{"id":20877367,"url":"https://github.com/flatcap/dnssec-bin","last_synced_at":"2025-05-12T15:32:55.884Z","repository":{"id":32546416,"uuid":"36128622","full_name":"flatcap/dnssec-bin","owner":"flatcap","description":"📋 DNSSEC generation/management scripts","archived":false,"fork":false,"pushed_at":"2023-03-26T17:52:34.000Z","size":85,"stargazers_count":4,"open_issues_count":0,"forks_count":0,"subscribers_count":4,"default_branch":"main","last_synced_at":"2024-05-02T02:16:32.679Z","etag":null,"topics":["dns","dnssec","scipts"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/flatcap.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-05-23T15:11:59.000Z","updated_at":"2024-05-02T02:16:32.680Z","dependencies_parsed_at":"2022-07-12T16:09:41.027Z","dependency_job_id":null,"html_url":"https://github.com/flatcap/dnssec-bin","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/flatcap%2Fdnssec-bin","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/flatcap%2Fdnssec-bin/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/flatcap%2Fdnssec-bin/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/flatcap%2Fdnssec-bin/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/flatcap","download_url":"https://codeload.github.com/flatcap/dnssec-bin/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225141812,"owners_count":17427362,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dns","dnssec","scipts"],"created_at":"2024-11-18T06:56:50.368Z","updated_at":"2024-11-18T06:56:51.034Z","avatar_url":"https://github.com/flatcap.png","language":"Shell","readme":"# dnssec-bin\n\nGenerate [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) signatures and manage key rollover\n\n## Introduction\n\nI own two domains, `flatcap.org` and `russon.org`.\nMy registrar for these domains is \u003chttps://www.gkg.net/\u003e.\nI manage my own DNS (BIND 9) on my VPS at \u003chttps://www.linode.com/\u003e.\n\n## Caveats\n\nThese are my DNSSEC scripts.  They work for me.\nIf they work for you, or you can learn something useful, great.\nIf not, sorry.\n\nI think my scripts work correctly and safely, but I'm not a DNSSEC expert.\n\n## How does DNSSEC work?\n\nDNSSEC relies on two pairs of private/public keys and a SALT.\n\n- Key Signing Key (KSK) - regenerated every three months\n- Zone Signing Key (ZSK) - regenerated every month\n- [SALT](https://en.wikipedia.org/wiki/Salt_%28cryptography%29) is a random string - regenerated daily\n\nWhen you've generated the KSK, you upload its fingerprint to your registrar.\nThis is used to sign the delegation from the parent zone. e.g.\nKSK fingerprint for flatcap.org is used to sign the flatcap.org link in the .org zone file\n\nThe KSK is used to sign the ZSK which is then combined with the SALT to create a signed zone file.\nThis signed zone is then given to BIND.\n\n## What do the scripts do?\n\n| Script                   | Description                                                                                 |\n| ------------------------ | ------------------------------------------------------------------------------------------- |\n| cron.sh                  | Called by cron(8) at 05:00 every day                                                        |\n| generate-dns-glue        | Local reference to our DNS servers                                                          |\n| generate-root-certs      | Local reference to the root DNS servers                                                     |\n| generate-ssh-fingerprint | Put SSH fingerprints in DNS records                                                         |\n| generate-gpg             | Generate PKA/DANE Records for GPG                                                           |\n| generate-tlsa            | [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) references |\n| generate-dkim            | [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records                    |\n|                          |                                                                                             |\n| generate-ksk             | Create a new Key Signing Key                                                                |\n| generate-zsk             | Create a new Zone Signing Key                                                               |\n| sign-zone                | Sign a domain zone using the KSK                                                            |\n| ds-sync.pl               | Send KSK DS Records to domain's registrar                                                   |\n|                          |                                                                                             |\n| clean                    | Delete all generated files                                                                  |\n| delete-old-keys          | Delete keys that expired                                                                    |\n| disable-dnssec           | Remove all DNSSEC info from the zones and restart BIND                                      |\n| fix-perms                | Set the file permissions on /var/named                                                      |\n| log.sh                   | Logging helpers                                                                             |\n| set-to-publish-date      | Set the key files' timestamp to match the 'publish' date                                    |\n| show-keys                | List all the currently active keys                                                          |\n| show-signed              | Quick info about the signed zones                                                           |\n| update-serials           | Update the zone's serial number                                                             |\n\n## Links\n\nSome sites where I learnt what I needed to know:\n\n- \u003chttps://grepular.com/Understanding_DNSSEC\u003e\n- \u003chttps://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server--2\u003e\n- \u003chttp://www.nlnetlabs.nl/publications/dnssec_howto/\u003e\n\nTesting your domain:\n\n- \u003chttp://dnssec-debugger.verisignlabs.com/\u003e\n- \u003chttp://dnsviz.net/\u003e\n- \u003chttp://www.dnssy.com/\u003e\n- \u003chttps://wander.science/projects/dns/dnssec-resolver-test/\u003e\n\n## License\n\nCopyright \u0026copy; Richard Russon (flatcap).\nDistributed under the GPLv3 \u003chttp://fsf.org/\u003e\n\n## See also\n\n- [flatcap.org](https://flatcap.org)\n- [GitHub](https://github.com/flatcap/dnssec-bin)\n\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fflatcap%2Fdnssec-bin","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fflatcap%2Fdnssec-bin","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fflatcap%2Fdnssec-bin/lists"}