AROC-EN Mali
DNSSEC Exercise

1. First, install BIND9

    # apt-get install bind9

Check that BIND9 is running:

    # /etc/init.d/bind9 start
    # rndc status


2. BIND9's configuration files are all located in /etc/bind

    # cd /etc/bind

We will create a new zone, dnssec.aroc, and sign it. Because we
want to generate and store keys to go with this new zone, we will
make a directory to keep everything in.

    # mkdir db.dnssec.aroc
    # cd db.dnssec.aroc


3. Create the unsigned zone file:

    # vi dnssec.aroc

This is a normal zone file with no DNSSEC information in it at all.
Here is an example to get you started. Note that a record with a
blank owner name inherits the owner of the record above it, so the
NS record belongs to the apex (@) and the second TXT record belongs
to "test".

    $TTL 3600

    @       SOA     tldXX.aroc. nsrc.nsrc.org. (
                    0               ; serial
                    28800           ; refresh
                    3600            ; retry
                    604800          ; expire
                    3600 )          ; negative-cache TTL

            NS      tldXX.aroc.

    test    TXT     "here is a TXT RRSet, so we have something to sign"
            TXT     "here is another record in the same RRSet"

Check that the zone you created has no errors in it:

    # named-checkzone dnssec.aroc ./dnssec.aroc


4. Create a KSK for the DNSSEC.AROC zone

    # dnssec-keygen -a RSASHA1 -b 2048 -n ZONE -f KSK -r /dev/urandom dnssec.aroc

This is a 2048-bit RSA key, and it is a KSK. The key will be stored
in a file. Find it using ls (or by reading the output of the
dnssec-keygen command), and note down the name of the file.

We are using /dev/urandom above because this is an exercise, and we
don't care about the quality of the random data. Normally you would
not use "-r /dev/urandom"; dnssec-keygen then takes high-quality
random numbers from the Linux kernel, which takes longer.


5. Create a ZSK for the DNSSEC.AROC zone

    # dnssec-keygen -a RSASHA1 -b 1024 -n ZONE -r /dev/urandom dnssec.aroc

This is a 1024-bit RSA key, and we will use it as a ZSK. The key
will again be stored in a file. If you get confused about which key
is which, remember that because of the key sizes we chose, the ZSK
is the small one. Note down the name of the file.

See the step 4 comments about /dev/urandom.


6. Include the KSK and ZSK in the unsigned zone file

Add the following lines to the dnssec.aroc zone file:

    $INCLUDE "/etc/bind/db.dnssec.aroc/<KSK filename>.key"
    $INCLUDE "/etc/bind/db.dnssec.aroc/<ZSK filename>.key"

Check again that the zone file is accurate and contains no errors:

    # named-checkzone dnssec.aroc ./dnssec.aroc

Instead of using $INCLUDE you could copy and paste the DNSKEY records
into the zone. However, when you cut and paste, make sure you do
it properly. There is no need to cut and paste if you use $INCLUDE.


7. Sign the zone!

    # dnssec-signzone -N unixtime dnssec.aroc

Because we are using -N unixtime, we are letting the dnssec-signzone
utility set the SOA serial number. We don't have to update it
ourselves in the unsigned zone file.

Look in your directory and see what you have now.

    # ls
    dnssec.aroc                  Kdnssec.aroc.+005+34222.private
    dnssec.aroc.signed           Kdnssec.aroc.+005+34653.key
    dsset-dnssec.aroc.           Kdnssec.aroc.+005+34653.private
    Kdnssec.aroc.+005+34222.key  keyset-dnssec.aroc.
    #

    dnssec.aroc                  unsigned zone file
    dnssec.aroc.signed           signed zone file
    dsset-dnssec.aroc.           DS record you could send to your parent
    keyset-dnssec.aroc.          the DNSKEY record that the DS record matches
    Kdnssec.aroc.*.key           public keys we generated earlier
    Kdnssec.aroc.*.private       private keys we generated earlier

Check that the signed zone is still valid:

    # named-checkzone dnssec.aroc ./dnssec.aroc.signed


8. Serve the zone

The signed zone is a zone file like any other one -- it just
contains some extra records. To tell BIND9 to serve this zone, we
have to add it to named.conf. The right place to make this change
on Ubuntu is /etc/bind/named.conf.local.

    # cd /etc/bind
    # vi named.conf.local

Add the following to the end of that file:

    zone "dnssec.aroc" {
        type master;
        file "/etc/bind/db.dnssec.aroc/dnssec.aroc.signed";
    };

Check that you have not made any typos by checking the configuration:

    # named-checkconf /etc/bind/named.conf

If there are no errors, you will see no error messages.

Tell BIND9 to reload its configuration:

    # rndc reconfig

Send some queries to your local nameserver and observe the answers:

    # dig @127.0.0.1 dnssec.aroc SOA
    # dig @127.0.0.1 dnssec.aroc DNSKEY
    # dig @127.0.0.1 test.dnssec.aroc TXT

Try adding the +dnssec option, so that you get signatures returned
in your answers:

    # dig @127.0.0.1 dnssec.aroc SOA +dnssec
    # dig @127.0.0.1 dnssec.aroc DNSKEY +dnssec
    # dig @127.0.0.1 test.dnssec.aroc TXT +dnssec

What are the inception and expiry times on the signatures?


9. Remember!

In real life, you will need to re-sign regularly so that your
signatures do not expire.

When you edit the zone, you don't edit the signed copy -- you edit
the unsigned copy, e.g.

    # cd /etc/bind/db.dnssec.aroc
    # vi dnssec.aroc

After you make any change you need to generate new signatures:

    # cd /etc/bind/db.dnssec.aroc
    # dnssec-signzone -N unixtime dnssec.aroc

Remember, because we are using -N unixtime, we are letting the
dnssec-signzone utility set the SOA serial number. We don't have
to update it ourselves in the unsigned zone file.
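As an added example that is not part of the original exercise, here is a small shell function tying together the step 8 question (what are the expiry times on the signatures?) and the step 9 reminder (re-sign before they expire): it pulls the RRSIG records out of dig +dnssec output and lists the ones that expire before a cut-off time. The dig output embedded below is constructed; the key tags are borrowed from the step 7 listing (which of the two is the KSK is an assumption) and the timestamps are made up.

```shell
#!/bin/sh
# Added example, not part of the original exercise: list the RRSIGs in
# 'dig ... +dnssec' output that expire before a cut-off, so you know
# when the zone must be re-signed (step 9).
#
# RRSIG presentation format (RFC 4034):
#   owner TTL IN RRSIG type alg labels origTTL expiration inception keytag signer sig
# expiration and inception are YYYYMMDDHHMMSS in UTC, so two of them
# can be compared directly without converting to epoch seconds.

# Constructed sample answer section; key tags borrowed from the step 7
# listing (which of the two is the KSK is an assumption), times made up.
SAMPLE_DIG='
;; ANSWER SECTION:
test.dnssec.aroc. 3600 IN TXT "here is a TXT RRSet, so we have something to sign"
test.dnssec.aroc. 3600 IN RRSIG TXT 5 3 3600 20240301120000 20240130120000 34653 dnssec.aroc. c29tZXNpZw==
dnssec.aroc. 3600 IN SOA tldXX.aroc. nsrc.nsrc.org. 1706616000 28800 3600 604800 3600
dnssec.aroc. 3600 IN RRSIG SOA 5 2 3600 20240215000000 20240130120000 34653 dnssec.aroc. c29tZXNpZw==
dnssec.aroc. 3600 IN DNSKEY 257 3 5 AwEAAc29tZWtleQ==
dnssec.aroc. 3600 IN RRSIG DNSKEY 5 2 3600 20240301120000 20240130120000 34222 dnssec.aroc. c29tZXNpZw==
'

# rrsig_expiring <dig output> <cutoff YYYYMMDDHHMMSS>
# Prints "owner type keytag expiration" for each RRSIG expiring at or
# before the cut-off. Exit status 0 if none do, 1 if at least one does.
rrsig_expiring() {
    printf '%s\n' "$1" | awk -v cutoff="$2" '
        $4 == "RRSIG" && $9 <= cutoff {
            # $5 = covered type, $9 = expiration, $11 = key tag
            print $1, $5, $11, $9
            found = 1
        }
        END { exit found ? 1 : 0 }'
}

# Real use (GNU date): report anything expiring within the next 7 days.
#   rrsig_expiring "$(dig @127.0.0.1 test.dnssec.aroc TXT +dnssec)" \
#       "$(date -u -d '+7 days' +%Y%m%d%H%M%S)"
# Against the sample, a cut-off of 2024-02-20 reports only the SOA RRSIG.
if rrsig_expiring "$SAMPLE_DIG" 20240220000000; then
    echo "all signatures valid past the cut-off"
else
    echo "re-sign dnssec.aroc: the signatures above expire first"
fi
```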