Solved - Bind DNSSEC localdomain

Started by RamSense, December 16, 2023, 06:54:42 PM

December 16, 2023, 06:54:42 PM Last Edit: December 17, 2023, 06:59:38 PM by RamSense
I have Bind running and Adguard Home. In Adguard I get a green lock when an external domain of mine is validated with DNSSEC.
Is there a how-to on how to do this with localdomain in Bind? For localdomain.com?
I would like this to avoid DNS sniffing on local connections. Has someone experience with this?

thanks for the help!
Deciso DEC850v2

December 17, 2023, 08:27:30 AM #1 Last Edit: December 17, 2023, 12:35:06 PM by RamSense
Ok, a bit further I think. I found this guide and explanation: https://ftp.isc.org/isc/dnssec-guide/dnssec-guide.pdf

With chapter 4 - 4.1.3 and checking with the delv command I got another result:

Quote: delv @192.168.1.1 -a /var/cache/localdomain.com.key +root=localdomain.com localdomain.com. SOA +multiline
;; /var/cache/localdomain.com.key:1: option 'trusted-keys' is deprecated
;; validating localdomain.com/SOA: got insecure response; parent indicates it should be secure
;; insecurity proof failed resolving 'localdomain.com/SOA/IN': 192.168.1.1#53
;; resolution failed: insecurity proof failed

First line, trusted-keys is deprecated, I found elsewhere: From version 9.16.0, the 'trusted-keys' and 'managed-keys' statements are deprecated, and only the replacement options 'static-key' and 'initial-key' should be used (within the 'trust-anchors' statement). If the trust anchors aren't available in DNSKEY format, but only in DS format (as with new root trust anchors announced but not yet published by IANA), you can use them with the options 'static-ds' and 'initial-ds'.

But when I use static-key, initial-key, static-ds or initial-ds, it does not recognize it (OPNsense Bind does not yet support it?), so I stuck with trusted-keys.

But I do not get the:
fully validated
result. What am I missing?

Quote: IN DNSKEY => empty (?)

dig DNSKEY localdomain.com @localhost +multiline

;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30932
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;localdomain.com.      IN DNSKEY

;; AUTHORITY SECTION:
localdomain.com.      3158 IN   SOA localhost. info.localdomain.com. (
            2312171219 ; serial
            21600      ; refresh (6 hours)
            3600       ; retry (1 hour)
            3542400    ; expire (5 weeks 6 days)
            3600       ; minimum (1 hour)
            )

;; Query time: 0 msec
;; SERVER: ::1#53(localhost) (UDP)
;; WHEN: Sun Dec 17 12:31:17 CET 2023
;; MSG SIZE  rcvd: 104
Deciso DEC850v2

Got the
; fully validated

now back. Again one step further. Looks like it took some time to propagate, which I did not expect using Bind and a domain locally.

now trying to get the
flags: ad

Got it now also. Solved.
Deciso DEC850v2
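The thread above checks three signals by eye: the ANSWER count of the DNSKEY query (0 in the first dig run), the "; fully validated" line from delv, and the "ad" flag in the dig header. The script below, as an added example that is not code from the forum thread, from BIND or from OPNsense, turns those three checks into functions that parse the tools' text output, so they can be scripted against a resolver. The sample header lines it embeds are constructed strings, not captured from a live server, and the resolver address and zone in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the forum thread, BIND or OPNsense): parse dig(1)
# and delv(1) output for the DNSSEC validation signals discussed in the thread.
# All sample output below is constructed, not captured from a real server.

# has_ad_flag OUTPUT: exit 0 when the dig header line lists the "ad"
# (authenticated data) flag. The flag list ends at the first ';', so "ad"
# must appear as a whole word before it; "ra;" or "qr rd ra" alone do not match.
has_ad_flag() {
    printf '%s\n' "$1" | grep -E '^;; flags:( [a-z]+)* ad[ ;]' >/dev/null
}

# is_fully_validated OUTPUT: exit 0 when delv reports a complete chain of
# trust from the configured trust anchor down to the queried record.
is_fully_validated() {
    printf '%s\n' "$1" | grep -q '^; fully validated'
}

# answer_count OUTPUT: print the ANSWER count from the dig header. A DNSKEY
# query that returns 0 here (only an SOA in the AUTHORITY section) means the
# resolver is not serving any DNSKEY records for the zone yet.
answer_count() {
    printf '%s\n' "$1" | sed -n 's/^;; flags:.*ANSWER: \([0-9][0-9]*\),.*/\1/p'
}

# Constructed sample headers, modelled on the shapes seen in the thread.
DIG_UNSIGNED=';; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1'
DIG_VALIDATED=';; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
DELV_INSECURE=';; validating localdomain.com/SOA: got insecure response; parent indicates it should be secure
;; resolution failed: insecurity proof failed'
DELV_OK='; fully validated
localdomain.com. 3600 IN SOA localhost. info.localdomain.com. 2312171219 21600 3600 3542400 3600'

# Live use against a resolver (192.168.1.1 and localdomain.com are placeholders):
#   has_ad_flag "$(dig +dnssec SOA localdomain.com @192.168.1.1)" && echo "ad flag set"
#   is_fully_validated "$(delv @192.168.1.1 SOA localdomain.com)" && echo "chain validated"
#   answer_count "$(dig DNSKEY localdomain.com @192.168.1.1)"
```

The two signals answer different questions. The "ad" flag is set by the validating resolver, so checking it from a client only tells you whether that resolver validated the answer. delv performs the validation itself from the trust anchor you hand it, which is why the command in the second post passes the local zone's key with -a and pins the root of the chain with +root=; that is the check to use when you want to know whether the zone's own signatures and keys are consistent, independent of what the resolver does.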