I am up for more. I am generally very thirsty for the “new things out there”. So after successfully enabling IPv6 in yesterday’s post I was thinking “hey, there is already DNSSEC out there – let me use it”.
First things first
Here is a site that tests whether your resolver supports EDNS, that is, DNS packets bigger than 512 bytes. DNSSEC requires that. I had a big problem with it. I am running OpenWRT Backfire 10.03 on my WRT54GL. Unfortunately flash space is at a premium there, so I quickly grabbed my old WRAP board with a 128MB CompactFlash card and installed OpenWRT on it as well, just the x86 version.
I figured I had two options: either use DNSMasq or Bind with DNSSEC support. According to this forum post, DNSMasq supports EDNS.
After some time I figured out that OpenDNS does not support EDNS at all, so I disabled it as a forwarder.
The next problem was with DNSMasq. Configuring Bind to query the root nameservers is not a big deal, and I just didn’t spend the time to get up to speed with DNSMasq.
OK, but when I did a query with
$ dig . dnskey
and got
;; Truncated, retrying in TCP mode.
I realized that the solution was already there.
Finally, when I did the “test dig” as
dig +bufsize=1024 rs.dns-oarc.net txt
all was good, no more truncation. And in the end I got what I wanted to achieve:
root@miniserver:/etc/config# dig +bufsize=1024 +short rs.dns-oarc.net txt
"126.96.36.199 DNS reply size limit is at least 3843"
"Tested at 2011-01-08 16:43:42 UTC"
"188.8.131.52 sent EDNS buffer size 4096"
OpenWRT only offers Bind in version 9.6.1 patchlevel 2, which with regard to DNSSEC is quite old. Long story short, I installed the quite recent Bind 9.7.1 and enabled DNSSEC there. Done in 5 minutes – see the links above.
A lot has changed since some websites wrote about DNSSEC. Bind can, for example, also update the root key for “.” automatically… oi!
I noticed that .com also has valid DNSSEC data, and I have a .com domain. .co.uk has some data, but dig doesn’t show that it can be authenticated (the “ad” bit is not set).
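To make the two checks above repeatable (is EDNS honoured, and does the resolver set the “ad” bit?), here is a small POSIX shell helper I wrote for this post; it is not from the original post or from Bind. It parses the header lines of `dig +dnssec` output, and the three sample answers at the bottom are constructed, with made-up query ids.

```shell
#!/bin/sh
# Classify the header of `dig +dnssec` output: validated (ad bit), unvalidated,
# truncated (tc bit, meaning EDNS is not working), or SERVFAIL.
classify_dig() {
    out="$1"
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    case " $flags " in
        *" tc "*) echo truncated; return 0 ;;   # UDP answer cut at 512 bytes, EDNS not honoured
    esac
    case "$status" in
        SERVFAIL) echo servfail; return 0 ;;    # with validation on, often a broken chain of trust
        NOERROR) ;;
        *) echo unknown; return 0 ;;
    esac
    case " $flags " in
        *" ad "*) echo validated ;;             # resolver proved the signatures up to the root key
        *) echo unvalidated ;;                  # no ad bit: zone unsigned, or resolver not validating
    esac
}

# EDNS UDP buffer size advertised in the OPT record; 0 if there is no OPT record.
edns_udp_size() {
    size=$(printf '%s\n' "$1" | sed -n 's/^; EDNS: .*udp: \([0-9]*\).*/\1/p' | head -n 1)
    echo "${size:-0}"
}

# Constructed samples: a validated .com answer, a .co.uk style answer without the
# ad bit, and a truncated answer from a path where EDNS does not get through.
SAMPLE_SIGNED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096'
SAMPLE_UNSIGNED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096'
SAMPLE_TRUNCATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4713
;; flags: qr tc rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'

for s in "$SAMPLE_SIGNED" "$SAMPLE_UNSIGNED" "$SAMPLE_TRUNCATED"; do
    echo "$(classify_dig "$s") (edns udp=$(edns_udp_size "$s"))"
done
```

Against a live resolver, feed it the real output, e.g. `classify_dig "$(dig +dnssec +bufsize=4096 www.example.com A)"`.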