
nixbld: use semi-automatic DNSSEC

This commit is contained in:
Sebastien Bourdeauducq 2022-06-27 13:08:16 +08:00
parent 3909d7428d
commit 08ab958a76
2 changed files with 4 additions and 19 deletions


@ -145,13 +145,8 @@ in
boot.kernel.sysctl."net.ipv6.conf.${netifLan}.accept_dad" = "0"; boot.kernel.sysctl."net.ipv6.conf.${netifLan}.accept_dad" = "0";
boot.kernel.sysctl."net.ipv6.conf.${netifWifi}.accept_dad" = "0"; boot.kernel.sysctl."net.ipv6.conf.${netifWifi}.accept_dad" = "0";
# https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server-2 # https://kb.isc.org/docs/dnssec-key-and-signing-policy
# dnssec-keygen -a ECDSAP384SHA384 -n ZONE m-labs.hk # chown named.named /etc/nixos/named
# dnssec-keygen -f KSK -a ECDSAP384SHA384 -n ZONE m-labs.hk
# cat *.key >> m-labs.zone
# dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o m-labs.hk -t /etc/nixos/m-labs.zone
# cat dsset* --> update DS at registrar
# check results at https://dnsviz.net/
services.bind = { services.bind = {
enable = true; enable = true;
listenOn = [ "42.200.147.171" ]; listenOn = [ "42.200.147.171" ];
@ -163,7 +158,8 @@ in
"XN--WBTZ5WPQAJ35CFXC.XN--J6W193G" = { "XN--WBTZ5WPQAJ35CFXC.XN--J6W193G" = {
name = "XN--WBTZ5WPQAJ35CFXC.XN--J6W193G"; name = "XN--WBTZ5WPQAJ35CFXC.XN--J6W193G";
master = true; master = true;
file = "/etc/nixos/m-labs.zone.signed"; file = "/etc/nixos/named/m-labs.zone";
extraConfig = ''dnssec-policy "default";'';
}; };
}; };
}; };
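Review bot: The hunk drops the `cat dsset* --> update DS at registrar` step but the new `dnssec-policy "default"` line generates its own KSK, so the DS record published at the registrar for the old key (keyid 29869 in the deleted zone-file records) will no longer match once the old DNSKEY is gone and resolvers will treat the zone as bogus until it is replaced. A comment next to `extraConfig` should say that the DS must be re-published from the policy-managed KSK (see `rndc dnssec -status`) and the old DS withdrawn only after the new one is live; the procedure is no longer self-evident from the config. Depending on the BIND version shipped, a policy-signed zone also has to be either dynamic or inline-signed, so the line may need to read `extraConfig = ''dnssec-policy "default"; inline-signing yes;'';` — confirm against the installed version. The `chown named.named /etc/nixos/named` comment implies the daemon now writes signed zone and journal files under /etc/nixos; it would be worth stating that only this subdirectory is meant to be writable, or pointing `key-directory` and the zone at the service's own state directory instead. The enclosing `services.bind` attribute set starts in the first hunk and its inner zone block is only partially shown.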


@ -53,14 +53,3 @@ hestia AAAA 2001:470:f821:1:ef18:fbec:2162:2c4c
vulcan AAAA 2001:470:f821:1:a9aa:5da6:d8ee:84db vulcan AAAA 2001:470:f821:1:a9aa:5da6:d8ee:84db
old-nixbld AAAA 2001:470:f821:1:021f:bcff:fe12:9170 old-nixbld AAAA 2001:470:f821:1:021f:bcff:fe12:9170
franz AAAA 2001:470:f821:1:39a9:9221:da3d:f6e2 franz AAAA 2001:470:f821:1:39a9:9221:da3d:f6e2
; This is a zone-signing key, keyid 18823, for XN--WBTZ5WPQAJ35CFXC.XN--J6W193G.
; Created: 20220626080122 (Sun Jun 26 16:01:22 2022)
; Publish: 20220626080122 (Sun Jun 26 16:01:22 2022)
; Activate: 20220626080122 (Sun Jun 26 16:01:22 2022)
XN--WBTZ5WPQAJ35CFXC.XN--J6W193G. IN DNSKEY 256 3 14 ZFDSxnY5Pg92E7XuNDkOxFQUtdFtXmV339GjVxguEPbzbdEtGRghNzef qLHVNOCUIfYxI5efxegmINMWEEPpiJSf55bzM6EYeWw+colfTQIJ0E/p 2iF7vSKxogkZf/zP
; This is a key-signing key, keyid 29869, for XN--WBTZ5WPQAJ35CFXC.XN--J6W193G.
; Created: 20220626080139 (Sun Jun 26 16:01:39 2022)
; Publish: 20220626080139 (Sun Jun 26 16:01:39 2022)
; Activate: 20220626080139 (Sun Jun 26 16:01:39 2022)
XN--WBTZ5WPQAJ35CFXC.XN--J6W193G. IN DNSKEY 257 3 14 f/dkVlLL8LNWnbVE1nvEls24e/2Jz62fca5ZlJWnRaKpzMNbXFSX6+HT rH10WL4rwLY8Aa8AsogMbj9D8OS6Xalv9NwQKvoSZ1TwXun3N2RoNoXp xC7NXtT9H6l7ZPFk