerdns.com/dnssec-modes.html#dnssec-direct-database

In your case, you should be setting the 'auth' field too, which would
probably fix the problem.

        Bert
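
An added example (not from the thread and not PowerDNS code) of what Bert's pointer to direct-database mode and Craig's "get the hash, then insert" approach both come down to: computing the NSEC3 ordername and the auth value for a `records` row before inserting it, instead of running rectify-zone afterwards. The salt and iteration count are constructed here (the RFC 5155 Appendix A values); a real zone's values come from its NSEC3PARAM, and the zone is assumed to use NSEC3, which the 32-character base32hex ordername in Craig's table suggests.

```python
import base64
import hashlib

# Constructed NSEC3 parameters (RFC 5155 Appendix A). For a real zone read
# them from the zone's NSEC3PARAM / PowerDNS NSEC3PARAM metadata instead.
SALT_HEX = "aabbccdd"
ITERATIONS = 12

# RFC 4648 base32 alphabet -> base32hex alphabet (what NSEC3 owner names use)
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name: str) -> bytes:
    """Canonical (lower-case) wire format: length-prefixed labels, root = 0x00."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, salt_hex: str = SALT_HEX, iterations: int = ITERATIONS) -> str:
    """RFC 5155 NSEC3 hash: SHA-1(wire_name || salt), re-hashed `iterations`
    more times with the salt appended each round, as lower-case base32hex.
    For an NSEC3 zone this is the value PowerDNS stores in records.ordername."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 bytes -> exactly 32 base32hex characters, no padding needed
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def record_row(domain_id: int, name: str, rtype: str, content: str,
               ttl: int = 86400, authoritative: bool = True) -> dict:
    """Column values for one `records` row in direct-database mode: ordername
    carries the NSEC3 hash and auth is 1 for data the zone is authoritative
    for (0 for glue and NS records below a delegation)."""
    return {
        "domain_id": domain_id, "name": name, "type": rtype, "content": content,
        "ttl": ttl, "prio": None,
        "ordername": nsec3_hash(name),
        "auth": 1 if authoritative else 0,
    }


if __name__ == "__main__":
    print(record_row(1, "test44.spam.co.nz", "A", "114.23.33.130"))
```

The SOA serial still has to be bumped separately, exactly as the thread says.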

Re: Disabling DNSSEC on a Domain

bert hubert-2
In reply to this post by Craig Whitmore
On Tue, Jun 14, 2011 at 09:22:20PM +1200, Craig Whitmore wrote:

> I have to as far as I can tell..
>
> pdnssec hash-zone-record spam.co.nz test105.spam.co.nz
>
> Get the hash and then use
>
> insert into records (domain_id,name,content,type,ttl,prio,ordername,auth)
> values ("1","test44.spam.co.nz","114.23.33.130","A",86400,NULL,"the hash
> found","1");
>
> And then increase the SOA serial number..
>
> rectify-zone each time I add data is much easier I think maybe?

This is a personal choice - you can set the hash value, or have PowerDNS do
it for you. But indeed, you found both solutions correctly ;-)

        Bert
Re: Disabling DNSSEC on a Domain

Craig Whitmore
In reply to this post by bert hubert-2


On 14/06/11 9:33 PM, "bert hubert" <[hidden email]> wrote:

>On Tue, Jun 14, 2011 at 08:56:41PM +1200, Craig Whitmore wrote:
>> A have been trying to automate this all and have a number of questions?
>>
>> 1. http://doc.powerdns.com/dnssec-operational-doctrine.html say to use
>> "pdnssec disable-dnssec" but there is no command so what the "proper"
>>way of
>> making a domain insecure (the opposite of secure-zone basically.
>> remove-zone-key on all the keys will work? And then update SOA serial
>>and
>> remove anything in the domainmetadata table?

Tested and it works, but shouldn't you delete the cryptokeys for the domain in the database as well, or something bad happens.

If I enable, all good..

ID = 18 (KSK), tag = 41954, algo = 8, bits = 2048 Active: 1
DS = spam.co.nz IN DS 41954 8 1 73ecd73829cbce5a79117f6f1a452ec41a8ad821
DS = spam.co.nz IN DS 41954 8 2
fdd6e221ac2cf1e9e13c5af283851089b905be67eab7f0a0a3f4f10555caaac8

ID = 19 (ZSK), tag = 38065, algo = 8, bits = 1024 Active: 1
ID = 20 (ZSK), tag = 28923, algo = 8, bits = 1024 Active: 0


Then disable and then enable again.

ID = 18 (KSK), tag = 41954, algo = 8, bits = 2048 Active: 0
DS = spam.co.nz IN DS 41954 8 1 73ecd73829cbce5a79117f6f1a452ec41a8ad821
DS = spam.co.nz IN DS 41954 8 2
fdd6e221ac2cf1e9e13c5af283851089b905be67eab7f0a0a3f4f10555caaac8

ID = 21 (KSK), tag = 60754, algo = 8, bits = 2048 Active: 1
DS = spam.co.nz IN DS 60754 8 1 78650a091d44b6a7a8878fcdd2971d283b3ea364
DS = spam.co.nz IN DS 60754 8 2
8ef196e23b9ba831438763962618db627202027a53ac4f3d605ce6aab8c87e57

ID = 19 (ZSK), tag = 38065, algo = 8, bits = 1024 Active: 0
ID = 20 (ZSK), tag = 28923, algo = 8, bits = 1024 Active: 0


Older KSK is there (deactivated)
New KSK in there (good)
2 ZSK's (both deactivated)


ordername is not blanked out for the domain either for each RR but that’s
less important as it won't make any difference (maybe)


Thanks
Craig



Re: Disabling DNSSEC on a Domain

Lodos
In reply to this post by Craig Whitmore
> 3) do I have to run rectify-zone every time I add/change an entry. I add an entry into the database and then read the SOA and increase it and update it to be bigger.

After some searching about same question here is my exact solution :)

I am going to create a MySQL UDF and execute the pdnssec command via MySQL for each record insert or record update.

Viva MySQL UDF! Viva MySQL triggers!!!