Maddy: Difference between revisions
imported>Onny mNo edit summary |
imported>Onny Add notes on verify DNSSEC setup |
||
| Line 151: | Line 151: | ||
Replace the domain <code>mta-sts.example.org</code> and the domain <code>mx1.example.org</code> with the ones you're using. | Replace the domain <code>mta-sts.example.org</code> and the domain <code>mx1.example.org</code> with the ones you're using. | ||
Using a TLSA (DANE) record is recommended to bind TLS-certificates to a server. You can generate the key using following command | Using a TLSA (DANE) record is recommended to bind TLS-certificates to a server. Your nameserver needs DNSSEC support for it. You can generate the key using following command | ||
<syntaxhighlight lang="console"> | <syntaxhighlight lang="console"> | ||
| Line 157: | Line 157: | ||
</syntaxhighlight> | </syntaxhighlight> | ||
Add the key to a new TLSA record in your nameserver | |||
{{file|/etc/nixos/configuration.nix|nix|<nowiki> | {{file|/etc/nixos/configuration.nix|nix|<nowiki> | ||
| Line 171: | Line 171: | ||
# nix shell nixpkgs#dnsutils --command dig _25._tcp.mx1.example.org TLSA +short | # nix shell nixpkgs#dnsutils --command dig _25._tcp.mx1.example.org TLSA +short | ||
3 1 1 7f59d873a70e224b184c95a4eb54caa9621e47d48b4a25d312d83d96 e3498238 | 3 1 1 7f59d873a70e224b184c95a4eb54caa9621e47d48b4a25d312d83d96 e3498238 | ||
</syntaxhighlight> | |||
Check if DNSSEC is working correctly for your new TLSA record | |||
<syntaxhighlight lang="console"> | |||
# nix shell nixpkgs#dnsutils --command delv _25._tcp.mx1.example.org TLSA @1.1.1.1 | |||
; fully validated | |||
_25._tcp.mx1.example.org. 10800 IN TLSA 3 1 1 7f59d873a70e224b184c95a4eb54caa9621e47d48b4a25d312d83d96 e3498238 | |||
_25._tcp.mx1.example.org. 10800 IN RRSIG TLSA 13 5 10800 20230601000000 20230511000000 39688 example.org. He9VYZ35xTC3fNo8GJa6swPrZodSnjjIWPG6Th2YbsOEKTV1E8eGtJ2A +eyBd9jgG+B3cA/jw8EJHmpvy/buCw== | |||
</syntaxhighlight> | </syntaxhighlight> | ||