💾 Archived View for thebackupbox.net › ~epoch › blog › dnssec captured on 2024-12-17 at 10:14:12. Gemini links have been rewritten to link to archived content
yadifa DNSSEC
Unlike with BIND,
you do NOT manually create your keys and tell yadifa where they are.
It isn't this obvious from the documentation.
https://github.com/isc-projects/isc-dnssec-guide/blob/master/src/troubleshooting_common-problems.xml
I was trying to use a ZSK and a KSK at the same time, but the checkers kept saying the DNSSEC RRset wasn't covered
by the keys I had in the DS records.
I disabled the KSK and it worked after that.
Fuck if I know.
I re-enabled the KSK and it is working.
It randomly stopped working one day. I figure it was key-rotation based.
I'm not sure if setting the rotation schedule to something insane (every minute, I think) helped,
but I did that, and found I had a second 257 key, so I ran
a script to generate the stuff
for a new DS record and put that into namecheap.
Then the checkers I used bitched about the "old" key, so I deleted that DS record,
then deleted the key from /var/lib/yadifa/keys,
and then had to restart unbound to get the cache cleared,
and then DNSSEC was working again.
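The "generate the stuff for a new DS record" step above, as an added example that is not part of the original post and not yadifa's or knot's own tooling: a small Python script that parses a DNSKEY RRset in presentation format, computes the RFC 4034 key tag, and emits DS records (digest type 2, SHA-256, per RFC 4509) only for keys with the SEP bit set (flags 257, the KSKs), so a stray ZSK never ends up in the parent. The zone name is the blog's; the DNSKEY lines and the 64-byte public keys are constructed for the example and are not real keys, so the digests are illustrative only.

```python
import base64
import hashlib
import struct

# Constructed sample input (not real keys): a KSK (flags 257) and a ZSK
# (flags 256), both algorithm 13 (ECDSAP256SHA256), whose "public key" is
# just the bytes 0x00..0x3f so the script runs offline.
FAKE_PUBKEY = base64.b64encode(bytes(range(64))).decode()
SAMPLE_DNSKEY_RRSET = f"""\
thebackupbox.net. 3600 IN DNSKEY 257 3 13 {FAKE_PUBKEY}
thebackupbox.net. 3600 IN DNSKEY 256 3 13 {FAKE_PUBKEY}
"""


def wire_name(name: str) -> bytes:
    """Owner name in canonical wire form (RFC 4034 s6.2): lowercase,
    length-prefixed labels, terminated by the root label."""
    labels = name.rstrip(".").lower().split(".") if name.strip(".") else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(line: str) -> dict:
    """Parse one DNSKEY RR in presentation format:
    owner [ttl] [class] DNSKEY flags protocol algorithm base64-key..."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))  # key may be split by spaces
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    return {"owner": fields[0], "flags": flags, "protocol": protocol,
            "algorithm": algorithm, "rdata": rdata}


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B). This is the
    number a DS record and an RRSIG use to name the key."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest type 2: SHA-256(owner-name-wire || DNSKEY RDATA)."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()


def ds_records(rrset_text: str, sep_only: bool = True) -> list[str]:
    """Return DS records (presentation format) for the DNSKEYs in the text.
    By default only keys with the SEP bit (bit 15 of flags, i.e. 257 = KSK)
    are included; the parent should never point at a ZSK."""
    out = []
    for line in rrset_text.splitlines():
        if not line.strip():
            continue
        k = parse_dnskey(line)
        if sep_only and not (k["flags"] & 0x0001):
            continue
        out.append(f"{k['owner']} IN DS {key_tag(k['rdata'])} {k['algorithm']} 2 "
                   f"{ds_digest(k['owner'], k['rdata'])}")
    return out


if __name__ == "__main__":
    # Feed it the output of `dig +norec DNSKEY thebackupbox.net @<auth-server>`
    # from your own server; here the constructed sample is used instead.
    for rr in ds_records(SAMPLE_DNSKEY_RRSET):
        print(rr)
```

When you compare the output against what the registrar shows, the key tag is the fastest thing to eyeball: if the parent's DS carries a tag that no current 257 DNSKEY has, that is exactly the "not covered by the keys in the DS records" failure the checkers reported. After swapping the DS at the parent, a validating resolver can keep serving the old DS/DNSKEY from cache until their TTLs expire; with unbound, `unbound-control flush_zone thebackupbox.net` drops that without a restart.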
[I gave up on yadifa]
I switched to using knot for authoritative DNS.
It usually works well, but sometimes after power outages (no UPS here)
it'll get stuck but not fail hard. Logs say something about a full journal.
May 5 02:47:48 enzo knotd[2204]: notice: [thebackupbox.net.] journal is full, flushing
Something like that.
Since I'm too lazy to read all of the documentation, I just stopped knotd,
found its journal and timers dir,
then deleted those,
and started it back up.
And shit seems to start working magically again.
Probably can break stuff doing it this way.