On 2/12/19 7:26 PM, Paul R. Ganci wrote:
> Last weekend I had my DNSSEC keys expire. I discovered that they had
> expired the hard way... namely randomly websites could not be found and
> email did not get delivered. It seems that the keys were only valid for
> what I estimate was about 30 days. It is a real PITA to have to update the
> keys, restart named and then update Godaddy with new digests.
DNSSEC keys do not expire. Signatures do expire. How long a signature is
good for depends upon the software generating the signature; some let
you specify. ldns I believe defaults to 60 days but I am not sure.
The keys are in DNSKEY records that are signed by your Key Signing Key
and must be re-signed before the signature expires or they will no
longer validate.
Likewise, the other records in the zone must be resigned by your Zone
Signing Key before their signatures expire.
> The first part of the problem is fairly manageable in the sense I
> already have a script that partially can do the job of updating the DNS
> server. However from what I can tell the only way I can update the
> DNSSEC of my 8 domains is via the Godaddy control panel GUI. So a couple
> of questions.
> 1.) Is anyone aware of any way to update Godaddy DNSSEC data via a Centos
> 7 bash shell? I will contact Godaddy but I suspect I am SOL but thought
> I would ask here thinking somebody else may have already run into this
> issue.
That I don't know, I use ldns to sign my zone files and upload them to
my own authoritative nameserver.
> 2.) Assuming the answer to DNSSEC is no, can I at least have the keys
> last longer than they do by default. I am presently creating the keys via:
> dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE zone
> dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE zone
It's not the keys that are the issue, but the RRSIG record that contains
a start and expiration time for the records.
If you upload signed zone files to godaddy, make sure to re-sign once a
week or so, so that the RRSIG gets updated.
man ldns-signzone
It has switches for setting the start and expiration date of signatures.
By default I believe it uses current timestamp for start and +60 days
for end, though it may be +30 days.
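Added example, not from this thread: a small Python check that reads RRSIG records in the presentation format `dig +dnssec` or a signed zone file prints, and reports signatures that are already expired, not yet valid, or expiring within a warning window, so re-signing can be scheduled before validation starts failing. The sample records, owner name and key tags below are constructed for illustration.

```python
"""Report RRSIGs that are expired, not yet valid, or close to expiring."""
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

# RFC 4034 signature times are YYYYMMDDHHmmSS and always UTC.
RRSIG_TIME_FMT = "%Y%m%d%H%M%S"

# Constructed sample (not real zone data): a DNSKEY RRSIG that is about to
# expire and an A RRSIG with plenty of time left. Signature data is elided.
SAMPLE_RRSIGS = """\
example.net.  3600 IN RRSIG DNSKEY 8 2 3600 20190302120000 20190131120000 54321 example.net. AbCd==
example.net.  3600 IN RRSIG A      8 2 3600 20190401120000 20190201120000 12345 example.net. EfGh==
"""


def parse_rrsig(line: str) -> Tuple[str, str, datetime, datetime]:
    """Return (owner, type covered, inception, expiration) for one RRSIG line."""
    f = line.split()
    # f[0]=owner f[3]=RRSIG f[4]=type covered f[5]=algorithm f[6]=labels
    # f[7]=original TTL f[8]=expiration f[9]=inception f[10]=key tag f[11]=signer
    if len(f) < 12 or f[3] != "RRSIG":
        raise ValueError(f"not an RRSIG record: {line!r}")
    exp = datetime.strptime(f[8], RRSIG_TIME_FMT).replace(tzinfo=timezone.utc)
    inc = datetime.strptime(f[9], RRSIG_TIME_FMT).replace(tzinfo=timezone.utc)
    return f[0], f[4], inc, exp


def expiring_signatures(text: str, now: datetime,
                        warn_days: int = 7) -> List[Tuple[str, str, str, int]]:
    """Return (owner, type, status, days_left) for every RRSIG needing attention.

    status is "expired", "not-yet-valid" (inception in the future, e.g. clock
    skew) or "expiring"; days_left is whole days until expiration, negative
    once the signature has lapsed. Healthy signatures are omitted.
    """
    problems = []
    for line in text.splitlines():
        if not line.strip():
            continue
        owner, rtype, inc, exp = parse_rrsig(line)
        days_left = (exp - now) // timedelta(days=1)   # floor, so -7.5 -> -8
        if now >= exp:
            problems.append((owner, rtype, "expired", days_left))
        elif now < inc:
            problems.append((owner, rtype, "not-yet-valid", days_left))
        elif days_left < warn_days:
            problems.append((owner, rtype, "expiring", days_left))
    return problems


if __name__ == "__main__":
    for p in expiring_signatures(SAMPLE_RRSIGS, datetime.now(timezone.utc)):
        print("%s %s %s (%d days left)" % p)
```

Pipe `dig +dnssec +noall +answer <zone> DNSKEY` and the other record types into it from cron, or point it at the signed zone file, and alert well before the window the signer was given.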
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos