File AROC-EN-Introduction-to-DNSSEC.txt, 5.3 KB (added by nocadmin, 9 years ago)
AROC-EN Mali
DNSSEC Exercise

1. First, install BIND9

  # apt-get install bind9

Start BIND9 and check that it is running

  # /etc/init.d/bind9 start
  # rndc status


2. BIND9's configuration files are all located in /etc/bind

  # cd /etc/bind

We will create a new zone, dnssec.aroc, and sign it. Because we
want to generate and store keys to go with this new zone, we will
make a directory to keep everything in.

  # mkdir db.dnssec.aroc
  # cd db.dnssec.aroc


3. Create the unsigned zone file:

  # vi dnssec.aroc

This is a normal zone file with no DNSSEC information in it at all.
Here is an example to get you started.

  $TTL 3600

  @          SOA      tldXX.aroc. nsrc.nsrc.org. (
                        0           ; serial
                        28800       ; refresh
                        3600        ; retry
                        604800      ; expire
                        3600 )      ; negative-cache TTL

             NS       tldXX.aroc.

  test       TXT      "here is a TXT RRSet, so we have something to sign"
             TXT      "here is another record in the same RRSet"

Check that the zone you created has no errors in it

  # named-checkzone dnssec.aroc ./dnssec.aroc


4. Create KSK for the DNSSEC.AROC zone

  # dnssec-keygen -a RSASHA1 -b 4096 -n ZONE -f KSK -r /dev/urandom dnssec.aroc

This is a 4096-bit RSA key, and "-f KSK" marks it as a KSK: it sets the
SEP bit, so the DNSKEY record carries flags 257 instead of 256. The key
is stored in a pair of files named K<zone>+<algorithm>+<key tag>.key
(the public DNSKEY record) and .private. Find them using ls (or by
reading the output of the dnssec-keygen command), and note down the
name of the file.

RSASHA1 (algorithm 5) is used here because this is an exercise. It is
not recommended for signing new zones (RFC 8624); for a real zone use
RSASHA256 (algorithm 8) or ECDSAP256SHA256 (algorithm 13) instead.

We are using -r /dev/urandom above because this is an exercise, and we
don't care about the quality of the random data. Without "-r", older
versions of dnssec-keygen read from /dev/random, which blocks until the
Linux kernel has gathered enough entropy, so generating a 4096-bit key
can take a long time on an idle machine.


5. Create ZSK for the DNSSEC.AROC zone

  # dnssec-keygen -a RSASHA1 -b 1024 -n ZONE -r /dev/urandom dnssec.aroc

This is a 1024-bit RSA key, and we will use it as a ZSK (there is no
"-f KSK", so the DNSKEY record carries flags 256). The key will again
be stored in a pair of files. If you get confused about which key is
which, remember that because of the key sizes we chose, the ZSK is the
small one; you can also look at the flags field in each .key file: 257
is the KSK, 256 is the ZSK. Note down the name of the file.

See step 4 comments about /dev/urandom and the choice of RSASHA1. A
1024-bit RSA key is also too short for anything but an exercise.


6. Include KSK and ZSK in the unsigned zone file

Add the following lines to the dnssec.aroc zone file:

  $INCLUDE "/etc/bind/db.dnssec.aroc/<KSK filename>.key"
  $INCLUDE "/etc/bind/db.dnssec.aroc/<ZSK filename>.key"

Check again that the zone file is accurate and contains no errors

  # named-checkzone dnssec.aroc ./dnssec.aroc

Instead of using $INCLUDE you could copy and paste the DNSKEY records
into the zone. However, a DNSKEY record is one long base64 string, and
a line that gets wrapped, truncated or altered while pasting gives you
a DNSKEY that no longer matches the private key, so signing or
validation fails. There is no need to cut and paste if you use $INCLUDE.


7. Sign the zone!

  # dnssec-signzone -N unixtime dnssec.aroc

Because we are using -N unixtime, we are letting the dnssec-signzone
utility set the SOA serial number (to the current Unix time). We don't
have to update it ourselves in the unsigned zone file.

Look in your directory and see what you have now.

  # ls
  dnssec.aroc                  Kdnssec.aroc.+005+34222.private
  dnssec.aroc.signed           Kdnssec.aroc.+005+34653.key
  dsset-dnssec.aroc.           Kdnssec.aroc.+005+34653.private
  Kdnssec.aroc.+005+34222.key  keyset-dnssec.aroc.
  #

     dnssec.aroc              unsigned zone file
     dnssec.aroc.signed       signed zone file
     dsset-dnssec.aroc.       DS record you could send to your parent
     keyset-dnssec.aroc.      the DNSKEY record that the DS record matches
     Kdnssec.aroc.*.key       public keys we generated earlier
     Kdnssec.aroc.*.private   private keys we generated earlier

The "005" in the file names is the algorithm number (RSASHA1) and the
five digits after it are the key tag, which is the same number you
will see in the RRSIG records later.

Check that the signed zone is still valid

  # named-checkzone dnssec.aroc ./dnssec.aroc.signed


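To see, without guessing from file sizes, which of the two K* files in the listing above is the KSK and which is the ZSK (step 5), and to see where the contents of the dsset- file come from (step 7), the following added example computes the key tag, the key role and the DS record from DNSKEY records. It is not part of the original exercise or of BIND; the key tag follows RFC 4034 Appendix B and the DS digest RFC 4034 section 5.1.4 with digest type 2 (SHA-256, RFC 4509). The DNSKEY records in it are constructed input with deliberately tiny public keys, not real keys, so the arithmetic can be checked by hand.

```python
"""Identify KSK/ZSK from DNSKEY records and build the DS record for the KSK.

Added example, not part of the original exercise. Key tag: RFC 4034 App. B.
DS digest: SHA-256 over (owner name in wire format + DNSKEY RDATA).
The sample DNSKEYs below are constructed, with a tiny public-key field so
the key-tag arithmetic is easy to follow; real RSA keys are far longer.
"""
import base64
import hashlib

# Constructed sample DNSKEYs in zone-file/dig presentation format. "AQAB" is
# base64 for the bytes 01 00 01 (a stand-in for a real public key).
SAMPLE_DNSKEYS = [
    "dnssec.aroc. 3600 IN DNSKEY 257 3 8 AQAB",  # flags 257: zone key + SEP
    "dnssec.aroc. 3600 IN DNSKEY 256 3 8 AQAB",  # flags 256: zone key only
]


def parse_dnskey(line):
    """Split 'owner [ttl] [IN] DNSKEY flags protocol algorithm base64...'."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    return {"owner": fields[0], "flags": flags, "protocol": protocol,
            "algorithm": algorithm, "pubkey": pubkey}


def dnskey_rdata(key):
    """DNSKEY RDATA in wire format: flags(2) protocol(1) algorithm(1) key."""
    return (key["flags"].to_bytes(2, "big")
            + bytes([key["protocol"], key["algorithm"]]) + key["pubkey"])


def key_tag(key):
    """RFC 4034 Appendix B key tag (every algorithm except obsolete RSAMD5)."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(key)):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def key_role(key):
    """Flags: bit 7 (0x100) marks a zone key, bit 15 (0x1) the SEP/KSK bit."""
    if not key["flags"] & 0x100:
        return "not a zone key"
    return "KSK" if key["flags"] & 0x1 else "ZSK"


def key_filename(key):
    """Base name dnssec-keygen uses: K<owner>+<alg, 3 digits>+<tag, 5 digits>."""
    return "K%s+%03d+%05d" % (key["owner"], key["algorithm"], key_tag(key))


def wire_name(name):
    """Owner name in canonical (lowercase, uncompressed) wire format."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_record(key, digest_type=2):
    """DS record a parent would publish: digest over owner name + DNSKEY RDATA."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(wire_name(key["owner"]) + dnskey_rdata(key)).hexdigest().upper()
    return "%s IN DS %d %d %d %s" % (key["owner"], key_tag(key),
                                    key["algorithm"], digest_type, digest)


def describe_keys(lines):
    """(key file base name, role) for each DNSKEY line."""
    return [(key_filename(k), key_role(k)) for k in map(parse_dnskey, lines)]


if __name__ == "__main__":
    for line in SAMPLE_DNSKEYS:
        key = parse_dnskey(line)
        print(key_filename(key), key_role(key))
        if key_role(key) == "KSK":   # the dsset- file holds the DS for the KSK
            print("  ", ds_record(key))
```

Run it against your own keys by replacing the constructed records with the DNSKEY lines from your K*.key files (or from "dig dnssec.aroc DNSKEY"); the printed base names should match the file names in your directory listing, and the DS line for the KSK should match the digest type 2 entry in dsset-dnssec.aroc.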
8. Serve the zone

The signed zone is a zone file like any other one -- it just
contains some extra records (DNSKEY, RRSIG and NSEC). To tell BIND9 to
serve this zone, we have to add it to named.conf. The right place to
make this change on Ubuntu is /etc/bind/named.conf.local.

  # cd /etc/bind
  # vi named.conf.local

Add the following to the end of that file

  zone "dnssec.aroc" {
    type master;
    file "/etc/bind/db.dnssec.aroc/dnssec.aroc.signed";
  };

Check that you have not made any typos by checking the configuration:

  # named-checkconf /etc/bind/named.conf

If there are no errors, you will see no error messages.

Tell BIND9 to reload its configuration and pick up the new zone:

  # rndc reconfig

Send some queries to your local nameserver and observe the answers:

  # dig @127.0.0.1 dnssec.aroc SOA
  # dig @127.0.0.1 dnssec.aroc DNSKEY
  # dig @127.0.0.1 test.dnssec.aroc TXT

Try adding the +dnssec option, so that you get signatures (RRSIG
records) returned in your answers:

  # dig @127.0.0.1 dnssec.aroc SOA +dnssec
  # dig @127.0.0.1 dnssec.aroc DNSKEY +dnssec
  # dig @127.0.0.1 test.dnssec.aroc TXT +dnssec

What are the inception and expiry times on the signatures? Which keys
(look at the key tag in each RRSIG) sign the DNSKEY RRset, and which
sign the TXT RRset?

Note that these answers do not carry the AD (authenticated data) flag:
the authoritative server only hands out the signatures. Validation is
done by a validating resolver that has a trust anchor for this zone, or
a DS record for it in the parent zone, and it is that resolver that sets
AD or returns SERVFAIL when validation fails.


9. Remember!

In real-life, you will need to re-sign regularly so that your signatures
do not expire. By default dnssec-signzone makes signatures valid for 30
days, so re-sign well before the expiry time you saw in step 8: once the
RRSIGs expire, validating resolvers can no longer validate the zone's
data and answer SERVFAIL for it.

When you edit the zone, you don't edit the signed copy -- you edit
the unsigned copy, e.g.

  # cd /etc/bind/db.dnssec.aroc
  # vi dnssec.aroc

After you make any change you need to generate new signatures

  # cd /etc/bind/db.dnssec.aroc
  # dnssec-signzone -N unixtime dnssec.aroc

This rewrites dnssec.aroc.signed from the unsigned file, so any change
made directly to the signed copy is lost. BIND9 does not notice the new
file by itself: reload the zone with rndc afterwards so that the new
serial and signatures are served.

Remember, because we are using -N unixtime, we are letting the
dnssec-signzone utility set the SOA serial number. We don't have
to update it ourselves in the unsigned zone file.

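To answer the inception/expiry question from step 8 and to turn the "re-sign regularly" rule above into a check that can run from cron, here is an added example (not part of the original exercise or of BIND) that reads the RRSIG records as dig +dnssec prints them and reports which signatures are valid, about to expire, expired or not yet valid. The RRSIG lines in it are constructed sample input in the presentation format of RFC 4034 section 3.2 (expiration is printed before inception); the base64 signature data is made up and is not verified, only the time fields and key tags are examined. The assumption that tag 34222 is the KSK and 34653 the ZSK is mine; the listing in step 7 does not say which is which.

```python
"""Check RRSIG validity windows and decide whether a zone needs re-signing.

Added example, not part of the original exercise. Times in RRSIG records are
YYYYMMDDHHmmSS in UTC; a validator accepts a signature only when
inception <= now <= expiration (RFC 4035 section 5.3.1).
"""
from datetime import datetime, timedelta, timezone

# Constructed sample output, as if from "dig @127.0.0.1 ... +dnssec" shortly
# after signing with dnssec-signzone's defaults (inception = now - 1 hour,
# expiration = now + 30 days). Assumed: 34222 is the KSK, 34653 the ZSK.
# The signature field is made-up base64, not a real signature.
SAMPLE_RRSIGS = """\
dnssec.aroc.      3600 IN RRSIG SOA 5 2 3600 20130522100000 20130422090000 34653 dnssec.aroc. bWFkZS11cC1zaWduYXR1cmUtZGF0YQ==
test.dnssec.aroc. 3600 IN RRSIG TXT 5 3 3600 20130522100000 20130422090000 34653 dnssec.aroc. bWFkZS11cC1zaWduYXR1cmUtZGF0YQ==
dnssec.aroc.      3600 IN RRSIG DNSKEY 5 2 3600 20130522100000 20130422090000 34222 dnssec.aroc. bWFkZS11cC1zaWduYXR1cmUtZGF0YQ==
"""


def parse_sigtime(s):
    """YYYYMMDDHHmmSS, UTC, as printed by dig (RFC 4034 section 3.2)."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line):
    """Pull the fields out of one RRSIG line in presentation format."""
    f = line.split()
    i = f.index("RRSIG")
    return {"owner": f[0], "type_covered": f[i + 1], "algorithm": int(f[i + 2]),
            "labels": int(f[i + 3]), "original_ttl": int(f[i + 4]),
            "expiration": parse_sigtime(f[i + 5]),   # expiration comes first
            "inception": parse_sigtime(f[i + 6]),
            "key_tag": int(f[i + 7]), "signer": f[i + 8]}


def signature_status(sig, now, resign_margin=timedelta(days=7)):
    """'ok', 'resign' (inside the safety margin), 'expired' or 'not yet valid'."""
    if now < sig["inception"]:
        return "not yet valid"
    if now > sig["expiration"]:
        return "expired"
    if sig["expiration"] - now <= resign_margin:
        return "resign"
    return "ok"


def check_rrsigs(text, now, resign_margin=timedelta(days=7)):
    """One (owner, type covered, key tag, status) per non-empty RRSIG line."""
    out = []
    for line in text.splitlines():
        if line.strip():
            sig = parse_rrsig(line)
            out.append((sig["owner"], sig["type_covered"], sig["key_tag"],
                        signature_status(sig, now, resign_margin)))
    return out


def zone_needs_resigning(text, now, resign_margin=timedelta(days=7)):
    """True if any signature is expired, not yet valid or inside the margin."""
    return any(s != "ok" for _, _, _, s in check_rrsigs(text, now, resign_margin))


if __name__ == "__main__":
    # Walk through the life of the sample signatures at four instants.
    for when in ("20130422093000", "20130501120000", "20130520000000", "20130601000000"):
        now = parse_sigtime(when)
        print(when, "needs re-signing:", zone_needs_resigning(SAMPLE_RRSIGS, now))
        for owner, rtype, tag, status in check_rrsigs(SAMPLE_RRSIGS, now):
            print("   ", owner, rtype, "key", tag, status)
    # For a live zone, feed it "dig @127.0.0.1 dnssec.aroc SOA +dnssec"
    # output and datetime.now(timezone.utc) instead.
```

The seven-day margin is the point: a cron job that re-signs only when this reports "resign" gives you a week of slack before resolvers start failing, and the "not yet valid" case catches a signer whose clock is ahead of the resolvers', which produces signatures nobody will accept yet.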