Advanced Registry Operations Curriculum
DNSSEC Introduction

1. Install BIND
   # apt-get install bind9

2. Check the files in /etc/bind
   Check and follow the included files:
     named.conf.options        global options
     named.conf.local          your zones
     named.conf.default-zones  root hints, localhost, etc.

3. Disable IPv6
   # ifconfig eth0 inet6 down

4. Start the server
   # /etc/init.d/bind9 start

5. Check that it is working
   # dig @localhost www.isoc.org
   Check with the DNSSEC option:
   # dig @localhost +dnssec www.isoc.org
   Compare the two answers. +dnssec adds an EDNS OPT pseudo-record with the DO bit set
   ("flags: do" in the OPT PSEUDOSECTION), which tells the server the client wants
   DNSSEC records back.

6. Enable DNSSEC in the server
   Edit named.conf.options and include within the options block:
     dnssec-enable yes;
     dnssec-validation yes;
   (Newer BIND releases ignore dnssec-enable and accept "dnssec-validation auto;",
   which loads the root trust anchor shipped with named. The steps below configure
   the anchor by hand, as 9.6 and 9.7 require.)

7. Restart the server
   # /etc/init.d/bind9 restart

8. Query with DNSSEC enabled (the same query as before)
   # dig @localhost +dnssec www.isoc.org

9. Identify the differences (ad flag in the header, RRSIG records in the answer).
   Query other names and note where the ad flag is present. RRSIG records come back
   because the DO bit was set; the ad (Authenticated Data) flag can only be set once
   named has a trust anchor to validate against, which is configured next.

Insert the root DNS key

   Download the root key
   # dig +noall +answer DNSKEY . > raiz

   See the file with the key
   # more raiz
   The file holds both root DNSKEY records: the KSK (flags 257) and the ZSK (flags 256).
   We should compare it with the published key before using it (it might be forged):
   a DNSKEY fetched over plain DNS is not authenticated by anything yet.

   Create a DS record from the downloaded root key
   # dnssec-dsfromkey -f raiz .

   Compare this key (received over DNS) with the published IANA key found in:
   https://data.iana.org/root-anchors/root-anchors.xml
   Each KeyDigest element there gives key tag, algorithm, digest type and digest; the
   DS line for the flags-257 key must match all four fields. Only then edit
   /etc/bind/named.conf and insert the key (use the downloaded key). The syntax is
   different in versions 9.6 and 9.7.

   For 9.6:
   trusted-keys {
       "." 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
                    FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
                    bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
                    X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
                    W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
                    Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
                    QxA+Uk1ihz0=";
   };

   For 9.7:
   managed-keys {
       "." initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
                                FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
                                bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
                                X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
                                W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
                                Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
                                QxA+Uk1ihz0=";
   };

   Caveat: the key above is the 2010 root KSK (key tag 19036). It was replaced by
   KSK-2017 (key tag 20326) in the October 2018 root KSK rollover, so a static
   trusted-keys entry for it no longer validates anything. managed-keys follows
   such rollovers automatically (RFC 5011); trusted-keys never updates. Always take
   the current key from root-anchors.xml rather than from this handout.

   Restart the server
   # /etc/init.d/bind9 restart

   Check the same query now that the root trust anchor is configured
   # dig @localhost +dnssec www.isoc.org
   See the differences from the previous queries (the ad flag, Authenticated Data,
   is now set).

Signing a zone

   Create the keys

   Key for signing the zone (ZSK):
   dnssec-keygen -r /dev/random -a RSASHA1 -b 1024 -n ZONE cctldX.org

   Key for signing the keys (KSK, Secure Entry Point):
   dnssec-keygen -r /dev/random -f KSK -a RSASHA1 -b 1280 -n ZONE cctldX.org

   Look at the generated .key files. Each KcctldX.org.+005+NNNNN.key holds one
   DNSKEY record: 005 is the algorithm number (RSASHA1) and NNNNN the key tag.
   Caveat: RSASHA1 and 1024-bit RSA are lab-only choices; RSASHA1 is NOT RECOMMENDED
   for signing under current guidance (RFC 8624). Use RSASHA256 (8) with 2048-bit
   keys or ECDSAP256SHA256 (13) for anything real. /dev/random may also block on a
   virtual machine that is short of entropy.

   Configure a zone for signing

   Create your own zone cctldX.org (use db.local as a template) and include the
   keys inside the zone file:
   $INCLUDE KcctldX.org.+005+NNNNN.key ; ZSK
   $INCLUDE KcctldX.org.+005+NNNNN.key ; KSK
   (NNNNN differs between the two files; use the tag from each file name.)

   Sign the zone
   dnssec-signzone cctldX.org
   dnssec-signzone takes the zone file name and, without -o, treats that name as
   the origin, so name the file after the zone or pass -o cctldX.org. The output
   is cctldX.org.signed.

   Edit /etc/bind/named.conf.local and add a zone statement whose file is the
   generated .signed file (not the unsigned one).
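The "compare it with the published key" step above is the security boundary of the whole exercise: a DNSKEY fetched over plain DNS is exactly what an attacker on the path could replace. The following script, added here as an example and not part of the original handout, reproduces by hand what dnssec-dsfromkey does (SHA-256 over the owner name in wire form followed by the DNSKEY RDATA, plus the RFC 4034 key tag) and compares the result with the digest IANA publishes for key tag 19036. It assumes a POSIX sh with base64, od, awk and sha256sum; the published digest is copied in from root-anchors.xml, and the DNSKEY is the one in the handout with its whitespace removed.

```shell
#!/bin/sh
# Added example (not from the original handout): recompute the DS digest of the
# root KSK and compare it with the digest published by IANA, so a forged DNSKEY
# answer is caught before it is configured as a trust anchor.
# Assumptions: POSIX sh with base64, od, awk and sha256sum available.

# Root KSK-2010 (flags 257, protocol 3, algorithm 8) from the handout, joined.
ROOT_KSK_B64='AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0='

# Digest type 2 (SHA-256) for key tag 19036, as published in
# https://data.iana.org/root-anchors/root-anchors.xml (copied here by hand).
IANA_DS_19036='49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5'

# dnskey_rdata FLAGS PROTOCOL ALGORITHM BASE64KEY
# Emits the DNSKEY RDATA in wire form: 2-byte flags, 1-byte protocol,
# 1-byte algorithm, then the raw public key bytes.
dnskey_rdata() {
    # First printf builds octal escapes such as \001\001\003\010; the outer
    # printf turns them into the actual bytes.
    printf "$(printf '\\%03o\\%03o\\%03o\\%03o' $(($1 / 256)) $(($1 % 256)) "$2" "$3")"
    printf '%s' "$4" | base64 -d
}

# ds_digest FLAGS PROTOCOL ALGORITHM BASE64KEY
# DS digest type 2 = SHA-256(owner name in wire form || DNSKEY RDATA).
# The owner here is the root ".", whose wire form is a single zero byte.
ds_digest() {
    { printf '\000'; dnskey_rdata "$@"; } | sha256sum | awk '{ print toupper($1) }'
}

# key_tag FLAGS PROTOCOL ALGORITHM BASE64KEY
# Key tag per RFC 4034 Appendix B: add even-offset bytes shifted left by 8 and
# odd-offset bytes as-is, fold the carry back in, keep the low 16 bits.
key_tag() {
    dnskey_rdata "$@" | od -An -v -tu1 | awk '
        { for (i = 1; i <= NF; i++) { ac += (n % 2) ? $i : $i * 256; n++ } }
        END { ac += int(ac / 65536) % 65536; printf "%d\n", ac % 65536 }'
}

# verify_anchor FLAGS PROTOCOL ALGORITHM BASE64KEY EXPECTED_DIGEST
# Returns 0 only if the locally computed digest equals the published one.
verify_anchor() {
    [ "$(ds_digest "$1" "$2" "$3" "$4")" = "$5" ]
}

# Print the DS record in the form dnssec-dsfromkey would, then the verdict.
printf '. IN DS %s 8 2 %s\n' \
    "$(key_tag 257 3 8 "$ROOT_KSK_B64")" "$(ds_digest 257 3 8 "$ROOT_KSK_B64")"
if verify_anchor 257 3 8 "$ROOT_KSK_B64" "$IANA_DS_19036"; then
    echo "OK: downloaded root KSK matches the IANA trust anchor"
else
    echo "MISMATCH: do not configure this key as a trust anchor" >&2
fi
```

To check a freshly downloaded file instead of the embedded constant, take the flags-257 line out of raiz, join its base64 fields and pass them to verify_anchor together with the digest currently listed in root-anchors.xml; the ZSK line (flags 256) is expected not to match, which the comparison makes visible because any change to flags, algorithm or key bytes changes the digest.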
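The "Signing a zone" procedure above, carried through end to end as an added example (not code from the original handout): it generates a ZSK and a KSK, writes a small cctldX.org zone that pulls both keys in with $INCLUDE, signs it with an explicit -o origin, and checks the signed file loads. It assumes BIND's dnssec-keygen, dnssec-signzone and named-checkzone are installed and uses RSASHA256 (algorithm 8) instead of the handout's RSASHA1, so the key files are named KcctldX.org.+008+NNNNN. The zone records (ns1, www, the 192.0.2.0/24 documentation addresses) are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original handout): generate a ZSK/KSK pair for
# cctldX.org, build a zone file that $INCLUDEs both keys, sign it and verify it.
# Assumptions: dnssec-keygen, dnssec-signzone and named-checkzone are installed.
# Zone content below is constructed for the example.

ZONE=cctldX.org

# write_zone DIR ZSK_BASE KSK_BASE
# Writes DIR/db.$ZONE with $INCLUDE lines for the two key files and prints
# the path. ZSK_BASE/KSK_BASE are key file basenames such as
# KcctldX.org.+008+12345 (what dnssec-keygen prints on stdout).
write_zone() {
    dir=$1; zsk=$2; ksk=$3
    cat > "$dir/db.$ZONE" <<EOF
\$TTL 3600
@       IN  SOA ns1.$ZONE. hostmaster.$ZONE. ( 2024010101 7200 3600 1209600 3600 )
        IN  NS  ns1.$ZONE.
ns1     IN  A   192.0.2.1
www     IN  A   192.0.2.10
\$INCLUDE $zsk.key ; ZSK
\$INCLUDE $ksk.key ; KSK
EOF
    printf '%s\n' "$dir/db.$ZONE"
}

# sign_zone DIR
# Returns 0 on success, 2 if the BIND tools are not installed, 1 on any other
# failure. Leaves db.$ZONE.signed plus the K*.key/.private files in DIR.
sign_zone() {
    for t in dnssec-keygen dnssec-signzone named-checkzone; do
        command -v "$t" >/dev/null 2>&1 || return 2
    done
    # Subshell so the cd does not leak into the caller; all paths stay
    # relative, which is also how $INCLUDE resolves the key file names.
    (
        cd "$1" || exit 1
        # -q suppresses progress output; the key basename is still printed.
        zsk=$(dnssec-keygen -q -a RSASHA256 -b 2048 -n ZONE "$ZONE") || exit 1
        ksk=$(dnssec-keygen -q -f KSK -a RSASHA256 -b 2048 -n ZONE "$ZONE") || exit 1
        zone=$(write_zone . "$zsk" "$ksk")
        # The file is db.cctldX.org, not cctldX.org, so -o must give the origin.
        # No key arguments: dnssec-signzone finds the .private files matching
        # the DNSKEY records that $INCLUDE put at the apex.
        dnssec-signzone -o "$ZONE" "$zone" || exit 1
        # The .signed file is what named.conf.local must point at.
        named-checkzone -q "$ZONE" "$zone.signed" || exit 1
    )
}

# Stand-alone run: sign into a scratch directory and report the result.
workdir=$(mktemp -d)
if sign_zone "$workdir"; then
    echo "signed zone written to $workdir/db.$ZONE.signed"
elif [ $? -eq 2 ]; then
    echo "BIND dnssec tools not found; nothing signed" >&2
else
    echo "signing failed" >&2
fi
```

The returned codes let a caller distinguish "tools missing" from a real failure, which matters on a build host where a silently unsigned zone would otherwise be published as if it were signed.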