[Dnsmasq-discuss] dnskey
Simon Kelley
simon at thekelleys.org.uk
Thu Jan 30 09:46:12 GMT 2014
On 29/01/14 19:30, e9hack wrote:
> How must I define a dnskey? Help shows:
> --dnskey=<domain>,<algo>,<key> Specify trust anchor DNSKEY
>
> I retrieve the trust anchor DNSKEY for the de zone with dig +multiline de dnskey
>
> ; <<>> DiG 9.7.6-P4 <<>> +multiline de dnskey
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29712
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;de. IN DNSKEY
>
> ;; ANSWER SECTION:
> de. 835 IN DNSKEY 256 3 8 (
> AwEAAZ3qQoezSnp7jBTIOEp7FGWi7ONawnSRKH+YKCIN
> 2lfos1JTOA4+3tEKaJ8RJ2PYExqsQqvD/JpMAmD26BrM
> UGUm4CXvbDy3bHcTP4dEuDCehZEbjDZIrK5zBaueS8qA
> 5rnLbe9s/mFxexIiXl8FaCLeXqxWI6S0F5uJYOKqBxAF
> ) ; key id = 60408
> de. 835 IN DNSKEY 257 3 8 (
> AwEAAYbcKo2IA8l6arSIiSC+l97v2vgNXrxjBJK+XkX5
> FYMPDfr2QgtUMHfjLPfMKiSxEXT0uL+SucI1ohv5I0C/
> pgz9e9NFDhMCpHLPA5s9LIzQMHEs7Y+idlsRnBKe9Kw/
> B1RxzSZKxMd8UyAeA6j0vlZIKrokc1nr4ouvDhoYR3JD
> d7vCcvV08EIuaPgL0ijUYk071OOjRFG+waRZnVPAwFZs
> gDIgBJqDl/nRVRBI8k3YFVPka6Rls/EIDYloqG+X5VZC
> /VXbBb7fams8misz3MsLeVy/fiH0j8SJMAZSbQxqo+/z
> WUJogl4Tyb5TbT1LRTfbyxII2zQ/ATXocWOohSU=
> ) ; key id = 24220
>
> ;; Query time: 14 msec
> ;; SERVER: 192.168.101.1#53(192.168.101.1)
> ;; WHEN: Wed Jan 29 19:21:18 2014
> ;; MSG SIZE rcvd: 444
>
> The second key is the trust anchor DNSKEY, right?
>
> If I set something like this:
> --dnskey=de,8,AwEAAYbcKo2IA8l6arSIiSC+l97v2vgNXrxjBJK+XkX5FYMPDfr2QgtUMHfjLPfMKiSxEXT0uL+SucI1ohv5I0C/pgz9e9NFDhMCpHLPA5s9LIzQMHEs7Y+idlsRnBKe9Kw/B1RxzSZKxMd8UyAeA6j0vlZIKrokc1nr4ouvDhoYR3JDd7vCcvV08EIuaPgL0ijUYk071OOjRFG+waRZnVPAwFZsgDIgBJqDl/nRVRBI8k3YFVPka6Rls/EIDYloqG+X5VZC/VXbBb7fams8misz3MsLeVy/fiH0j8SJMAZSbQxqo+/zWUJogl4Tyb5TbT1LRTfbyxII2zQ/ATXocWOohSU=
>
> I get the error 'bad DNSKEY'.
>
> Regards,
> Hartmut
>
You need the flags field, 257 too

--dnskey=de,257,8,AwEAAYbcKo.........

(I missed out the "protocol" field, since it's defined to always and
forever have value "3")

I'm about to add a new file to the git repo, called trust-anchors.conf,
which has the root trust anchors in it.

Just add

conf-file=/path/to/trust-anchors.conf

to your existing configuration, and all you trust will be anchored.

Cheers,
Simon.
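
Added example (not part of the original thread and not dnsmasq code): a Python sketch that turns `dig +multiline <zone> dnskey` output into options of the form given in the reply, `--dnskey=<domain>,<flags>,<algo>,<key>`, keeping only keys with the SEP bit set (flags 257) and recomputing the RFC 4034 key tag to catch a mangled base64 copy. The `example.` records and their tiny keys are constructed placeholders, and the function names are hypothetical.

```python
import base64
import re
import struct

# Constructed sample in `dig +multiline` layout; placeholder keys, not real DNSKEYs.
SAMPLE = """\
example. 3600 IN DNSKEY 256 3 8 (
        AQID
        ) ; key id = 2058
example. 3600 IN DNSKEY 257 3 8 (
        AQI=
        ) ; key id = 1291
"""

RECORD = re.compile(
    r"^(\S+)\s+\d+\s+IN\s+DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+\(([^)]*)\)"
    r"\s*;\s*key id = (\d+)",
    re.MULTILINE,
)

def key_tag(flags, protocol, algorithm, key):
    """RFC 4034 Appendix B key tag, computed over the DNSKEY RDATA."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + key
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def dnskey_options(dig_output):
    """Return one --dnskey option per key with the SEP bit set (e.g. flags 257)."""
    options = []
    for owner, flags, proto, algo, b64, key_id in RECORD.findall(dig_output):
        flags, proto, algo = int(flags), int(proto), int(algo)
        b64 = "".join(b64.split())  # rejoin the base64 that dig wrapped over lines
        key = base64.b64decode(b64, validate=True)
        if proto != 3:
            raise ValueError(f"{owner}: protocol field must be 3, got {proto}")
        # The key tag is a checksum: it catches copy errors, it does not
        # authenticate the key.
        if key_tag(flags, proto, algo, key) != int(key_id):
            raise ValueError(f"{owner}: key tag differs from dig's key id")
        if flags & 0x0001:  # SEP bit marks the key-signing key
            domain = owner.rstrip(".") or "."
            options.append(f"--dnskey={domain},{flags},{algo},{b64}")
    return options

if __name__ == "__main__":
    print("\n".join(dnskey_options(SAMPLE)))
```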