CourseOutline: quick-dnssec-signing-howto.txt

File quick-dnssec-signing-howto.txt, 2.7 KB (added by regnauld, 9 years ago)

DNSSEC signing howto

One page howto for signing your DNS zone with DNSSEC

*** ON YOUR SERVER ***

1. Change to the directory where the zone resides, normally

        First, verify that DNSSEC is enabled in named.conf (in the options block):

        dnssec-enable yes;

        Then go to where your zone is:

    # cd /etc/namedb/master

        ... there you should find the zone.

        If you do not have one, you can create one:

        # cp empty.db myzone.menog

2. Generate the first key pair (Zone Signing Key)

    # dnssec-keygen -a RSASHA1 -b 1024 -n ZONE myzone.menog
    Kmyzone.menog.+005+51333

3. Generate the second key pair (Key Signing Key)

    # dnssec-keygen -f KSK -a RSASHA1 -b 1280 -n ZONE myzone.menog
    Kmyzone.menog.+005+52159

4. Let's look at the keys (the .private files must stay readable by root only):

    # ls -l Kmyzone.menog.*
    -rw-r--r--  1 root  wheel   203 Feb 15 00:07 Kmyzone.menog.+005+51333.key
    -rw-------  1 root  wheel   937 Feb 15 00:07 Kmyzone.menog.+005+51333.private
    -rw-r--r--  1 root  wheel   247 Feb 15 00:07 Kmyzone.menog.+005+52159.key
    -rw-------  1 root  wheel  1125 Feb 15 00:07 Kmyzone.menog.+005+52159.private

5. Add the public keys to the end of the zone file:

        # vi myzone.menog

    ; Keys to be published in DNSKEY RRset - these are the PUBLIC keys!!!

    $INCLUDE "Kmyzone.menog.+005+51333.key"     ; ZSK
    $INCLUDE "Kmyzone.menog.+005+52159.key"     ; KSK
    ^D

6. Sign the zone with the keys

    # cd /etc/namedb/master

    # dnssec-signzone -g -o myzone.menog -k Kmyzone.menog.+005+52159 myzone.menog Kmyzone.menog.+005+51333

The program will output:

    myzone.menog.signed

    # ls -l myzone.menog.*
    -rw-r--r--  1 root  wheel   292 Feb 15 00:08 myzone.menog
    -rw-r--r--  1 root  wheel  4294 Feb 15 00:20 myzone.menog.signed

7. At the end of /etc/namedb/named.conf, check that the zone is defined:

    zone "myzone.menog" {
            type master;
            file "master/myzone.menog.signed";  // change to the ".signed" copy!
    };

8. Reconfigure/restart your nameserver

9. Upload the dsset for your zone (containing the DS record, i.e. the hash of your key signing key) to the AUTH:

        # scp dsset-myzone.menog. dnssec@10.10.1.203:

        The password is 'dnssec' !
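As an added example (not part of the original howto): a small Python script that derives the DS record carried in the dsset file from a DNSKEY record, following the RFC 4034 key tag and digest rules. The DNSKEY line below is constructed with dummy key material; run on the real KSK .key file it reproduces the DS that dnssec-signzone -g writes, which is a useful cross-check that what you hand to the parent really matches your KSK.

```python
import base64
import hashlib

# Constructed sample: a KSK-style DNSKEY in zone-file presentation format
# (flags 257 = KSK, protocol 3, algorithm 5 = RSASHA1 as used in the howto).
# The key material is a dummy 4-byte value, not a real RSA public key.
SAMPLE_DNSKEY = "myzone.menog. IN DNSKEY 257 3 5 AAECAw=="


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercased, length-prefixed labels."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(line):
    """Return (owner, flags, protocol, algorithm, key_bytes) from a DNSKEY RR line."""
    fields = line.split()
    owner, idx = fields[0], fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[idx + 1 : idx + 4])
    key = base64.b64decode("".join(fields[idx + 4 :]))  # base64 may be split
    return owner, flags, proto, alg, key


def dnskey_rdata(flags, proto, alg, key):
    """DNSKEY RDATA as it appears on the wire: flags(2) proto(1) alg(1) key."""
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + key


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (valid for all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(line, digest_type=2):
    """DS record text for a DNSKEY line; digest type 1 = SHA-1, 2 = SHA-256."""
    owner, flags, proto, alg, key = parse_dnskey(line)
    rdata = dnskey_rdata(flags, proto, alg, key)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {alg} {digest_type} {digest}"


if __name__ == "__main__":
    print(ds_record(SAMPLE_DNSKEY, 1))
    print(ds_record(SAMPLE_DNSKEY, 2))
```

Compare the key tag in the output with the number in the KSK file name (52159 in the howto) and the DS line with the dsset file; a mismatch means the wrong key was published or signed with.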
77
10. Tell the instructor you have done so!


*** ON THE RESOLVER (performed by the instructor) ***

The instructor will set up the AUTH to include your keys


11. Grab the root key

# scp dnssec@10.10.1.203:rootkey /etc/namedb/rootkey
# cat /etc/namedb/rootkey >> /etc/namedb/named.conf

Check that validation is on in named.conf:

options {
        ...
        dnssec-validation yes;
        ...
};

Make sure that "severity debug 3;" is in the dnssec channel definition:

logging {
        ...
        channel dnssec {
                file "log/dnssec";
                severity debug 3;
        };
        ...
};

Restart named

# /etc/rc.d/named restart

CHECK that named is running

12. dig @localhost +dnssec arabic.menog. soa
116