Agenda: dnssec.2.txt

File dnssec.2.txt, 3.1 KB (added by oflaherty-guatemala, 9 years ago)
Advanced Registry Operations Curriculum

DNSSEC Introduction

1. Install bind

        # apt-get install bind9

2. Check the files in /etc/bind

Check and follow the include files:
named.conf
        named.conf.options: global options
        named.conf.local: your zones
        named.conf.default-zones: root hints, localhost and the loopback reverse zones

3. Disable IPv6

        # ifconfig eth0 inet6 down

4. Start the server

        # /etc/init.d/bind9 start

5. Check if it's working

        # dig @localhost www.isoc.org

Check with DNSSEC options

        # dig @localhost +dnssec www.isoc.org

See the differences between both queries (EDNS): +dnssec sets the DO bit, so the answer carries an OPT pseudosection ("EDNS: version: 0, flags: do") and, if the zone is signed, RRSIG records next to the data.
34
6. Enable DNSSEC in the server

Edit named.conf.options
Include within the options block:

        dnssec-enable yes;
        dnssec-validation yes;

(In current BIND 9 releases dnssec-enable is obsolete, DNSSEC is always on; dnssec-validation is the option that matters.)

7. Restart the server

        # /etc/init.d/bind9 restart

8. Query with DNSSEC enabled (the same query we did before)

        # dig @localhost +dnssec www.isoc.org

9. Identify the differences (flag ad, RRs: RRSIG)

Query other names and note where the ad flag is present. The ad (Authenticated Data) flag is only set when the resolver could validate the answer up to a trust anchor it has configured; RRSIG records alone do not mean the data has been validated.
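A small checker for steps 5 to 9, added here as an example and not part of the original handout: it reads a dig answer and reports whether the data was validated (ad flag), merely signed (RRSIGs but no ad), unsigned, or returned without EDNS at all. The sample answers are constructed in dig's output format (documentation addresses, a fake signature) so the script runs offline; the dig_status helper runs a real query against the lab resolver.

```shell
#!/bin/sh
# Added example, not code from the handout. Classifies dig output on stdin:
#   validated            - header flags contain "ad": the resolver validated the
#                          answer up to a trust anchor it has configured
#   signed-not-validated - RRSIGs came back but no "ad": zone is signed, resolver
#                          is not validating (no trust anchor, or validation off)
#   unsigned             - EDNS present (DO bit could be carried) but no RRSIGs
#   no-edns              - no OPT pseudosection: the server or a middlebox dropped
#                          EDNS, so RRSIGs could never have been returned
dnssec_status() {
  awk '
    /^;; flags:/ {
      line = $0
      sub(/^;; flags: */, "", line); sub(/;.*$/, "", line)   # -> "qr rd ra ad"
      n = split(line, f)
      for (i = 1; i <= n; i++) if (f[i] == "ad") ad = 1
    }
    /^; EDNS:/ { edns = 1 }
    $3 == "IN" && $4 == "RRSIG" { rrsig++ }
    END {
      if (ad) print "validated"
      else if (rrsig) print "signed-not-validated"
      else if (edns) print "unsigned"
      else print "no-edns"
    }'
}

# Live use against the lab resolver from the handout (needs dig and network).
dig_status() { dig @"${1:-localhost}" +dnssec "$2" | dnssec_status; }

# Constructed dig-style answer: $1 = header flags, $2 = "rrsig" to add a signature.
# Address and signature are placeholders, not real data.
sample_answer() {
  printf ';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711\n'
  printf ';; flags: %s; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1\n\n' "$1"
  printf ';; OPT PSEUDOSECTION:\n; EDNS: version: 0, flags: do; udp: 4096\n'
  printf ';; ANSWER SECTION:\n'
  printf 'www.isoc.org.\t\t300\tIN\tA\t203.0.113.10\n'
  [ "$2" = rrsig ] && printf 'www.isoc.org.\t\t300\tIN\tRRSIG\tA 8 3 300 20250101000000 20241201000000 12345 isoc.org. Zm9vYmFy\n'
  return 0
}

# Demo over the constructed samples (what steps 5, 8 and 9 look like).
echo "after step 5 (no anchor): $(sample_answer 'qr rd ra' rrsig | dnssec_status)"
echo "after the root key:       $(sample_answer 'qr rd ra ad' rrsig | dnssec_status)"
echo "unsigned zone:            $(sample_answer 'qr rd ra' none | dnssec_status)"
```

The check deliberately looks only at the header flags line for ad: the string "ad" also appears inside names and signatures, so grepping the whole output for it gives false positives.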
54
55
56
Insert the root DNS key

Download the root key

        # dig +noall +answer DNSKEY . > raiz

See the file with the key

        # more raiz

We should compare it with the published key before using it (it might be forged: this answer came over plain DNS and nothing has validated it yet).
Create a DS record from the downloaded root key

        # dnssec-dsfromkey -f raiz .

Compare this DS (computed from the key the root servers sent) with the published IANA trust anchor in https://data.iana.org/root-anchors/root-anchors.xml: key tag, algorithm, digest type and digest must all match, and the entry must be inside its validFrom/validUntil window. Only the KSK (flags 257) is a trust anchor; the ZSK (flags 256) is not listed by IANA.
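The comparison step done by hand, as an added example that is not part of the handout: it recomputes the key tag (RFC 4034 appendix B) and the SHA-256 DS digest of the root KSK from the DNSKEY fields, which is what dnssec-dsfromkey does internally, and matches the result against the digest published for that key tag. The IANA XML is a constructed excerpt with the same element names as the real root-anchors.xml; the key is the KSK-2010 printed later in this handout. Needs only POSIX sh plus base64, od and sha256sum (or openssl).

```shell
#!/bin/sh
# Added example, not code from the handout or from BIND.
ROOT_KSK_2010='AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
QxA+Uk1ihz0='

# Constructed excerpt in the shape of root-anchors.xml (KSK-2010 and KSK-2017 entries).
IANA_XML='<TrustAnchor>
<Zone>.</Zone>
<KeyDigest validFrom="2010-07-15T00:00:00+00:00" validUntil="2019-01-11T00:00:00+00:00">
<KeyTag>19036</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType>
<Digest>49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5</Digest>
</KeyDigest>
<KeyDigest validFrom="2017-02-02T00:00:00+00:00">
<KeyTag>20326</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType>
<Digest>E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D</Digest>
</KeyDigest>
</TrustAnchor>'

octet() { printf "\\$(printf '%03o' "$1")"; }     # emit one byte from an integer 0..255

sha256_hex() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum | cut -d' ' -f1
  else openssl dgst -sha256 | sed 's/^.*= *//'; fi
}

# Owner name in canonical wire form: lowercase labels, each length-prefixed,
# terminated by a zero byte. The root name "." is just the zero byte.
name_wire() {
  n=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
  for label in $(printf '%s' "$n" | tr '.' ' '); do
    octet "${#label}"; printf '%s' "$label"
  done
  octet 0
}

# DNSKEY RDATA: flags (2 bytes) | protocol (1) | algorithm (1) | public key bytes
dnskey_rdata() {  # flags proto alg base64key
  octet $(( $1 >> 8 )); octet $(( $1 & 255 )); octet "$2"; octet "$3"
  printf '%s' "$4" | tr -d ' \t\n' | base64 -d
}

# Key tag, RFC 4034 appendix B: 16-bit sum over the RDATA with carry folded back in.
dnskey_keytag() {  # flags proto alg base64key
  ac=0; i=0
  for b in $(dnskey_rdata "$@" | od -An -v -tu1); do
    if [ $((i % 2)) -eq 0 ]; then ac=$((ac + (b << 8))); else ac=$((ac + b)); fi
    i=$((i + 1))
  done
  ac=$((ac + ((ac >> 16) & 65535)))
  echo $((ac & 65535))
}

# DS digest type 2 = SHA-256(owner name wire form | DNSKEY RDATA), upper-case hex.
dnskey_ds_sha256() {  # owner flags proto alg base64key
  owner=$1; shift
  { name_wire "$owner"; dnskey_rdata "$@"; } | sha256_hex | tr 'a-z' 'A-Z'
}

# Digest published for a key tag (digest type 2 entries only); empty if unknown.
anchor_digest_for_tag() {  # xml keytag
  printf '%s' "$1" | tr '<' '\n' | awk -v want="$2" '
    /^KeyTag>/     { tag = substr($0, 8) }
    /^DigestType>/ { dtype = substr($0, 12) }
    /^Digest>/ && tag == want && dtype == 2 { print toupper(substr($0, 8)) }'
}

# Cross-check: succeeds only if the key received over plain DNS matches the anchor.
verify_anchor() {  # flags proto alg base64key
  tag=$(dnskey_keytag "$@")
  computed=$(dnskey_ds_sha256 . "$@")
  published=$(anchor_digest_for_tag "$IANA_XML" "$tag")
  [ -n "$published" ] && [ "$computed" = "$published" ]
}

echo "key tag: $(dnskey_keytag 257 3 8 "$ROOT_KSK_2010")"
echo "DS:      $(dnskey_ds_sha256 . 257 3 8 "$ROOT_KSK_2010")"
verify_anchor 257 3 8 "$ROOT_KSK_2010" && echo "matches the published anchor"
```

A matching digest proves the key is the one IANA published, not that it is still current: the KSK-2010 entry above carries a validUntil, so check that attribute as well before configuring the key.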
73
Edit /etc/bind/named.conf

Insert the key (use the downloaded key, once it has been verified)

Example (the syntax differs between BIND 9.6 and 9.7):
For 9.6:
trusted-keys {
"." 257 3 8 "
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
QxA+Uk1ihz0= ";
};

For 9.7:
managed-keys {
"." initial-key 257 3 8 "
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
QxA+Uk1ihz0= ";
};

The key shown here is the 2010 root KSK (key tag 19036). The root KSK was rolled in 2018 (KSK-2017, key tag 20326), so take the current anchor from root-anchors.xml rather than copying this one. A trusted-keys entry is static and must be updated by hand; managed-keys (9.7 and later) follows rollovers automatically via RFC 5011 once the initial key is valid.

Restart the server

        # /etc/init.d/bind9 restart

Check the same query now that the root trust anchor is configured

        # dig @localhost +dnssec www.isoc.org

See the differences with previous queries (flag "ad": Authenticated Data)
114
115
Signing a zone

Create the keys

Key for signing the zone (ZSK)

        dnssec-keygen -r/dev/random -a RSASHA1 -b 1024 -n ZONE cctldX.org

Key for signing the keys (KSK, the Secure Entry Point)

        dnssec-keygen -r/dev/random -f KSK -a RSASHA1 -b 1280 -n ZONE cctldX.org

(RSASHA1 with 1024-bit keys is what the lab used at the time; for anything real use RSASHA256 with at least 2048 bits or ECDSAP256SHA256. -r/dev/random picks the randomness source and can block for a long time on a VM with little entropy.)

Look at the generated .key files (each key also has a .private file, which must stay secret)

Configure a zone for signing

Create your own zone cctldX.org (use db.local as a template)

Include the keys inside the zone file (NNNNN is the key tag printed by dnssec-keygen; 005 is the algorithm number of RSASHA1):

        $INCLUDE KcctldX.org.+005+NNNNN.key ; ZSK
        $INCLUDE KcctldX.org.+005+NNNNN.key ; KSK

Sign the zone

        dnssec-signzone cctldX.org

This writes cctldX.org.signed (the file named loads) and dsset-cctldX.org. (the DS record to hand to the parent zone).

Edit /etc/bind/named.conf.local and add the generated zone file (cctldX.org.signed, not the unsigned one)
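The whole signing procedure as one script, added as an example and not part of the handout: it writes a db.local-style zone (contents and addresses are constructed), generates a ZSK and a KSK, appends the $INCLUDE lines with the key names dnssec-keygen prints, signs, and checks the result with named-checkzone. It needs the BIND tools from the bind9 and bind9utils packages installed in step 1, and uses ECDSAP256SHA256 instead of the handout's RSASHA1 keys; the steps are otherwise the same.

```shell
#!/bin/sh
# Added example, not code from the handout. Requires dnssec-keygen, dnssec-signzone
# and named-checkzone on the PATH.
set -e

# Write a minimal zone file (modelled on db.local) for zone $2 into directory $1.
# Serial, addresses and names are constructed for the exercise.
write_zone_file() {
  zone=$2
  cat > "$1/$zone" <<EOF
\$TTL 604800
@       IN  SOA  ns1.$zone. hostmaster.$zone. (
                 2024010101 ; serial (constructed)
                 604800     ; refresh
                 86400      ; retry
                 2419200    ; expire
                 604800 )   ; negative cache TTL
@       IN  NS   ns1.$zone.
ns1     IN  A    192.0.2.1
www     IN  A    192.0.2.80
EOF
}

# Generate ZSK + KSK, include them, sign, sanity-check; prints the signed file name.
sign_zone() {  # $1 = work dir, $2 = zone name
  dir=$1; zone=$2
  mkdir -p "$dir"
  write_zone_file "$dir" "$zone"
  (
    cd "$dir"
    # dnssec-keygen prints the key file base name, e.g. Kcctldx.org.+013+12345
    zsk=$(dnssec-keygen -a ECDSAP256SHA256 -n ZONE "$zone")
    ksk=$(dnssec-keygen -f KSK -a ECDSAP256SHA256 -n ZONE "$zone")
    # Only the public .key files go into the zone; the .private files stay on disk.
    printf '$INCLUDE %s.key ; ZSK\n$INCLUDE %s.key ; KSK\n' "$zsk" "$ksk" >> "$zone"
    # -o: zone origin; -N increment: bump the SOA serial so secondaries notice.
    # Produces <zone>.signed (load this in named.conf.local) and dsset-<zone>.
    dnssec-signzone -o "$zone" -N increment "$zone" >/dev/null
    named-checkzone "$zone" "$zone.signed" >/dev/null
  )
  echo "$dir/$zone.signed"
}

# Number of RRSIG records in a signed zone; every RRset needs at least one.
count_rrsigs() { grep -c '[[:space:]]RRSIG[[:space:]]' "$1"; }

# Usage: ./sign.sh /tmp/dnssec-lab cctldx.org
if [ $# -eq 2 ]; then
  signed=$(sign_zone "$1" "$2")
  echo "signed zone: $signed ($(count_rrsigs "$signed") RRSIGs)"
  echo "DS record for the parent:"
  cat "$1/dsset-$2."
fi
```

After this, the zone block in named.conf.local points at the .signed file; re-run dnssec-signzone (and reload) before the RRSIGs expire, which by default is 30 days after signing.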
144
145
146
147