
neil in gemini space


implementing dnssec for a domain - 2022-02-17


the gemini community debates about TLS nudged me to look into implementing dnssec for more of my domains.


dnssec uses digital signatures to validate dns records: a validating resolver can check that a dns response came from the zone's authoritative dns servers and was not altered on the way.


some of my domains use cloudflare for registrar, dns hosting, and dnssec but that process is transparent to me. it does not require set-up other than a click of the activate button.


my other domains use cloudns for dns services and required me to implement dnssec myself; actually not too onerous a task once i got my head round it:-)


implementing dnssec for neiltimms.me


login to dns host (cloudns)

select zone neiltimms.me

activate DNSSec for zone (neiltimms.me and sub-domains)

wait for process to complete (seconds)

login to registrar (GoDaddy)

navigate to DNS management and DNSSec (3-dot pull-down to the far right of DNS Records, DS record; not immediately obvious)

complete: Key Tag, Algorithm, Digest Type, Digest using field information from DNS provider


dns hosting services will often extract fields from the DS record along with hints about how to use these with a registrar when we implement dnssec. the DS record contains the necessary information if we know which field is which:


neiltimms.me. 3600 IN DS 24058 13 2 D8874D491CCE2DC7951D5E542064F132FDA5B65E10EC3C73D949FCE8CFBE34F9

- host label=neiltimms.me

- time to live=3600

- record class=IN

- record type=DS

- keytag=24058

- algorithm=13

- digest type=2

- digest=D8874D491CCE2DC7951D5E542064F132FDA5B65E10EC3C73D949FCE8CFBE34F9
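decoding those fields by hand is error-prone, so here is a small added example (not code from this post) that splits a DS line as dig prints it, names the algorithm and digest type from a subset of the IANA registries, and checks that the digest length matches the digest type before the values go into a registrar form. it also computes the RFC 4034 key tag from a DNSKEY so the keytag in the DS can be cross-checked against the zone's DNSKEY; the DNSKEY bytes in the test are constructed, not a real key.

```python
import struct

# IANA numbers the DS fields refer to (subset): algorithm -> name, digest type -> (name, bytes)
ALGORITHMS = {8: "RSASHA256", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519"}
DIGEST_TYPES = {1: ("SHA-1", 20), 2: ("SHA-256", 32), 4: ("SHA-384", 48)}

# the DS record shown on this page, as dig prints it
PAGE_DS = ("neiltimms.me. 3600 IN DS 24058 13 2 "
           "D8874D491CCE2DC7951D5E542064F132FDA5B65E10EC3C73D949FCE8CFBE34F9")

def parse_ds(line):
    """Split a DS record in presentation format: owner ttl IN DS keytag alg dtype digest."""
    parts = line.split()
    if len(parts) < 8 or parts[2].upper() != "IN" or parts[3].upper() != "DS":
        raise ValueError("not a DS record in presentation format")
    return {"owner": parts[0].rstrip("."), "ttl": int(parts[1]),
            "keytag": int(parts[4]), "algorithm": int(parts[5]),
            "digest_type": int(parts[6]),
            # dig may print a long digest in several space-separated chunks
            "digest": "".join(parts[7:]).upper()}

def check_ds(ds):
    """Return a list of problems with the decoded fields; empty means they are consistent."""
    problems = []
    if not 0 <= ds["keytag"] <= 0xFFFF:
        problems.append("keytag must fit in 16 bits")
    if ds["algorithm"] not in ALGORITHMS:
        problems.append(f"algorithm {ds['algorithm']} not in the table above")
    dtype = DIGEST_TYPES.get(ds["digest_type"])
    if dtype is None:
        problems.append(f"digest type {ds['digest_type']} not in the table above")
    else:
        want = dtype[1] * 2  # hex characters
        if len(ds["digest"]) != want or set(ds["digest"]) - set("0123456789ABCDEF"):
            problems.append(f"{dtype[0]} digest must be {want} hex characters")
    return problems

def key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (all algorithms except RSAMD5)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

if __name__ == "__main__":
    ds = parse_ds(PAGE_DS)
    print(ds["owner"], "keytag", ds["keytag"], ALGORITHMS[ds["algorithm"]],
          DIGEST_TYPES[ds["digest_type"]][0], "problems:", check_ds(ds) or "none")
```

paste the output of `dig DNSKEY neiltimms.me` into key_tag (flags, protocol, algorithm, base64-decoded key) and the result should equal the keytag field of the DS.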



cloudns has specific procedures for particular registrars (such as GoDaddy) to mitigate issues with the registrar processes. i didn't encounter any issues with GoDaddy with neiltimms.me. when i implemented dnssec for another domain i did have problems with GoDaddy: the cloudns workaround worked:-)


checks


dig DS neiltimms.me

2022-02-17 - DNS Viz, a tool suite for analysis and visualization of Domain Name System (DNS) behavior.

2022-02-17 - DANE SMTP Validator. in this case to see the DNSSec green tick:-).


changelog 2022-02-23


[add]


- decode some DS record fields.

- godaddy issues description expanded.


[change]


- in checks section: remove +short from dig command, not portable!



---

neil.gemini@mingmengtou.org

content licensed CC-BY-SA 4.0 unless stated.

creative commons licence.
