Install Cisco IOS XRv in GNS3



Software / Application:

  1. VirtualBox
  2. GNS3

We also need the Cisco IOS XRv router image. For the lab we use iosxrv-demo-6.0.0.vmdk, which is free to use. Its only limitations are hardcoded AAA users and a rate limit of 2 Mbps. For the full feature set, please check the following link:

You need a Cisco CCO account to download the image.


1. Create a new VM


2. For the VM please choose:

  1. Name: xrv-1
  2. Type: Other
  3. Version: Other/Unknown (64-bit)


Sign expiring zone (DNSSEC)


The following script checks the expiry of the RRSIG and, if it expires within 7 days, signs your zone again.


#!/bin/bash
# Placeholders: the zone name and key file names were not preserved in this
# excerpt. Set ZONE to your zone and KSK/ZSK to the key base names created by
# ldns-keygen (the path without the .key/.private extension).
ZONE="example.com"
KSK="/etc/nsd/KSK/Kexample.com.+007+11111"
ZSK="/etc/nsd/ZSK/Kexample.com.+007+22222"

declare -i expire_date current_date d1 diff

# RRSIG expiration (field 5) of the SOA record; "$2 == 7" selects the RRSIG
# line for algorithm 7 (RSASHA1-NSEC3-SHA1). Only the YYYYMMDD part is kept.
expire_date="$(date +%s -d "$(dig +short +dnssec SOA "$ZONE" | awk '$2 == 7 { print $0 }' | cut -d' ' -f5 | cut -c1-8)")"
echo "Expire date: $expire_date"
current_date="$(date +%s)"
echo "Current date: $current_date"

d1=$((expire_date - current_date))
diff=$((d1 / 86400))          # seconds -> whole days
echo "Days to expire: $diff"

if [ "$diff" -gt 7 ]; then
  echo "RRSIG will not expire within one week. No need to sign the zone"
else
  echo "RRSIG will expire next week. Sign DNS Zone......"
  sudo ldns-signzone -f "/etc/nsd/SIGNED/$ZONE.signed" "/etc/nsd/ZONES/$ZONE" "$KSK" "$ZSK"
  echo "Reload NSD......"
  sudo /etc/init.d/nsd reload
fi
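As an added example (not part of the original post), the decision the script above makes is separated here from the live dig call, so the parsing can be checked against constructed text. The RRSIG line is matched on the type it covers ("SOA") rather than on the algorithm number, so the check keeps working after the zone is re-signed with something other than algorithm 7 (RSASHA1-NSEC3-SHA1, which is no longer recommended for new signatures). The sample dig output, the zone name example.com and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example; it is not part of the original post.

# Constructed sample of what "dig +short +dnssec SOA example.com" prints: the
# SOA record, then the RRSIG over it. RRSIG fields: type covered, algorithm,
# labels, original TTL, expiration, inception, key tag, signer, signature
# (shortened here).
SAMPLE_DIG_OUTPUT='ns1.example.com. hostmaster.example.com. 2015120101 3600 900 1209600 3600
SOA 7 2 3600 20151231000000 20151201000000 12345 example.com. AbCdEf=='

# Print the RRSIG expiration as YYYYMMDD; print nothing when there is no RRSIG
# (unsigned zone, or a resolver that dropped the DNSSEC records).
rrsig_expiry_ymd() {
  printf '%s\n' "$1" | awk '$1 == "SOA" { print substr($5, 1, 8); exit }'
}

# Whole days from "now" ($2, epoch seconds) until the YYYYMMDD date in $1.
days_until_expiry() {
  iso="$(printf '%s' "$1" | sed 's/^\(....\)\(..\)\(..\)$/\1-\2-\3 00:00:00/')"
  expire="$(date -u -d "$iso" +%s)"
  echo $(( (expire - $2) / 86400 ))
}

# Print "sign" when the zone must be re-signed (no RRSIG found, or it expires
# within $3 days of "now" in $2), otherwise "ok".
zone_needs_signing() {
  ymd="$(rrsig_expiry_ymd "$1")"
  if [ -z "$ymd" ]; then
    echo sign   # fail closed: without an RRSIG the zone is not validly signed
    return
  fi
  if [ "$(days_until_expiry "$ymd" "$2")" -gt "$3" ]; then echo ok; else echo sign; fi
}

# Usage with the sample: "now" is 2015-12-01 UTC, so the signature has 30 days left.
zone_needs_signing "$SAMPLE_DIG_OUTPUT" 1448928000 7
```

In a cron job you would feed `dig +short +dnssec SOA "$ZONE"` output into `zone_needs_signing` with `$(date +%s)` as "now"; treating a missing RRSIG as "sign" matters because a resolver without `+dnssec` support, or an unsigned zone, would otherwise look like one with no expiry to worry about.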

Enable IPv6 in OpenVPN



In my earlier post (OpenVPN in Ubuntu 14.04) I went through the steps to install OpenVPN on Ubuntu; that was IPv4 only. To enable IPv6 in OpenVPN, do the following:

OpenVPN Server IP : 2001:df2:ee00:ee00::10/64

2001:df2:ee00:abcd::/64 has been routed to the OpenVPN server host. That means clients connected via OpenVPN will get an IPv6 address from the 2001:df2:ee00:abcd::/64 block.

Step 1: Edit the OpenVPN configuration file and enable the IPv6 tunnel service:

vi /etc/openvpn/server.conf

Add the following:

server-ipv6 2001:0df2:ee00:abcd::/64
push tun-ipv6
ifconfig-ipv6 2001:0df2:ee00:abcd::1 2001:0df2:ee00:abcd::2
push "route-ipv6 2001:0df2:ee00:ee00::2/64"
push "route-ipv6 2000::/3"

Step 2: Enable IPv6 forwarding:

echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

Step 3: Reload the OpenVPN service:

/etc/init.d/openvpn restart

Connect with your OpenVPN client and test IPv6 reachability.

1. To make IPv6 forwarding persistent, uncomment the following line in /etc/sysctl.conf:
net.ipv6.conf.all.forwarding = 1

2. Make sure that 2001:df2:ee00:abcd::/64 is routed to your OpenVPN server. I did this from my Cisco router:

ipv6 route 2001:df2:ee00:abcd::/64 2001:df2:ee00:ee00::10
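Step 2 and note 1 above are two halves of one setting: the /proc flag controls forwarding right now, and the sysctl.conf line controls what happens after a reboot. The following added check (not from the original post) reports both halves; the file paths are parameters so it can run against the constructed sample files in the demo function as well as the real ones.

```shell
#!/bin/sh
# Added example; it is not part of the original post.

# Prints "live+persistent", "live-only", "persistent-only" or "off".
ipv6_forwarding_status() {
  proc_flag="$1"      # normally /proc/sys/net/ipv6/conf/all/forwarding
  sysctl_conf="$2"    # normally /etc/sysctl.conf
  live=0; persistent=0
  if [ -r "$proc_flag" ] && [ "$(cat "$proc_flag")" = "1" ]; then
    live=1
  fi
  # "#net.ipv6.conf.all.forwarding=1" is still a comment, so require the key
  # at the start of the line (whitespace allowed) and the value 1.
  if grep -Eq '^[[:space:]]*net\.ipv6\.conf\.all\.forwarding[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$sysctl_conf" 2>/dev/null; then
    persistent=1
  fi
  case "$live$persistent" in
    11) echo live+persistent ;;
    10) echo live-only ;;
    01) echo persistent-only ;;
    *)  echo off ;;
  esac
}

# Constructed sample: forwarding enabled with "echo 1 > ...", but the line in
# sysctl.conf still commented out, the state after step 2 without note 1.
demo_ipv6_forwarding() {
  dir="$(mktemp -d)"
  printf '1\n' > "$dir/forwarding"
  printf '#net.ipv6.conf.all.forwarding=1\n' > "$dir/sysctl.conf"
  ipv6_forwarding_status "$dir/forwarding" "$dir/sysctl.conf"   # prints live-only
  rm -rf "$dir"
}

demo_ipv6_forwarding
```

On the real host, run `ipv6_forwarding_status /proc/sys/net/ipv6/conf/all/forwarding /etc/sysctl.conf`. Systems that also read /etc/sysctl.d/*.conf may hold the persistent setting in one of those files instead; pass that file as the second argument in that case.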

NSD with DNSSEC (Forward & Reverse DNS)



In the previous two blog posts (1st part, 2nd part) I explained how to set up NSD as the primary DNS server and BIND as the secondary. Now let's see how we can implement DNSSEC with it.

1. You can put all the keys in a single folder, but for clarity I keep the pieces in 4 folders:
ZONES: all zone files; SIGNED: all signed zone files; ZSK: all ZSK keys; KSK: all KSK keys
sudo mkdir /etc/nsd/SIGNED /etc/nsd/KSK /etc/nsd/ZSK

2. Install ldns, an NLnet Labs project:
sudo apt-get install ldnsutils

3. Create the ZSK in /etc/nsd/ZSK:
cd /etc/nsd/ZSK
sudo ldns-keygen -a RSASHA1_NSEC3 -b 1024

Create the KSK in /etc/nsd/KSK:
cd /etc/nsd/KSK
sudo ldns-keygen -a RSASHA1_NSEC3 -b 2048 -k

ldns-keygen creates 3 files: a .key file with the public DNSKEY record, a .private file with the private key data, and a .ds file with the DS record for that DNSKEY.

4. Edit /etc/nsd/nsd.conf to change the path for the signed zones:
zonesdir: "/etc/nsd/SIGNED"

Also update each zone entry so it points at the signed file:

name: ""
zonefile: ""

5. Now use ldns-signzone to sign the zone and create a new file ready for DNSSEC queries.

sudo ldns-signzone /etc/nsd/ZONES/ \
/etc/nsd/KSK/ \
/etc/nsd/ZSK/ \
-f /etc/nsd/SIGNED/

This creates the signed zone file under the /etc/nsd/SIGNED folder.





In this part we will install BIND as the secondary name server. For the primary name server installation please check INSTALL NSD AS PRIMARY DNS SERVER & BIND AS SECONDARY NAME SERVER (PART 1).

1. Update the package index and install BIND:

sudo apt-get update
sudo apt-get install bind9 bind9utils bind9-doc

2. All the configuration files are in the /etc/bind/ folder. In most cases the default options work fine. The only thing I did was add the TSIG key for zone transfers.

3. First create the key file:

key {
algorithm hmac-md5;
secret "N1aqkdyRDOOM01NYt3Vat3v+QmonX8bsNoSdBUyKNB0=";
};

Make sure you copy the secret exactly.

4. Add the key to the named.conf file:

sudo vi named.conf

#TSIG key kompella->martini
include "/etc/bind/";

server {
keys {; };
};

5. Add the related zones to the named.conf.default-zones file:

zone "" IN {
type slave;
file "/var/cache/bind/";
masters {; };
};

zone "" IN {
type slave;
file "/var/cache/bind/";
masters {; };
};

6. Save and restart the BIND service:

sudo /etc/init.d/bind9 restart

7. Test the zone transfer:
dig axfr @ soa -k

If everything is in order, you will see all the zone entries.
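The key block in step 3 uses hmac-md5, and the note after it ("copy the secret exactly") is where TSIG setups most often go wrong. The following added helper (not from the original post) generates an equivalent key statement with hmac-sha256, which is the algorithm to prefer for new TSIG keys, and checks that a pasted secret decodes to the expected number of bytes, which catches a truncated or mangled copy before the first AXFR fails. The key name "kompella-martini" is a placeholder; the posted secret is the one shown in step 3.

```shell
#!/bin/sh
# Added example; it is not part of the original post.

# Decoded byte length of a base64 TSIG secret (0 when it is not valid base64).
tsig_secret_bytes() {
  printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' '
}

# A secret is acceptable when it decodes to at least 32 bytes (256 bits),
# the natural key size for hmac-sha256.
tsig_secret_ok() {
  [ "$(tsig_secret_bytes "$1")" -ge 32 ]
}

# Generate a fresh 256-bit secret and print a BIND "key" statement for it.
# Put the same name, algorithm and secret in NSD's key: section on the primary.
tsig_key_block() {
  secret="$(head -c 32 /dev/urandom | base64 | tr -d '\n')"
  printf 'key "%s" {\n    algorithm hmac-sha256;\n    secret "%s";\n};\n' "$1" "$secret"
}

# Extract the secret from a key statement read on stdin (e.g. the file that
# named.conf includes), so the copy on the secondary can be checked.
tsig_secret_from_block() {
  sed -n 's/.*secret[[:space:]]*"\([^"]*\)".*/\1/p'
}

# The secret from the post as written: 44 base64 characters, 32 bytes.
POSTED_SECRET='N1aqkdyRDOOM01NYt3Vat3v+QmonX8bsNoSdBUyKNB0='

# Usage: check the posted secret, then generate and re-check a new key block.
if tsig_secret_ok "$POSTED_SECRET"; then
  echo "posted secret: $(tsig_secret_bytes "$POSTED_SECRET") bytes, ok"
fi
tsig_key_block kompella-martini
```

To verify the copy on the secondary, run `tsig_secret_from_block < /etc/bind/<keyfile>` and pass the result to `tsig_secret_ok`; a secret that lost a trailing character in transit no longer decodes to 32 bytes.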
