December 8, 2018 · DNS Gandi

Setting up DNSSEC on Gandi Live DNS

Gandi launched a new platform called Live DNS a couple of years ago, and it has been improving all the time. It is part of their V5 upgrade. While Gandi have now added this to their GUI, the V5 DNS API can be used to automate signing your zone on their name servers. This is useful in business setups, or if, like me, you just like to learn. This guide is designed for a technical audience.

DNSSEC happens in two stages. First you generate your keys and get your DS record. You then add the DS records to the registry.

This guide assumes you are already using the new V5 Live DNS Service and you have your DNS records set up.

What is DNSSEC?

DNSSEC basically uses cryptography to validate that the answer a DNS server gives is genuine and has not been spoofed.

To set up DNSSEC:

Run the following, replacing YOUR-API-KEY-HERE with the key that can be found in the "Security" section of the V5 admin panel. You will need to be able to make authenticated requests to the API. Replace example.com with your domain.

curl -v -X POST -H 'Content-Type: application/json' \
-d '{"flags": 257}' -H "X-Api-Key: YOUR-API-KEY-HERE" \
https://dns.api.gandi.net/api/v5/domains/example.com/keys

If all goes well you should see a message saying:

* Connection #0 to host dns.api.gandi.net left intact
{"message": "Domain Key Created"}

The most important thing to look for in the output is the location, which `curl -v` prints as the `Location` response header.

We need this to get the DS record. To continue, copy the location URL and then use the command:

curl -H "X-Api-Key: YOUR-API-KEY-HERE" https://dns.api.gandi.net/api/v5/domains/example.com/keys/XXXX

All being well, you will get a long record shown. Simply copy the public_key part. This is your DS record. In Gandi V4, simply click the domain and then Manage DNSSEC. Add the DS key. The command above will give you the algorithm version; make sure you select it using the drop-down.

Once the key is added, go back to the Manage DNSSEC screen. You will see a fingerprint. If everything has worked, the digest field in your control panel should match the fingerprint field from the command you ran above.
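
The match described above can also be checked independently, because a DS digest is a hash over the owner name in wire format followed by the DNSKEY RDATA (RFC 4034, section 5.1.4). The following Python is an added example, not part of the original post or Gandi's code. It assumes the API's public_key value is the base64 key material and that the displayed fingerprint is a SHA-256 digest; the sample key is constructed.

```python
import base64
import hashlib


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case) DNS wire format of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key_b64: str) -> bytes:
    """DNSKEY RDATA: flags (2 bytes) | protocol (always 3) | algorithm | key."""
    key = base64.b64decode(public_key_b64)
    return flags.to_bytes(2, "big") + bytes([3, algorithm]) + key


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, as defined in RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(domain: str, flags: int, algorithm: int,
              public_key_b64: str, digest: str = "sha256") -> str:
    """DS digest = hash(owner name | DNSKEY RDATA), returned as lower-case hex."""
    data = name_to_wire(domain) + dnskey_rdata(flags, algorithm, public_key_b64)
    return hashlib.new(digest, data).hexdigest()


def matches(computed_hex: str, displayed: str) -> bool:
    """Compare digests, ignoring case and separators a panel may display."""
    def clean(s: str) -> str:
        return "".join(c for c in s.lower() if c in "0123456789abcdef")
    return bool(clean(computed_hex)) and clean(computed_hex) == clean(displayed)


# Constructed sample key (64 bytes, not a real key); algorithm 13 is an
# assumption here. Use the flags, algorithm and public_key the API returned.
SAMPLE_KEY = base64.b64encode(bytes(range(64))).decode()

if __name__ == "__main__":
    rdata = dnskey_rdata(257, 13, SAMPLE_KEY)
    computed = ds_digest("example.com", 257, 13, SAMPLE_KEY)
    print("key tag:       ", key_tag(rdata))
    print("SHA-256 digest:", computed)
    # Paste the fingerprint from the control panel in place of `computed`.
    print("matches panel: ", matches(computed, computed.upper()))
```

If the computed digest differs from what the panel shows, check that the flags value (257 in the request above) and the algorithm number are the ones the API returned for that key.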
