Return to Level1Techs.com

Infrastructure Series: BIND9 Authoritative DNS Guide "Please See Me Edition"

Oh my bad. They have probably have beefed up the automation since then.

idk? I haven’t actually set this up yet. I got a new switch so I’m immersed in that currently. I guess I’d just be sure that your current config handles everything through the entire life cycle of the ksk because relatively recently, it didn’t.


Also, btw, the current bind package in OpenBSD is 9.16.22 :slight_smile:

I feel that. Next step is a proper Xeon E5 v4+ system to do my IPS/IDS

For now my DNS records are complete

dig @9.9.9.9 utangard.net ANY +dnssec +multiline

; <<>> DiG 9.16.22 <<>> @9.9.9.9 utangard.net ANY +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31849
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 31, AUTHORITY: 0, ADDITIONAL: 9

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;utangard.net.		IN ANY

;; ANSWER SECTION:
utangard.net.		300 IN SOA ns1.utangard.net. hostmaster.utangard.net. (
				2021111397 ; serial
				14400      ; refresh (4 hours)
				900        ; retry (15 minutes)
				28800      ; expire (8 hours)
				240        ; minimum (4 minutes)
				)
utangard.net.		300 IN RRSIG SOA 14 2 300 (
				20211130195934 20211115185934 11487 utangard.net.
				mIjrsgWS+pQLdy87Su8Z0UbeOFP7NMoRaDPPZHeAyJsE
				+q/WawMqLH8G5PcypiVaTjicv3WufPMJ9rnCvlaQBtsC
				wLlGS71dP239BpK3IZhOhWNQ0acQmsx3yQ0GTSBn )
utangard.net.		300 IN TXT "oa1:btc" "recipient_address=18aPyZZ6kXN4jh3fd7Vf3vGkm9U6QDNcxe"
utangard.net.		300 IN TXT "oa1:xmr" "recipient_address=4373MaqnKswCRm1WrFJtXdEVDnnboGjSC7117Z2irZcyRvScZx8wToF54aDo8dqh7FU6MB4AgbeUKPLM9c2VRP4iAB6mH83"
utangard.net.		300 IN RRSIG TXT 14 2 300 (
				20211128192759 20211114091824 11487 utangard.net.
				+FwWGNfdtVOkLvZbwprB6pKSdLxi5BB6/nJVvp2/X7wy
				RxVQRa5DwaxJs6aLgsNC+P3DFkxEiLouwx1tY0QF7dxl
				0BWgKWhWERkuM26MJU/3qjWMhURvb1GYtP2bQfGW )
utangard.net.		300 IN SSHFP 4 1 (
				B334AC074053354BE6160D5FA58B9ACAF273C223 )
utangard.net.		300 IN SSHFP 4 2 (
				159C867AEBAB56ECAB6F0A6B33080338A1AD356CDDFD
				18DE604A4C7C71FA4FFA )
utangard.net.		300 IN SSHFP 2 2 (
				C64434A6FFA5975099C00BCB983470BED627716DE591
				C26C509CBC2A945F26BC )
utangard.net.		300 IN SSHFP 3 2 (
				3E53A430A6729186154A39611DDFDCD807D60E61E15C
				950A78364D790AB8B422 )
utangard.net.		300 IN SSHFP 1 1 (
				080F22AD4A9837057295431121B4B2E3A6E8D1AC )
utangard.net.		300 IN SSHFP 1 2 (
				4CC07F5D066C0405B04FAA01F2DBB1086B7F4C5ED571
				34EBB0110B2CA3BC8056 )
utangard.net.		300 IN SSHFP 2 1 (
				9A120DE7E960AD7D5EA126DE2F0B47323A52FE49 )
utangard.net.		300 IN SSHFP 3 1 (
				E8F126DAE356BE7C2AEDF5E4E9D94822C700FEAD )
utangard.net.		300 IN RRSIG SSHFP 14 2 300 (
				20211128192759 20211114091824 11487 utangard.net.
				d3rLX0FHW3caln8tyb54xEO3x9pOnQW/EF49eJ0ZdMGZ
				Ah2dShjn9b3NLCo9bYYbTnEBBjnl4RVTc5Pxm8b9dqWN
				VgLpZhgXq4cIdj+p4TaRVmmsYOSVFctISHQGdVAK )
utangard.net.		300 IN CAA 0 issue "comodo.com"
utangard.net.		300 IN RRSIG CAA 14 2 300 (
				20211128192759 20211114091824 11487 utangard.net.
				td9B9E/g5UkB3g2X5aQ9seMX1D87xAJvUtc/Hm7Ezw/s
				IzmABaN7acXBuFzyZ0EUoGg4w65u3oTN0iO1UKFFP8iX
				cDuPvoRuPPAWE5BVPKHKTt0ZBbhDDqVuyEt/p2/0 )
utangard.net.		300 IN AAAA 2600:3c04::f03c:92ff:fec6:2030
utangard.net.		300 IN RRSIG AAAA 14 2 300 (
				20211128192759 20211114091824 11487 utangard.net.
				DzqfB/qwH/y3UtdZUCOMW5qCMLI57BWVj1U8Nz+0AOgu
				E+mRzNt4RXgvz9KP9RbMnDcg29eKTMYIRAZbLmSbCVvK
				DIo8Ly4G70GX6d1QoKVpUtRuyvRrnheSCLyveoy8 )
utangard.net.		300 IN NS ns1.utangard.net.
utangard.net.		300 IN NS ns2.utangard.net.
utangard.net.		300 IN RRSIG NS 14 2 300 (
				20211128192759 20211114091824 11487 utangard.net.
				AWwEX+CDN3WGIh8FGd8dY7KWM6/gyIdD1CFGcsrGg0F3
				ATIcN/wK/9hP85srWto5miEYuiPAnzFy/sutL4+Q5bd6
				VhA6uJuzNU0bWhLdumsfHQlCrAQIvgGMEEksuLCO )
utangard.net.		300 IN A 192.53.120.164
utangard.net.		300 IN RRSIG A 14 2 300 (
				20211128192759 20211114091824 11487 utangard.net.
				qYVP1vVrC43PydPxj4jo8bw8XMn7bxf41qXodg9leg3m
				2HxFHAGNO6/Lwzsqt3dwdaWEpsG6gUxreBfDmgBq8MV7
				q1bfp8IWhgl3xLrunFEUH4U8b8DB+hB24iDnwY3i )
utangard.net.		600 IN DNSKEY 257 3 14 (
				lBVStWR+jJQC7t833te7kp3GRFEMbn4wl6m8K6KQ6btB
				fGrsefRGJra2KsHI4MsUtWJOvk0xs057w2319vhdLFce
				INzsD1zTvnKoxNXpCBDqGi+y4WF8Nho+JNXqhGct
				) ; KSK; alg = ECDSAP384SHA384 ; key id = 55295
utangard.net.		600 IN DNSKEY 256 3 14 (
				5tdCXp5Ru8CA18uc7NPxyKjvYZr+QEXx5PHKOQKfwjMd
				QUyHsAkTkNIJaNakzXONefYSGeERlrKKKttmBF8O4fpG
				XmzD4KE5GD9mQcvplj+1pgNNF7A+Xa2j5ETqr5Bo
				) ; ZSK; alg = ECDSAP384SHA384 ; key id = 11487
utangard.net.		600 IN RRSIG DNSKEY 14 2 600 (
				20211129101824 20211114091824 55295 utangard.net.
				Ihq+D4NeGFgFoG4zOite/JK8EnS46N8/MA/FyRNzlMJn
				Uaf/C1Em0yKDhun21lonfOxWiusOl81wW9UuezvNqnTx
				eu3qulF8ZluGOD0lnS5RNn52v0KKnB156FVLX27f )
utangard.net.		5 IN TYPE65534 \# 5 ( 0E2CDF0001 )
utangard.net.		5 IN TYPE65534 \# 5 ( 0ED7FF0001 )
utangard.net.		5 IN RRSIG TYPE65534 14 2 0 (
				20211129061524 20211114091824 11487 utangard.net.
				89/4xbx+O31d2CcA7Xmilo6iwm4QzmlcodXz/Pd3/Eb5
				akWY4JeYZZLLHqe2sbSAlYElU35fBjn46Zjg5UPLsHvr
				Tn19UXke1KQM/iPxKeumdvpdPuMElefL+SQFvvSV )
utangard.net.		240 IN NSEC *.utangard.net. A NS SOA TXT AAAA SSHFP RRSIG NSEC DNSKEY CAA TYPE65534
utangard.net.		240 IN RRSIG NSEC 14 2 240 (
				20211129061524 20211114091824 11487 utangard.net.
				/9FoYqSFek0+WEqrBeL3dBsRf6u1QaIwsMF3Y6Pks+99
				ClMD58PpMEztYjNgRygcigD+5GJoYu8RBqzSRYc5oY8n
				93CfpwIxSv40eN1QZbZeA5iQJqSRYUfNO5gv6rAu )

;; ADDITIONAL SECTION:
ns1.utangard.net.	300 IN A 23.239.20.9
ns2.utangard.net.	300 IN A 173.255.255.89
ns1.utangard.net.	300 IN AAAA 2600:3c01::f03c:92ff:fece:5fc0
ns2.utangard.net.	300 IN AAAA 2600:3c01::f03c:92ff:fe9e:3ef0
ns1.utangard.net.	300 IN RRSIG A 14 3 300 (
				20211127031107 20211114091824 11487 utangard.net.
				J4CCJTBCTav6Jy1OHK9idfPKySYITBKye7glnmeuzkiT
				7xhKVAmFUDZZciez5zq7X4wxLs0W9g0nTYmaH5YlDsKU
				koqll1CxnhxF91aQpXX+9AOJSpQom/V/4DHGjUjN )
ns2.utangard.net.	300 IN RRSIG A 14 3 300 (
				20211121205825 20211114091824 11487 utangard.net.
				R6a6DMBKYtEyL+186L7IXMlb16E+t4ZfbAES6tTH5kZ1
				krfH/cr1y6V+8p4MDZbOTRPTEo6te0OIvrLCrUzw9ShG
				+Ltc3mCKGhQZq03cZVht3GTMsLeaH1i5nPRWFDpw )
ns1.utangard.net.	300 IN RRSIG AAAA 14 3 300 (
				20211127031107 20211114091824 11487 utangard.net.
				oeZFAMsFUWOkAkedG8IKW5FR5Xyq32sgoOpFk92IC2N5
				3HlOSKdkVUwH/t+m6axwCGR5o2hULOF8B4W7VrdccuMv
				2QgygyPBFGNz7wNbThDTNalLtBeB9iJFV/XC1mx7 )
ns2.utangard.net.	300 IN RRSIG AAAA 14 3 300 (
				20211121205825 20211114091824 11487 utangard.net.
				KSRFnDCrqQzRQDdeCb+4us5wucXNAULSzrlxhShvV3mm
				nYjHd620ZehL83ij9QVDI3Z1EN8IaOQYA3FrApqe4OiL
				nafNAeEOs0BC97XDUbX3uQcojNPujQZtFUcW4V7u )

;; Query time: 80 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Mon Nov 15 20:13:10 MST 2021
;; MSG SIZE  rcvd: 3104

and NSEC3 is used for when stuff doesnt exist

dig @9.9.9.9 DoesNotExist.utangard.net ANY +dnssec +multiline

; <<>> DiG 9.16.22 <<>> @9.9.9.9 DoesNotExist.utangard.net ANY +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9122
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 8, AUTHORITY: 5, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;DoesNotExist.utangard.net. IN ANY

;; ANSWER SECTION:
DoesNotExist.utangard.net. 300 IN CAA 0 issue "comodo.com"
DoesNotExist.utangard.net. 300 IN RRSIG	CAA 14 2 300 (
				20211128192759 20211114091824 11487 utangard.net.
				WUyyYMVfdiHcvr3WGNmHEPkkmjfmk8MzgcuayrKgoMmZ
				YB1PHKeO6xcYiwsSmmBqnoiDuYQl4uMp5JU8uZtL6imt
				6vKQfDGPPlLL2dLQkRKtKExeZK6sR1DBzcqexuC3 )
DoesNotExist.utangard.net. 300 IN AAAA 2600:3c04::f03c:92ff:fec6:2030
DoesNotExist.utangard.net. 300 IN RRSIG	AAAA 14 2 300 (
				20211128192759 20211114091824 11487 utangard.net.
				sTCVAN2IZgA/ieVcylOhr0vjcL3Qa7+hjsc8vgSwF7hC
				J6e6MQQgTnBRc8aLQ8+6+OosPrHqplVADFdalZuimMZi
				MeDHQUTl2HtHfjxJ0de77H2WxmIOBTG4iImLSyx0 )
DoesNotExist.utangard.net. 300 IN A 192.53.120.164
DoesNotExist.utangard.net. 300 IN RRSIG	A 14 2 300 (
				20211128192759 20211114091824 11487 utangard.net.
				Uk9XFyBZ4pePOmOuCXnnR8SmuRRSrw8W6IX6ypAfSKiY
				TSvnDqSHjVDANwXSFOo2wJ35NgLmsu6mmwV6oF30B5lC
				9RA6u25+G0aALg8bLyy+PuAAsyFbr5vr5NTTgHun )
DoesNotExist.utangard.net. 240 IN NSEC 0bin.utangard.net. A AAAA RRSIG NSEC CAA
DoesNotExist.utangard.net. 240 IN RRSIG	NSEC 14 2 240 (
				20211128192759 20211114091824 11487 utangard.net.
				o24OlOzfAOrsrwoZh5GQ/tg+i42shVIEU7bnxRePqnFp
				R0oZs+jSXfBvbEqSdg6n8gCIj3+foR1ychL1D8rWYDUF
				1uTlv8CiUKUvAip5PpEwKnwsIcLb9KoKQtfQKVSF )

;; AUTHORITY SECTION:
utangard.net.		300 IN NS ns1.utangard.net.
utangard.net.		300 IN NS ns2.utangard.net.
utangard.net.		300 IN RRSIG NS 14 2 300 (
				20211128192759 20211114091824 11487 utangard.net.
				AWwEX+CDN3WGIh8FGd8dY7KWM6/gyIdD1CFGcsrGg0F3
				ATIcN/wK/9hP85srWto5miEYuiPAnzFy/sutL4+Q5bd6
				VhA6uJuzNU0bWhLdumsfHQlCrAQIvgGMEEksuLCO )
dns.utangard.net.	240 IN NSEC git.utangard.net. CNAME RRSIG NSEC
dns.utangard.net.	240 IN RRSIG NSEC 14 3 240 (
				20211130190445 20211115185934 11487 utangard.net.
				4Oz12iKRF3tjukdFzpFVCmrMnAZrUy9tUPeDmAI8xiAo
				v/Loomh0F8BAFs50XALEdXrVtZzw49j8VkYQ6XPrMSZQ
				JeA3bmquN5m+u/XtJfYHKd9bXcxAwKPe0MVXBRaJ )

;; Query time: 50 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Mon Nov 15 20:16:18 MST 2021
;; MSG SIZE  rcvd: 1087


So I think Ill worry about it closer to the 60 day mark of a ZSK rollover and see what happens

For the sake of what you’ve written though I will add this to the guide.

I’m going to make a new section. Maintenance tips

1 Like

I’ll probably have my own version set up by then so will be more helpful.

1 Like

And I guess I’ll be smacking into my rollover time to live so I’ll be more informative if there is much to do lol

RIP me in january

1 Like

@oO.o TFW your telling name cheap how to set glue records. Cuz their support staff messed up LOL

On the brightside. Im pretty sure my DNSSEC is automated


Now I have to figure this out :confused:

[[email protected] data]# dnssec-checkds utangard.net
KSK for DS utangard.net/014/11487 (SHA-256) missing from child
DS for KSK utangard.net/014/55295 (SHA-256) found in parent

This passes:

so Im confused. Do I need to enter the DS records into the child aka my zone file?

wtf it shows up

delv @10.31.82.3 utangard.net ANY +rtrace +multiline
;; fetch: utangard.net/ANY
;; fetch: utangard.net/DNSKEY
;; fetch: utangard.net/DS
;; fetch: net/DNSKEY
;; fetch: net/DS
;; fetch: ./DNSKEY
; fully validated
utangard.net.		258 IN RRSIG NS 14 2 300 (
				20211124191402 20211116061753 11487 utangard.net.
				awuV9wQivSUwXKy+AyxfIjjkzj1DIG28VraV2+KCjJfS
				IQeJsa+tDRVeuosifdPth417RJGVTM9QYe4O0P9pbigl
				Qqx7isOiFhhtHMdDutClRedmv7w+lx6mlJ7Vv9mI )
utangard.net.		258 IN NS ns1.utangard.net.
utangard.net.		258 IN NS ns2.utangard.net.
utangard.net.		258 IN RRSIG AAAA 14 2 300 (
				20211124191402 20211116061753 11487 utangard.net.
				e/djGRVoBNgpWU9YHHttxGDNVvRYDq9rFv9e/H1DVp8c
				/ZIwUJi4OkucGRPpZUb9/nG0Zmfsi+GoKxaLZRePPlx+
				iM+/sKnWVz0iVzj07gfdjDn6/lrDqczNTmJKFlTG )
utangard.net.		258 IN AAAA 2600:3c04::f03c:92ff:fec6:2030
utangard.net.		258 IN RRSIG A 14 2 300 (
				20211124191402 20211116061753 11487 utangard.net.
				b21EL7VI/BhfPWb0LOFkEKJmozaa+Qo9uRTETrPm2iXZ
				Rxp5/xLZ1MEGKtbEYjQuo1+l++3CcfrGoCNY36K3izS5
				/agqffNtRbH2HmtEy+2SqOZdFcYHwqHJPVVXizhn )
utangard.net.		258 IN A 192.53.120.164
utangard.net.		314 IN RRSIG DNSKEY 14 2 600 (
				20211201071753 20211116061753 55295 utangard.net.
				lIS1HuXjlEOmsOT7GZZmEQwQ5EwixmfjWkNIznVHuBot
				MpN41/93Qc8GMwz0Uo3ljX0bWGtqBo38Xe/o3AVmZL5J
				ENhX9nQt3Yo7JDHamqzSx/NisiV6ObYt5MxhoMiT )
utangard.net.		314 IN DNSKEY 257 3 14 (
				lBVStWR+jJQC7t833te7kp3GRFEMbn4wl6m8K6KQ6btB
				fGrsefRGJra2KsHI4MsUtWJOvk0xs057w2319vhdLFce
				INzsD1zTvnKoxNXpCBDqGi+y4WF8Nho+JNXqhGct
				) ; KSK; alg = ECDSAP384SHA384 ; key id = 55295
utangard.net.		314 IN DNSKEY 256 3 14 (
				5tdCXp5Ru8CA18uc7NPxyKjvYZr+QEXx5PHKOQKfwjMd
				QUyHsAkTkNIJaNakzXONefYSGeERlrKKKttmBF8O4fpG
				XmzD4KE5GD9mQcvplj+1pgNNF7A+Xa2j5ETqr5Bo
				) ; ZSK; alg = ECDSAP384SHA384 ; key id = 11487
utangard.net.		67798 IN RRSIG DS 8 2 86400 (
				20211124045959 20211117034959 40649 net.
				UiDDihKwbR6B+b2mdPjSOD+EWmFVEAf7G5yfyAD/ugXg
				qz/z+RDbY2hr0cA1xgh+D6fQpyCq+A4Ww2I4WPXUwJWY
				YHKs7sVCkWUzSzFTAhlcVwjDXxOFZq2LUePmQ6BSNGHH
				Khkbsyee7vncnIa+aCGYxgO83L92QMf6xfIGpGKAwtNq
				TyfK+ZZXhzY3/OCT1bgPPqcetN2oEt3NQ+wlfg== )
utangard.net.		67798 IN DS 55295 14 2 (
				44DEDBD65FEE43247099DBF83862B1E700C7C2EF39B2
				B1A9195CE6FB76A95E3A )
utangard.net.		67798 IN DS 11487 14 2 (
				4F891728CAF68F311712797A3DC6327D76930F7F7BD7
				D7BD662FC36158835EC0 )

FML

Why is this shit so esoteric

 dig @10.31.82.3 utangard.net ANY +cd

; <<>> DiG 9.16.23 <<>> @10.31.82.3 utangard.net ANY +cd
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19581
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;utangard.net.			IN	ANY

;; ANSWER SECTION:
utangard.net.		93	IN	A	192.53.120.164
utangard.net.		93	IN	AAAA	2600:3c04::f03c:92ff:fec6:2030
utangard.net.		93	IN	NS	ns2.utangard.net.
utangard.net.		93	IN	NS	ns1.utangard.net.

;; Query time: 13 msec
;; SERVER: 10.31.82.3#53(10.31.82.3)
;; WHEN: Fri Nov 19 02:25:07 MST 2021
;; MSG SIZE  rcvd: 121
> dig @10.31.82.3 utangard.net ANY +dnssec +multi

; <<>> DiG 9.16.23 <<>> @10.31.82.3 utangard.net ANY +dnssec +multi
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38686
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1472
;; QUESTION SECTION:
;utangard.net.		IN ANY

;; ANSWER SECTION:
utangard.net.		53 IN A	192.53.120.164
utangard.net.		53 IN RRSIG A 14 2 300 (
				20211124191402 20211116061753 11487 utangard.net.
				b21EL7VI/BhfPWb0LOFkEKJmozaa+Qo9uRTETrPm2iXZ
				Rxp5/xLZ1MEGKtbEYjQuo1+l++3CcfrGoCNY36K3izS5
				/agqffNtRbH2HmtEy+2SqOZdFcYHwqHJPVVXizhn )
utangard.net.		53 IN AAAA 2600:3c04::f03c:92ff:fec6:2030
utangard.net.		53 IN RRSIG AAAA 14 2 300 (
				20211124191402 20211116061753 11487 utangard.net.
				e/djGRVoBNgpWU9YHHttxGDNVvRYDq9rFv9e/H1DVp8c
				/ZIwUJi4OkucGRPpZUb9/nG0Zmfsi+GoKxaLZRePPlx+
				iM+/sKnWVz0iVzj07gfdjDn6/lrDqczNTmJKFlTG )
utangard.net.		53 IN NS ns1.utangard.net.
utangard.net.		53 IN NS ns2.utangard.net.
utangard.net.		53 IN RRSIG NS 14 2 300 (
				20211124191402 20211116061753 11487 utangard.net.
				awuV9wQivSUwXKy+AyxfIjjkzj1DIG28VraV2+KCjJfS
				IQeJsa+tDRVeuosifdPth417RJGVTM9QYe4O0P9pbigl
				Qqx7isOiFhhtHMdDutClRedmv7w+lx6mlJ7Vv9mI )

;; Query time: 20 msec
;; SERVER: 10.31.82.3#53(10.31.82.3)
;; WHEN: Fri Nov 19 02:25:47 MST 2021
;; MSG SIZE  rcvd: 541

At a loss for words … NOERROR. Validation good… Zero clue. Dont know if the error matters

I think there’s something called a dc or cd zone for the child?

I never set it up though.

Once I got all green checks I stopped.

Sigh I’ll look into it but I shoved it under things in terms if priority

So many esoteric things

Anyways moved my recursive resolved to a linode close to where I’m at. The recursive resolver is far faster now since it no longer has to do any back tracking through a proxy.

Its actually much nicer this way. Anonymized logs and connection

1 Like

Tbh, idk how many people/companies ever 100% implement dnssec. Seems like 90% of the way there gets you the club membership.

I’d drop them man. Being a registrar is basically a license to print money. If they can’t provide the handful of services that are even possible to provide around domain registration, I’d go with something else.

thats fair. I got them to fix it. they were quick about it. so im not to concerned rn. all green check marks

working on solidifying that pihole config and backing it up rn

probably dont need to in practicality either

1 Like

@oO.o

Its fixing itself slowly

https://dnsviz.net/d/www.utangard.net/responses/

Its just keep alives that are the problem and the old key will take a year to disappear even though its unused, cant be used and deleted from the response chain.

About the only problem right now is just from me doing maintenance due some other issues so 6 is Down on one

TLSA fully validates… NICE

image

1 Like

I still want to see if those BIND utils renew your ksk automagically or if you have to do it yourself.

1 Like

They did. They were due to for renewal on Dec 6th. Its renewed. The only not magical part is managing the DS key in NameCheap

1 Like

I’m telling you man, switch to something with a full API. Don’t stop when you’re so close to FULLY AUTOMATED.