nixbld: use semi-automatic DNSSEC
parent
3909d7428d
commit
08ab958a76
@ -145,13 +145,8 @@ in
boot.kernel.sysctl."net.ipv6.conf.${netifLan}.accept_dad" = "0";
boot.kernel.sysctl."net.ipv6.conf.${netifLan}.accept_dad" = "0";
boot.kernel.sysctl."net.ipv6.conf.${netifWifi}.accept_dad" = "0";
boot.kernel.sysctl."net.ipv6.conf.${netifWifi}.accept_dad" = "0";
# https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server-2
# https://kb.isc.org/docs/dnssec-key-and-signing-policy
# dnssec-keygen -a ECDSAP384SHA384 -n ZONE m-labs.hk
# chown named.named /etc/nixos/named
# dnssec-keygen -f KSK -a ECDSAP384SHA384 -n ZONE m-labs.hk
# cat *.key >> m-labs.zone
# dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o m-labs.hk -t /etc/nixos/m-labs.zone
# cat dsset* --> update DS at registrar
# check results at https://dnsviz.net/
services.bind = {
services.bind = {
enable = true;
enable = true;
listenOn = [ "42.200.147.171" ];
listenOn = [ "42.200.147.171" ];
@ -163,7 +158,8 @@ in
"XN--WBTZ5WPQAJ35CFXC.XN--J6W193G" = {
"XN--WBTZ5WPQAJ35CFXC.XN--J6W193G" = {
name = "XN--WBTZ5WPQAJ35CFXC.XN--J6W193G";
name = "XN--WBTZ5WPQAJ35CFXC.XN--J6W193G";
master = true;
master = true;
file = "/etc/nixos/m-labs.zone.signed";
file = "/etc/nixos/named/m-labs.zone";
extraConfig = ''dnssec-policy "default";'';
};
};
};
};
};
};
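Review bot: With `dnssec-policy "default"` BIND now generates and stores the zone's keys itself, but the new extraConfig sets no `key-directory`, so they land in the server's working directory — on NixOS `services.bind` that is a runtime directory under /run by default (inferred; confirm for this module), which would not survive a reboot and would force a fresh key pair plus a new DS at the parent each time. The `# chown named.named /etc/nixos/named` comment in the first hunk suggests that directory is the intended home, so make it explicit: `extraConfig = ''dnssec-policy "default"; key-directory "/etc/nixos/named";'';`. If /etc/nixos is under version control, the generated `K*.private` files should be excluded from it. "Semi-automatic" also means the DS at the registrar stays a manual step, and the removed `cat dsset*` comment has no replacement, so a comment naming the new check (`rndc dnssec -status` for the key state and `rndc dnssec -checkds` to confirm the DS is published, BIND 9.16+) would keep that step from being forgotten. The enclosing `services.bind.zones` block starts outside this hunk.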
@ -53,14 +53,3 @@ hestia AAAA 2001:470:f821:1:ef18:fbec:2162:2c4c
vulcan AAAA 2001:470:f821:1:a9aa:5da6:d8ee:84db
vulcan AAAA 2001:470:f821:1:a9aa:5da6:d8ee:84db
old-nixbld AAAA 2001:470:f821:1:021f:bcff:fe12:9170
old-nixbld AAAA 2001:470:f821:1:021f:bcff:fe12:9170
franz AAAA 2001:470:f821:1:39a9:9221:da3d:f6e2
franz AAAA 2001:470:f821:1:39a9:9221:da3d:f6e2
; This is a zone-signing key, keyid 18823, for XN--WBTZ5WPQAJ35CFXC.XN--J6W193G.
; Created: 20220626080122 (Sun Jun 26 16:01:22 2022)
; Publish: 20220626080122 (Sun Jun 26 16:01:22 2022)
; Activate: 20220626080122 (Sun Jun 26 16:01:22 2022)
XN--WBTZ5WPQAJ35CFXC.XN--J6W193G. IN DNSKEY 256 3 14 ZFDSxnY5Pg92E7XuNDkOxFQUtdFtXmV339GjVxguEPbzbdEtGRghNzef qLHVNOCUIfYxI5efxegmINMWEEPpiJSf55bzM6EYeWw+colfTQIJ0E/p 2iF7vSKxogkZf/zP
; This is a key-signing key, keyid 29869, for XN--WBTZ5WPQAJ35CFXC.XN--J6W193G.
; Created: 20220626080139 (Sun Jun 26 16:01:39 2022)
; Publish: 20220626080139 (Sun Jun 26 16:01:39 2022)
; Activate: 20220626080139 (Sun Jun 26 16:01:39 2022)
XN--WBTZ5WPQAJ35CFXC.XN--J6W193G. IN DNSKEY 257 3 14 f/dkVlLL8LNWnbVE1nvEls24e/2Jz62fca5ZlJWnRaKpzMNbXFSX6+HT rH10WL4rwLY8Aa8AsogMbj9D8OS6Xalv9NwQKvoSZ1TwXun3N2RoNoXp xC7NXtT9H6l7ZPFk