DS record for reverse zones

Started by sjbauer, May 01, 2014, 09:32:57 AM


sjbauer

Hello!
I see you have added some of the DNSSEC records to the forward zones. Is there a reason they were left out of the reverse zones? I tested this with version 2.22 that was downloaded from the store.

matt

I don't recall if there was a particular reason. Perhaps just an oversight.

I pushed NicTool down the road towards DNSSEC, but there's still more path left to travel.

Are you actually using DNSSEC records?  If so, how?

sjbauer

Currently, I am using DS records in a /32 IPv6 reverse zone that I host. This allows me to delegate / maintain the full DNSSEC hierarchy without combining all of the reverse /40s into the /32.

In order to actually sign the zones, I feed the zones to OpenDNSSEC to allow it to maintain the individual zone ZSK and KSK.

Steve

matt

Log into mysql on your NicTool Server and run these queries:

USE nictool;
UPDATE resource_record_type SET reverse=1 WHERE name='DS';


That will enable DS records in rDNS zones.

I have also made that change in the source, so that new installs will have that enabled by default.

sjbauer

I have done that already.  There are a couple of other updates that need to be done as well.   One needs to update NicToolClient/htdocs/zone.cgi around line 1520 to allow the options for DS to be entered.

Another thing I had to change was to edit nt-script.js in the function getDnssecAlorithms() so that I could add Algorithm 8, which is RSA/SHA-256, which is what they recommend for signing zones now.

Steve
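For context on the delegation Steve describes above (DS records for /40 child zones kept in the parent /32 ip6.arpa zone, with the children signed using algorithm 8), here is an added example that is not part of this thread, NicTool, or OpenDNSSEC. It derives the ip6.arpa zone names from the prefixes and builds the child zone's DS RR from its DNSKEY the way RFC 4034 (key tag, canonical owner name) and RFC 4509 (SHA-256 digest type 2) specify. The prefixes, the helper names (`reverse_zone_name`, `ds_record`, ...) and the DNSKEY public key bytes are constructed for the example; the key is a dummy, not a usable RSA key.

```python
"""Build the DS record for a child ip6.arpa zone from its DNSKEY (RFC 4034 / RFC 4509).

Added example, not NicTool or OpenDNSSEC code. The DNSKEY public key used in
main() is a constructed dummy byte string, not a real key; only the DS
arithmetic is real.
"""
import base64
import hashlib
import ipaddress
import struct

SHA256_DIGEST_TYPE = 2   # DS digest type 2 = SHA-256 (RFC 4509)
RSASHA256 = 8            # DNSKEY algorithm 8 = RSA/SHA-256 (RFC 5702)


def reverse_zone_name(prefix: str) -> str:
    """Map an IPv6 prefix to its ip6.arpa zone name.

    ip6.arpa zones are cut on nibble boundaries, so anything other than a
    multiple-of-4 prefix length cannot be expressed as a single reverse zone.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version != 6 or net.prefixlen % 4:
        raise ValueError(f"{prefix}: need an IPv6 prefix on a nibble (/4) boundary")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root = 0x00."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError(f"label too long: {label}")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return struct.pack(">HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_record(owner: str, flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> str:
    """Return the DS RR (presentation format) the parent zone publishes for `owner`.

    digest = SHA-256(canonical owner name || DNSKEY RDATA), per RFC 4034 s5.1.4.
    """
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64))
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {SHA256_DIGEST_TYPE} {digest}"


def main() -> None:
    parent = reverse_zone_name("2001:db8::/32")        # the hosted /32 zone
    child = reverse_zone_name("2001:db8:ab00::/40")    # one delegated /40 inside it
    assert child.endswith("." + parent)                # child zone is cut below the parent

    # Constructed dummy KSK (flags 257 = SEP bit set, protocol 3, algorithm 8).
    dummy_pubkey_b64 = base64.b64encode(bytes([1, 2, 3, 4])).decode()
    # The DS RR goes into the PARENT (/32) zone at the child's owner name;
    # the DNSKEY itself stays in the child (/40) zone.
    print(ds_record(child, 257, 3, RSASHA256, dummy_pubkey_b64))


if __name__ == "__main__":
    main()
```

The DS line printed is what the /32 zone would carry at `b.a.8.b.d.0.1.0.0.2.ip6.arpa.`; a resolver validating the child uses it to check the child's KSK, and the parent's own signatures carry that trust up to ip6.arpa. Note that `reverse_zone_name` rejects prefixes such as /42 on purpose: a reverse zone can only be cut on a nibble boundary, so a non-aligned allocation needs several /44 (or similar) zones, each with its own DS.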

matt

Any chance I'll see a Pull Request for the changes on github?

sjbauer

Yes, you should see one now.  I didn't have to update the javascript since you already had that updated in the head as compared to release 2.22.

Steve

matt