Agenda: dnssec.txt

File dnssec.txt, 3.1 KB (added by oflaherty-guatemala, 9 years ago)

Line
1	Advanced Registry Operations Curriculum
2
3	DNSSEC Introduction
4
5	1. Install bind - You need openssl before for crypto key features
6
7	# apt-get openssl
8	# apt-get install bind9
9
10	2. Check the files in /etc/bind
11
12	Check and Follow the include files
13	named.conf
14	options:global options
15	local:your zones,
16	default-zones: route-cache, localhost, etc
17
18	3. Disable IPv6
19
20	# ifconfig eth0 inet6 down
21
22	4. Start the Server
23
24	# /etc/init.d/bind9 start
25
26	5. Check if it's working
27
28	# dig @localhost www.isoc.org
29
30	Check with DNSSEC options
31
32	# dig @localhost +dnssec www.isoc.org
33
34	See the differences between both queries (EDNS)
35
36	6. Enable dnssec in the server
37
38	Edit named.conf.options
39	Include within the options:
40
41	dnssec-enable yes;
42	dnssec-validation yes;
43
44	7. Restart the server
45
46	# /etc/init.d/bind9 restart
47
48	8. Query with DNSSEC enabled (the same query we did before)
49
50	# dig @localhost +dnssec www.isoc.org
51
52	9. Identify the Differences (Flag ad, RRs: RRSIG)
53
54	Query other names and note where the ad flag is present
55
56
57
58	Insert the root DNS key
59
60	Download the root Key
61
62	# dig +noall +answer DNSKEY . > raiz
63
64	See the file with the key
65
66	# more raiz
67
68	We should compare it with the published key before using it (it might be forged).
69	Create a DS record using the downloaded root key
70
71	# dnssec-dsfromkey -f raiz .
72
73	Compare this key (received from the root servers) with the published IANA key found in: https://data.iana.org/root-anchors/root-anchors.xml
74
75	Edit /etc/bind/named.conf
76
77	Insert the Key: (Use the downloaded key)
78
79	Example: (it's different in version 9.6 and 9.7)
80	For 9.6:
81	trusted-keys {
82	"." 257 3 8 "
83	AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
84	FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
85	bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
86	X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
87	W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
88	Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
89	QxA+Uk1ihz0= ";
90	};
91
92	For 9.7
93	managed-keys {
94	"." initial-key 257 3 8 "
95	AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
96	FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
97	bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
98	X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
99	W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
100	Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
101	QxA+Uk1ihz0= ";
102	};
103
104
105	Restart the Server
106
107	# /etc/init.d/bind9 restart
108
109
110	Check the same query with the root zone signed
111
112	# dig @localhost +dnssec www.isoc.org
113
114	See the differences with previous queries (Flag "ad: Autheticated Data)
115
116
117	Signing a zone
118
119	Create the keys
120
121	Llave para firmar las zonas
122
123	dnssec-keygen -r/dev/random -a RSASHA1 -b 1024 -n ZONE cctldX.org
124
125	Llave para firmar las claves (SEP)
126
127	dnssec-keygen -r/dev/random -f KSK -a RSASHA1 -b 1280 -n ZONE cctldX.org
128
129	Ver los archivos .key generados
130
131	Configure a zone for signing
132
133	Create your own zone cctldX.org (Use db.local as an example)
134
135	Include the KEYs dentro del archivo
136
137	$include KcctldX.org.+005+NNNNN.key ; ZSK
138	$include KcctldX.org.+005+NNNNN.key ; KSK
139
140	Sign the zone
141
142	dnssec-signzone cctldX.org
143
144	Edit /etc/bind/named.conf.local and add the zone file generated
145
146
147
148