Good to know:
"The DNSKEY RR has no special TTL requirements." (RFC 4034 section 2, does not seem to have been updated)
#ldns takes the SOA TTL. Seems a reasonable choice 🤔
I wish #ldns-signzone had an option to tell it to not touch a DNSKEY RRSIG in the zone file it signs :-)
Ok, let's not go to NSEC3 territory: too much of a hassle.
Here's the plan:
- Sign zone using only the ZSK with #ldns
- Edit signed zone file to add KSK DNSKEY RR
- Change DNSKEY RRSIG with precomputed RRSIG for our RRset
That way, I should be able to generate DNSKEY RRSIGs for my zone in advance, using the KSK private key only once in a while (to generate RRSIGs for 3-4 months in advance), instead of having to use it every time.
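Steps 2 and 3 of the plan above (add the KSK DNSKEY, swap in the precomputed DNSKEY RRSIG) as an added example; this is not the poster's script and not part of ldns. It assumes the signed zone is in presentation format as ldns-signzone writes it, one RR per line, and that the precomputed RRSIG was made over exactly the DNSKEY RRset the zone will end up with (ZSK + KSK, same TTL). Before splicing it checks the things that silently break validation: the RRSIG's validity window, that its key tag and algorithm match the KSK (key tag computed as in RFC 4034 Appendix B), and that the DNSKEY TTL equals the RRSIG's Original TTL field. The zone content and key material are constructed, and the signature strings are dummies.

```python
"""Splice a KSK DNSKEY and a precomputed DNSKEY RRSIG into a ZSK-signed zone.

Added example (not the poster's script, not part of ldns). Assumes one RR per
line, whitespace-separated, as ldns-signzone writes its output.
"""
import base64
import struct
from datetime import datetime, timezone

def key_tag(dnskey_rdata):
    """RFC 4034 Appendix B key tag over DNSKEY RDATA 'flags proto alg base64'."""
    flags, proto, alg, *b64 = dnskey_rdata.split()
    wire = struct.pack("!HBB", int(flags), int(proto), int(alg))
    wire += base64.b64decode("".join(b64))
    ac = 0
    for i, byte in enumerate(wire):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def sig_time(yyyymmddhhmmss):
    """RRSIG inception/expiration in presentation format, as UTC datetime."""
    return datetime.strptime(yyyymmddhhmmss, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rr(line):
    """'owner TTL CLASS TYPE rdata...' -> (owner, ttl, class, type, [rdata])."""
    parts = line.split()
    return parts[0], int(parts[1]), parts[2], parts[3], parts[4:]

def is_rr(line):
    return bool(line.strip()) and not line.startswith((";", "$"))

def splice_ksk(signed_zone, ksk_dnskey_line, precomputed_rrsig_line, now):
    """Return the zone with the ZSK-made DNSKEY RRSIG replaced by the
    precomputed KSK RRSIG and the KSK DNSKEY added; raise ValueError on
    anything that would make the DNSKEY RRset fail to validate."""
    k_owner, k_ttl, _, k_type, k_rdata = parse_rr(ksk_dnskey_line)
    s_owner, _, _, s_type, s_rdata = parse_rr(precomputed_rrsig_line)
    if k_type != "DNSKEY" or s_type != "RRSIG" or s_rdata[0] != "DNSKEY":
        raise ValueError("expected a DNSKEY RR and an RRSIG covering DNSKEY")
    alg, _labels, orig_ttl, expiration, inception, tag, signer = s_rdata[1:8]
    if not (sig_time(inception) <= now < sig_time(expiration)):
        raise ValueError("precomputed RRSIG not valid at " + now.isoformat())
    if int(tag) != key_tag(" ".join(k_rdata)) or alg != k_rdata[2]:
        raise ValueError("RRSIG key tag/algorithm does not match the KSK")
    if signer != k_owner or s_owner != k_owner:
        raise ValueError("owner/signer name mismatch")

    lines = signed_zone.splitlines()
    dnskey_idx = [i for i, l in enumerate(lines)
                  if is_rr(l) and parse_rr(l)[3] == "DNSKEY" and parse_rr(l)[0] == k_owner]
    if not dnskey_idx:
        raise ValueError("no DNSKEY RR for the apex in the signed zone")
    ttls = {parse_rr(lines[i])[1] for i in dnskey_idx} | {k_ttl}
    if ttls != {int(orig_ttl)}:
        # RFC 4034 3.1.4: Original TTL must equal the TTL of the covered RRset
        raise ValueError("DNSKEY TTL must equal the RRSIG Original TTL")

    out = []
    for i, line in enumerate(lines):
        if is_rr(line):
            _, _, _, rtype, rdata = parse_rr(line)
            if rtype == "RRSIG" and rdata[0] == "DNSKEY":
                continue  # drop the DNSKEY signature ldns made with the ZSK
        out.append(line)
        if i == dnskey_idx[-1]:  # keep the DNSKEY RRset contiguous
            out.append(ksk_dnskey_line)
            out.append(precomputed_rrsig_line)
    return "\n".join(out) + "\n"

# --- constructed sample input (dummy keys and signatures) -------------------
ZONE_SIGNED = """\
example.test.\t3600\tIN\tSOA\tns1.example.test. hostmaster.example.test. 2024050101 7200 3600 1209600 3600
example.test.\t3600\tIN\tRRSIG\tSOA 13 2 3600 20240601000000 20240501000000 3353 example.test. c29hc2ln
example.test.\t3600\tIN\tNS\tns1.example.test.
example.test.\t3600\tIN\tRRSIG\tNS 13 2 3600 20240601000000 20240501000000 3353 example.test. bnNzaWc=
example.test.\t3600\tIN\tDNSKEY\t256 3 13 AQIDBAUG
example.test.\t3600\tIN\tRRSIG\tDNSKEY 13 2 3600 20240601000000 20240501000000 3353 example.test. enNrc2ln
example.test.\t3600\tIN\tNSEC\tns1.example.test. NS SOA RRSIG NSEC DNSKEY
example.test.\t3600\tIN\tRRSIG\tNSEC 13 2 3600 20240601000000 20240501000000 3353 example.test. bnNlYw==
"""
KSK_DNSKEY = "example.test.\t3600\tIN\tDNSKEY\t257 3 13 AQIDBA=="
# Three-month DNSKEY signature precomputed with the KSK (key tag 2068)
KSK_RRSIG = ("example.test.\t3600\tIN\tRRSIG\tDNSKEY 13 2 3600 "
             "20240801000000 20240501000000 2068 example.test. a3Nrc2ln")

def demo():
    now = datetime(2024, 6, 15, tzinfo=timezone.utc)
    return splice_ksk(ZONE_SIGNED, KSK_DNSKEY, KSK_RRSIG, now)

if __name__ == "__main__":
    print(demo(), end="")
```

Run it once per precomputed RRSIG; when the current one nears expiry, swap in the next one from the batch. The checks are deliberately strict: a DNSKEY TTL that differs from what the RRSIG was made for, or a KSK that is not the signer named in the RRSIG, is exactly the kind of mismatch that only shows up as SERVFAIL at resolvers.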
It's #FollowerFriday today!
Consider following those really nice folks @nlnetlabs, they are creating #opensource software to make the #internet a safer, better place.
If you know what #krill, #unbound, #nsd, #ldns (...) mean, they're surely the ones you'd like to follow!
#followerfriday #opensource #internet #krill #unbound #nsd #ldns #dns #dnssec
> The #drill command supports #HTTPS #RR (type 65) in the latest git revision [1]. To use it, build #ldns with --enable-rrtype-svcb-https
https://stackoverflow.com/a/68064522