home.social

#ldns — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #ldns, aggregated by home.social.

  1. Je retombe sur des mesures de durée de la signature de l'entièreté de la racine du #DNS que j'avais fait il y a environ 2 ans sur mon Raspberry Pi 3B+, avec un OS 32 bits et #ldns pour signer :

    — Avec des clés RSA 2048 bits comme c'est le cas dans la nature : médiane à 77s
    — Avec des clés ECDSA 256bits : temps médian de 3s

    Et la racine est une zone de taille assez raisonnable (dans les 20000 lignes à l'époque, avec env. 2900 signatures à créer)

    #DNSSEC

  2. Looks like either #nsd does not know HIP RR from RFC 8005 or I made an error.

    #ldns-verify-zone does not complain so I guess my RR is correct 🤔

    #DNS

  3. Good to know:

    "The DNSKEY RR has no special TTL requirements." (RFC 4034 section 2, does not seem to have been updated)

    #ldns takes the SOA TTL. Seems a reasonnable choice 🤔

    #DNSSEC

  4. I wish #ldns-signzone had an option to tell it to not touch a DNSKEY RRSIG in the zone file he signs :')

  5. Ok, let's not go to NSEC3 territory: too much of a hassle.

    Here's the plan:
    - Sign zone using only the ZSK with #ldns
    - Edit signed zone file to add KSK DNSKEY RR
    - Change DNSKEY RRSIG with precomputed RRSIG for our RRset

    That way, I should be able to generate in advance DNSKEY RRSIG for my zone, using the KSK private key only once in a while (to generate in advance RRSIG for 3-4 months), instead of having to use it every time

    #dnssec

  6. It's today!

    Consider following those really nice folks @nlnetlabs, they are creating software to make the a safer, better place.

    If you know what , , , (...) means, they're surely the ones you'd like to follow!