author | Tomasz Kramkowski <tk@the-tk.com> | 2018-07-18 23:46:06 +0100 |
---|---|---|
committer | Tomasz Kramkowski <tk@the-tk.com> | 2018-07-18 23:55:42 +0100 |
commit | c34ae6fed8503c6f8b27b4bd55cf26bb3f47ad23 (patch) | |
tree | a50e1f923f5101846e440fba4b076b14d8ac6b4b /content/posts/2016-04-04-dnssec.md | |
init commit
Diffstat (limited to 'content/posts/2016-04-04-dnssec.md')
-rw-r--r-- | content/posts/2016-04-04-dnssec.md | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/content/posts/2016-04-04-dnssec.md b/content/posts/2016-04-04-dnssec.md new file mode 100644 index 0000000..13c1d60 --- /dev/null +++ b/content/posts/2016-04-04-dnssec.md @@ -0,0 +1,25 @@ +$title "DNSSEC" +$tags information DNS DNSSEC + +As of today my domain finally supports DNSSEC. It was much simpler than I +thought it would be. It seems namecheap now officially allows you to publish DS +records in the parent zone of your domain (limited only to TLDs which support +it). This is one of the last things that I wanted to set up on my server. + +$pre + +In the end, the process was made very simple by the existence of +[this][cheatsheet] which details exactly how to set up DNSSEC on BIND 9.10 or +higher. + +Currently the KSK is SHARSA256 1024 bits and the ZSK is SHARSA256 2048 bits, I +am considering moving to using a 2048 bit KSK but I'm not sure if there will be +much of a benefit. I am using NSEC3 with a SHA-1 hash with the opt-out bit +unset and 100 iterations. + +In any case, you can now rest assured that if your resolver uses DNSSEC +(Google's resolvers will return a failure in case they find a DS record but the +DNSSEC validation fails) you will be receiving signed and verifiable data. Of +course, I doubt many people care. + +[cheatsheet]: https://kb.isc.org/getAttach/122/AA-01311/DNSSEC-QR-B4.pdf |
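Review bot: in the key-size paragraph the algorithm is written "SHARSA256" twice ("the KSK is SHARSA256 1024 bits and the ZSK is SHARSA256 2048 bits"); the mnemonic BIND and the IANA registry use is RSASHA256 (DNSSEC algorithm number 8), so this looks like a typo that should be fixed before the post is published. The same paragraph pairs a 1024-bit KSK with a 2048-bit ZSK, which is the reverse of the usual arrangement (the longer-lived KSK, whose hash goes into the parent's DS record, is normally the larger key), and a 1024-bit RSA modulus is below the 2048-bit minimum generally recommended for DNSSEC signing keys; since the post already says a 2048-bit KSK is under consideration, it would be clearer to state that the KSK is the key the DS record at namecheap is derived from and that a KSK rollover would therefore require updating that DS record. Minor: "Currently the KSK is ... 2048 bits, I am considering moving ..." is a comma splice; a full stop or semicolon after "bits" reads better.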