AROC-EN Mali DNSSEC Exercise

1. First, install BIND9

   # apt-get install bind9

   Check that BIND9 is running

   # /etc/init.d/bind9 start
   # rndc status

2. BIND9's configuration files are all located in /etc/bind

   # cd /etc/bind

   We will create a new zone, dnssec.aroc, and sign it. Because we want to generate and store keys to go with this new zone, we will make a directory to keep everything in.

   # mkdir db.dnssec.aroc
   # cd db.dnssec.aroc

3. Create the unsigned zone file:

   # vi dnssec.aroc

   This is a normal zone file with no DNSSEC information in it at all. Here is an example to get you started.

   $TTL 3600
   @       SOA     tldXX.aroc. nsrc.nsrc.org. (
                           0          ; serial
                           28800      ; refresh
                           3600       ; retry
                           604800     ; expire
                           3600 )     ; negative-cache TTL
           NS      tldXX.aroc.
   test    TXT     "here is a TXT RRSet, so we have something to sign"
           TXT     "here is another record in the same RRSet"

   Check that the zone you created has no errors in it

   # named-checkzone dnssec.aroc ./dnssec.aroc

4. Create KSK for the DNSSEC.AROC zone

   # dnssec-keygen -a RSASHA1 -b 4096 -n ZONE -f KSK -r /dev/urandom dnssec.aroc

   This is a 4096-bit RSA key, and it is a KSK: -f KSK sets the SEP bit, so its DNSKEY record has flags 257 instead of the 256 of a ZSK. The key will be stored in a pair of files, Kdnssec.aroc.+005+NNNNN.key (the public key, as a DNSKEY record) and Kdnssec.aroc.+005+NNNNN.private, where NNNNN is the key tag and 005 is the algorithm number of RSASHA1. Find them using ls (or by reading the output of the dnssec-keygen command), and note down the name of the file.

   We are using /dev/urandom above because this is an exercise, and we don't care about the quality of the random data. Normally you would not use "-r /dev/urandom", and the Linux kernel will obtain high-quality random numbers. This will take longer. (That advice dates from when BIND read /dev/random by default, which blocks until the kernel has gathered enough entropy. On current kernels /dev/urandom is cryptographically strong once seeded, and BIND 9.16 and later ignore -r altogether.)

   RSASHA1 is used here because the exercise was written for it. RFC 8624 now says it must not be used for signing, and some current distributions refuse to generate or validate SHA-1 signatures, so for a real zone use RSASHA256 (algorithm 8) or ECDSAP256SHA256 (algorithm 13) instead.

5. Create ZSK for the DNSSEC.AROC zone

   # dnssec-keygen -a RSASHA1 -b 1024 -n ZONE -r /dev/urandom dnssec.aroc

   This is a 1024-bit RSA key, and we will use it as a ZSK. The key will again be stored in a file. If you get confused about which key is which, remember that because of the key sizes we chose, the ZSK is the small one; you can also look inside the .key files, where the KSK's DNSKEY record begins "257 3 5" and the ZSK's begins "256 3 5". Note down the name of the file. See step 4 comments about /dev/urandom. (1024-bit RSA is used only to keep the exercise quick; it is below today's accepted minimum, which is 2048 bits for an RSA ZSK.)

6. 
   Include KSK and ZSK in the unsigned zone file

   Add the following lines to the dnssec.aroc zone file, one for the KSK file and one for the ZSK file whose names you noted down in steps 4 and 5:

   $INCLUDE "/etc/bind/db.dnssec.aroc/.key"
   $INCLUDE "/etc/bind/db.dnssec.aroc/.key"

   Check again that the zone file is accurate and contains no errors

   # named-checkzone dnssec.aroc ./dnssec.aroc

   Instead of using $INCLUDE you could copy and paste the DNSKEY records into the zone. However, when you cut and paste, make sure you do it properly: a DNSKEY record damaged by a stray line break or a missing character no longer matches its private key, and validators will then reject every signature made with it. There is no need to cut and paste if you use $INCLUDE.

7. Sign the zone!

   # dnssec-signzone -N unixtime dnssec.aroc

   Because we are using -N unixtime, we are letting the dnssec-signzone utility set the SOA serial number. We don't have to update it ourselves in the unsigned zone file. dnssec-signzone finds the keys by their file names in the current directory; it signs the DNSKEY RRset with the KSK (the key carrying the SEP flag) and every other RRset with the ZSK.

   Look in your directory and see what you have, now.

   # ls
   dnssec.aroc                      Kdnssec.aroc.+005+34222.private
   dnssec.aroc.signed               Kdnssec.aroc.+005+34653.key
   dsset-dnssec.aroc.               Kdnssec.aroc.+005+34653.private
   Kdnssec.aroc.+005+34222.key      keyset-dnssec.aroc.

   dnssec.aroc              unsigned zone file
   dnssec.aroc.signed       signed zone file
   dsset-dnssec.aroc.       DS record you could send to your parent
   keyset-dnssec.aroc.      the DNSKEY record that the DS record matches
   Kdnssec.aroc.*.key       public keys we generated earlier
   Kdnssec.aroc.*.private   private keys we generated earlier

   Your key tags will differ from the 34222 and 34653 shown above. The .private files are the secret that lets anyone sign this zone: dnssec-keygen creates them mode 0600, keep them that way, and do not copy them to secondary servers, which only need the signed zone file.

   Check that the signed zone is still valid

   # named-checkzone dnssec.aroc ./dnssec.aroc.signed

   named-checkzone only checks that the file parses; it does not verify any signature. On BIND 9.9 and later, "dnssec-verify -o dnssec.aroc dnssec.aroc.signed" checks that every RRset is correctly signed by a key present in the zone.

8. Serve the zone

   The signed zone is a zone file like any other one -- it just contains some extra records. To tell BIND9 to serve this zone, we have to add it to named.conf. The right place to make this change on Ubuntu is /etc/bind/named.conf.local.

   # cd /etc/bind
   # vi named.conf.local

   Add the following to the end of that file

   zone "dnssec.aroc" {
           type master;
           file "/etc/bind/db.dnssec.aroc/dnssec.aroc.signed";
   };

   Check that you have not made any typos by checking the configuration:

   # named-checkconf /etc/bind/named.conf

   If there are no errors, you will see no error messages. (Adding -z makes named-checkconf also test-load every master zone, which catches a wrong path in the file statement.)
   Tell BIND9 to reload its configuration:

   # rndc reconfig

   Send some queries to your local nameserver and observe the answers:

   # dig @127.0.0.1 dnssec.aroc SOA
   # dig @127.0.0.1 dnssec.aroc DNSKEY
   # dig @127.0.0.1 test.dnssec.aroc TXT

   Try adding the +dnssec option, so that you get signatures returned in your answers:

   # dig @127.0.0.1 dnssec.aroc SOA +dnssec
   # dig @127.0.0.1 dnssec.aroc DNSKEY +dnssec
   # dig @127.0.0.1 test.dnssec.aroc TXT +dnssec

   What are the inception and expiry times on the signatures? (In each RRSIG record they are the two YYYYMMDDHHMMSS fields, expiry first, then inception, both in UTC.) Note that you are querying an authoritative server, so you get the RRSIG records back but no "ad" flag: "ad" is only set by a validating resolver that holds a trust anchor for the zone, and nothing has been given a trust anchor for dnssec.aroc.

9. Remember!

   In real-life, you will need to re-sign regularly so that your signatures do not expire. By default dnssec-signzone sets the inception one hour in the past (to allow for clock skew between you and the validators) and the expiry 30 days after the inception; -s and -e change these. Once the signatures have expired, validating resolvers return SERVFAIL for the whole zone, so re-sign well before that and keep an eye on the expiry times.

   When you edit the zone, you don't edit the signed copy -- you edit the unsigned copy, e.g.

   # cd /etc/bind/db.dnssec.aroc
   # vi dnssec.aroc

   After you make any change you need to generate new signatures

   # cd /etc/bind/db.dnssec.aroc
   # dnssec-signzone -N unixtime dnssec.aroc

   Remember, because we are using -N unixtime, we are letting the dnssec-signzone utility set the SOA serial number. We don't have to update it ourselves in the unsigned zone file. named does not notice that dnssec.aroc.signed has changed until you tell it: run "rndc reload dnssec.aroc" after each signing (rndc reconfig only picks up changes to named.conf and new zones, not changes to zone files that are already loaded).
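   The two points above (reading the inception and expiry times off the RRSIG records, and re-signing before they run out) are easiest to handle with a small checker. The script below is an added example written for this page; it is not part of the AROC exercise and not a BIND tool. It parses RRSIG records in the presentation format dig prints, converts the RFC 4034 YYYYMMDDHHMMSS timestamps to Unix time in pure POSIX sh (no GNU date needed), and warns when any signature has fewer than a chosen number of days left. The sample answer embedded in it is constructed: the key tags and signature bytes are made up, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the AROC exercise or of BIND): warn before the
# RRSIGs in a "dig +dnssec" answer expire. Pure POSIX sh, no GNU date needed.

# Convert a DNSSEC timestamp (YYYYMMDDHHMMSS, always UTC, RFC 4034 3.1.5)
# to Unix epoch seconds with the days-from-civil formula.
ts_to_epoch() {
    ts=$1
    [ "${#ts}" -eq 14 ] || { echo "bad timestamp: $ts" >&2; return 2; }
    y=${ts%??????????}                       # chars 1-4
    t=${ts#????};       mo=${t%????????}     # chars 5-6
    t=${ts#??????};     d=${t%??????}        # chars 7-8
    t=${ts#????????};   h=${t%????}          # chars 9-10
    t=${ts#??????????}; mi=${t%??}           # chars 11-12
    s=${ts#????????????}                     # chars 13-14
    # strip a leading zero so "08"/"09" are not read as octal by $(( ))
    mo=${mo#0}; d=${d#0}; h=${h#0}; mi=${mi#0}; s=${s#0}
    if [ "$mo" -le 2 ]; then y=$((y - 1)); mp=$((mo + 9)); else mp=$((mo - 3)); fi
    era=$((y / 400))
    yoe=$((y - era * 400))
    doy=$(((153 * mp + 2) / 5 + d - 1))
    doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
    days=$((era * 146097 + doe - 719468))
    echo $((days * 86400 + h * 3600 + mi * 60 + s))
}

# $1 = one RRSIG record as dig prints it, $2 = "now" in epoch seconds.
# Prints whole days until expiry. Return codes: 0 valid, 1 not yet valid,
# 2 not an RRSIG / unparsable, 3 already expired.
rrsig_days_left() {
    now=$2
    # shellcheck disable=SC2086  # splitting the record into fields is intended
    set -- $1
    [ "${4:-}" = "RRSIG" ] || { echo "not an RRSIG record: $*" >&2; return 2; }
    # RDATA fields: type-covered alg labels orig-ttl expiration inception keytag signer sig
    exp_epoch=$(ts_to_epoch "$9") || return 2
    inc_epoch=$(ts_to_epoch "${10}") || return 2
    if [ "$now" -lt "$inc_epoch" ]; then
        echo "RRSIG over $5 by key ${11} not yet valid (inception ${10})" >&2
        return 1
    fi
    if [ "$now" -ge "$exp_epoch" ]; then
        echo "RRSIG over $5 by key ${11} EXPIRED at $9" >&2
        echo 0
        return 3
    fi
    echo $(( (exp_epoch - now) / 86400 ))
}

# Read a dig answer on stdin; $1 = now (epoch), $2 = warning threshold in days.
# Returns 1 if any signature is expired, not yet valid, or expiring soon.
check_rrsigs() {
    now=$1; threshold=$2; bad=0
    while IFS= read -r line; do
        # shellcheck disable=SC2086
        set -- $line
        [ "${4:-}" = "RRSIG" ] || continue
        left=$(rrsig_days_left "$line" "$now") || { bad=1; continue; }
        if [ "$left" -lt "$threshold" ]; then
            echo "WARNING: RRSIG over $5 (key ${11}) expires in $left days ($9)"
            bad=1
        fi
    done
    return $bad
}

# Constructed sample in the shape "dig @127.0.0.1 ... +dnssec" prints;
# key tags and signature bytes are invented, not real output.
SAMPLE_ANSWER='test.dnssec.aroc.  3600 IN TXT   "here is a TXT RRSet, so we have something to sign"
test.dnssec.aroc.  3600 IN TXT   "here is another record in the same RRSet"
test.dnssec.aroc.  3600 IN RRSIG TXT 5 3 3600 20240201120000 20231231110000 34222 dnssec.aroc. bWFkZS11cC1zaWduYXR1cmU=
dnssec.aroc.       3600 IN RRSIG DNSKEY 5 2 3600 20240105000000 20231206000000 34653 dnssec.aroc. YW5vdGhlci1mYWtlLXNpZw=='

# Demo over the sample with "now" fixed at 2024-01-01 00:00:00 UTC and a
# 7-day threshold: the DNSKEY signature has 4 days left and is flagged.
# Real use: dig @127.0.0.1 dnssec.aroc AXFR +dnssec | check_rrsigs "$(date +%s)" 7
printf '%s\n' "$SAMPLE_ANSWER" | check_rrsigs 1704067200 7 || echo "re-sign dnssec.aroc now"
```

   The timestamp conversion is done by hand because the BSD and GNU date commands disagree on how to parse a date, and a cron job that silently prints nothing is exactly what you do not want from an expiry monitor. Run it against an AXFR from your own server so that every RRSIG in the zone is covered, not just the ones a single query happens to return.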