Adding a DNSKEY record to a zone in PowerDNS:
root@authdns01:~# pdnsutil secure-zone deref
Securing zone with default key size
Adding CSK (257) with algorithm ecdsa256
Zone deref secured
Adding NSEC ordering information
Then we can try to sign a subdomain:
root@authdns01:~$ pdnsutil secure-zone svealiden.deref
Securing zone with default key size
Adding CSK (257) with algorithm ecdsa256
Zone svealiden.deref secured
Adding NSEC ordering information
Let’s check the DNSKEY of both:
root@authdns01:~# dig +short deref dnskey @192.168.1.71
257 3 13 s4PVoj6Zcg+cV36sjhO5YazfXABOtw4XcphhRZG94dqjokGBZf2y450v hDBGH69NVp7oN6Cdq/RJyJIzEQJOQQ==
root@authdns01:~# dig +short svealiden.deref dnskey @192.168.1.71
257 3 13 KYnKZmELQgIKrevye+b2Wmv+6Gw89Uvu2Hlox+0+uWH9gPnVOdQOfKB1 UmayuLrqdLnp8UoneL2tAHCU0uLimA==
All righty. So far so good. Let’s make sure the records actually have RRSIGs:
root@authdns01:~# dig deref ns +dnssec @192.168.1.71
;; QUESTION SECTION:
;deref.                         IN      NS

;; AUTHORITY SECTION:
deref.  3600  IN  SOA    ns.svealiden.se. cjp.deref.se. 2021072502 10800 3600 604800 3600
deref.  3600  IN  RRSIG  SOA 13 1 3600 20210805000000 20210715000000 10485 deref. MPfYev987qD2PE0L5HRDfXabDhKDbCPBwtAaGVtr5Kw+ibKb4AEn3Rjv cQ2um+qPoKOaTeN7pJ4q/dmK7ybwvw==
deref.  3600  IN  NSEC   svealiden.deref. SOA RRSIG NSEC DNSKEY
deref.  3600  IN  RRSIG  NSEC 13 1 3600 20210805000000 20210715000000 10485 deref. 81joG7RSmkAU/N6jLg+QG4UrW1oUc/ojNzcuGiQbC9LGIZFggrzlGdw8 ldiwUI6JSthtbpCuLyFRiGi9ad1YuQ==
Okay, the same for svealiden.deref?
root@authdns01:~# dig svealiden.deref ns +dnssec @192.168.1.71
;; QUESTION SECTION:
;svealiden.deref.               IN      NS

;; AUTHORITY SECTION:
svealiden.deref.  3600  IN  SOA    ns.svealiden.se. cjp.deref.se. 2021072501 10800 120 604800 3600
svealiden.deref.  3600  IN  RRSIG  SOA 13 2 3600 20210805000000 20210715000000 24037 svealiden.deref. OMgnE5XpmMsaMb3zMVhEgDJdyAm34W2sTH94YqhsAeDswJkZA2fmmkFd uWtKPXY65RmLqplKxlTXpLZxt3c0Hw==
svealiden.deref.  3600  IN  NSEC   svealiden.deref. A SOA MX RRSIG NSEC DNSKEY
svealiden.deref.  3600  IN  RRSIG  NSEC 13 2 3600 20210805000000 20210715000000 24037 svealiden.deref. lY1BRtNWm48ssKw+QQq3NZI8adUm+hHdsj1OqQIQRL3FkdP1PJ7kXrmH 1q1hqVZkaoJFpkgX10rqxFym4mVwoA==
So, could I get the private key behind both the TLD and the subdomain?
root@authdns01:~# pdnsutil export-zone-key deref 1
Private-key-format: v1.2
Algorithm: 13 (ECDSAP256SHA256)
PrivateKey: EH+Vz8ySECRETSECRETSECRETQcDFbooSw=
So far so good. I couldn’t figure out which key ID svealiden.deref used, but this helped:
root@authdns01:~# pdnsutil list-keys svealiden.deref
Zone             Type  Size  Algorithm        ID  Location    Keytag
----------------------------------------------------------------------------------
svealiden.deref  CSK   256   ECDSAP256SHA256  4   cryptokeys  24037
root@authdns01:~# pdnsutil export-zone-key svealiden.deref 4
Private-key-format: v1.2
Algorithm: 13 (ECDSAP256SHA256)
PrivateKey: 5gSqJikSECRETSECRETSECRETqEL+x1mM=
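Once both zones are signed, the dig +dnssec output above and the keytag from list-keys are enough to sanity-check each RRSIG by hand: is it still inside its validity window, does the labels field agree with the owner name, and was it made by the key the zone actually holds? The script below is an added example, not part of the original post or of PowerDNS; the two RRSIG lines it checks are copied from the dig output above and the "now" timestamp is a made-up date inside the signature window.

```sh
#!/bin/sh
# Added example (not from the post): sanity-check RRSIG records as printed by
# `dig +dnssec`. Presentation format of an RRSIG, field by field:
#   owner ttl IN RRSIG type alg labels origttl expiration inception keytag signer sig
# The two records below are copied from the post's own dig output.
DEREF_SOA_RRSIG='deref. 3600 IN RRSIG SOA 13 1 3600 20210805000000 20210715000000 10485 deref. MPfYev987qD2PE0L5HRDfXabDhKDbCPBwtAaGVtr5Kw+ibKb4AEn3Rjv cQ2um+qPoKOaTeN7pJ4q/dmK7ybwvw=='
SUB_SOA_RRSIG='svealiden.deref. 3600 IN RRSIG SOA 13 2 3600 20210805000000 20210715000000 24037 svealiden.deref. OMgnE5XpmMsaMb3zMVhEgDJdyAm34W2sTH94YqhsAeDswJkZA2fmmkFd uWtKPXY65RmLqplKxlTXpLZxt3c0Hw=='

# Number of labels in an owner name, trailing dot ignored: "svealiden.deref." -> 2
label_count() {
    printf '%s\n' "${1%.}" | awk -F. '{ print NF }'
}

# check_rrsig "<rrsig line>" <now as YYYYMMDDHHMMSS> <keytag from pdnsutil list-keys>
# Returns 0 only if the record is an RRSIG, its labels field is consistent with the
# owner name, "now" lies inside the validity window, and the keytag matches.
check_rrsig() {
    now=$2; want_tag=$3
    set -- $1
    owner=$1; rtype=$4; covered=$5; labels=$7
    expire=$9; incept=${10}; tag=${11}
    [ "$rtype" = RRSIG ] || { echo "$owner: not an RRSIG record"; return 1; }
    n=$(label_count "$owner")
    # RFC 4035: labels greater than the owner's label count is bogus;
    # fewer means the signature covers a wildcard expansion.
    [ "$labels" -le "$n" ] || { echo "$owner $covered: labels $labels exceeds $n"; return 1; }
    [ $((now >= incept)) -eq 1 ] || { echo "$owner $covered: not yet valid (inception $incept)"; return 1; }
    [ $((now <= expire)) -eq 1 ] || { echo "$owner $covered: expired at $expire"; return 1; }
    [ "$tag" = "$want_tag" ] || { echo "$owner $covered: signed by keytag $tag, expected $want_tag"; return 1; }
    echo "$owner $covered: RRSIG ok (keytag $tag, valid until $expire)"
    return 0
}

# Stand-alone run, using the keytags shown by `pdnsutil list-keys` for each zone
# and a constructed "now" of 2021-07-25 12:00:00 that lies inside both windows.
check_rrsig "$DEREF_SOA_RRSIG" 20210725120000 10485
check_rrsig "$SUB_SOA_RRSIG"   20210725120000 24037
```

With PowerDNS signing on the fly the expiration date moves forward on its own, so the date check matters most on zones where an RRSIG was pre-signed or cached.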
Well, this was all nice and well, but I was kind of hoping I could do this more manually: generating a ZSK, then a KSK, and so on. I’ll have to see which tools I could use to do that, just as a learning exercise. At least now I can enable DNSSEC for my own local TLD.