the gemini community debates about TLS nudged me to look into implementing dnssec for more of my domains.
dnssec signs dns records so that a validating resolver can check that a response came from the zone's authoritative servers and was not altered in transit. it gives authenticity and integrity only: nothing is encrypted, so it is not a privacy mechanism.
some of my domains use cloudflare as registrar, dns host, and dnssec signer, and that process is transparent to me. it needs no set-up other than a click of the activate button.
my other domains use cloudns for dns services, which required me to implement dnssec myself; actually not too onerous a task once i got my head round it:-)
login to dns host (cloudns)
select zone neiltimms.me
activate DNSSec for zone (neiltimms.me and sub-domains)
wait for process to complete (seconds)
login to registrar (GoDaddy)
navigate to DNS management and DNSSEC (the 3-dot pull-down at the far right of DNS Records, then DS record; not immediately obvious)
complete: Key Tag, Algorithm, Digest Type, Digest using the field values from the DNS provider
dns hosting services will often extract these fields from the DS record for us, along with hints about how to enter them at a particular registrar, when we implement dnssec. the DS record itself contains all the necessary information if we know which field is which:
neiltimms.me. 3600 IN DS 24058 13 2 D8874D491CCE2DC7951D5E542064F132FDA5B65E10EC3C73D949FCE8CFBE34F9
- host label=neiltimms.me
- time to live=3600
- record class=IN
- record type=DS
- keytag=24058 (a 16-bit checksum of the DNSKEY rdata, used to pick out the right key; not a security property)
- algorithm=13 (ECDSAP256SHA256)
- digest type=2 (SHA-256 of the owner name in wire format followed by the DNSKEY rdata)
- digest=D8874D491CCE2DC7951D5E542064F132FDA5B65E10EC3C73D949FCE8CFBE34F9
cloudns has specific procedures for particular registrars (such as GoDaddy) to mitigate issues with the registrar processes. i didn't encounter any issues with GoDaddy with neiltimms.me. when i implemented dnssec for another domain i did have problems with godaddy: the cloudns workaround worked:-)
check that the parent zone (.me) now serves the DS, and that its key tag and digest match the KSK your dns host publishes; a DS that does not match any DNSKEY makes validating resolvers fail the whole zone with SERVFAIL:
dig DS neiltimms.me
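To show what the DS fields above actually encode, and how the check against the parent works, here is an added example (not code from the original post or from cloudns/GoDaddy). It parses the DS line quoted above, computes the key tag per RFC 4034 appendix B, and derives a DS record from a DNSKEY per RFC 4509 (digest type 2) so a DS returned by `dig DS zone` can be compared against the zone's KSK. The DNSKEY it builds uses constructed dummy key bytes (`DEMO_KEY`), not a real key; the function names are this example's own.

```python
"""Decode a DS record and check it against a DNSKEY (RFC 4034 / RFC 4509).

Added example, not from the original post. PAGE_DS is the DS line quoted in
the post; DEMO_KEY is CONSTRUCTED dummy key material, not a real ECDSA key.
"""
import hashlib
import struct

# IANA DNSSEC algorithm numbers (subset) and DS digest types
ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
              13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448"}
DIGEST_TYPES = {1: ("SHA-1", hashlib.sha1), 2: ("SHA-256", hashlib.sha256),
                4: ("SHA-384", hashlib.sha384)}

PAGE_DS = ("neiltimms.me. 3600 IN DS 24058 13 2 "
           "D8874D491CCE2DC7951D5E542064F132FDA5B65E10EC3C73D949FCE8CFBE34F9")

# Constructed: 64 bytes shaped like an uncompressed P-256 point (x||y), NOT a valid key.
DEMO_KEY = bytes(range(64))


def parse_ds(line):
    """Split a presentation-format DS line into named fields."""
    owner, ttl, rclass, rtype, keytag, alg, dtype, *digest = line.split()
    if rtype != "DS":
        raise ValueError("not a DS record: %r" % line)
    alg, dtype = int(alg), int(dtype)
    return {
        "owner": owner, "ttl": int(ttl), "class": rclass,
        "keytag": int(keytag),
        "algorithm": alg, "algorithm_name": ALGORITHMS.get(alg, "unknown"),
        "digest_type": dtype,
        "digest_type_name": DIGEST_TYPES.get(dtype, ("unknown",))[0],
        # dig may wrap a long digest over several whitespace-separated tokens
        "digest": "".join(digest).upper(),
    }


def owner_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY rdata: flags (257 = KSK, 256 = ZSK), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """Key tag per RFC 4034 appendix B (valid for all algorithms except 1/RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """Build the DS record a registrar needs from the zone's DNSKEY (normally the KSK)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    name, hasher = DIGEST_TYPES[digest_type]
    digest = hasher(owner_wire(owner) + rdata).hexdigest().upper()
    return "%s 3600 IN DS %d %d %d %s" % (owner, key_tag(rdata), algorithm, digest_type, digest)


def ds_matches_dnskey(ds_line, owner, flags, protocol, algorithm, pubkey):
    """True if a published DS (e.g. from `dig DS zone`) is the digest of this DNSKEY."""
    ds = parse_ds(ds_line)
    if ds["digest_type"] not in DIGEST_TYPES:
        return False
    expected = parse_ds(ds_from_dnskey(owner, flags, protocol, algorithm, pubkey, ds["digest_type"]))
    return ds["keytag"] == expected["keytag"] and ds["digest"] == expected["digest"]


if __name__ == "__main__":
    for field, value in parse_ds(PAGE_DS).items():
        print("%-16s %s" % (field, value))
    demo_ds = ds_from_dnskey("neiltimms.me.", 257, 3, 13, DEMO_KEY)
    print(demo_ds)
    print("matches:", ds_matches_dnskey(demo_ds, "neiltimms.me.", 257, 3, 13, DEMO_KEY))
```

In practice you would feed `ds_matches_dnskey` the DS line returned by `dig DS neiltimms.me` and the flags/algorithm/base64 key from `dig DNSKEY neiltimms.me` (base64-decode the key before passing it in). Note that the key tag is only a checksum to select a candidate key; it is the digest comparison that proves the DS at the parent really points at the KSK your dns host is signing with.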
updates to this post:
- decode some DS record fields.
- godaddy issues description expanded.
- in checks section: remove +short from dig command, not portable!
---
neil.gemini@mingmengtou.org
content licensed CC-BY-SA 4.0 unless stated.