HSD + Knot resolver (with DNSSEC enabled)

Run hsd as a root server only at 127.0.0.2:53 and let knot-resolver do recursion (recommended):

hsd --no-wallet --no-rs --no-sig0 --ns-host 127.0.0.2 --ns-port 53

Add the hsd KSK to /var/lib/knot-resolver/root.keys

@buffrr
buffrr / dnssec-zone.md
Created November 16, 2021 19:29
Quick guide for using Knot DNS to dnssec sign a zone

Note: ⚠️ this is a draft; it still needs some work and is not 100% tested:

Knot DNS setup

Install knot

LC_ALL=C.UTF-8 add-apt-repository ppa:cz.nic-labs/knot-dns-latest
apt-get update
apt-get install knot
@buffrr
buffrr / x509-dane.md
Last active March 2, 2024 05:39
Generate an x509 certificate and a TLSA record with openssl

Creating a self-signed certificate for example.com (if you already have a certificate you can skip this step):

openssl req -x509 -newkey rsa:4096 -sha256 -days 365 -nodes \
  -keyout cert.key -out cert.crt -extensions ext  -config \
  <(echo "[req]";
    echo distinguished_name=req;
    echo "[ext]";
 echo "keyUsage=critical,digitalSignature,keyEncipherment";
@buffrr
buffrr / hsd-blacklies.md
Last active March 18, 2021 01:02
Experimental HSD root server + external dnssec resolver

This is a proof of concept branch for fixing NSEC proofs in HSD.

Here are some example configurations for running a standalone HSD root server with an external DNSSEC-validating recursive resolver. You can let BIND or an external Unbound resolver do most of the work of resolving and validating DNSSEC; HSD will only be responsible for serving the root zone.

Install hsd using the blacklies branch:

git clone https://github.com/buffrr/hsd
cd hsd && git checkout blacklies

Keybase proof

I hereby claim:

  • I am buffrr on github.
  • I am buffrr (https://keybase.io/buffrr) on keybase.
  • I have a public key ASD5-DnOfECmyq8VITgfgYxbQNcsqqUG9mgrJCEdkx0YSwo

To claim this, I am signing this object: