Agenda: dnssec.txt

File dnssec.txt, 3.1 KB (added by oflaherty-guatemala, 9 years ago)
Advanced Registry Operations Curriculum

DNSSEC Introduction

1. Install bind - you need openssl first for the crypto key features

        # apt-get install openssl
        # apt-get install bind9

2. Check the files in /etc/bind

Check and follow the include files
named.conf
        options: global options
        local: your zones
        default-zones: root hints, localhost, etc

3. Disable IPv6

        # ifconfig eth0 inet6 down

4. Start the server

        # /etc/init.d/bind9 start

5. Check if it's working

        # dig @localhost www.isoc.org

Check with DNSSEC options

        # dig @localhost +dnssec www.isoc.org

See the differences between both queries (EDNS)

6. Enable DNSSEC in the server

Edit named.conf.options
Include within the options block:

        dnssec-enable yes;
        dnssec-validation yes;

7. Restart the server

        # /etc/init.d/bind9 restart

8. Query with DNSSEC enabled (the same query we did before)

        # dig @localhost +dnssec www.isoc.org

9. Identify the differences (flag ad, RRs: RRSIG)

Query other names and note where the ad flag is present


Insert the root DNS key

Download the root key

        # dig +noall +answer DNSKEY . > raiz

See the file with the key

        # more raiz

We should compare it with the published key before using it (it might be forged).
Create a DS record using the downloaded root key

        # dnssec-dsfromkey -f raiz .

Compare this key (received from the root servers) with the published IANA key found in: https://data.iana.org/root-anchors/root-anchors.xml
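The comparison asked for above, as an added example (not part of the original note): it takes the root KSK that is pasted into the named.conf example further down, recomputes the key tag (RFC 4034, Appendix B) and the SHA-256 DS digest (RFC 4509) that `dnssec-dsfromkey` prints, and checks the result against the anchor IANA publishes in root-anchors.xml. The IANA value for that key (KSK-2010, key tag 19036) is copied in as a constant so the check runs offline; for real use fetch the current root-anchors.xml, since the root KSK has been rolled since this note was written.

```python
import base64
import hashlib

# Root KSK as pasted in the trusted-keys / managed-keys example on this page:
# flags 257 (ZONE + SEP bit, i.e. a KSK), protocol 3, algorithm 8 (RSASHA256).
ROOT_KSK = {
    "flags": 257,
    "protocol": 3,
    "algorithm": 8,
    "pubkey_b64": (
        "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF"
        "FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX"
        "bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD"
        "X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz"
        "W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS"
        "Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq"
        "QxA+Uk1ihz0="
    ),
}

# Trust anchor for this key as published by IANA in root-anchors.xml
# (KSK-2010): (KeyTag, Algorithm, DigestType, Digest). Copied here as a
# constant so the comparison runs offline.
IANA_ROOT_ANCHORS = [
    (19036, 8, 2, "49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5"),
]


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """Wire-format DNSKEY RDATA: 2-byte flags, protocol, algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (ones-complement-style 16-bit sum)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case) wire form of an owner name; "." is a single zero byte."""
    if name == ".":
        return b"\x00"
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.lower().encode("ascii")
    return out + b"\x00"


def ds_record(owner: str, key: dict, digest_type: int = 2) -> tuple:
    """Return (key_tag, algorithm, digest_type, digest_hex) for a DNSKEY.

    The digest covers owner-name-in-wire-format || DNSKEY RDATA (RFC 4034 5.1.4).
    """
    rdata = dnskey_rdata(key["flags"], key["protocol"], key["algorithm"], key["pubkey_b64"])
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), key["algorithm"], digest_type, digest)


def ds_line(owner: str, ds: tuple) -> str:
    """Presentation format, the same shape dnssec-dsfromkey prints."""
    return "%s IN DS %d %d %d %s" % ((owner,) + ds)


def matches_iana_anchor(ds: tuple, anchors: list) -> bool:
    """True if the computed DS equals one of the published anchors exactly."""
    return any(ds == tuple(a) for a in anchors)


if __name__ == "__main__":
    ds = ds_record(".", ROOT_KSK)
    print(ds_line(".", ds))
    print("matches IANA root anchor:", matches_iana_anchor(ds, IANA_ROOT_ANCHORS))
```

The comparison is an exact match on all four fields, not just the key tag: the tag is only a 16-bit checksum, so two different keys can share one, and it is the digest that binds the downloaded key to the published anchor. If the output of `dnssec-dsfromkey -f raiz .` and this script agree with root-anchors.xml, the key in `raiz` is safe to paste into named.conf.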

Edit /etc/bind/named.conf

Insert the key (use the downloaded key)

Example (it's different in version 9.6 and 9.7):
For 9.6:
trusted-keys {
"." 257 3 8 "
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
QxA+Uk1ihz0= ";
};

For 9.7:
managed-keys {
"." initial-key 257 3 8 "
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
QxA+Uk1ihz0= ";
};


Restart the server

        # /etc/init.d/bind9 restart


Check the same query with the root zone signed

        # dig @localhost +dnssec www.isoc.org

See the differences with the previous queries (flag "ad": Authenticated Data)


Signing a zone

Create the keys

Key for signing the zones (ZSK)

dnssec-keygen -r /dev/random -a RSASHA1 -b 1024 -n ZONE cctldX.org

Key for signing the keys (KSK, with the SEP flag)

dnssec-keygen -r /dev/random -f KSK -a RSASHA1 -b 1280 -n ZONE cctldX.org

View the generated .key files

Configure a zone for signing

Create your own zone cctldX.org (use db.local as an example)

Include the KEYs inside the zone file

$include KcctldX.org.+005+NNNNN.key ; ZSK
$include KcctldX.org.+005+NNNNN.key ; KSK

Sign the zone

dnssec-signzone cctldX.org

Edit /etc/bind/named.conf.local and add the generated zone file