@phryneas
Last active July 26, 2016 23:54
dnssec, openpgpkey, dane, sshfp

this is a short run-down of setting up DNSSEC, OPENPGPKEY, DANE and SSHFP records, assuming you already have a working BIND installation.

if you need a secondary DNS server that supports DNSSEC (the chances are high if you are not hosting two DNS servers yourself), take a look at https://freedns.afraid.org/ - it's free for basic usage (which is absolutely enough) and works like a charm!

# DANE

there are quite a lot of tools out there to generate DANE (TLSA) records.

I like hash-slinger. the only downside is that if you are using SNI or something like SMTP with STARTTLS, you have to pass the certificate explicitly on the command line. but since most other generators fail completely at this task in the SNI case, that is probably a good idea anyway.

if you have a few services that share the same cert, you can make it short:

```bash
# usage 3 = DANE-EE (the end-entity certificate itself is trusted), selector 1 = SubjectPublicKeyInfo,
# matching type 1 = SHA-256. with selector 1 the record stays valid across renewals that keep the same key.
echo -n 25,587,143,993,443 | xargs -n1 -I{} -d, tlsa --create --output rfc --usage 3 --selector 1 --mtype 1 --port {} --certificate /path/to/your/cert.crt example.com
```

one thing to remember:

for port 443, you will want to create additional records for the subdomains you might be using (www?)

warning: if you add a www. TLSA record, you have to create an explicit A record for www. too! a wildcard record no longer covers it at that point: once `_443._tcp.www.example.com` exists, `www.example.com` itself exists as an empty non-terminal, and wildcards do not match names that exist (RFC 4592).

also: if you are using SNI, use the certificate of the domain you enter in the browser, not apache's default certificate. many validators currently fail on SNI.

- this validator will fail on SNI: https://www.had-pilot.com/dane/danelaw.html
- this one works with SNI: https://check.sidnlabs.nl/dane/
- this one can validate SMTP: https://dane.sys4.de/

# SSHFP

just run

```bash
ssh-keygen -r your-host-name.
```

(the trailing dot makes the owner name absolute in the zone file.) this will give you the necessary SSHFP records for your zone file.

on your host then run

```bash
ssh-keygen -r 127.0.0.1
```

just to validate that the fingerprints match, as a precaution that you haven't been MITM'ed while generating the keys ;)

when connecting to your host, use the ssh option `VerifyHostKeyDNS yes` from now on. note that ssh only accepts the SSHFP records silently when the answer is DNSSEC-validated by your resolver (AD bit set); with an unvalidated answer it still prompts you to confirm the key.

# OPENPGPKEY DNS record

the script openpgpkey_record.sh published with this gist will generate a DNS record for the key specified (I recommend specifying it by key id, but an email address should work, too).

```bash
./openpgpkey_record.sh your-key-id
```

just paste the output into your zone file, run zonesigner and republish the zone.

if you are on an old BIND version that does not know OPENPGPKEY records: the same data can be published as a generic TYPE61 record (RFC 3597 syntax), too. you can use the generator at https://www.huque.com/bin/openpgpkey for that.

openpgpkey_record.sh:

```bash
#!/bin/bash
# generate an OPENPGPKEY zone-file record (RFC 7929) for one key
# usage: ./openpgpkey_record.sh <key-id-or-email>
set -euo pipefail
[ $# -eq 1 ] || { echo "usage: $0 <key-id>" >&2; exit 1; }
# first user ID of the key; machine-readable output, field 10 is the uid string
MAIL=$(gpg2 --with-colons -k "$1" | awk -F: '$1=="uid" && !found {print $10; found=1}' | sed -E 's,^.*<(.*)>.*$,\1,')
LOCALPART=${MAIL%@*}
DOMAIN=${MAIL##*@}
# owner name: SHA-256 of the local-part truncated to 28 octets (56 hex chars), as RFC 7929 specifies
# (note: this is not the same value as a SHA-224 digest)
HASH=$(printf '%s' "${LOCALPART}" | openssl dgst -sha256 -r | cut -c1-56)
FQDN="${HASH}._openpgpkey.${DOMAIN}."
# key data: armored minimal export with the armor headers, the CRC line and the END line stripped
KEYDATA=$(gpg2 --export --export-options export-minimal --armor "$1" \
  | sed -e '1,/^$/d' -e '/^=/d' -e '/^-----END/d' -e 's,^, ,')
cat <<EOF
; OPENPGPKEY record for key $1 (${LOCALPART}@${DOMAIN})
$FQDN IN OPENPGPKEY (
${KEYDATA}
);
EOF
```
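As an added example (not part of the gist), the SSHFP and OPENPGPKEY sections in Python: build SSHFP rdata from an OpenSSH public key line (algorithm numbers from RFC 4255/6594/7479), derive the RFC 7929 owner name for an address, and do the "do the published records match the keys the host presents" check from the SSHFP section against rdata you obtained from DNS. The sample key line is constructed and not a real host key.

```python
"""SSHFP rdata and OPENPGPKEY owner names, plus a DNS-vs-host SSHFP check."""
import base64
import hashlib

# SSHFP algorithm numbers (RFC 4255, 6594, 7479); fingerprint types 1 = SHA-1, 2 = SHA-256.
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
              "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
SSHFP_DIGEST = {1: hashlib.sha1, 2: hashlib.sha256}

# Constructed sample host key (ed25519 wire format: type string + 32 key bytes),
# not a real key; a real one comes from /etc/ssh/*.pub or `ssh-keyscan host`.
SAMPLE_ED25519 = "ssh-ed25519 " + base64.b64encode(
    b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))).decode() + " sample"


def sshfp_rdata(pubkey_line, fptype=2):
    """(algorithm, fptype, hex) for one OpenSSH public key line. The fingerprint
    is the digest of the raw key blob, i.e. the base64 field decoded."""
    keytype, blob_b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(blob_b64)
    return SSHFP_ALGO[keytype], fptype, SSHFP_DIGEST[fptype](blob).hexdigest()


def sshfp_record(owner, pubkey_line, fptype=2):
    """Zone-file line in the same shape as `ssh-keygen -r` prints."""
    algo, ftype, digest = sshfp_rdata(pubkey_line, fptype)
    return f"{owner} IN SSHFP {algo} {ftype} {digest}"


def check_sshfp(published_rdata, presented_key_lines):
    """Compare SSHFP rdata strings from DNS ("4 2 <hex>") with the keys a host
    actually presents. Returns (matched, unmatched): anything in `unmatched` is
    advertised in DNS but not presented by the host (stale record, or another
    machine answering on that name), which is what VerifyHostKeyDNS rejects."""
    presented = set()
    for line in presented_key_lines:
        for fptype in SSHFP_DIGEST:
            algo, ftype, digest = sshfp_rdata(line, fptype)
            presented.add(f"{algo} {ftype} {digest}")
    published = {" ".join(r.split()).lower() for r in published_rdata}
    return published & presented, published - presented


def openpgpkey_owner(email):
    """Owner name per RFC 7929: SHA-256 of the local-part, truncated to 28 octets."""
    local, domain = email.rsplit("@", 1)
    digest = hashlib.sha256(local.encode("utf-8")).hexdigest()[:56]
    return f"{digest}._openpgpkey.{domain}."
```

Feed `check_sshfp` the rdata strings your (DNSSEC-validating) resolver returned for the host's SSHFP set and the lines from `ssh-keyscan host`; a non-empty second result means the zone and the host disagree.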