
Author Topic: How to secure your domain with DNSSEC in Kloxo  (Read 7270 times)


Offline Spacedust

How to secure your domain with DNSSEC in Kloxo
« on: 2021-02-19, 23:11:40 »
1. Add this line to /etc/pdns/pdns.conf:

Code:
gmysql-dnssec=yes

2. Restart PowerDNS with service pdns restart.

3. Open phpMyAdmin under https://YOUR_IP:7777/thirdparty/phpMyAdmin/index.php and log in as root.

4. Select the powerdns database and click the SQL tab.

5. Enter:

Code:
ALTER table cryptokeys add column published BOOL DEFAULT 1 after active;

If you have PowerDNS 4.7, run this too:

Code:
ALTER TABLE domains ADD options VARCHAR(64000) DEFAULT NULL;
ALTER TABLE domains ADD catalog VARCHAR(255) DEFAULT NULL;
ALTER TABLE domains MODIFY type VARCHAR(8) NOT NULL;
CREATE INDEX catalog_idx ON domains(catalog);

6. Go back to the SSH terminal and type:

Code:
pdnsutil secure-zone yourdomain.com

7. Show DS keys:

Code:
pdnsutil show-zone yourdomain.com | grep CSK

Key ID is the number right after IN DNSKEY

Public key is the large string after 13 in the second line

8. Now go to your domain registrar, e.g. online.net, and in the domain settings DNSSEC tab use these settings:

Quote
Key ID: 257 (or other as noted above)

Quote
Algorithm: 13/ ECDSAP256SHA256

Quote
Public key: copy the whole key (long string) after 13 and before ; from second line

You can verify on https://www.hardenize.com: just enter the domain name and hit ENTER.

It should respond with:

Test passed
Everything seems to be well configured. Well done.

in DNSSEC section.

9. If you have subdomains with their own zones (e.g. extra subdomains via Kloxo) secure them too with:

Code:
pdnsutil secure-zone subdomain.yourdomain.com

10. Then list the subdomain zone with:

Code:
pdnsutil show-zone subdomain.yourdomain.com | grep DS

11. This will give you something like this; copy the last 4 lines:

Code:
ID = 6 (CSK), flags = 257, tag = 20164, algo = 13, bits = 256     Active         Published  ( ECDSAP256SHA256 )
CSK DNSKEY = subdomain.yourdomain.com 777600 IN DNSKEY 257 3 13 lnOLSuqVqvCUVDgBHjxz5yhXlcX0kbbZ8sSdpBrb1bUAlAqelea47b36+YGrn4HHKE/fqk6tH0MNQdWNBZOtPg== ; ( ECDSAP256SHA256 )
DS = subdomain.yourdomain.com 777600 IN DS 20164 13 1 225e6a7160c9ce428c6212a122aa3d3d91af67c3 ; ( SHA1 digest )
DS = subdomain.yourdomain.com 777600 IN DS 20164 13 2 9f182e93515314797a310d574b681010b473830d8e7772993ee373353bb5cc01 ; ( SHA256 digest )
DS = subdomain.yourdomain.com 777600 IN DS 20164 13 4 649df82cb4d9049730fe554fdf44ccd3de97a486fb7fad526208ca92be3460eb98db55463d44e1712c8f352fcb32f8ce ; ( SHA-384 digest )

12. Now run this:

Code:
export EDITOR=vim

13. Finally, run the editor on the main domain with:

Code:
pdnsutil edit-zone yourdomain.com

14. Press Insert and paste all DS records at the bottom, but in a form like this:

Code:
subdomain.yourdomain.com 777600 IN DNSKEY 257 3 13 lnOLSuqVqvCUVDgBHjxz5yhXlcX0kbbZ8sSdpBrb1bUAlAqelea47b36+YGrn4HHKE/fqk6tH0MNQdWNBZOtPg==
subdomain.yourdomain.com 777600 IN DS 20164 13 1 225e6a7160c9ce428c6212a122aa3d3d91af67c3
subdomain.yourdomain.com 777600 IN DS 20164 13 2 9f182e93515314797a310d574b681010b473830d8e7772993ee373353bb5cc01
subdomain.yourdomain.com 777600 IN DS 20164 13 4 649df82cb4d9049730fe554fdf44ccd3de97a486fb7fad526208ca92be3460eb98db55463d44e1712c8f352fcb32f8ce

15. Save the file with Esc and then :wq!

16. Press y to update serial, then a to apply.

17. If you have multiple domains, you need to paste all their keys into the master domain.

18. Check if everything for your subdomain is working well here: https://dnssec-analyzer.verisignlabs.com/ (make sure no red or yellow warnings here) and here https://dns.google/
« Last Edit: 2023-12-02, 19:38:48 by Spacedust »
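
A check that can be run before handing records to the registrar (step 8) or pasting them into the parent zone (step 14), as an added example that is not part of the original post: it recomputes the key tag and DS digest from a DNSKEY line as defined in RFC 4034 and compares them with a DS line. All function names are hypothetical; the DNSKEY is the one quoted in the post, and because the digest covers the owner name, the check has to be run with the real zone name.

```python
import base64
import hashlib
import struct

# Added example; every function name below is hypothetical, not part of pdnsutil.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def parse_rr(line):
    """Split 'owner ttl IN TYPE rdata...'; a pdnsutil 'DS = ' prefix and ';' comment are allowed."""
    tok = line.split(";")[0].split()
    i = tok.index("IN")
    return tok[i - 2].rstrip(".").lower(), tok[i + 1], tok[i + 2:]

def dnskey_rdata(fields):
    """Wire-format DNSKEY RDATA: flags, protocol, algorithm, public key."""
    flags, proto, algo = (int(x) for x in fields[:3])
    return struct.pack("!HBB", flags, proto, algo) + base64.b64decode("".join(fields[3:]))

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: a 16-bit checksum over the DNSKEY RDATA."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + (acc >> 16)) & 0xFFFF

def wire_name(name):
    """Canonical (lower-case) wire form of an owner name."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def make_ds(dnskey_line, digest_type):
    """Build the DS line the parent should carry for this DNSKEY (TTL copied from the post)."""
    owner, _, fields = parse_rr(dnskey_line)
    rdata = dnskey_rdata(fields)
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest()
    return f"{owner} 777600 IN DS {key_tag(rdata)} {rdata[3]} {digest_type} {digest}"

def ds_matches(dnskey_line, ds_line):
    """True only if owner, tag, algorithm and digest in ds_line all derive from dnskey_line."""
    owner, _, (tag, algo, dtype, *digest) = parse_rr(ds_line)
    if int(dtype) not in DIGESTS or owner != parse_rr(dnskey_line)[0]:
        return False
    expected = parse_rr(make_ds(dnskey_line, int(dtype)))[2]
    return [tag, algo, dtype, "".join(digest).lower()] == expected

# Sample input: the DNSKEY line in the form `pdnsutil show-zone` prints it in the post.
DNSKEY = ("CSK DNSKEY = subdomain.yourdomain.com 777600 IN DNSKEY 257 3 13 lnOLSuqVqvCUVDgBHjxz"
          "5yhXlcX0kbbZ8sSdpBrb1bUAlAqelea47b36+YGrn4HHKE/fqk6tH0MNQdWNBZOtPg== ; ( ECDSAP256SHA256 )")

if __name__ == "__main__":
    good = make_ds(DNSKEY, 2)  # DS built from the key; the second check uses a tampered digest
    print(good, ds_matches(DNSKEY, good), ds_matches(DNSKEY, good[:-1] + "x"))
```

A DS line that fails this comparison should not be published at the parent, because validating resolvers will then treat the child zone as bogus.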

Offline azzureal

Re: How to secure your domain with DNSSEC in Kloxo
« Reply #1 on: 2021-03-02, 16:38:33 »
thanks..

 

