Author Topic: DNSSEC - How-to & Sub-Domains  (Read 1014 times)

DNSSEC - How-to & Sub-Domains
« on: March 17, 2023, 05:16:27 AM »
Greetings, I wish to share a tutorial on enabling/using DNSSEC in your CWP install. Now, this assumes that you are running your own DNS server in CWP; I do not know how it would work with FreeDNS.

For those that would like more information on DNSSEC, please look

This builds on a previous thread from here:

I will add the steps from the above link here just for posterity's sake, in case the external link goes stale.

The following steps are for EL/CentOS/Red Hat.

Note: In the examples below, replace “domain.tld” with your domain name.

Step 1:  First install haveged to generate keys
Code: [Select]
yum install -y haveged
# enable at boot and start the service now
systemctl enable --now haveged

Step 2: Change the Directory to /var/named
Code: [Select]
cd /var/named/

Step 3: Third, generate ZSK key
Code: [Select]
dnssec-keygen -L 3600 -a RSASHA256 -b 2048 -r /dev/urandom domain.tld

Step 4: Fourth, generate KSK key
Code: [Select]
dnssec-keygen -L 3600 -r /dev/urandom -f KSK -a RSASHA256 -b 4096 domain.tld

Step 5: Add keys to domain zone file
Code: [Select]
cat /var/named/Kdomain.tld.+008+*.key >> /var/named/domain.tld.db

Step 6: Sign the zone file
Code: [Select]
dnssec-signzone -A -3 $(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16) -N INCREMENT -o domain.tld -t domain.tld.db

Step 7: Edit the named configuration file /etc/named.conf and add this line
Code: [Select]
dnssec-lookaside auto;

** Find this line, "dnssec-enable yes; dnssec-validation yes;", and add "dnssec-lookaside auto;" after it.

Step 8: In the same file as the previous step, /etc/named.conf, rename the zone file for the domain being enabled
Code: [Select]
// zone domain.tld
zone "domain.tld" {type master; file "/var/named/domain.tld.db";};
// zone_end domain.tld

Code: [Select]
// zone domain.tld
zone "domain.tld" {type master; file "/var/named/domain.tld.db.signed";};
// zone_end domain.tld

Step 9: CentOS/EL/RHEL: Reload/restart the named service
Code: [Select]
service named reload
systemctl reload named

In Step 5, this created a file in /var/named called dsset-domain.tld., and in this file you will find the keys that you will add to your domain registrar.
Code: [Select]
domain.tld. IN DS 54216 8 1 927FCC021E55B89F279C9D8580CC6615398630747
domain.tld. IN DS 54216 8 2 D564958A48549F123B1E38AhhhE0CF9C73F5E8F4F2CE2A2442C1893C 7878666F

Line 1 description: 54216=Key Tag, 8=Algorithm, 1=Digest Type, long string=Digest
On line 2, the SHA-256 key will generate a space just before the end; when adding it to your registrar, you may have to remove that space.

Now, there is an issue with the current implementation of DNSSEC in CWP: once it is enabled, adding a subdomain will not work. The subdomain will be created in /var/named/domain.tld.db but not in the /var/named/domain.tld.db.signed record, so the sub-domain will never propagate.
The workaround is to run Step 5 and Step 9 after a subdomain is created and after it is deleted.

Hope this helps,
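
Added example, not part of the original post: a shell function that reads the DS lines of a dsset file as described above, joins the SHA-256 digest that is split by a space, and checks each digest's length before the values go to the registrar. The function names and the sample digests are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: clean up DS records from a dsset-<zone>. file for a registrar form.

# normalize_ds [FILE]  (reads stdin when FILE is omitted)
# Prints "keytag algorithm digest_type DIGEST" for each DS record, joining
# digests that dnssec-signzone split with a space. Returns non-zero when a
# digest is not hex or has the wrong length for its digest type.
normalize_ds() {
    awk '
    {
        # Owner, optional TTL and class come before the DS type token.
        ds = 0
        for (i = 2; i <= NF; i++) if (toupper($i) == "DS") { ds = i; break }
        if (!ds || NF < ds + 4) next
        tag = $(ds + 1); alg = $(ds + 2); dtype = $(ds + 3)
        digest = ""
        for (i = ds + 4; i <= NF; i++) digest = digest toupper($i)
        # Hex length per digest type: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
        want = (dtype == 1) ? 40 : (dtype == 2) ? 64 : (dtype == 4) ? 96 : 0
        if (digest !~ /^[0-9A-F]+$/ || (want && length(digest) != want)) {
            printf "bad digest: key tag %s, digest type %s\n", tag, dtype > "/dev/stderr"
            bad = 1
            next
        }
        print tag, alg, dtype, digest
    }
    END { exit bad + 0 }
    ' "${1:--}"
}

# Constructed sample in the dsset layout; the digests are made up.
sample_dsset() {
    cat <<'EOF'
domain.tld. IN DS 54216 8 1 0123456789ABCDEF0123456789ABCDEF01234567
domain.tld. IN DS 54216 8 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF01234567 89ABCDEF
EOF
}

sample_dsset | normalize_ds
```

On a real server, pass the file from /var/named as the argument, for example `normalize_ds /var/named/dsset-domain.tld.`; a non-zero exit status means a digest was truncated or mangled when it was copied.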


Re: DNSSEC - How-to & Sub-Domains
« Reply #1 on: March 20, 2023, 07:17:44 AM »
******PLEASE NOTE: The workaround is supposed to be Step 6 and Step 9! ******

I can't edit the post anymore.