AROC-EN Mali
DNSSEC Exercise

1. First, install BIND9

    # apt-get install bind9

Check that BIND9 is running

    # /etc/init.d/bind9 start
    # rndc status


2. BIND9's configuration files are all located in /etc/bind

    # cd /etc/bind

We will create a new zone, dnssec.aroc, and sign it. Because we
want to generate and store keys to go with this new zone, we will
make a directory to keep everything in.

    # mkdir db.dnssec.aroc
    # cd db.dnssec.aroc


3. Create the unsigned zone file:

    # vi dnssec.aroc

This is a normal zone file with no DNSSEC information in it at all.
Here is an example to get you started.

    $TTL 3600

    @       SOA     tldXX.aroc. nsrc.nsrc.org. (
                            0        ; serial
                            28800    ; refresh
                            3600     ; retry
                            604800   ; expire
                            3600 )   ; negative-cache TTL

            NS      tldXX.aroc.

    test    TXT     "here is a TXT RRSet, so we have something to sign"
            TXT     "here is another record in the same RRSet"

Check that the zone you created has no errors in it

    # named-checkzone dnssec.aroc ./dnssec.aroc


4. Create KSK for the DNSSEC.AROC zone

    # dnssec-keygen -a RSASHA1 -b 4096 -n ZONE -f KSK -r /dev/urandom dnssec.aroc

This is a 2048-bit RSA key, and it is a KSK. The key will be stored
in a file. Find it using ls (or by reading the output of the
dnssec-keygen command), and note down the name of the file.

We are using /dev/urandom above because this is an exercise, and we don't
care about the quality of the random data. Normally you would not use
"-r /dev/urandom", and the Linux kernel will obtain high-quality random
numbers. This will take longer.


5. Create ZSK for the DNSSEC.AROC zone

    # dnssec-keygen -a RSASHA1 -b 1024 -n ZONE -r /dev/urandom dnssec.aroc

This is a 1024-bit RSA key, and we will use it as a ZSK. The key
will again be stored in a file. If you get confused about which key
is which, remember that because of the key sizes we chose, the ZSK
is the small one. Note down the name of the file.

See step 4 comments about /dev/urandom.


6. Include KSK and ZSK in the unsigned zone file

Add the following lines to the dnssec.aroc zone file:

    $INCLUDE "/etc/bind/db.dnssec.aroc/<KSK filename>.key"
    $INCLUDE "/etc/bind/db.dnssec.aroc/<ZSK filename>.key"

Check again that the zone file is accurate and contains no errors

    # named-checkzone dnssec.aroc ./dnssec.aroc

Instead of using $INCLUDE you could copy and paste the DNSKEY records
into the zone. However, when you cut and paste, make sure you do
it properly. There is no need to cut and paste if you use $INCLUDE.


7. Sign the zone!

    # dnssec-signzone -N unixtime dnssec.aroc

Because we are using -N unixtime, we are letting the dnssec-signzone
utility set the SOA serial number. We don't have to update it
ourselves in the unsigned zone file.

Look in your directory and see what you have now.

    # ls
    dnssec.aroc                   Kdnssec.aroc.+005+34222.private
    dnssec.aroc.signed            Kdnssec.aroc.+005+34653.key
    dsset-dnssec.aroc.            Kdnssec.aroc.+005+34653.private
    Kdnssec.aroc.+005+34222.key   keyset-dnssec.aroc.
    #

    dnssec.aroc               unsigned zone file
    dnssec.aroc.signed        signed zone file
    dsset-dnssec.aroc.        DS record you could send to your parent
    keyset-dnssec.aroc.       the DNSKEY record that the DS record matches
    Kdnssec.aroc.*.key        public keys we generated earlier
    Kdnssec.aroc.*.private    private keys we generated earlier

Check that the signed zone is still valid

    # named-checkzone dnssec.aroc ./dnssec.aroc.signed


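Step 5 tells you to recognise the ZSK by its size, and the listing in step 7 shows the two key pairs as Kdnssec.aroc.+005+34222 and Kdnssec.aroc.+005+34653: the 005 is the algorithm number (RSASHA1) and the last number is the key tag, a checksum of the DNSKEY record. The following Python is an added example, not part of the AROC exercise and not BIND code. It computes the key tag from a DNSKEY record exactly as RFC 4034 Appendix B specifies, reads the KSK/ZSK role off the flags field (257 has the SEP bit set, 256 does not), reports the RSA modulus size, and derives the file name dnssec-keygen would have used. The two DNSKEY records it runs on are constructed with a toy 48-bit key so the arithmetic stays small; real keys are far larger.

```python
# Added example for this exercise (not from the AROC material or BIND itself):
# compute the RFC 4034 key tag of a DNSKEY record, decide from its flags
# whether it is the KSK or the ZSK, and derive the K<zone>+<alg>+<tag>.key
# file name dnssec-keygen uses, so the files in the listing can be told apart.
import base64
import struct

# Algorithm numbers as they appear in the key file names (005 = RSASHA1).
ALGORITHM_NAMES = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256",
                   10: "RSASHA512", 13: "ECDSAP256SHA256"}
RSA_ALGORITHMS = {5, 7, 8, 10}


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """Wire-format DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """Key tag from RFC 4034 Appendix B (all algorithms except the obsolete RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def rsa_modulus_bits(public_key):
    """Modulus size of an RSA DNSKEY public key (RFC 3110 layout: exponent length,
    exponent, modulus). This is the 'key size' that was passed to dnssec-keygen -b."""
    exp_len = public_key[0]
    if exp_len == 0:   # long exponents carry a 2-byte length instead
        exp_len = int.from_bytes(public_key[1:3], "big")
        modulus = public_key[3 + exp_len:]
    else:
        modulus = public_key[1 + exp_len:]
    return int.from_bytes(modulus, "big").bit_length()


def describe_dnskey(line):
    """Parse one presentation-format DNSKEY record (as printed by dig, or as found in
    a Kdnssec.aroc.*.key file) and return its role, key tag, size and file name."""
    fields = line.split(";")[0].split()      # ignore trailing comments
    i = fields.index("DNSKEY")               # skips the optional TTL and class
    flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
    public_key = base64.b64decode("".join(fields[i + 4:]))
    owner = fields[0] if fields[0].endswith(".") else fields[0] + "."
    tag = key_tag(dnskey_rdata(flags, protocol, algorithm, public_key))
    return {
        "owner": owner,
        # Flag value 257 has the SEP bit set: that is the KSK. 256 is a plain ZSK.
        "role": "KSK" if flags & 0x0001 else "ZSK",
        "algorithm": ALGORITHM_NAMES.get(algorithm, str(algorithm)),
        "bits": rsa_modulus_bits(public_key) if algorithm in RSA_ALGORITHMS else None,
        "key_tag": tag,
        # dnssec-keygen names the files K<owner>+<alg, 3 digits>+<tag, 5 digits>.key
        "keyfile": "K%s+%03d+%05d.key" % (owner, algorithm, tag),
    }


# Constructed sample keys: a toy 48-bit "RSA" key (exponent length 1, exponent 3,
# 6-byte modulus) so the arithmetic stays small. Real keys are far larger.
SAMPLE_PUBKEY = base64.b64encode(bytes([0x01, 0x03] + [0xAB] * 6)).decode()
SAMPLE_DNSKEYS = [
    "dnssec.aroc. 3600 IN DNSKEY 257 3 5 " + SAMPLE_PUBKEY,   # KSK
    "dnssec.aroc. 3600 IN DNSKEY 256 3 5 " + SAMPLE_PUBKEY,   # ZSK
]

if __name__ == "__main__":
    for rec in SAMPLE_DNSKEYS:
        d = describe_dnskey(rec)
        print("%s  tag %5d  %s %s bits  -> %s"
              % (d["role"], d["key_tag"], d["algorithm"], d["bits"], d["keyfile"]))
```

Feed it the output of `dig @127.0.0.1 dnssec.aroc DNSKEY` (one record per line) and the key tags it prints should match the numbers embedded in the Kdnssec.aroc.*.key file names; if they do not, the zone is publishing a DNSKEY that does not correspond to the key files you think it does.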
8. Serve the zone

The signed zone is a zone file like any other one -- it just
contains some extra records. To tell BIND9 to serve this zone, we
have to add it to named.conf. The right place to make this change
on Ubuntu is /etc/bind/named.conf.local.

    # cd /etc/bind
    # vi named.conf.local

Add the following to the end of that file

    zone "dnssec.aroc" {
            type master;
            file "/etc/bind/db.dnssec.aroc/dnssec.aroc.signed";
    };

Check that you have not made any typos by checking the configuration:

    # named-checkconf /etc/bind/named.conf

If there are no errors, you will see no error messages.

Tell BIND9 to reload its configuration:

    # rndc reconfig

Send some queries to your local nameserver and observe the answers:

    # dig @127.0.0.1 dnssec.aroc SOA
    # dig @127.0.0.1 dnssec.aroc DNSKEY
    # dig @127.0.0.1 test.dnssec.aroc TXT

Try adding the +dnssec option, so that you get signatures returned
in your answers:

    # dig @127.0.0.1 dnssec.aroc SOA +dnssec
    # dig @127.0.0.1 dnssec.aroc DNSKEY +dnssec
    # dig @127.0.0.1 test.dnssec.aroc TXT +dnssec

What are the inception and expiry times on the signatures?


9. Remember!

In real life, you will need to re-sign regularly so that your signatures
do not expire.

When you edit the zone, you don't edit the signed copy -- you edit
the unsigned copy, e.g.

    # cd /etc/bind/db.dnssec.aroc
    # vi dnssec.aroc

After you make any change you need to generate new signatures

    # cd /etc/bind/db.dnssec.aroc
    # dnssec-signzone -N unixtime dnssec.aroc

Remember, because we are using -N unixtime, we are letting the
dnssec-signzone utility set the SOA serial number. We don't have
to update it ourselves in the unsigned zone file.

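Step 8 asks for the inception and expiry times on the signatures, and step 9 warns that the zone has to be re-signed before they run out. The inception and expiration are the two YYYYMMDDHHmmSS fields in each RRSIG record that `dig ... +dnssec` returns, and a common mistake is to read them in the wrong order: in the RRSIG RDATA the expiration comes before the inception. The Python below is an added example, not part of the AROC exercise and not BIND code. It parses the RRSIG records out of dig output, computes how many days of validity remain relative to a given time, and flags signatures that are expired, not yet valid, or close enough to expiry that the zone should be re-signed. The dig output it runs on is constructed: the key tags 34222 and 34653 are taken from the file listing in step 7, while the dates and the signature data are made up.

```python
# Added example for this exercise (not from the AROC material or BIND itself):
# read the RRSIG records out of `dig ... +dnssec` output, extract the signature
# inception and expiration times, and report which signatures are about to run
# out, i.e. when the zone must be re-signed.
from datetime import datetime, timedelta, timezone


def parse_rrsig_time(text):
    """RRSIG inception/expiration are YYYYMMDDHHmmSS in UTC (RFC 4034 section 3.2)."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(dig_output):
    """Pull every RRSIG record out of dig's answer. Comment lines (';;') are skipped."""
    sigs = []
    for line in dig_output.splitlines():
        if line.startswith(";"):
            continue
        fields = line.split()
        if "RRSIG" not in fields:
            continue
        i = fields.index("RRSIG")
        # RRSIG RDATA order: type covered, algorithm, labels, original TTL,
        # EXPIRATION, INCEPTION (expiration comes first), key tag, signer, signature.
        sigs.append({
            "owner": fields[0],
            "type_covered": fields[i + 1],
            "algorithm": int(fields[i + 2]),
            "expiration": parse_rrsig_time(fields[i + 5]),
            "inception": parse_rrsig_time(fields[i + 6]),
            "key_tag": int(fields[i + 7]),
            "signer": fields[i + 8],
        })
    return sigs


def check_signatures(dig_output, now, warn_within=timedelta(days=7)):
    """Classify each signature relative to `now` and say how many days of validity remain."""
    report = []
    for sig in parse_rrsigs(dig_output):
        if now < sig["inception"]:
            status = "not-yet-valid"     # clock skew, or signed with a clock set in the future
        elif now >= sig["expiration"]:
            status = "expired"           # validating resolvers will fail this name now
        elif sig["expiration"] - now <= warn_within:
            status = "expiring-soon"     # re-sign before this turns into "expired"
        else:
            status = "ok"
        days_left = (sig["expiration"] - now).total_seconds() / 86400
        report.append({"owner": sig["owner"], "type": sig["type_covered"],
                       "key_tag": sig["key_tag"], "status": status,
                       "days_left": round(days_left, 1)})
    return report


# Constructed sample: what `dig @127.0.0.1 ... +dnssec` might print for this zone.
# Key tags 34222/34653 come from the file listing in step 7; dates and signature
# data are made up. "c2lnbmF0dXJl" stands in for the real base64 signature.
SAMPLE_DIG = """\
;; ANSWER SECTION:
test.dnssec.aroc. 3600 IN TXT "here is a TXT RRSet, so we have something to sign"
test.dnssec.aroc. 3600 IN TXT "here is another record in the same RRSet"
test.dnssec.aroc. 3600 IN RRSIG TXT 5 3 3600 20100408120000 20100208110000 34653 dnssec.aroc. c2lnbmF0dXJl
dnssec.aroc. 3600 IN RRSIG DNSKEY 5 2 3600 20100310120000 20100208110000 34222 dnssec.aroc. c2lnbmF0dXJl
dnssec.aroc. 3600 IN RRSIG DNSKEY 5 2 3600 20100301120000 20100130110000 34653 dnssec.aroc. c2lnbmF0dXJl
"""
# The "current time" used for the sample run, so the result is reproducible.
SAMPLE_NOW = parse_rrsig_time("20100305120000")


def sample_report():
    return check_signatures(SAMPLE_DIG, SAMPLE_NOW)


if __name__ == "__main__":
    for row in sample_report():
        print("%-20s %-7s tag %5d  %-14s %6.1f days left"
              % (row["owner"], row["type"], row["key_tag"], row["status"], row["days_left"]))
```

In practice you would pass `datetime.now(timezone.utc)` as `now` and run this from cron against the zone's own nameserver; an "expiring-soon" line is the cue to re-run `dnssec-signzone -N unixtime dnssec.aroc` and `rndc reload` well before the expiration time, and an "expired" line means validating resolvers are already refusing the name.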