cme-dnsec-service

Overview

Some scripts to manage DNSSEC on BIND v9.19.1 to work with DNSSEC DS/CDS keys.

Description

To keep DNS secure https://datatracker.ietf.org/doc/html/rfc8078 provides a means for a child DNS server to be able to automatically update the parent with keys, when a CDS/CDNSKEY record changes.

These scripts monitor the bind logs for CDS and KSK publishing and updates the DS records accordingly.

Installation

Use the CME https://cme.flipkick.media or clone this repo to somewhere safe on your DNS server. Run the install.sh to install with default values. Then edit vim /etc/cme/cme-dnssec-monior.env and correct the values.

# get scripts
sudo git clone ssh://git.flipkick.media/cme/cme-bind-dnssec /usr/local/sbin/cme-bind-dnssec
sudo cp /usr/local/sbin/cme-bind-dnssec/cme-dnssec-monitor.service /etc/systemd/system/
sudo chown root:root /etc/systemd/system/cme-dnssec-monitor.service

#create config
sudo mkdir /etc/cme
cp cme-dnssec-monitor.env /etc/cme/
chown root:root -R /etc/cme
chmod 700 /etc/cme
chmod 600 /etc/cme/cme-dnssec-monitor.env

#setup service
sudo systemctl enable bind-dnssec-monitor.service
sudo systemctl start bind-dnssec-monitor.service
sudo systemctl restart named

Update

sudo cd /usr/local/sbin/cme-bind-dnssec
sudo git pull
sudo cp cme-dnssec-monitor.service /etc/systemd/system/
sudo systemctl daemon-reload
sudo systemctl restart cme-dnssec-monitor.service

Configuration

Views

If your server has a split horizon you can define the views by using the view name as part of the environment variables.

In the example config provided you can see a BIND setup with two views, externals-master and internals-master.

Note: You will need the associated keys and ACLs setup in BIND in order for the interface options to work correctly.

Logging

All logs are sent to syslog.

To follow the log:

journalctl -f -u cme-dnssec-monitor

Useful tools

Verisign Labs

Verisign Labs have a quick checklist style validator:

Verisign Labs DNSSEC Debugger

DNSViz

Using DNSViz you can visualise your DNS configuration for a given domain name:

CME

This forms part of the CME platform from flipkick.media

Copyright Notice

Licence

Please use freely and credit flipkick.media wherever you can. Donations always greatly appreciated ;)

Name		Name	Last commit message	Last commit date
Latest commit History 123 Commits
README.md		README.md
add		add
bad-dnsviz.png		bad-dnsviz.png
cds.sh		cds.sh
clean		clean
clean_keys.sh		clean_keys.sh
clean_zone.sh		clean_zone.sh
cme-dnssec		cme-dnssec
cme-dnssec-monitor.service		cme-dnssec-monitor.service
cme-external-cds-monitor.service		cme-external-cds-monitor.service
dnssec-monitor.env		dnssec-monitor.env
dnsvis.png		dnsvis.png
external-cds-monitor.sh		external-cds-monitor.sh
init		init
install		install
lib.sh		lib.sh
monitor		monitor
status		status
test_service.sh		test_service.sh
update		update
upload.sh		upload.sh

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

cme-dnsec-service

Overview

Description

Installation

Update

Configuration

Views

Logging

Useful tools

Verisign Labs

DNSViz

CME

Copyright Notice

Licence

About

Releases

Packages

Languages

flipkickmedia/cme-dnssec-service

Folders and files

Latest commit

History

Repository files navigation

cme-dnsec-service

Overview

Description

Installation

Update

Configuration

Views

Logging

Useful tools

Verisign Labs

DNSViz

CME

Copyright Notice

Licence

About

Resources

Stars

Watchers

Forks

Releases

Packages 0

Languages

Packages