This guide explains how you can configure DNSSEC on BIND9 version 9.7.3, the version that comes with Debian Squeeze and Ubuntu 11.10. It covers how to enable DNSSEC on authoritative nameservers (master and slave) and on resolving nameservers, creation of keys (KSKs and ZSKs), signing of zones, key rolling with rollerd, zone file checking with donuts, creation of trust anchors, using DLV (DNSSEC look-aside validation), and getting your DS records into the parent's zone.
I do not issue any guarantee that this will work for you!
1 Preliminary Note
I'm using three Debian Squeeze servers here:
- server1.example.com (Master DNS server, authoritative): IP address 192.168.0.100
- server2.example.com (Slave DNS server, authoritative): IP address 192.168.0.101
- server3.example.com (resolving DNS server, not authoritative): IP address 192.168.0.102
I'm using the zone example.org throughout this tutorial to demonstrate the DNSSEC setup. That zone is already set up and working (through "normal" DNS) on the master (server1) and slave (server2).
server1 (master):
The BIND configuration directory is /etc/bind on Debian Squeeze/Ubuntu 11.10. That directory looks as follows:
cd /etc/bind/
ls -l
root@server1:/etc/bind# ls -l
total 60
-rw-r--r-- 1 root root 665 Jan 15 2011 bind.keys
-rw-r--r-- 1 root root 237 Jan 15 2011 db.0
-rw-r--r-- 1 root root 271 Jan 15 2011 db.127
-rw-r--r-- 1 root root 237 Jan 15 2011 db.255
-rw-r--r-- 1 root root 353 Jan 15 2011 db.empty
-rw-r--r-- 1 root root 270 Jan 15 2011 db.local
-rw-r--r-- 1 root root 2994 Jan 15 2011 db.root
-rw-r--r-- 1 root bind 463 Jan 15 2011 named.conf
-rw-r--r-- 1 root bind 490 Jan 15 2011 named.conf.default-zones
-rw-r--r-- 1 root bind 167 Apr 13 10:06 named.conf.local
-rw-r--r-- 1 root bind 572 Jan 15 2011 named.conf.options
-rw-r--r-- 1 root bind 722 Apr 13 10:06 pri.example.org
-rw-r----- 1 bind bind 77 Feb 7 2011 rndc.key
drwxr-s--- 2 root bind 4096 Feb 7 2011 slave
-rw-r--r-- 1 root root 1317 Jan 15 2011 zones.rfc1918
root@server1:/etc/bind#
As you see, my example.org zone file is named pri.example.org. Yours might be named differently, so you have to adjust the zone file name in the commands from this tutorial.
My example.org zone looks as follows (nothing special, a normal BIND zone):
cat pri.example.org
$TTL 3600 |
cat named.conf.local
zone "example.org" { |
server2 (slave):
I've configured the slave to store its slave zone file (called sec.example.org) in the /etc/bind/slave directory, as you can see in the /etc/bind/named.conf.local file:
cat /etc/bind/named.conf.local
zone "example.org" { |
As you see, nothing special here - a normal BIND setup.
2 Enabling DNSSEC On The Master (server1)
server1 (master):
I will use the dnssec-tools package in this tutorial as it comes with some handy tools such as zonesigner and rollerd that make DNSSEC management a lot easier.
We can install it (and some other recommended packages) as follows:
apt-get install dnssec-tools libnet-dns-sec-perl libmailtools-perl libcrypt-openssl-random-perl
Now go to the /etc/bind directory:
cd /etc/bind
Open named.conf.options...
vi named.conf.options
... and add dnssec-enable yes;, dnssec-validation yes;, and dnssec-lookaside auto; to the options section:
options { |
dnssec-lookaside auto; makes named read the DLV trust anchor (the dlv.isc.org key) from bind.keys the first time it starts.
Normally there should be a fully signed path from the root zone (.) down to your own zone, which means that your parent zones (e.g. .org for example.org) must be signed as well. Not all TLDs have been signed yet, and if any of your parents isn't signed, the chain of trust is broken: a validating resolver that only trusts the root zone's key then has no way to verify your zone's keys, even though you have signed it.
That's why DNSSEC look-aside validation (DLV) was invented. In short, a DLV registry is an alternative repository of trust anchors where you can submit your zone's key if there's no fully signed path to your zone. The most prominent DLV repository is dlv.isc.org (ISC is the organisation that develops BIND). One caveat: ISC retired the dlv.isc.org registry in 2017 and later BIND releases removed the dnssec-lookaside option, so treat DLV as a stop-gap for the old BIND 9.7 setup described here; a DS record in a signed parent zone is the durable way to get validated. Both the root zone key and the dlv.isc.org key are included in /etc/bind/bind.keys (if not, please update BIND...
apt-get install bind9
... and check again). You can find out more about DNSSEC look-aside validation (DLV) on https://www.isc.org/solutions/dlv and https://dlv.isc.org/about/background. If you want to submit your keys to the dlv.isc.org repository, you can register on https://dlv.isc.org/.
You can find a list of signed TLDs on http://stats.research.icann.org/dns/tld_report/ and http://www.tldwithdnssec.se/. If your TLD is signed, the preferred method is to submit your keys to your registry so that they can create a DS record for your zone. You don't need a DLV record then.
In BIND 9.8 and 9.9, the root zone key from bind.keys can be loaded with dnssec-validation auto; - unfortunately, in BIND 9.7 (which we use) there's no auto option for dnssec-validation (that's why we use dnssec-validation yes;) which means the root zone key isn't loaded (see https://www.isc.org/bind-keys). To overcome this issue, we can either add the root zone key from bind.keys...
cat bind.keys
[...] |
vi named.conf.options
options { |
/etc/init.d/bind9 restart
Now let's sign our example.org zone. We do this with the handy zonesigner tool which is a wrapper around dnssec-keygen and dnssec-signzone. Take a look at
man zonesigner
to learn more about its options. (You can specify default values for zonesigner and rollerd in /etc/dnssec-tools/dnssec-tools.conf so that you don't have to specify so many options on the command line - normally the default values in /etc/dnssec-tools/dnssec-tools.conf should be ok.) We can sign our zone as follows:
zonesigner -genkeys -usensec3 -zone example.org pri.example.org
We use NSEC3 here: NSEC3 hashes the owner names in the denial-of-existence records, which makes enumerating the whole zone (zone walking) considerably harder than with plain NSEC, although the hashes can still be brute-forced offline, so don't treat NSEC3 as secrecy for your zone contents.
root@server1:/etc/bind# zonesigner -genkeys -usensec3 -zone example.org pri.example.org
if zonesigner appears hung, strike keys until the program completes
(see the "Entropy" section in the man page for details)
Generating key pair...++++++ .................................................++++++
Generating key pair..............++++++ .........++++++
Generating key pair............................................
.........................................................................
..........................................+++ ......................
.........................................................................
.................................+++
Verifying the zone using the following algorithms: RSASHA256.
Zone signing complete:
Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
ZSKs: 1 active, 1 stand-by, 0 revoked
zone signed successfully
example.org:
KSK (cur) 27916 -b 2048 04/13/12 (example.org-signset-00003)
ZSK (cur) 31560 -b 1024 04/13/12 (example.org-signset-00001)
ZSK (pub) 29958 -b 1024 04/13/12 (example.org-signset-00002)
zone will expire in 4 weeks, 3 days, 0 seconds
DO NOT delete the keys until this time has passed.
root@server1:/etc/bind#
As you see, zonesigner has created three key pairs (each a private/public key pair): a key-signing key (KSK) with the ID 27916 and two zone-signing keys (ZSKs) with the IDs 31560 (current, i.e. the one actually signing) and 29958 (published in the zone but not yet signing). The second ZSK is pre-published so that ZSK rollovers later on can happen without a validation gap: resolvers already have the new key cached when the signatures switch to it. The ZSKs are 1024-bit RSA and the KSK is 2048-bit, which was common practice in 2012; 1024-bit RSA is no longer considered adequate, so for a new deployment use larger keys (zonesigner's -ksklength/-zsklength options, or the corresponding defaults in /etc/dnssec-tools/dnssec-tools.conf). You can learn more about KSKs and ZSKs on https://dlv.isc.org/about/background; http://www.nlnetlabs.nl/publications/dnssec_howto/#x1-400005 has some good information about key rollovers and why two ZSKs are needed.
Let's take a look at the /etc/bind directory now:
ls -l
root@server1:/etc/bind# ls -l
total 100
-rw-r--r-- 1 root root 665 Jan 15 2011 bind.keys
-rw-r--r-- 1 root root 237 Jan 15 2011 db.0
-rw-r--r-- 1 root root 271 Jan 15 2011 db.127
-rw-r--r-- 1 root root 237 Jan 15 2011 db.255
-rw-r--r-- 1 root root 353 Jan 15 2011 db.empty
-rw-r--r-- 1 root root 270 Jan 15 2011 db.local
-rw-r--r-- 1 root root 2994 Jan 15 2011 db.root
-rw-r--r-- 1 root bind 167 Apr 13 10:19 dsset-example.org.
-rw-r--r-- 1 root bind 1910 Apr 13 10:19 example.org.krf
-rw-r--r-- 1 root bind 605 Apr 13 10:19 Kexample.org.+008+27916.key
-rw------- 1 root bind 1776 Apr 13 10:19 Kexample.org.+008+27916.private
-rw-r--r-- 1 root bind 431 Apr 13 10:19 Kexample.org.+008+29958.key
-rw------- 1 root bind 1012 Apr 13 10:19 Kexample.org.+008+29958.private
-rw-r--r-- 1 root bind 431 Apr 13 10:19 Kexample.org.+008+31560.key
-rw------- 1 root bind 1012 Apr 13 10:19 Kexample.org.+008+31560.private
-rw-r--r-- 1 root bind 463 Jan 15 2011 named.conf
-rw-r--r-- 1 root bind 490 Jan 15 2011 named.conf.default-zones
-rw-r--r-- 1 root bind 167 Apr 13 10:18 named.conf.local
-rw-r--r-- 1 root bind 1389 Apr 13 10:17 named.conf.options
-rw-r--r-- 1 root bind 723 Apr 13 10:19 pri.example.org
-rw-r--r-- 1 root bind 5912 Apr 13 10:19 pri.example.org.signed
-rw-r----- 1 bind bind 77 Feb 7 2011 rndc.key
drwxr-s--- 2 root bind 4096 Feb 7 2011 slave
-rw-r--r-- 1 root root 1317 Jan 15 2011 zones.rfc1918
root@server1:/etc/bind#
You should see your three key pairs (Kexample.org.+008+27916, Kexample.org.+008+29958 and Kexample.org.+008+31560, each as a world-readable .key file holding the public DNSKEY record and a .private file readable only by its owner), the signed zone file pri.example.org.signed, zonesigner's key record file example.org.krf and the DS set dsset-example.org.. The .private files are what an attacker would need to forge signatures for your zone: leave them mode 0600, keep them off the slave, and back them up somewhere that is not world-readable.
There's also the file dsset-example.org. which contains the DS records that have to be set up at your registry for your zone. A DS record is a hash of your KSK's DNSKEY record together with its key ID; digest type 1 is SHA-1, and if your registry also accepts a SHA-256 DS (digest type 2) prefer that one:
cat dsset-example.org.
example.org. IN DS 27916 8 1 20390B300F17E32838B309254E572FCC7CB139B3 |
cat example.org.krf
zone "example.org" |
cat pri.example.org.signed
; File written on Fri Apr 13 10:19:34 2012 |
We can use donuts to check if there are any problems with the signed zone file:
donuts --level 8 -v pri.example.org.signed example.org
If everything is ok, you shouldn't see any warnings or errors:
root@server1:/etc/bind# donuts --level 8 -v pri.example.org.signed example.org
--- loading rule file /usr/share/dnssec-tools/donuts/rules/check_nameservers.txt
rules: MEMORIZE_NS_ADDRS DNS_SERVERS_MATCH_DATA
--- loading rule file /usr/share/dnssec-tools/donuts/rules/dns.errors.txt
rules: DNS_SOA_REQUIRED MEMORIZE_NS_CNAME_RECORDS DNS_NS_NO_CNAME
--- loading rule file /usr/share/dnssec-tools/donuts/rules/dnssec.rules.txt
rules: DNSSEC_RRSIG_TTL_MATCH_ORGTTL DNSSEC_MEMORIZE_NS_RECORDS DNSSEC_CHECK_IF_NSEC3
DNSSEC_MISSING_NSEC_RECORD DNSSEC_MISSING_RRSIG_RECORD DNSSEC_RRSIG_NOT_SIGNING_RRSIG DNSSEC_RRSIG_FOR_NS_GLUE_RECORD
DNSSEC_NSEC_FOR_NS_GLUE_RECORD DNSSEC_RRSIG_SIGEXP DNSSEC_NSEC_TTL DNSSEC_NSEC3_TTL DNSSEC_DNSKEY_MUST_HAVE_SAME_NAME
DNSSEC_DNSKEY_PROTOCOL_MUST_BE_3 DNSSEC_BOGUS_NS_MEMORIZE DNSSEC_MISSING_RRSIG_RECORD DNSSEC_RRSIG_TTL_MUST_MATCH_RECORD
DNSSEC_MISSING_NSEC_RECORD DNSSEC_RRSIG_SIGNER_NAME_MATCHES DNSSEC_NSEC_RRSEC_MUST_NOT_BE_ALONE DNSSEC_MEMORIZE_KEYS
DNSSEC_RRSIGS_VERIFY DNSSEC_TWO_ZSKS DNSSEC_OPENSSL_KEY_ISSUES
--- loading rule file /usr/share/dnssec-tools/donuts/rules/nsec_check.rules.txt
rules: DNSSEC_NSEC_MEMORIZE DNSSEC_NSEC3_MEMORIZE DNSSEC_NSEC3_CHECK DNSSEC_NSEC_CHECK
--- loading rule file /usr/share/dnssec-tools/donuts/rules/parent_child.rules.txt
rules: DNS_MULTIPLE_NS DNSSEC_SUB_NOT_SECURE DNSSEC_DNSKEY_PARENT_HAS_VALID_DS DNSSEC_DS_CHILD_HAS_MATCHING_DNSKEY
--- loading rule file /usr/share/dnssec-tools/donuts/rules/recommendations.rules.txt
rules: DNS_REASONABLE_TTLS DNS_NO_DOMAIN_MX_RECORDS
--- Analyzing individual records in pri.example.org.signed
--- Analyzing records for each name in pri.example.org.signed
results on testing example.org:
rules considered: 38
rules tested: 30
records analyzed: 28
names analyzed: 6
errors found: 0
root@server1:/etc/bind#
Let's check the contents of our KSK (we will need this later on to create a trust anchor on our resolver server3 to do some testing before we submit the DS records to the registry):
cat Kexample.org.+008+27916.key
; This is a key-signing key, keyid 27916, for example.org. |
Now open named.conf.local...
vi named.conf.local
... and replace pri.example.org with pri.example.org.signed:
zone "example.org" { |
/etc/init.d/bind9 restart
3 Modifying A Signed Zone (server1)
server1 (master):
If you want to modify the example.org zone (e.g. add/update/delete records), you don't modify pri.example.org.signed, but the unsigned version pri.example.org. After you are finished with your modifications, run
zonesigner -zone example.org pri.example.org
This will increase the serial number of the zone file (so you don't have to increase it manually) and create a new pri.example.org.signed file with the existing keys. named does not notice the new file by itself, so reload the zone afterwards (e.g. rndc reload example.org). Keep in mind that the signatures expire (zonesigner printed "zone will expire in 4 weeks, 3 days" above): even if nothing changes, the zone has to be re-signed and reloaded before that date, or validating resolvers will start answering SERVFAIL for it; chapter 7 shows how rollerd automates this.
4 Enabling DNSSEC On The Slave (server2)
server2 (slave):
Go to the /etc/bind directory:
cd /etc/bind
Do the same changes to named.conf.options that you did on the master (set dnssec-enable yes;, dnssec-validation yes; and dnssec-lookaside auto; in the options area and include /etc/bind/bind.keys):
vi named.conf.options
options { |
vi named.conf.local
... and change sec.example.org to sec.example.org.signed:
zone "example.org" { |
/etc/init.d/bind9 restart
If you have modified the zone file name in named.conf.local, there should now be two zone files for example.org in the slave/ directory, one with the old name and one with the new name:
ls -l slave/
root@server2:/etc/bind# ls -l slave/
total 16
-rw-r--r-- 1 bind bind 5578 Apr 13 10:24 sec.example.org
-rw-r--r-- 1 bind bind 5578 Apr 13 10:30 sec.example.org.signed
root@server2:/etc/bind#
Delete the one with the old name (it's unused now):
rm -f slave/sec.example.org
That's all for the slave - as you see, no keys have to be created or transferred: the public DNSKEY records and the signatures travel as part of the signed zone, and the private keys never leave the master.
5 Enabling DNSSEC On The Resolving DNS (server3)
server3 (resolver):
To make resolving, non-authoritative name servers speak and understand DNSSEC, you essentially just have to do the same changes to named.conf.options as on the master and slave, i.e. set dnssec-enable yes;, dnssec-validation yes; and dnssec-lookaside auto; in the options area and include /etc/bind/bind.keys:
cd /etc/bind
vi named.conf.options
options { |
/etc/init.d/bind9 restart
That would normally be sufficient for a resolver. Now I want to test DNSSEC on the master and slave (test means I haven't submitted the DS records to the registry yet) with the dig command from this resolver, therefore I have to change the configuration a bit.
First I modify /etc/resolv.conf so that this box is the resolver's own client:
vi /etc/resolv.conf
Remove or comment out all other nameservers so that the only nameserver is 127.0.0.1: nameserver 127.0.0.1 |
vi named.conf.options
... and add the IP addresses of the master and the slave DNS server to the forwarders section AND add a managed-keys section that includes the KSK from the example.org zone (see chapter 2). This is our trust anchor for now so that we can test; after the DS records have been set up at your registry, this trust anchor isn't needed anymore because the chain from the root zone key in the bind.keys file then reaches your zone:
options { |
/etc/init.d/bind9 restart
Now we can test the example.org zone with DNSSEC:
dig +dnssec example.org
If everything goes well, you should get an answer with the ad flag set (ad = authenticated data). If the resolver cannot build a chain of trust to the zone it answers without ad, and if the signatures fail to validate it returns SERVFAIL instead of an answer (dig +cd +dnssec shows the records anyway if you need to debug):
root@server3:/etc/bind# dig +dnssec example.org
; <<>> DiG 9.7.3 <<>> +dnssec example.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 756
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;example.org. IN A
;; ANSWER SECTION:
example.org. 3600 IN A 1.2.3.4
example.org. 3600 IN RRSIG A 8 2 3600 20120514071934 20120413071934 31560 example.org.
oGCbVz6tro67wrwDKeG5UOugTjGxXaC1BODdLZtNHo4NAk9iuTQIOdWb ITsNotXqx8qpwhVpxSXEqcjqdyAKH3530A/lxntEDJzAfzLP7s
FIQfpY n2WedeFox6J9U1uNmkg45ddIsWE67AGC8emmsxj2+WieGJ4BpiIvaZgu OuI=
;; AUTHORITY SECTION:
example.org. 86400 IN NS server1.example.com.
example.org. 86400 IN NS server2.example.com.
example.org. 86400 IN RRSIG NS 8 2 86400 20120514071934 20120413071934 31560 example.org.
OYzDYsxaKvzEmI+DCtgbjycy1I1l+O+42UwyR/YAKzEEwRTswIbj/cjb mBb7HmWJVHkqLHw/xWPt9MwjSPyJZyGQtVgrHhmxZSf1vNByqHFU
evUh g1qsRBwFQfoayDKQWC77MkCn6qzYa5W4VxChDYP2rCkgaCuYnWLPm3o8 2RY=
;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Apr 13 10:37:42 2012
;; MSG SIZE rcvd: 453
root@server3:/etc/bind#
Congratulations! Everything is fine with your DNSSEC setup. Now you can make your registrar create DS records in the parent zone or - if your parent zone isn't signed yet - upload your keys to a DLV repository such as https://dlv.isc.org/. After you have done that, you can remove the managed-keys section for example.org from the named.conf.options file and restart BIND; repeat the dig test afterwards to make sure the ad flag is still set, which proves the zone now validates through the parent's DS record (or the DLV entry) rather than through your local trust anchor.
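Two checks worth scripting around this dig test, as an added example (my own shell script, not part of the tutorial or of BIND): whether the resolver actually set the ad flag, and how many days the signatures in the answer have left before they expire, the condition that silently turns a signed zone into SERVFAIL when re-signing is forgotten. The dig output below is a constructed copy of the answer above with the signature continuation lines shortened; the script needs only POSIX sh and awk, and the "now" timestamp is passed in explicitly (YYYYMMDDHHMMSS, as dig prints it) so it runs without GNU date. In production you would pipe dig +dnssec example.org @127.0.0.1 into rrsig_check from cron and alert on a non-zero exit status.

```shell
#!/bin/sh
# Added example (not part of the tutorial): checks over the output of
# "dig +dnssec", run here against a constructed copy of the answer shown above.
# Assumes POSIX sh and awk only; no network access is needed.

# Constructed sample: the shape of the dig answer from server3 above (RRSIG
# continuation lines shortened, they are not needed for these checks).
SAMPLE_DIG=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 756
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1
;; ANSWER SECTION:
example.org. 3600 IN A 1.2.3.4
example.org. 3600 IN RRSIG A 8 2 3600 20120514071934 20120413071934 31560 example.org.
oGCbVz6tro67wrwDKeG5UOugTjGxXaC1BODdLZtNHo4NAk9iuTQIOdWb
;; AUTHORITY SECTION:
example.org. 86400 IN NS server1.example.com.
example.org. 86400 IN NS server2.example.com.
example.org. 86400 IN RRSIG NS 8 2 86400 20120514071934 20120413071934 31560 example.org.
OYzDYsxaKvzEmI+DCtgbjycy1I1l+O+42UwyR/YAKzEEwRTswIbj/cjb'

# Constructed variant: the same answer from a resolver that did not validate
# (no "ad" in the flags line), which is what you get without a trust anchor.
SAMPLE_DIG_NOAD=$(printf '%s\n' "$SAMPLE_DIG" | sed 's/^;; flags: qr rd ra ad;/;; flags: qr rd ra;/')

# Check 1: did the resolver set the AD (authenticated data) flag?
# Reads dig output on stdin; exit 0 if set, 1 otherwise.
dig_has_ad() {
  awk '/^;; flags:/ { for (i = 3; i <= NF; i++) { f = $i; sub(/;$/, "", f); if (f == "ad") ok = 1; if ($i ~ /;$/) break } }
       END { exit (ok ? 0 : 1) }'
}

# Check 2: days until the earliest RRSIG expiry in the answer.  $1 = "now" as
# YYYYMMDDHHMMSS, dig output on stdin.  Prints the number of days (negative if
# already expired) or "none" (exit 1) when the answer carries no RRSIG at all.
rrsig_min_days_left() {
  awk -v now="$1" '
    # Julian day number of a YYYYMMDD string (Fliegel-Van Flandern), so that
    # no GNU date is needed and the day arithmetic is exact
    function jdn(d,    y, m, dd, a) {
      y = substr(d, 1, 4) + 0; m = substr(d, 5, 2) + 0; dd = substr(d, 7, 2) + 0
      a = int((m - 14) / 12)
      return int((1461 * (y + 4800 + a)) / 4) + int((367 * (m - 2 - 12 * a)) / 12) - int((3 * int((y + 4900 + a) / 100)) / 4) + dd - 32075
    }
    # RRSIG presentation format: ... RRSIG <type> <alg> <labels> <origttl> <expiration> <inception> <keytag> <signer>
    $3 == "IN" && $4 == "RRSIG" && length($9) == 14 {
      left = jdn(substr($9, 1, 8)) - jdn(substr(now, 1, 8))
      if (!seen || left < min) { min = left; seen = 1 }
    }
    END { if (!seen) { print "none"; exit 1 } print min }'
}

# Check 3: exit 0 when every signature is good for more than $2 days, 1 when one
# expires within $2 days, 2 when one has already expired, 3 when nothing is signed.
rrsig_check() {
  left=$(rrsig_min_days_left "$1") || { echo "NO RRSIG in answer"; return 3; }
  if [ "$left" -lt 0 ]; then echo "EXPIRED: earliest RRSIG ran out $((-left)) days ago"; return 2; fi
  if [ "$left" -le "$2" ]; then echo "WARN: earliest RRSIG expires in $left days"; return 1; fi
  echo "OK: earliest RRSIG expires in $left days"
  return 0
}

# Demonstration on the constructed samples, "now" being the day of the tutorial's dig
if printf '%s\n' "$SAMPLE_DIG" | dig_has_ad; then echo "validated: AD flag set"; else echo "NOT validated"; fi
if printf '%s\n' "$SAMPLE_DIG_NOAD" | dig_has_ad; then echo "validated: AD flag set"; else echo "NOT validated"; fi
printf '%s\n' "$SAMPLE_DIG" | rrsig_check 20120413071934 7 || true
printf '%s\n' "$SAMPLE_DIG" | rrsig_check 20120510000000 7 || true
```

The expiry check compares dates only, so a warning threshold of a few days leaves time to re-sign; the AD check is only meaningful against a resolver that is configured to validate, because a non-validating resolver never sets the flag regardless of how the zone is signed.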
6 Setting The DS Record At The Registry / Setting A DLV Record
(You can find a list of signed TLDs on http://stats.research.icann.org/dns/tld_report/ and http://www.tldwithdnssec.se/.)
Unfortunately this task cannot be automated. Some registrars allow you to upload your DS records (the contents of the /etc/bind/dsset-example.org. file) through their web interface, while others accept them by email. Contact your registrar and ask if they support DNSSEC and what the preferred way is to submit your DS records. Before you submit anything, make sure the DS records really belong to the KSK that is published in your zone: a DS that does not match any DNSKEY makes the whole zone bogus for every validating resolver.
If your parent zone isn't signed or your registrar has no way of submitting your DS records to the registry, you can use DLV. For example, you can go to https://dlv.isc.org/, register and follow their instructions.
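To cross-check the DS records in dsset-example.org. against the KSK before handing them to the registry, here is an added example (my own script, not from the tutorial or from the dnssec-tools project) that recomputes a DS record from a DNSKEY record the way RFC 4034 defines it: the key tag from the RDATA (appendix B) and the digest over the owner name in wire format followed by the RDATA (section 5.1.4). It assumes POSIX sh with awk, od, base64, sha1sum and sha256sum, and uses a constructed three-byte toy key (example.org. IN DNSKEY 257 3 8 AQID) so that the key tag, 2059, can be verified by hand. Feed it the DNSKEY line from Kexample.org.+008+27916.key to get the real records; they should be identical to what BIND's dnssec-dsfromkey prints and to the lines in the dsset file.

```shell
#!/bin/sh
# Added example (not from the tutorial or dnssec-tools): recompute DS records
# from a DNSKEY record (RFC 4034 section 5.1.4 and appendix B) to cross-check
# the dsset file before it goes to the registry.
# Assumes POSIX sh with awk, od, base64, sha1sum and sha256sum (coreutils).

# Constructed toy KSK with a 3-byte public key so the key tag (2059) can be
# checked by hand; a real line from Kexample.org.+008+27916.key has the same
# shape with a long base64 key.
SAMPLE_DNSKEY='example.org. IN DNSKEY 257 3 8 AQID'

# Owner name in canonical wire format: lowercase, length-prefixed labels, root label.
name_wire() {
  n=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
  printf '%s\n' "$n" | tr '.' '\n' | while IFS= read -r label; do
    printf "\\$(printf '%03o' "${#label}")%s" "$label"
  done
  printf '\000'
}

# DNSKEY RDATA in wire format: flags (2 bytes), protocol, algorithm, public key bytes.
dnskey_rdata_wire() {
  printf "\\$(printf '%03o' $(($1 / 256)))\\$(printf '%03o' $(($1 % 256)))"
  printf "\\$(printf '%03o' "$2")\\$(printf '%03o' "$3")"
  printf '%s' "$4" | base64 -d
}

# Key tag (RFC 4034 appendix B): sum of big-endian 16-bit words of the RDATA,
# carry folded in once, truncated to 16 bits.  RDATA bytes on stdin.
key_tag() {
  od -An -tu1 -v | awk '{ for (i = 1; i <= NF; i++) { ac += ((n % 2 == 0) ? $i * 256 : $i); n++ } }
                        END { ac += int(ac / 65536); print ac % 65536 }'
}

# Print the DS record for one DNSKEY RR; $1 = DNSKEY record text (as in a .key
# file), $2 = digest type: 1 = SHA-1, 2 = SHA-256.
dnskey_to_ds() {
  set -- $(printf '%s\n' "$1" | awk -v dt="$2" '$1 !~ /^;/ {
      for (i = 1; i <= NF; i++) if ($i == "DNSKEY") {
        k = ""; for (j = i + 4; j <= NF; j++) k = k $j
        print $1, $(i + 1), $(i + 2), $(i + 3), k, dt; exit
      } }')
  [ $# -eq 6 ] || { echo "not a DNSKEY record" >&2; return 2; }
  rdata=$(mktemp)
  dnskey_rdata_wire "$2" "$3" "$4" "$5" > "$rdata"
  tag=$(key_tag < "$rdata")
  case "$6" in
    1) digest=$({ name_wire "$1"; cat "$rdata"; } | sha1sum | awk '{ print toupper($1) }') ;;
    2) digest=$({ name_wire "$1"; cat "$rdata"; } | sha256sum | awk '{ print toupper($1) }') ;;
    *) rm -f "$rdata"; echo "unsupported digest type $6" >&2; return 2 ;;
  esac
  rm -f "$rdata"
  printf '%s IN DS %s %s %s %s\n' "$1" "$tag" "$4" "$6" "$digest"
}

# Does the DS computed from a DNSKEY appear in a dsset file?  $3 = dsset file.
# Whitespace is normalised because dnssec-signzone separates the fields with tabs.
ds_in_dsset() {
  want=$(dnskey_to_ds "$1" "$2") || return 2
  tr -s ' \t' ' ' < "$3" | sed 's/ $//' | grep -qxF "$want"
}

# Demonstration on the constructed key: both digest types, as dnssec-signzone writes them
dnskey_to_ds "$SAMPLE_DNSKEY" 1
dnskey_to_ds "$SAMPLE_DNSKEY" 2
```

Run ds_in_dsset with the KSK's DNSKEY line, the digest type and the dsset file path; a non-zero exit means the file you are about to upload does not describe the key your zone actually publishes, which is exactly the situation to catch before the registry installs the DS.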
7 Key Rolling
server1 (master):
Keys (KSKs and ZSKs) are given a limited lifetime so that a key that leaks, or becomes too weak as hardware improves, can only be abused for a bounded period. The lifetimes, like the other defaults for zonesigner and rollerd, are taken from /etc/dnssec-tools/dnssec-tools.conf. (zonesigner's -endtime switch sets something related but different: the end of the signature validity period, i.e. the "zone will expire in 4 weeks, 3 days" figure printed earlier.) Because keys reach the end of their lifetime, we have to replace them - this is called "key rolling". Fortunately, this task can be automated by a daemon called rollerd which takes care of creating new keys, signing zones, etc.
Go to /etc/bind:
cd /etc/bind
Create a file called all.rollrec that contains details about your signed zones, their keys, the contact person for the zone, etc.:
rollinit -zonefile /etc/bind/pri.example.org.signed -keyrec /etc/bind/example.org.krf -admin zonemaster@example.com example.org >> all.rollrec
Repeat this for every signed zone you have. Then start the rollerd daemon as follows:
rollerd -rrfile /etc/bind/all.rollrec -directory /etc/bind
The service automatically goes to the background. ZSK rollovers complete on their own, but a KSK rollover changes the DS record your parent holds: rollerd waits in the middle of a KSK rollover until you have published the new DS at the registry and told it so with rollctl -dspub example.org. Retiring the old KSK before the parent's DS has been updated makes your zone bogus for every validating resolver, so watch rollerd's log for that step. Unfortunately rollerd has no init script, so we have to add the command to /etc/rc.local (before the exit 0 line) to make it start automatically when the system boots:
vi /etc/rc.local
[...] |
8 Automatic Zone File Checks With donutsd
server1 (master):
Finally we can set up automated zone file checks with donutsd (this is optional, but nice to have). donutsd is the daemon belonging to the donuts command we used earlier. It runs in the background, checks your signed zones from time to time and sends an email if there's anything wrong.
First, we create the file /etc/bind/checkzones.txt:
vi /etc/bind/checkzones.txt
Add your zones, one zone per line, each line consisting of the signed zone file, the zone name and the e-mail address that should receive the reports:
/etc/bind/pri.example.org.signed example.org zonemaster@example.com |
Then start donutsd:
donutsd -i /etc/bind/checkzones.txt &
Like rollerd, donutsd has no init script. Therefore we add the following command to /etc/rc.local (before the exit 0 line) to make it start automatically when the system boots:
vi /etc/rc.local
[...] |
9 Links
- DNSSEC HOWTO, a tutorial in disguise: http://www.nlnetlabs.nl/publications/dnssec_howto/
- DNSSEC in 6 minutes: http://www.isc.org/files/DNSSEC_in_6_minutes.pdf
- DNSSEC background: https://dlv.isc.org/about/background
- ISC DLV Registry: https://dlv.isc.org/
- Root and DLV Trust Anchors (bind.keys): https://www.isc.org/bind-keys
- List of signed TLDs: http://stats.research.icann.org/dns/tld_report/ and http://www.tldwithdnssec.se/
- Debian: http://www.debian.org/
- Ubuntu: http://www.ubuntu.com/