Infrastructure Series: BIND9 Authoritative DNS Guide "Please See Me Edition"

Oh my bad. They have probably beefed up the automation since then.

idk? I haven’t actually set this up yet. I got a new switch so I’m immersed in that currently. I guess I’d just be sure that your current config handles everything through the entire life cycle of the KSK because relatively recently, it didn’t.


Also, btw, the current bind package in OpenBSD is 9.16.22 :slight_smile:

1 Like

I feel that. Next step is a proper Xeon E5 v4+ system to do my IPS/IDS

For now my DNS records are complete

dig @9.9.9.9 < MY-TLD >.net ANY +dnssec +multiline

; <<>> DiG 9.16.22 <<>> @9.9.9.9 < MY-TLD >.net ANY +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31849
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 31, AUTHORITY: 0, ADDITIONAL: 9

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;< MY-TLD >.net.		IN ANY

;; ANSWER SECTION:
< MY-TLD >.net.		300 IN SOA ns1.< MY-TLD >.net. hostmaster.< MY-TLD >.net. (
				2021111397 ; serial
				14400      ; refresh (4 hours)
				900        ; retry (15 minutes)
				28800      ; expire (8 hours)
				240        ; minimum (4 minutes)
				)
< MY-TLD >.net.		300 IN RRSIG SOA 14 2 300 (
				20211130195934 20211115185934 11487 < MY-TLD >.net.
				mIjrsgWS+pQLdy87Su8Z0UbeOFP7NMoRaDPPZHeAyJsE
				+q/WawMqLH8G5PcypiVaTjicv3WufPMJ9rnCvlaQBtsC
				wLlGS71dP239BpK3IZhOhWNQ0acQmsx3yQ0GTSBn )
< MY-TLD >.net.		300 IN TXT "oa1:btc" "recipient_address=18aPyZZ6kXN4jh3fd7Vf3vGkm9U6QDNcxe"
< MY-TLD >.net.		300 IN TXT "oa1:xmr" "recipient_address=4373MaqnKswCRm1WrFJtXdEVDnnboGjSC7117Z2irZcyRvScZx8wToF54aDo8dqh7FU6MB4AgbeUKPLM9c2VRP4iAB6mH83"
< MY-TLD >.net.		300 IN RRSIG TXT 14 2 300 (
				20211128192759 20211114091824 11487 < MY-TLD >.net.
				+FwWGNfdtVOkLvZbwprB6pKSdLxi5BB6/nJVvp2/X7wy
				RxVQRa5DwaxJs6aLgsNC+P3DFkxEiLouwx1tY0QF7dxl
				0BWgKWhWERkuM26MJU/3qjWMhURvb1GYtP2bQfGW )
< MY-TLD >.net.		300 IN SSHFP 4 1 (
				B334AC074053354BE6160D5FA58B9ACAF273C223 )
< MY-TLD >.net.		300 IN SSHFP 4 2 (
				159C867AEBAB56ECAB6F0A6B33080338A1AD356CDDFD
				18DE604A4C7C71FA4FFA )
< MY-TLD >.net.		300 IN SSHFP 2 2 (
				C64434A6FFA5975099C00BCB983470BED627716DE591
				C26C509CBC2A945F26BC )
< MY-TLD >.net.		300 IN SSHFP 3 2 (
				3E53A430A6729186154A39611DDFDCD807D60E61E15C
				950A78364D790AB8B422 )
< MY-TLD >.net.		300 IN SSHFP 1 1 (
				080F22AD4A9837057295431121B4B2E3A6E8D1AC )
< MY-TLD >.net.		300 IN SSHFP 1 2 (
				4CC07F5D066C0405B04FAA01F2DBB1086B7F4C5ED571
				34EBB0110B2CA3BC8056 )
< MY-TLD >.net.		300 IN SSHFP 2 1 (
				9A120DE7E960AD7D5EA126DE2F0B47323A52FE49 )
< MY-TLD >.net.		300 IN SSHFP 3 1 (
				E8F126DAE356BE7C2AEDF5E4E9D94822C700FEAD )
< MY-TLD >.net.		300 IN RRSIG SSHFP 14 2 300 (
				20211128192759 20211114091824 11487 < MY-TLD >.net.
				d3rLX0FHW3caln8tyb54xEO3x9pOnQW/EF49eJ0ZdMGZ
				Ah2dShjn9b3NLCo9bYYbTnEBBjnl4RVTc5Pxm8b9dqWN
				VgLpZhgXq4cIdj+p4TaRVmmsYOSVFctISHQGdVAK )
< MY-TLD >.net.		300 IN CAA 0 issue "comodo.com"
< MY-TLD >.net.		300 IN RRSIG CAA 14 2 300 (
				20211128192759 20211114091824 11487 < MY-TLD >.net.
				td9B9E/g5UkB3g2X5aQ9seMX1D87xAJvUtc/Hm7Ezw/s
				IzmABaN7acXBuFzyZ0EUoGg4w65u3oTN0iO1UKFFP8iX
				cDuPvoRuPPAWE5BVPKHKTt0ZBbhDDqVuyEt/p2/0 )
< MY-TLD >.net.		300 IN AAAA 2600:3c04::f03c:92ff:fec6:2030
< MY-TLD >.net.		300 IN RRSIG AAAA 14 2 300 (
				20211128192759 20211114091824 11487 < MY-TLD >.net.
				DzqfB/qwH/y3UtdZUCOMW5qCMLI57BWVj1U8Nz+0AOgu
				E+mRzNt4RXgvz9KP9RbMnDcg29eKTMYIRAZbLmSbCVvK
				DIo8Ly4G70GX6d1QoKVpUtRuyvRrnheSCLyveoy8 )
< MY-TLD >.net.		300 IN NS ns1.< MY-TLD >.net.
< MY-TLD >.net.		300 IN NS ns2.< MY-TLD >.net.
< MY-TLD >.net.		300 IN RRSIG NS 14 2 300 (
				20211128192759 20211114091824 11487 < MY-TLD >.net.
				AWwEX+CDN3WGIh8FGd8dY7KWM6/gyIdD1CFGcsrGg0F3
				ATIcN/wK/9hP85srWto5miEYuiPAnzFy/sutL4+Q5bd6
				VhA6uJuzNU0bWhLdumsfHQlCrAQIvgGMEEksuLCO )
< MY-TLD >.net.		300 IN A 192.53.120.164
< MY-TLD >.net.		300 IN RRSIG A 14 2 300 (
				20211128192759 20211114091824 11487 < MY-TLD >.net.
				qYVP1vVrC43PydPxj4jo8bw8XMn7bxf41qXodg9leg3m
				2HxFHAGNO6/Lwzsqt3dwdaWEpsG6gUxreBfDmgBq8MV7
				q1bfp8IWhgl3xLrunFEUH4U8b8DB+hB24iDnwY3i )
< MY-TLD >.net.		600 IN DNSKEY 257 3 14 (
				lBVStWR+jJQC7t833te7kp3GRFEMbn4wl6m8K6KQ6btB
				fGrsefRGJra2KsHI4MsUtWJOvk0xs057w2319vhdLFce
				INzsD1zTvnKoxNXpCBDqGi+y4WF8Nho+JNXqhGct
				) ; KSK; alg = ECDSAP384SHA384 ; key id = 55295
< MY-TLD >.net.		600 IN DNSKEY 256 3 14 (
				5tdCXp5Ru8CA18uc7NPxyKjvYZr+QEXx5PHKOQKfwjMd
				QUyHsAkTkNIJaNakzXONefYSGeERlrKKKttmBF8O4fpG
				XmzD4KE5GD9mQcvplj+1pgNNF7A+Xa2j5ETqr5Bo
				) ; ZSK; alg = ECDSAP384SHA384 ; key id = 11487
< MY-TLD >.net.		600 IN RRSIG DNSKEY 14 2 600 (
				20211129101824 20211114091824 55295 < MY-TLD >.net.
				Ihq+D4NeGFgFoG4zOite/JK8EnS46N8/MA/FyRNzlMJn
				Uaf/C1Em0yKDhun21lonfOxWiusOl81wW9UuezvNqnTx
				eu3qulF8ZluGOD0lnS5RNn52v0KKnB156FVLX27f )
< MY-TLD >.net.		5 IN TYPE65534 \# 5 ( 0E2CDF0001 )
< MY-TLD >.net.		5 IN TYPE65534 \# 5 ( 0ED7FF0001 )
< MY-TLD >.net.		5 IN RRSIG TYPE65534 14 2 0 (
				20211129061524 20211114091824 11487 < MY-TLD >.net.
				89/4xbx+O31d2CcA7Xmilo6iwm4QzmlcodXz/Pd3/Eb5
				akWY4JeYZZLLHqe2sbSAlYElU35fBjn46Zjg5UPLsHvr
				Tn19UXke1KQM/iPxKeumdvpdPuMElefL+SQFvvSV )
< MY-TLD >.net.		240 IN NSEC *.< MY-TLD >.net. A NS SOA TXT AAAA SSHFP RRSIG NSEC DNSKEY CAA TYPE65534
< MY-TLD >.net.		240 IN RRSIG NSEC 14 2 240 (
				20211129061524 20211114091824 11487 < MY-TLD >.net.
				/9FoYqSFek0+WEqrBeL3dBsRf6u1QaIwsMF3Y6Pks+99
				ClMD58PpMEztYjNgRygcigD+5GJoYu8RBqzSRYc5oY8n
				93CfpwIxSv40eN1QZbZeA5iQJqSRYUfNO5gv6rAu )

;; ADDITIONAL SECTION:
ns1.< MY-TLD >.net.	300 IN A 23.239.20.9
ns2.< MY-TLD >.net.	300 IN A 173.255.255.89
ns1.< MY-TLD >.net.	300 IN AAAA 2600:3c01::f03c:92ff:fece:5fc0
ns2.< MY-TLD >.net.	300 IN AAAA 2600:3c01::f03c:92ff:fe9e:3ef0
ns1.< MY-TLD >.net.	300 IN RRSIG A 14 3 300 (
				20211127031107 20211114091824 11487 < MY-TLD >.net.
				J4CCJTBCTav6Jy1OHK9idfPKySYITBKye7glnmeuzkiT
				7xhKVAmFUDZZciez5zq7X4wxLs0W9g0nTYmaH5YlDsKU
				koqll1CxnhxF91aQpXX+9AOJSpQom/V/4DHGjUjN )
ns2.< MY-TLD >.net.	300 IN RRSIG A 14 3 300 (
				20211121205825 20211114091824 11487 < MY-TLD >.net.
				R6a6DMBKYtEyL+186L7IXMlb16E+t4ZfbAES6tTH5kZ1
				krfH/cr1y6V+8p4MDZbOTRPTEo6te0OIvrLCrUzw9ShG
				+Ltc3mCKGhQZq03cZVht3GTMsLeaH1i5nPRWFDpw )
ns1.< MY-TLD >.net.	300 IN RRSIG AAAA 14 3 300 (
				20211127031107 20211114091824 11487 < MY-TLD >.net.
				oeZFAMsFUWOkAkedG8IKW5FR5Xyq32sgoOpFk92IC2N5
				3HlOSKdkVUwH/t+m6axwCGR5o2hULOF8B4W7VrdccuMv
				2QgygyPBFGNz7wNbThDTNalLtBeB9iJFV/XC1mx7 )
ns2.< MY-TLD >.net.	300 IN RRSIG AAAA 14 3 300 (
				20211121205825 20211114091824 11487 < MY-TLD >.net.
				KSRFnDCrqQzRQDdeCb+4us5wucXNAULSzrlxhShvV3mm
				nYjHd620ZehL83ij9QVDI3Z1EN8IaOQYA3FrApqe4OiL
				nafNAeEOs0BC97XDUbX3uQcojNPujQZtFUcW4V7u )

;; Query time: 80 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Mon Nov 15 20:13:10 MST 2021
;; MSG SIZE  rcvd: 3104

and NSEC3 is used for when stuff doesn’t exist

dig @9.9.9.9 DoesNotExist.< MY-TLD >.net ANY +dnssec +multiline

; <<>> DiG 9.16.22 <<>> @9.9.9.9 DoesNotExist.< MY-TLD >.net ANY +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9122
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 8, AUTHORITY: 5, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;DoesNotExist.< MY-TLD >.net. IN ANY

;; ANSWER SECTION:
DoesNotExist.< MY-TLD >.net. 300 IN CAA 0 issue "comodo.com"
DoesNotExist.< MY-TLD >.net. 300 IN RRSIG	CAA 14 2 300 (
				20211128192759 20211114091824 11487 < MY-TLD >.net.
				WUyyYMVfdiHcvr3WGNmHEPkkmjfmk8MzgcuayrKgoMmZ
				YB1PHKeO6xcYiwsSmmBqnoiDuYQl4uMp5JU8uZtL6imt
				6vKQfDGPPlLL2dLQkRKtKExeZK6sR1DBzcqexuC3 )
DoesNotExist.< MY-TLD >.net. 300 IN AAAA 2600:3c04::f03c:92ff:fec6:2030
DoesNotExist.< MY-TLD >.net. 300 IN RRSIG	AAAA 14 2 300 (
				20211128192759 20211114091824 11487 < MY-TLD >.net.
				sTCVAN2IZgA/ieVcylOhr0vjcL3Qa7+hjsc8vgSwF7hC
				J6e6MQQgTnBRc8aLQ8+6+OosPrHqplVADFdalZuimMZi
				MeDHQUTl2HtHfjxJ0de77H2WxmIOBTG4iImLSyx0 )
DoesNotExist.< MY-TLD >.net. 300 IN A 192.53.120.164
DoesNotExist.< MY-TLD >.net. 300 IN RRSIG	A 14 2 300 (
				20211128192759 20211114091824 11487 < MY-TLD >.net.
				Uk9XFyBZ4pePOmOuCXnnR8SmuRRSrw8W6IX6ypAfSKiY
				TSvnDqSHjVDANwXSFOo2wJ35NgLmsu6mmwV6oF30B5lC
				9RA6u25+G0aALg8bLyy+PuAAsyFbr5vr5NTTgHun )
DoesNotExist.< MY-TLD >.net. 240 IN NSEC 0bin.< MY-TLD >.net. A AAAA RRSIG NSEC CAA
DoesNotExist.< MY-TLD >.net. 240 IN RRSIG	NSEC 14 2 240 (
				20211128192759 20211114091824 11487 < MY-TLD >.net.
				o24OlOzfAOrsrwoZh5GQ/tg+i42shVIEU7bnxRePqnFp
				R0oZs+jSXfBvbEqSdg6n8gCIj3+foR1ychL1D8rWYDUF
				1uTlv8CiUKUvAip5PpEwKnwsIcLb9KoKQtfQKVSF )

;; AUTHORITY SECTION:
< MY-TLD >.net.		300 IN NS ns1.< MY-TLD >.net.
< MY-TLD >.net.		300 IN NS ns2.< MY-TLD >.net.
< MY-TLD >.net.		300 IN RRSIG NS 14 2 300 (
				20211128192759 20211114091824 11487 < MY-TLD >.net.
				AWwEX+CDN3WGIh8FGd8dY7KWM6/gyIdD1CFGcsrGg0F3
				ATIcN/wK/9hP85srWto5miEYuiPAnzFy/sutL4+Q5bd6
				VhA6uJuzNU0bWhLdumsfHQlCrAQIvgGMEEksuLCO )
dns.< MY-TLD >.net.	240 IN NSEC git.< MY-TLD >.net. CNAME RRSIG NSEC
dns.< MY-TLD >.net.	240 IN RRSIG NSEC 14 3 240 (
				20211130190445 20211115185934 11487 < MY-TLD >.net.
				4Oz12iKRF3tjukdFzpFVCmrMnAZrUy9tUPeDmAI8xiAo
				v/Loomh0F8BAFs50XALEdXrVtZzw49j8VkYQ6XPrMSZQ
				JeA3bmquN5m+u/XtJfYHKd9bXcxAwKPe0MVXBRaJ )

;; Query time: 50 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Mon Nov 15 20:16:18 MST 2021
;; MSG SIZE  rcvd: 1087


So I think I’ll worry about it closer to the 60 day mark of a ZSK rollover and see what happens.

1 Like
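A maintenance check for the kind of output shown above, added here as an example and not part of the guide: it parses `dig +dnssec +multiline` records, flags RRSIGs whose expiration timestamp is within a week (a sign that re-signing has stalled), and flags RRSIGs whose key tag has no matching DNSKEY in the answer, which is what breaks validation when a ZSK or KSK rollover goes wrong. The sample input is constructed; example.net and the 99999 key tag are placeholders.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the dig +multiline layout (signature/key blobs are placeholders).
SAMPLE = """\
example.net.		300 IN RRSIG SOA 14 2 300 (
				20211130195934 20211115185934 11487 example.net.
				base64sigdata== )
example.net.		600 IN DNSKEY 256 3 14 (
				base64keydata==
				) ; ZSK; alg = ECDSAP384SHA384 ; key id = 11487
www.example.net.	300 IN RRSIG AAAA 14 3 300 (
				20211220000000 20211201000000 99999 example.net.
				base64sigdata== )
"""

# owner ttl IN RRSIG type alg labels origttl ( expiration inception keytag signer ...
RRSIG_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+RRSIG\s+(\S+)\s+\d+\s+\d+\s+\d+\s+\(?\s*"
                      r"(\d{14})\s+(\d{14})\s+(\d+)\s+(\S+)")
# +multiline prints the key tag as a trailing "key id = N" comment on DNSKEY records
DNSKEY_RE = re.compile(r"IN\s+DNSKEY\s+(\d+)\s+\d+\s+\d+.*key id = (\d+)")

def flatten(text):
    """Join each parenthesised multi-line record into a single line."""
    records, buf = [], []
    for line in text.splitlines():
        buf.append(line.strip())
        if "(" not in " ".join(buf) or ")" in line:
            records.append(" ".join(buf))
            buf = []
    return records

def check_signatures(text, now, warn_days=7):
    """Return (expiring, unknown): RRSIGs expiring within warn_days of `now`, and RRSIGs whose key tag is not in the DNSKEY RRset."""
    recs = flatten(text)
    keys = {int(m.group(2)): int(m.group(1)) for m in map(DNSKEY_RE.search, recs) if m}
    expiring, unknown = [], []
    for rec in recs:
        m = RRSIG_RE.match(rec)
        if not m:
            continue
        owner, rtype, exp, _inc, tag, _signer = m.groups()
        expiry = datetime.strptime(exp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        if expiry - now <= timedelta(days=warn_days):
            expiring.append((owner, rtype, expiry))
        if int(tag) not in keys:  # signing key not published: validators will SERVFAIL
            unknown.append((owner, rtype, int(tag)))
    return expiring, unknown

def run_sample():
    # fixed "now" so the constructed sample gives a stable result
    return check_signatures(SAMPLE, datetime(2021, 11, 25, tzinfo=timezone.utc))
```

Against live data, feed the output of `dig @9.9.9.9 <zone> ANY +dnssec +multiline` (or a DNSKEY query plus the RRsets you care about) into `check_signatures` with `datetime.now(timezone.utc)`.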

For the sake of what you’ve written though I will add this to the guide.

I’m going to make a new section. Maintenance tips

2 Likes

I’ll probably have my own version set up by then so will be more helpful.

2 Likes

And I guess I’ll be smacking into my rollover time to live so I’ll be more informative if there is much to do lol

RIP me in January

2 Likes

I think there’s something called a dc or cd zone for the child?

I never set it up though.

Once I got all green checks I stopped.

Sigh, I’ll look into it but I shoved it under things in terms of priority.

So many esoteric things

Anyways, moved my recursive resolver to a Linode close to where I’m at. The recursive resolver is far faster now since it no longer has to do any backtracking through a proxy.

It’s actually much nicer this way. Anonymized logs and connection.

1 Like

Tbh, idk how many people/companies ever 100% implement DNSSEC. Seems like 90% of the way there gets you the club membership.

I’d drop them man. Being a registrar is basically a license to print money. If they can’t provide the handful of services that are even possible to provide around domain registration, I’d go with something else.

That’s fair. I got them to fix it. They were quick about it. So I’m not too concerned rn. All green check marks.

Working on solidifying that Pi-hole config and backing it up rn.

Probably don’t need to in practicality either.

2 Likes

I still want to see if those BIND utils renew your KSK automagically or if you have to do it yourself.

2 Likes

They did. They were due for renewal on Dec 6th. It’s renewed. The only not magical part is managing the DS key in Namecheap.

2 Likes

I’m telling you man, switch to something with a full API. Don’t stop when you’re so close to FULLY AUTOMATED.

1 Like

Hope this one stays up for a VERY long time. I’m digesting it in pieces to make sure, like you said (warned), I understand, not just can “do” it as I go. I’m revisiting how I set up the recursive resolver on my Pi-hole with unbound. I hope to use my domain name to set up Bitwarden for my wife and myself, I think is the current goal… but exposing a self-hosted version of Bitwarden makes me leery of not having enough protection exposing a home server to the web for personal use without certs, VPN tunnel etc. as I do not own a proxy to run through. May just have to pay for their service while I line these things up.

2 Likes

BIND is one of the oldest DNS servers. It’s simple but needs a good bit more modernization still.

It’s a ridiculously great way to understand this very critical piece of what you don’t see going on in the background all the time. The internet is held together with spit & baling wire.

2 Likes

It’s an amazing article and seeing it ALL in one place versus piecing it all together really helps me understand it AND the importance of security at EACH step of the process. I really enjoyed it and will be reading it several times till my stupid TBI brain gets it LOL. All of this new stuff (coding and scripting) of reading different files, i.e. (password protected ones), and script formatting is starting to make much more sense.

Just like firewall rules… it takes me much longer, but it’s still rewarding and I enjoy documenting my progress for future reference till I can really absorb it.

I rebuilt the home server cleanly on Proxmox 7 with the new kernel, set up ZFS, Samba shares, Plex, GPU passthrough for Plex transcoding, setting up the networking card, i.e. 10G, and only really had to reference a few things and it took me an hour or two. I remember the first time it took me a week lol. I also finally got around to setting up mail notification from Proxmox and ZED for ZFS.

I hope to use Cockpit in the future or Grafana to visualize what’s happening in my system and network.

Thank you for the amazing content. You too @ThatGuyB and even though it’s beyond me often I appreciate @oO.o @SgtAwesomesauce and @Novasty. I hope I can make sense of some of your work as well in the future.

@PhaseLockedLoop I did have one question. Does OPNsense by default “block” all incoming traffic unless there is an established connection? I attempted to look up this information without much success.

1 Like

To follow up @HaaStyleCat

I know @oO.o talked a ton in this thread about stuff. Personally I only see two true DNS server software packages that are the ones you want to learn: BIND or PowerDNS.

I appreciate the feedback. I was super unsure how this would be received because of its sheer size and the depth I really dug into it with. I was initially quite excited to share it all but I do feel like BSD based stuff like BIND does fall into a niche.

One of my principal problems with the modern web is how much we abstracted each kind of developer. They don’t need to understand the systems they are building their systems on and everything is just-in-time delivered. It’s a recipe for disaster in my opinion. @SgtAwesomesauce might have more input on his opinion about the dev and IT sector becoming both a place where you must know everything and know nothing.

Firewall rules take everyone longer. It’s one of those things where digging in and understanding packet flow TRULY helps you write them.

If there is demand I’ve thought about a thread similar to this one, in depth about iptables. Things you can do with the basic firewalls. I won’t be covering pftables as it’s similar but way way more esoteric.

Go with Cockpit and avoid massive logging software. It’s not worth it on a home lab. It’s so cool to see but it takes so much power to run and maintain.

Yes sir, that’s how a firewall works.

CHAIN INCOMING DROP (excluding anti-lockout rules and pregenerated ones by OPNsense on the mangle chain)
CHAIN OUTGOING ACCEPT
CHAIN FORWARDING DROP

The exact terminology is different but yeah. There’s stuff in the manual but it’s way too expansive. You can see it in the UI.

OPNsense is something I worked with @SgtAwesomesauce on and I’m sure he can attest to you it’s way easier to operate with someone over voice to explain it. I recommend being on the L1 Discord for explanations and walkthroughs of interfaces like OPNsense and pfSense.

2 Likes

It’s already a disaster.

I’ve needed to explain how to follow a python stack trace to senior developers at my company.

A FUCKING STACK TRACE.

Yeah, just the debug cadence of voice is much faster than text. It’s that way in anything.


Worth mentioning, I hate technology some days. AWS has multiple outages a year. The Iron hasn’t had an outage as long as I’ve been alive.

3 Likes

That’s okay. Try explaining Ohm’s law to a senior electrical engineer and they can’t even understand it anymore, they are so out of practice and need a computer.

Traceback and exception handling is fun. What was it throwing?

Just some? Actually I’ll correct my point of view. I hate how we are using and designing technology. I don’t hate tech.

But yeah it’s definitely a disaster.

So my programming was taught old school. Sketch it out and diagrams on paper then write the code.

I’ve noticed this isn’t done anymore or at the very least not minimally thought out which is bothersome.

2 Likes

They weren’t passing the right arguments when calling a function. :facepalm:

3 Likes