Verified Commit 05dd82f0 authored by anarcat
update and clarify dnssec update procedure

parent 5452f437
......@@ -88,9 +88,11 @@ To fix this error, you need to [visit joker.com](https://joker.com/) and authent
with the password in `hosts-extra-info` in tor-passwords, along with
the 2FA dance. Then:
1. click on the gear next to the domain affected
2. edit the DNSSEC section
3. click "more" to add a record
1. click on the "modify" button next to the domain affected (was
first a gear but is now a pen-like icon thing)
2. find the DNSSEC section
3. click the "modify" button to edit records
4. click "more" to add a record
The new key should already be present on the DNS master (currently
`nevii`) in:
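Review bot: the parenthetical in the new step 1, "(was first a gear but is now a pen-like icon thing)", is change history rather than an instruction, and it will go stale the next time the vendor UI changes; suggest keeping only the current label ("click the 'modify' button next to the domain affected") or, if the history is worth keeping, adding the date the UI was last checked so a reader can tell how current the steps are. The split of the old "edit the DNSSEC section" into "find the DNSSEC section" and "click the 'modify' button to edit records" reads well and matches the "modify" wording used in step 1.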
......@@ -103,14 +105,18 @@ It is in the format (from [rfc4034](https://tools.ietf.org/html/rfc4034)):
For example:
torproject.net. IN DS 53722 8 2 6d3d2be639594ffe34d4c5b9214fe5ddf81b8ee1c8505f5ec1a800dc4a809a91; Pub: 2019-05-25 17:40:08; Act: 2019-05-25 17:40:08; Inact: 2021-09-11 17:40:08; Del: 2021-09-11 17:40:08; Rev: 2021-08-12 17:40:08
torproject.com. IN DS 28234 8 2 260a11137e3fca013b90da649d50e9c5eb71b814cc1797ea81ee7c91c17b398a; Pub: 2019-05-25 17:40:07; Act: 2019-05-25 17:40:07; Inact: 2021-11-16 17:40:07; Del: 2021-11-16 17:40:07; Rev: 2021-10-02 17:40:07
torproject.com. IN DS 57040 8 2 ebdf81e6b773f243cdee2879f0d12138115d9b14d560276fcd88e9844777d7e3; Pub: 2021-06-13 17:40:07; Act: 2021-06-13 17:40:07; Inact: 2023-10-16 17:40:07; Del: 2023-10-16 17:40:07; Rev: 2023-09-01 17:40:07
Note that there are *two* keys there: one (the oldest) should already
be in Joker. you need to add the new one.
With the above, you would have the following in Joker:
* `alg`: 8
* `digest`: 6d3d2be639594ffe34d4c5b9214fe5ddf81b8ee1c8505f5ec1a800dc4a809a91
* `digest`: ebdf81e6b773f243cdee2879f0d12138115d9b14d560276fcd88e9844777d7e3
* `type`: 2
* `keytag`: 53722
* `keytag`: 57040
And click "save".
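Review bot: the Joker example at the end of this hunk mixes keys from two zones. The DS lines above list `torproject.net` with keytag 53722 and `torproject.com` with keytags 28234 and 57040, and the new sentence "there are *two* keys there: one (the oldest) should already be in Joker" only applies to `torproject.com`, yet the bullets pair the 53722 digest (`torproject.net`) with the 57040 digest (`torproject.com`). For `torproject.com` the pair entered in Joker would be 28234 plus 57040; suggest either dropping the `torproject.net` line from the example or making the bullets consistent with one zone, so a reader does not copy a digest from the wrong domain into the registrar form. Two smaller points: "Joker. you need" should read "Joker. You need", and it would help to end the procedure with a check that the registrar now publishes the expected record, for example comparing the `DS` RRset returned by `dig DS torproject.com` against the lines from the DNS master, since a wrong digest at the registrar breaks validation for the whole zone.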
......@@ -204,7 +210,6 @@ of a zone:
Notice how the `38.in-addr.arpa` zone is not signed? This zone can
therefore not be signed with DNSSEC.
### DNS - delegation and signature expiry is WARNING
If you get a warning like this:
......@@ -231,7 +236,6 @@ If it's not delegated, it's because you forgot step 8 in the zone
addition procedure. Ask your upstream or registrar to delegate the
zone and run the checks again.
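Review bot: the surviving context in this hunk refers to "step 8 in the zone addition procedure" by number, which is fragile given that this same commit renumbers another step list on this page; suggest referring to the step by what it does (asking upstream or the registrar for the delegation) rather than by its position, or linking to the procedure's section, so the reference stays correct when that list is edited.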
# Discussion
## Design