Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/flatcap/dnssec-bin
📋 DNSSEC generation/management scripts
- Host: GitHub
- URL: https://github.com/flatcap/dnssec-bin
- Owner: flatcap
- License: other
- Created: 2015-05-23T15:11:59.000Z (over 9 years ago)
- Default Branch: main
- Last Pushed: 2023-03-26T17:52:34.000Z (over 1 year ago)
- Last Synced: 2024-05-02T02:16:32.679Z (7 months ago)
- Topics: dns, dnssec, scipts
- Language: Shell
- Homepage:
- Size: 83 KB
- Stars: 4
- Watchers: 4
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE.md
README
# dnssec-bin
Generate [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) signatures and manage key rollover
## Introduction
I own two domains, `flatcap.org` and `russon.org`.
My registrar for these domains is .
I manage my own DNS (BIND 9) on my VPS at .

## Caveats
These are my DNSSEC scripts. They work for me.
If they work for you, or you can learn something useful, great.
If not, sorry.

I think my scripts work correctly and safely, but I'm not a DNSSEC expert.
## How does DNSSEC work?
DNSSEC relies on two pairs of private/public keys and a SALT.
- Key Signing Key (KSK) - regenerated every three months
- Zone Signing Key (ZSK) - regenerated every month
- [SALT](https://en.wikipedia.org/wiki/Salt_%28cryptography%29) is a random string - regenerated daily

When you've generated the KSK, you upload its fingerprint (the DS record) to your registrar.
This is used to sign the delegation from the parent zone, e.g. the KSK fingerprint for flatcap.org is used to sign the flatcap.org link in the .org zone file.

The KSK is used to sign the ZSK, which is then combined with the SALT to create a signed zone file.
This signed zone is then given to BIND.

## What do the scripts do?
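The rollover schedule above (KSK every three months, ZSK monthly, salt daily) is what a daily cron job has to turn into decisions. The script below is an added example, not code from dnssec-bin: it uses stamp files in the key directory to record when each artefact was last generated, and the `dnssec-keygen`/`dnssec-signzone` invocations, the `/var/named` path and the `$zone.db` file name are assumptions to adapt to your own setup.

```shell
#!/bin/sh
# Added example, not part of flatcap/dnssec-bin: the daily decision a cron.sh-style
# wrapper makes. Stamp files ($dir/$zone.ksk, .zsk, .salt) record when each
# artefact was last generated; dnssec-keygen/dnssec-signzone flags and paths
# are assumptions.
set -eu

KSK_MAX_DAYS=90   # KSK: regenerated every three months
ZSK_MAX_DAYS=30   # ZSK: regenerated every month
SALT_MAX_DAYS=1   # NSEC3 salt: regenerated daily

# older_than FILE DAYS -> true if FILE is missing or at least DAYS days old
older_than() {
    [ -e "$1" ] || return 0
    # find's -mtime discards the remainder, so "+N" means age >= N+1 days
    [ -n "$(find "$1" -mtime +"$(($2 - 1))" -print)" ]
}

# new_salt -> 8 random bytes as 16 lowercase hex characters
new_salt() {
    od -An -N8 -tx1 /dev/urandom | tr -d ' \n'
}

# rollover_plan ZONE DIR -> prints the subset of "ksk zsk salt" that is due
rollover_plan() {
    zone=$1; dir=$2; plan=""
    older_than "$dir/$zone.ksk"  "$KSK_MAX_DAYS"  && plan="$plan ksk"
    older_than "$dir/$zone.zsk"  "$ZSK_MAX_DAYS"  && plan="$plan zsk"
    older_than "$dir/$zone.salt" "$SALT_MAX_DAYS" && plan="$plan salt"
    echo "${plan# }"
}

# apply_plan ZONE DIR PLAN -> generate what is due, then re-sign the zone
apply_plan() {
    zone=$1; dir=$2
    for item in $3; do
        case $item in
            ksk)  dnssec-keygen -K "$dir" -a ECDSAP256SHA256 -f KSK "$zone" >/dev/null
                  touch "$dir/$zone.ksk" ;;   # new KSK: its DS record must go to the registrar
            zsk)  dnssec-keygen -K "$dir" -a ECDSAP256SHA256 "$zone" >/dev/null
                  touch "$dir/$zone.zsk" ;;
            salt) new_salt > "$dir/$zone.salt" ;;
        esac
    done
    # whatever changed, the zone is re-signed with the current salt
    dnssec-signzone -K "$dir" -o "$zone" -3 "$(cat "$dir/$zone.salt")" "$dir/$zone.db"
}

# typical cron use: apply_plan flatcap.org /var/named "$(rollover_plan flatcap.org /var/named)"
```

Note that `rollover_plan` only reports what is due, so it can be run and inspected on its own before `apply_plan` touches any keys.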
| Script | Description |
| ------------------------ | ------------------------------------------------------------------------------------------- |
| cron.sh | Called by cron(8) at 05:00 every day |
| generate-dns-glue | Local reference to our DNS servers |
| generate-root-certs | Local reference to the root DNS servers |
| generate-ssh-fingerprint | Put SSH fingerprints in DNS records |
| generate-gpg | Generate PKA/DANE Records for GPG |
| generate-tlsa | [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) references |
| generate-dkim | [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records |
| | |
| generate-ksk | Create a new Key Signing Key |
| generate-zsk | Create a new Zone Signing Key |
| sign-zone | Sign a domain zone using the KSK |
| ds-sync.pl | Send KSK DS Records to domain's registrar |
| | |
| clean | Delete all generated files |
| delete-old-keys | Delete keys that expired |
| disable-dnssec | Remove all DNSSEC info from the zones and restart BIND |
| fix-perms | Set the file permissions on /var/named |
| log.sh | Logging helpers |
| set-to-publish-date | Set the key files' timestamp to match the 'publish' date |
| show-keys | List all the currently active keys |
| show-signed | Quick info about the signed zones |
| update-serials | Update the zone's serial number |

## Links
Some sites where I learnt what I needed to know:

Testing your domain:

## License
Copyright © Richard Russon (flatcap).
Distributed under the GPLv3.

## See also
- [flatcap.org](https://flatcap.org)
- [GitHub](https://github.com/flatcap/dnssec-bin)