Advanced Registry Operations Curriculum

DNSSEC Introduction

1. Install bind. OpenSSL must be installed first: the DNSSEC key tools depend on it.

# apt-get install openssl
# apt-get install bind9

2. Check the files in /etc/bind

Read named.conf and follow the files it includes:
named.conf.options: global options
named.conf.local: your zones
named.conf.default-zones: root hints, localhost and its reverse zones

3. Disable IPv6, so that the resolver does not try IPv6 transport on a lab network without IPv6 connectivity (starting named with the -4 option has the same effect)

# ifconfig eth0 inet6 down

4. Start the server

# /etc/init.d/bind9 start

5. Check that it is working

# dig @localhost www.isoc.org

Check with DNSSEC options:

# dig @localhost +dnssec www.isoc.org

Compare the two answers. +dnssec adds an EDNS OPT pseudo-record with the DO bit set (dig shows it as "flags: do" in the OPT PSEUDOSECTION), and for a signed zone the answer then also carries the matching RRSIG records. Without +dnssec the resolver does not return them.

6. Enable DNSSEC in the server

Edit named.conf.options and include within the options block:

dnssec-enable yes;
dnssec-validation yes;

(These directives are for the BIND 9.6/9.7 releases this lab was written for. Newer BIND releases validate by default with dnssec-validation auto, which uses a built-in root trust anchor, and the dnssec-enable option has since been removed.)

7. Restart the server

# /etc/init.d/bind9 restart

8. Query with DNSSEC enabled (the same query as before)

# dig @localhost +dnssec www.isoc.org

9. Identify the differences (ad flag, RRSIG RRs)

Query other names and note where the ad flag is present. The ad (Authenticated Data) flag is only set when the resolver has validated the answer up to a trust anchor it holds. Unless the server already holds one, no trust anchor has been configured at this point, so expect the RRSIG records from signed zones but not the ad flag; unsigned zones return neither.

Insert the root DNS key

Download the root key

# dig +noall +answer DNSKEY . > raiz

Look at the file with the key

# more raiz

The file holds the DNSKEY RRset of the root zone as returned by whatever resolver dig used (the one in /etc/resolv.conf): the KSK has flags 257, the ZSK flags 256. Nothing in this download is authenticated yet, so compare it with the published key before using it: a forged or substituted key installed as trust anchor would let an attacker validate whatever they sign.

Create a DS record from the downloaded root key

# dnssec-dsfromkey -f raiz .

Compare these DS records (key tag and digest, computed from the key received through the resolver) with the IANA trust anchor published at https://data.iana.org/root-anchors/root-anchors.xml. The key tag and digest must match exactly; if they do not, do not install the key.

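The comparison the lab asks for, done by hand. The script below is an added example, not part of the original handout and not a BIND tool: it recomputes the key tag (RFC 4034 Appendix B) and the SHA-256 DS digest (RFC 4034 section 5.1.4) of the root DNSKEY printed in this handout the same way dnssec-dsfromkey does, using only coreutils, and checks the digest against the value IANA publishes in root-anchors.xml for that key. The function and variable names (byte, name_wire, dnskey_rdata, dnskey_keytag, dnskey_ds_sha256, verify_root_anchor, ROOT_KSK_B64, IANA_DS_19036) are this example's own. Because name_wire handles any owner name, the same functions also check the DS of a zone you sign yourself in the "Signing a zone" section, not only the root.

```shell
#!/bin/sh
# Added example for this lab (not from the original handout or from BIND):
# recompute a DNSKEY's key tag and its SHA-256 DS digest with coreutils only,
# i.e. what dnssec-dsfromkey does, and compare the digest with the value IANA
# publishes in root-anchors.xml. All names here are this example's own.

# Input as printed in the lab text: the 2010 root KSK (flags 257, protocol 3, algorithm 8).
ROOT_KSK_B64='AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0='

# Reference value copied from IANA's root-anchors.xml for KeyTag 19036,
# DigestType 2; kept here so the check runs offline.
IANA_DS_19036='49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5'

# Emit one raw byte (0-255) on stdout.
byte() { printf "\\$(printf '%03o' "$1")"; }

# Owner name in canonical wire format: lowercase labels, each length-prefixed,
# terminated by a zero byte ("." becomes the single byte 0x00).
name_wire() {
    name=$(printf '%s' "${1%.}" | tr 'A-Z' 'a-z')
    for label in $(printf '%s' "$name" | tr '.' ' '); do
        byte "${#label}"
        printf '%s' "$label"
    done
    byte 0
}

# DNSKEY RDATA: flags (16-bit big-endian), protocol, algorithm, decoded public key.
dnskey_rdata() {  # flags protocol algorithm base64key
    byte $(( $1 / 256 )); byte $(( $1 % 256 )); byte "$2"; byte "$3"
    printf '%s' "$4" | base64 -d
}

# Key tag (RFC 4034 Appendix B): sum the RDATA as 16-bit big-endian words,
# fold the carry back in, keep the low 16 bits.
dnskey_keytag() {  # flags protocol algorithm base64key
    dnskey_rdata "$@" | od -An -v -tu1 | awk '
        { for (j = 1; j <= NF; j++) { ac += (i % 2 == 0) ? ($j * 256) : $j; i++ } }
        END { ac += int(ac / 65536); printf "%d\n", ac % 65536 }'
}

# SHA-256 of stdin as lowercase hex; uses sha256sum, or openssl if that is absent.
sha256hex() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum | cut -d' ' -f1
    else openssl dgst -sha256 | sed 's/^.*= *//'; fi
}

# DS digest type 2 (RFC 4034 5.1.4): SHA-256 over (canonical owner name || DNSKEY RDATA).
dnskey_ds_sha256() {  # owner flags protocol algorithm base64key
    { name_wire "$1"; dnskey_rdata "$2" "$3" "$4" "$5"; } | sha256hex | tr 'a-f' 'A-F'
}

# Print the DS record for the lab's key and return 0 only if the digest equals
# the IANA value. A forged, substituted or corrupted key fails here.
verify_root_anchor() {
    tag=$(dnskey_keytag 257 3 8 "$ROOT_KSK_B64")
    ds=$(dnskey_ds_sha256 . 257 3 8 "$ROOT_KSK_B64")
    printf '. IN DS %s 8 2 %s\n' "$tag" "$ds"
    [ "$ds" = "$IANA_DS_19036" ]
}

if verify_root_anchor; then echo "OK: key matches the IANA trust anchor"
else echo "MISMATCH: do not install this key"; fi
```

The printed line should be identical to the "8 2" line that dnssec-dsfromkey -f raiz . produces. Note that the reference digest is for the key tag 19036 shown in this handout; when you check a current download, take the KeyTag and Digest elements from the IANA file itself rather than the constant above.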
Edit /etc/bind/named.conf

Insert the key (use the downloaded key; the statement goes at top level, outside the options block)

Example (the syntax differs between version 9.6 and 9.7):
For 9.6:
trusted-keys {
"." 257 3 8 "
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
QxA+Uk1ihz0= ";
};

For 9.7 (managed-keys makes named track root key rollovers automatically per RFC 5011, starting from this initial key; trusted-keys is static and must be updated by hand):
managed-keys {
"." initial-key 257 3 8 "
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
QxA+Uk1ihz0= ";
};

Note: the key shown above is the 2010 root KSK (key tag 19036). It was replaced in the root KSK rollover completed in 2018 and is no longer a valid trust anchor, so take the current key from the IANA page above rather than copying this one.

Restart the server

# /etc/init.d/bind9 restart

Check the same query, now that the server holds a trust anchor for the signed root zone

# dig @localhost +dnssec www.isoc.org

Compare with the previous answers: the ad flag (Authenticated Data) should now be set, because the chain of signatures from the root key down to www.isoc.org validates against the installed anchor.

Signing a zone

Create the keys

Key for signing the zone data (ZSK):

dnssec-keygen -r/dev/random -a RSASHA1 -b 1024 -n ZONE cctldX.org

Key for signing the keys (KSK, the Secure Entry Point):

dnssec-keygen -r/dev/random -f KSK -a RSASHA1 -b 1280 -n ZONE cctldX.org

Look at the generated .key files. Each key pair is written as KcctldX.org.+005+NNNNN.key (the public DNSKEY record) and KcctldX.org.+005+NNNNN.private; 005 is the algorithm number of RSASHA1 and NNNNN the key tag. (On a machine with little entropy /dev/random can block for a long time; -r /dev/urandom avoids that. RSASHA1 and these key sizes are lab values: today you would use RSASHA256 (algorithm 8) or ECDSAP256SHA256 (algorithm 13), and the file names would then carry +008+ or +013+.)

Configure a zone for signing

Create your own zone cctldX.org (use db.local as a template)

Include the keys inside the zone file:

$INCLUDE KcctldX.org.+005+NNNNN.key ; ZSK
$INCLUDE KcctldX.org.+005+NNNNN.key ; KSK

Sign the zone

dnssec-signzone cctldX.org

(The zone file here is named after the zone; if yours has a different name, pass the origin with -o cctldX.org. The private keys are looked up in the current directory.) This writes cctldX.org.signed, which contains the DNSKEYs, the RRSIGs and the NSEC chain, and dsset-cctldX.org., the DS records you would hand to the parent zone. Signatures are valid for 30 days by default, so the zone must be re-signed before they expire.

Edit /etc/bind/named.conf.local and add the generated zone file (the .signed one, not the unsigned original)

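Once the signed zone is loaded, the check a practitioner wants next is whether its signatures are about to expire, since an expired RRSIG makes a validating resolver return SERVFAIL for the whole zone. The script below is an added example, not part of the original handout and not a BIND tool: it reads a signed zone file in one-record-per-line form (real dnssec-signzone output wraps long records in parentheses, so flatten it first) and lists the RRSIGs whose expiration falls on or before a given threshold. The sample zone it writes to a temporary file is constructed with dummy signatures, and the function names rrsig_expiring and rrsig_earliest_expiry are this example's own.

```shell
#!/bin/sh
# Added example for this lab (not from the original handout or from BIND):
# scan a signed zone file for RRSIGs that expire on or before a timestamp.
# dnssec-signzone signatures are valid for 30 days by default, so the zone
# must be re-signed before the earliest one runs out.

SAMPLE_ZONE="${TMPDIR:-/tmp}/cctldX.org.signed.sample"

# Constructed sample in the shape of a signed zone, one record per line, with
# dummy base64 signatures and key: not real dnssec-signzone output.
cat > "$SAMPLE_ZONE" <<'EOF'
; constructed sample, not a real signed zone
cctldX.org.     86400 IN SOA    ns1.cctldX.org. hostmaster.cctldX.org. 2010071301 3600 900 604800 86400
cctldX.org.     86400 IN RRSIG  SOA 5 2 86400 20100812000000 20100713000000 12345 cctldX.org. c29tZXNpZw==
cctldX.org.     86400 IN NS     ns1.cctldX.org.
cctldX.org.     86400 IN RRSIG  NS 5 2 86400 20100812000000 20100713000000 12345 cctldX.org. c29tZXNpZw==
cctldX.org.     86400 IN DNSKEY 256 3 5 c29tZWR1bW15a2V5
cctldX.org.     86400 IN RRSIG  DNSKEY 5 2 86400 20100901000000 20100713000000 54321 cctldX.org. c29tZXNpZw==
ns1.cctldX.org. 86400 IN A      192.0.2.1
ns1.cctldX.org. 86400 IN RRSIG  A 5 3 86400 20100720000000 20100713000000 12345 cctldX.org. c29tZXNpZw==
EOF

# RRSIG RDATA layout (RFC 4034 section 3.1): type-covered algorithm labels
# original-TTL expiration inception key-tag signer signature. With the
# owner, TTL, class and type columns in front, the expiration is field 9.
# Prints "owner type-covered expiration" for every RRSIG expiring at or
# before THRESHOLD (YYYYMMDDHHMMSS, UTC, the same form the zone uses).
rrsig_expiring() {  # ZONEFILE THRESHOLD
    awk -v thr="$2" '
        /^;/ || NF < 12 { next }
        $4 == "RRSIG" && ($9 + 0) <= (thr + 0) { print $1, $5, $9 }
    ' "$1"
}

# Earliest expiration in the zone: the re-signing deadline to alert on.
rrsig_earliest_expiry() {  # ZONEFILE
    awk '$4 == "RRSIG" && (min == "" || $9 < min) { min = $9 } END { print min }' "$1"
}

# Demo with the sample's notional "now" of 2010-07-18 plus a 7-day warning
# window. In production derive the threshold from the clock, for example
# with GNU date: date -u -d '+7 days' +%Y%m%d%H%M%S
echo "RRSIGs expiring within the window:"
rrsig_expiring "$SAMPLE_ZONE" 20100725000000
echo "earliest expiration: $(rrsig_earliest_expiry "$SAMPLE_ZONE")"
```

Run it from cron against the file named in your named.conf.local zone stanza (for this lab, zone "cctldX.org" { type master; file "/etc/bind/cctldX.org.signed"; };) and re-sign when anything is listed; with the sample above and the demo threshold, only the A record's signature of ns1.cctldX.org is reported.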