December 8, 2017 · DNS Gandi

Setting up DNSSEC on Gandi Live DNS

Gandi launched a new platform called Live DNS just over a year ago, and it has been improving all the time. It is part of their V5 upgrade. One of the main reasons my brother and I ran our own DNS servers (we slaved for each other) was for DNSSEC support. While it is not in the Gandi GUI at the moment, through the V5 DNS API you can now tell Gandi to sign your zone on their name servers. You then add the DS records to the registry. The main V5 GUI is beta, so you will need to make sure you have an account in the old system (V4) or this won't work. This is because you can't currently add DS records in the V5 interface while using Gandi name servers, but this is supposed to be fixed in the next couple of weeks.

This guide assumes you are already using the new V5 Live DNS service and you have your DNS records set up.

To begin...

Run the following, replacing YOUR-API-KEY-HERE with the one that can be found in the "Security" section in the V5 admin panel. You will need to be able to make authenticated requests to the API. Replace example.com with your domain.

curl -v -X POST -H 'Content-Type: application/json' \
-d '{"flags": 257}' -H "X-Api-Key: YOUR-API-KEY-HERE" \
https://dns.api.gandi.net/api/v5/domains/example.com/keys

If all goes well you should see a message saying:

* Connection #0 to host dns.api.gandi.net left intact
{"message": "Domain Key Created"}

The most important thing to look for is the Location header in the verbose output, as the image below shows.

gandi-2-live-dns

We need this to get the DS record. To continue, copy the location URL and then use the command:

curl -H "X-Api-Key: YOUR-API-KEY-HERE" https://dns.api.gandi.net/api/v5/domains/example.com/keys/XXXX

All being well, you will get a long record shown. Simply copy the public_key part. This is your DS record. In Gandi V4, simply click the domain and then Manage DNSSEC. Add the DS key. The command above will give you the algorithm version; make sure you select it using the drop-down.

Once the key is added, go back to the Manage DNSSEC screen. You will see a fingerprint. If everything has worked, the digest field in your control panel and the fingerprint field from the command you ran above should match.
