Agenda: dnssec.2.txt

File dnssec.2.txt, 3.1 KB (added by oflaherty-guatemala, 9 years ago)

Line
1	Advanced Registry Operations Curriculum
2
3	DNSSEC Introduction
4
5	1. Install bind
6
7	# apt-get install bind9
8
9	2. Check the files in /etc/bind
10
11	Check and Follow the include files
12	named.conf
13	options:global options
14	local:your zones,
15	default-zones: route-cache, localhost, etc
16
17	3. Disable IPv6
18
19	# ifconfig eth0 inet6 down
20
21	4. Start the Server
22
23	# /etc/init.d/bind9 start
24
25	5. Check if it's working
26
27	# dig @localhost www.isoc.org
28
29	Check with DNSSEC options
30
31	# dig @localhost +dnssec www.isoc.org
32
33	See the differences between both queries (EDNS)
34
35	6. Enable dnssec in the server
36
37	Edit named.conf.options
38	Include within the options:
39
40	dnssec-enable yes;
41	dnssec-validation yes;
42
43	7. Restart the server
44
45	# /etc/init.d/bind9 restart
46
47	8. Query with DNSSEC enabled (the same query we did before)
48
49	# dig @localhost +dnssec www.isoc.org
50
51	9. Identify the Differences (Flag ad, RRs: RRSIG)
52
53	Query other names and note where the ad flag is present
54
55
56
57	Insert the root DNS key
58
59	Download the root Key
60
61	# dig +noall +answer DNSKEY . > raiz
62
63	See the file with the key
64
65	# more raiz
66
67	We should compare it with the published key before using it (it might be forged).
68	Create a DS record using the downloaded root key
69
70	# dnssec-dsfromkey -f raiz .
71
72	Compare this key (received from the root servers) with the published IANA key found in: https://data.iana.org/root-anchors/root-anchors.xml
73
74	Edit /etc/bind/named.conf
75
76	Insert the Key: (Use the downloaded key)
77
78	Example: (it's different in version 9.6 and 9.7)
79	For 9.6:
80	trusted-keys {
81	"." 257 3 8 "
82	AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
83	FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
84	bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
85	X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
86	W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
87	Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
88	QxA+Uk1ihz0= ";
89	};
90
91	For 9.7
92	managed-keys {
93	"." initial-key 257 3 8 "
94	AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
95	FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
96	bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
97	X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
98	W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
99	Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
100	QxA+Uk1ihz0= ";
101	};
102
103
104	Restart the Server
105
106	# /etc/init.d/bind9 restart
107
108
109	Check the same query with the root zone signed
110
111	# dig @localhost +dnssec www.isoc.org
112
113	See the differences with previous queries (Flag "ad: Autheticated Data)
114
115
116	Signing a zone
117
118	Create the keys
119
120	Llave para firmar las zonas
121
122	dnssec-keygen -r/dev/random -a RSASHA1 -b 1024 -n ZONE cctldX.org
123
124	Llave para firmar las claves (SEP)
125
126	dnssec-keygen -r/dev/random -f KSK -a RSASHA1 -b 1280 -n ZONE cctldX.org
127
128	Ver los archivos .key generados
129
130	Configure a zone for signing
131
132	Create your own zone cctldX.org (Use db.local as an example)
133
134	Include the KEYs dentro del archivo
135
136	$include KcctldX.org.+005+NNNNN.key ; ZSK
137	$include KcctldX.org.+005+NNNNN.key ; KSK
138
139	Sign the zone
140
141	dnssec-signzone cctldX.org
142
143	Edit /etc/bind/named.conf.local and add the zone file generated
144
145
146
147