1. Add the following line to /etc/pdns/pdns.conf:
gmysql-dnssec=yes
2. Restart PowerDNS with service pdns restart.
4. Open phpMyAdmin at
https://YOUR_IP:7777/thirdparty/phpMyAdmin/index.php and log in as root.
4. Select the powerdns database and click the SQL tab.
5. Enter:
ALTER TABLE cryptokeys ADD COLUMN published BOOL DEFAULT 1 AFTER active;
6. Go back to the SSH terminal and type:
pdnsutil secure-zone yourdomain.com
7. Show the zone's keys:
pdnsutil show-zone yourdomain.com | grep CSK
The Key ID is the number right after IN DNSKEY.
The public key is the long string after the 13 on the second line.
8. Now go to your domain registrar (e.g. online.net) and, in the domain settings, DNSSEC tab, use the following settings:
Key ID: 257 (or whatever was shown above)
Algorithm: 13 / ECDSAP256SHA256
Public key: copy the whole key (the long string) between the 13 and the ; on the second line
You can verify on https://www.hardenize.com: just enter the domain name and hit ENTER.
In the DNSSEC section it should respond with:
Test passed
Everything seems to be well configured. Well done.
9. If you have subdomains with their own zones (e.g. extra subdomains created via Kloxo), secure them too with:
pdnsutil secure-zone subdomain.yourdomain.com
10. Then list the subdomain zone with:
pdnsutil show-zone subdomain.yourdomain.com | grep DS
11. This will give you something like the following; copy the last 4 lines:
ID = 6 (CSK), flags = 257, tag = 20164, algo = 13, bits = 256 Active Published ( ECDSAP256SHA256 )
CSK DNSKEY = subdomain.yourdomain.com 777600 IN DNSKEY 257 3 13 lnOLSuqVqvCUVDgBHjxz5yhXlcX0kbbZ8sSdpBrb1bUAlAqelea47b36+YGrn4HHKE/fqk6tH0MNQdWNBZOtPg== ; ( ECDSAP256SHA256 )
DS = subdomain.yourdomain.com 777600 IN DS 20164 13 1 225e6a7160c9ce428c6212a122aa3d3d91af67c3 ; ( SHA1 digest )
DS = subdomain.yourdomain.com 777600 IN DS 20164 13 2 9f182e93515314797a310d574b681010b473830d8e7772993ee373353bb5cc01 ; ( SHA256 digest )
DS = subdomain.yourdomain.com 777600 IN DS 20164 13 4 649df82cb4d9049730fe554fdf44ccd3de97a486fb7fad526208ca92be3460eb98db55463d44e1712c8f352fcb32f8ce ; ( SHA-384 digest )
12. Now run this:
export EDITOR=vim
13. Finally, open the main domain's zone in the editor with:
pdnsutil edit-zone yourdomain.com
14. Press Insert and paste all the DS records at the bottom, in this form:
subdomain.yourdomain.com 777600 IN DNSKEY 257 3 13 lnOLSuqVqvCUVDgBHjxz5yhXlcX0kbbZ8sSdpBrb1bUAlAqelea47b36+YGrn4HHKE/fqk6tH0MNQdWNBZOtPg==
subdomain.yourdomain.com 777600 IN DS 20164 13 1 225e6a7160c9ce428c6212a122aa3d3d91af67c3
subdomain.yourdomain.com 777600 IN DS 20164 13 2 9f182e93515314797a310d574b681010b473830d8e7772993ee373353bb5cc01
subdomain.yourdomain.com 777600 IN DS 20164 13 4 649df82cb4d9049730fe554fdf44ccd3de97a486fb7fad526208ca92be3460eb98db55463d44e1712c8f352fcb32f8ce
15. Save the file with Esc and then :wq!
16. Press y to update the serial, then a to apply.
17. If you have multiple domains, you need to paste all their keys into the master domain.
18. Check that everything for your subdomain is working here:
https://dnssec-analyzer.verisignlabs.com/ (make sure there are no red or yellow warnings) and here:
https://dns.google/
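Before pasting the DS lines from step 11 into the parent zone (step 14) or typing the key into the registrar's form (step 8), it helps to check that the key tag and DS digests really belong to the DNSKEY you are publishing. The script below is an added example, not part of this guide or of PowerDNS: it takes a DNSKEY line in the form shown in step 14, derives the key tag per RFC 4034 Appendix B and the DS records (digest types 1, 2 and 4) per RFC 4034 section 5.1.4, and prints them for comparison with pdnsutil's output. The embedded DNSKEY_LINE is the CSK from step 11 (the owner name, TTL and key as printed there).

```python
import base64
import hashlib
import struct

# Constructed input: the CSK DNSKEY that the show-zone output in step 11 prints.
DNSKEY_LINE = (
    "subdomain.yourdomain.com 777600 IN DNSKEY 257 3 13 "
    "lnOLSuqVqvCUVDgBHjxz5yhXlcX0kbbZ8sSdpBrb1bUAlAqelea47b36+YGrn4HHKE/fqk6tH0MNQdWNBZOtPg=="
)
DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest type -> hash

def wire_name(name):
    """Owner name in canonical wire form: lowercase, length-prefixed labels, root label."""
    labels = [l.encode() for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def parse_dnskey(line):
    """Split a presentation-format DNSKEY line into (owner, ttl, flags, proto, algo, key bytes)."""
    f = line.split(";")[0].split()          # drop any trailing "; ( ... )" comment
    if f[2:4] != ["IN", "DNSKEY"]:
        raise ValueError("not a DNSKEY record: " + line)
    return f[0], int(f[1]), int(f[4]), int(f[5]), int(f[6]), base64.b64decode("".join(f[7:]))

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (valid for every algorithm except the obsolete RSA/MD5, 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_records(line):
    """Return (key tag, [DS lines]); each digest covers owner name (wire form) + DNSKEY RDATA."""
    owner, ttl, flags, proto, algo, key = parse_dnskey(line)
    rdata = struct.pack("!HBB", flags, proto, algo) + key   # flags, protocol, algorithm, key
    tag = key_tag(rdata)
    lines = []
    for dtype, h in sorted(DS_DIGESTS.items()):
        digest = h(wire_name(owner) + rdata).hexdigest()
        lines.append("%s %d IN DS %d %d %d %s" % (owner, ttl, tag, algo, dtype, digest))
    return tag, lines

if __name__ == "__main__":
    tag, lines = ds_records(DNSKEY_LINE)
    print("key tag:", tag)   # step 11's show-zone output reports tag = 20164 for this key
    print("\n".join(lines))
```

The key tag covers only the DNSKEY RDATA, so it must come out as 20164 for the key above regardless of the zone name; the digests also cover the owner name, so they only match pdnsutil's DS lines when the name is the real zone name.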