1 | Advanced Registry Operations Curriculum |
---|
2 | |
---|
3 | DNSSEC Introduction |
---|
4 | |
---|
5 | 1. Install bind |
---|
6 | |
---|
7 | # apt-get install bind9 |
---|
8 | |
---|
9 | 2. Check the files in /etc/bind |
---|
10 | |
---|
11 | Check and Follow the include files |
---|
12 | named.conf |
---|
13 | options:global options |
---|
14 | local:your zones, |
---|
15 | default-zones: route-cache, localhost, etc |
---|
16 | |
---|
17 | 3. Disable IPv6 |
---|
18 | |
---|
19 | # ifconfig eth0 inet6 down |
---|
20 | |
---|
21 | 4. Start the Server |
---|
22 | |
---|
23 | # /etc/init.d/bind9 start |
---|
24 | |
---|
25 | 5. Check if it's working |
---|
26 | |
---|
27 | # dig @localhost www.isoc.org |
---|
28 | |
---|
29 | Check with DNSSEC options |
---|
30 | |
---|
31 | # dig @localhost +dnssec www.isoc.org |
---|
32 | |
---|
33 | See the differences between both queries (EDNS) |
---|
34 | |
---|
35 | 6. Enable dnssec in the server |
---|
36 | |
---|
37 | Edit named.conf.options |
---|
38 | Include within the options: |
---|
39 | |
---|
40 | dnssec-enable yes; |
---|
41 | dnssec-validation yes; |
---|
42 | |
---|
43 | 7. Restart the server |
---|
44 | |
---|
45 | # /etc/init.d/bind9 restart |
---|
46 | |
---|
47 | 8. Query with DNSSEC enabled (the same query we did before) |
---|
48 | |
---|
49 | # dig @localhost +dnssec www.isoc.org |
---|
50 | |
---|
51 | 9. Identify the Differences (Flag ad, RRs: RRSIG) |
---|
52 | |
---|
53 | Query other names and note where the ad flag is present |
---|
54 | |
---|
55 | |
---|
56 | |
---|
57 | Insert the root DNS key |
---|
58 | |
---|
59 | Download the root Key |
---|
60 | |
---|
61 | # dig +noall +answer DNSKEY . > raiz |
---|
62 | |
---|
63 | See the file with the key |
---|
64 | |
---|
65 | # more raiz |
---|
66 | |
---|
67 | We should compare it with the published key before using it (it might be forged). |
---|
68 | Create a DS record using the downloaded root key |
---|
69 | |
---|
70 | # dnssec-dsfromkey -f raiz . |
---|
71 | |
---|
72 | Compare this key (received from the root servers) with the published IANA key found in: https://data.iana.org/root-anchors/root-anchors.xml |
---|
73 | |
---|
74 | Edit /etc/bind/named.conf |
---|
75 | |
---|
76 | Insert the Key: (Use the downloaded key) |
---|
77 | |
---|
78 | Example: (it's different in version 9.6 and 9.7) |
---|
79 | For 9.6: |
---|
80 | trusted-keys { |
---|
81 | "." 257 3 8 " |
---|
82 | AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF |
---|
83 | FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX |
---|
84 | bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD |
---|
85 | X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz |
---|
86 | W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS |
---|
87 | Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq |
---|
88 | QxA+Uk1ihz0= "; |
---|
89 | }; |
---|
90 | |
---|
91 | For 9.7 |
---|
92 | managed-keys { |
---|
93 | "." initial-key 257 3 8 " |
---|
94 | AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF |
---|
95 | FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX |
---|
96 | bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD |
---|
97 | X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz |
---|
98 | W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS |
---|
99 | Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq |
---|
100 | QxA+Uk1ihz0= "; |
---|
101 | }; |
---|
102 | |
---|
103 | |
---|
104 | Restart the Server |
---|
105 | |
---|
106 | # /etc/init.d/bind9 restart |
---|
107 | |
---|
108 | |
---|
109 | Check the same query with the root zone signed |
---|
110 | |
---|
111 | # dig @localhost +dnssec www.isoc.org |
---|
112 | |
---|
113 | See the differences with previous queries (Flag "ad: Autheticated Data) |
---|
114 | |
---|
115 | |
---|
116 | Signing a zone |
---|
117 | |
---|
118 | Create the keys |
---|
119 | |
---|
120 | Llave para firmar las zonas |
---|
121 | |
---|
122 | dnssec-keygen -r/dev/random -a RSASHA1 -b 1024 -n ZONE cctldX.org |
---|
123 | |
---|
124 | Llave para firmar las claves (SEP) |
---|
125 | |
---|
126 | dnssec-keygen -r/dev/random -f KSK -a RSASHA1 -b 1280 -n ZONE cctldX.org |
---|
127 | |
---|
128 | Ver los archivos .key generados |
---|
129 | |
---|
130 | Configure a zone for signing |
---|
131 | |
---|
132 | Create your own zone cctldX.org (Use db.local as an example) |
---|
133 | |
---|
134 | Include the KEYs dentro del archivo |
---|
135 | |
---|
136 | $include KcctldX.org.+005+NNNNN.key ; ZSK |
---|
137 | $include KcctldX.org.+005+NNNNN.key ; KSK |
---|
138 | |
---|
139 | Sign the zone |
---|
140 | |
---|
141 | dnssec-signzone cctldX.org |
---|
142 | |
---|
143 | Edit /etc/bind/named.conf.local and add the zone file generated |
---|
144 | |
---|
145 | |
---|
146 | |
---|
147 | |
---|