Inklings: a tumblelog

Setting up DNSSEC with EURid (for OpenDNSSEC users)

For most registries, setting up DNSSEC is straightforward: you configure the domain in OpenDNSSEC, wait while the updated zone propagates, and then when the domain’s state is ‘ready’, you export the delegation signer (DS) records:

% sudo ods-ksmutil key export --zone <zone> --ds

Which will give you something like the following:

;ready KSK DS record (SHA1):   3600    IN  DS  42 8 1 deadbeefdeadbeefdeadbeefdeadbeefdeadbeef

;ready KSK DS record (SHA256):   3600    IN  DS  42 8 2 deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef

EURid, however, doesn’t support DS records, so instead you have to provide the public key associated with the domain in question. This is what ods-ksmutil key export prints out by default without the --ds flag:

% sudo ods-ksmutil key export --zone <zone>

Running that will give you something like the following:

;ready KSK DNSKEY record:    3600    IN  DNSKEY  257 3 8 PUBLICKEY===

In that, ‘257’ indicates that the public key is for the key-signing key (KSK); ‘3’ is the protocol; ‘8’ indicates the algorithm, which in this case is ‘RSA/SHA-256’; and the final field is the base64-encoded public key. You will need to provide this information to the registrar, and they will submit it to EURid. When the key has been submitted, get the keytag of the KSK:

% sudo ods-ksmutil key list --zone <zone> --verbose

Give OpenDNSSEC the ds-seen notification:

% sudo ods-ksmutil key ds-seen --zone <zone> --keytag 42

And you’re done.
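Before giving ds-seen, it is worth confirming that the DNSKEY you handed to the registrar really is the KSK whose keytag you are about to acknowledge. The Python below is an added example (not from the original post or from OpenDNSSEC) that derives the keytag and DS digest from a DNSKEY record line using the RFC 4034 algorithms; the zone `example.eu.` and the short base64 key are constructed placeholders.

```python
import base64
import hashlib
import struct

# Constructed sample: example.eu. and the 8-byte "key" are placeholders, not a real KSK.
SAMPLE = "example.eu. 3600 IN DNSKEY 257 3 8 AwEAAaq7zN0="

def parse_dnskey(line):
    """Parse '<owner> <ttl> IN DNSKEY <flags> <proto> <alg> <base64...>'."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    key = base64.b64decode("".join(fields[i + 4:]))
    # Wire-format RDATA: flags(2) | protocol(1) | algorithm(1) | public key
    return fields[0], struct.pack("!HBB", flags, proto, alg) + key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: sum of 16-bit words, carry folded in."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def owner_wire(name):
    """Canonical owner name: lowercase labels, length-prefixed, root-terminated."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def make_ds(dnskey_line, digest_type=2):
    """Return (key_tag, algorithm, digest_type, hex digest) for a DNSKEY line."""
    owner, rdata = parse_dnskey(dnskey_line)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(owner_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), rdata[3], digest_type, digest

def is_ksk(dnskey_line):
    """True when the SEP bit (flags & 1) is set, as in the flags value 257."""
    _, rdata = parse_dnskey(dnskey_line)
    return bool(struct.unpack("!H", rdata[:2])[0] & 0x0001)

if __name__ == "__main__":
    tag, alg, dtype, digest = make_ds(SAMPLE)
    print(f"KSK={is_ksk(SAMPLE)} keytag={tag}")
    print(f"example.eu. 3600 IN DS {tag} {alg} {dtype} {digest}")
```

Feed it the record line for your own zone and compare the computed keytag with the one shown by ods-ksmutil key list and with the DS that appears in the parent zone.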