From 08ab958a76d33d2b3011f747fe9be5f525b8752a Mon Sep 17 00:00:00 2001 From: Sebastien Bourdeauducq Date: Mon, 27 Jun 2022 13:08:16 +0800 Subject: [PATCH] nixbld: use semi-automatic DNSSEC --- nixbld-etc-nixos/configuration.nix | 12 ++++-------- nixbld-etc-nixos/{ => named}/m-labs.zone | 11 ----------- 2 files changed, 4 insertions(+), 19 deletions(-) rename nixbld-etc-nixos/{ => named}/m-labs.zone (73%) diff --git a/nixbld-etc-nixos/configuration.nix b/nixbld-etc-nixos/configuration.nix index 49c7544d..13699b8c 100644 --- a/nixbld-etc-nixos/configuration.nix +++ b/nixbld-etc-nixos/configuration.nix @@ -145,13 +145,8 @@ in boot.kernel.sysctl."net.ipv6.conf.${netifLan}.accept_dad" = "0"; boot.kernel.sysctl."net.ipv6.conf.${netifWifi}.accept_dad" = "0"; - # https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server-2 - # dnssec-keygen -a ECDSAP384SHA384 -n ZONE m-labs.hk - # dnssec-keygen -f KSK -a ECDSAP384SHA384 -n ZONE m-labs.hk - # cat *.key >> m-labs.zone - # dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o m-labs.hk -t /etc/nixos/m-labs.zone - # cat dsset* --> update DS at registrar - # check results at https://dnsviz.net/ + # https://kb.isc.org/docs/dnssec-key-and-signing-policy + # chown named.named /etc/nixos/named services.bind = { enable = true; listenOn = [ "42.200.147.171" ]; @@ -163,7 +158,8 @@ in "XN--WBTZ5WPQAJ35CFXC.XN--J6W193G" = { name = "XN--WBTZ5WPQAJ35CFXC.XN--J6W193G"; master = true; - file = "/etc/nixos/m-labs.zone.signed"; + file = "/etc/nixos/named/m-labs.zone"; + extraConfig = ''dnssec-policy "default";''; }; }; }; diff --git a/nixbld-etc-nixos/m-labs.zone b/nixbld-etc-nixos/named/m-labs.zone similarity index 73% rename from nixbld-etc-nixos/m-labs.zone rename to nixbld-etc-nixos/named/m-labs.zone index 9bd273aa..e0fcf6a8 100644 --- a/nixbld-etc-nixos/m-labs.zone +++ b/nixbld-etc-nixos/named/m-labs.zone 
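Review bot: The new comment drops the one step that stays manual under semi-automatic DNSSEC — getting the DS to the registrar and telling named it is published — even though the deleted lines (`cat dsset* --> update DS at registrar`, `check results at https://dnsviz.net/`) were the only record of it. With a `dnssec-policy` and no parental agents configured, named does not advance a key past the DS-published state on its own, so I would add next to the kb.isc.org link: `# DS submission is still manual: derive it with dnssec-dsfromkey from the key named generates, publish it at the registrar,` / `# then run: rndc dnssec -checkds published <zone>, and verify at https://dnsviz.net/`. `chown named.named /etc/nixos/named` is likewise an out-of-band step that `nixos-rebuild` will not reproduce on a reinstalled host; either state in the comment that it must be repeated, or express it declaratively (e.g. a `systemd.tmpfiles.rules` entry) so the directory named must now write to is not silently left root-owned.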
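Review bot: `dnssec-policy "default";` is set with no `key-directory`, so the keys named generates land in its working directory, which on NixOS `services.bind` I believe defaults to a runtime directory that does not survive a reboot — if so, each reboot would mint a fresh CSK whose DS is not at the registrar and the zone would validate as bogus. The built-in default policy also signs with a single ECDSAP256SHA256 (algorithm 13) CSK, while the DNSKEY records this commit removes from the zone were algorithm 14 (`256 3 14` / `257 3 14`, keyids 18823 and 29869), so any DS currently at the registrar for KSK 29869 stops matching as soon as this configuration is deployed; the cutover needs the new DS published before the old keys disappear, or a policy that keeps algorithm 14. I would pin the key location explicitly, persistent and outside the git-tracked configuration tree: `extraConfig = ''dnssec-policy "default"; key-directory "/var/lib/named/keys";'';` with that directory owned by the `named` user. The enclosing `services.bind.zones` attribute set starts outside the hunk.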
@@ -53,14 +53,3 @@ hestia AAAA 2001:470:f821:1:ef18:fbec:2162:2c4c
 vulcan AAAA 2001:470:f821:1:a9aa:5da6:d8ee:84db
 old-nixbld AAAA 2001:470:f821:1:021f:bcff:fe12:9170
 franz AAAA 2001:470:f821:1:39a9:9221:da3d:f6e2
-
-; This is a zone-signing key, keyid 18823, for XN--WBTZ5WPQAJ35CFXC.XN--J6W193G.
-; Created: 20220626080122 (Sun Jun 26 16:01:22 2022)
-; Publish: 20220626080122 (Sun Jun 26 16:01:22 2022)
-; Activate: 20220626080122 (Sun Jun 26 16:01:22 2022)
-XN--WBTZ5WPQAJ35CFXC.XN--J6W193G. IN DNSKEY 256 3 14 ZFDSxnY5Pg92E7XuNDkOxFQUtdFtXmV339GjVxguEPbzbdEtGRghNzef qLHVNOCUIfYxI5efxegmINMWEEPpiJSf55bzM6EYeWw+colfTQIJ0E/p 2iF7vSKxogkZf/zP
-; This is a key-signing key, keyid 29869, for XN--WBTZ5WPQAJ35CFXC.XN--J6W193G.
-; Created: 20220626080139 (Sun Jun 26 16:01:39 2022)
-; Publish: 20220626080139 (Sun Jun 26 16:01:39 2022)
-; Activate: 20220626080139 (Sun Jun 26 16:01:39 2022)
-XN--WBTZ5WPQAJ35CFXC.XN--J6W193G. IN DNSKEY 257 3 14 f/dkVlLL8LNWnbVE1nvEls24e/2Jz62fca5ZlJWnRaKpzMNbXFSX6+HT rH10WL4rwLY8Aa8AsogMbj9D8OS6Xalv9NwQKvoSZ1TwXun3N2RoNoXp xC7NXtT9H6l7ZPFk