One page howto for signing your DNS zone with DNSSEC
----------------------------------------------------

*** ON YOUR MASTER SERVER ***

1. Change to the directory where the zone resides.

   First, verify that DNSSEC is enabled in /etc/namedb/named.conf:

       dnssec-enable yes;

   Find the definition for your zone ("MYTLD"), and modify it so it looks like this:

       zone "MYTLD" {
           file "/etc/namedb/master/MYTLD";
           type master;
           allow-transfer { key mydomain-key; };
           key-directory "/etc/namedb/keys";     // <--- Add this
           auto-dnssec maintain;                 // <--- Add this
           update-policy local;                  // <--- Add this
           // dnssec-secure-to-insecure yes;     // <--- Add this
       };

   Save and exit, and now reconfigure the nameserver:

       # rndc reconfig

   Create a directory for the keys:

       # mkdir /etc/namedb/keys
       # chown bind /etc/namedb/keys

   Give ownership of the /etc/namedb/master directory to BIND so it can sign
   your zone and write the file:

       # chown -R bind /etc/namedb/master

   Then go to the keys directory:

       # cd /etc/namedb/keys

2. Generate the first key pair (Zone Signing Key):

       # dnssec-keygen mytld

   (It will output something like:

       Generating key pair......................+++++ + ....
       Kmytld.+005+43116
   )

3. Generate the second key pair (Key Signing Key):

       # dnssec-keygen -f KSK mytld
       Kmytld.+005+52159

   (once again, some output will show)

4. Let's look at the keys:

       # ls -l Kmytld*
       -rw-r--r--  1 root  wheel   591 Feb 18 15:52 Kmytld.+005+32044.key
       -rw-------  1 root  wheel  1774 Feb 18 15:52 Kmytld.+005+32044.private
       -rw-r--r--  1 root  wheel   417 Feb 18 15:52 Kmytld.+005+64860.key
       -rw-------  1 root  wheel  1010 Feb 18 15:52 Kmytld.+005+64860.private

   Make the keys readable by BIND:

       # chgrp bind *key
       # chmod g+r *key

   (Note: named also needs to read the .private files to produce signatures;
   if named runs as the bind user, make sure those are readable by it as well.)

5. We're ready to sign!

       # rndc sign mytld

   Take a look at the /etc/namedb/log/general log:

       # tail -10 /etc/namedb/log/general
       18-Feb-2011 15:57:41.168 set up managed keys zone for view _default, file 'managed-keys.bind'
       18-Feb-2011 15:57:41.184 reloading configuration succeeded
       18-Feb-2011 15:57:41.193 any newly configured zones are now loaded
       18-Feb-2011 15:57:43.666 received control channel command 'sign mytlf'
       18-Feb-2011 15:57:43.668 zone mytlf/IN: reconfiguring zone keys
       18-Feb-2011 15:57:43.693 zone mytlf/IN: next key event: 19-Feb-2011 03:57:43.693

6. Take a look at the signed zone:

       # cd /etc/namedb/master
       # ls -l mytld*

   Notice the ".jnl" file:

       -rw-r--r--  1 bind  wheel   535 Feb 18 14:22 mytld
       -rw-r--r--  1 bind  wheel  3473 Feb 18 15:57 mytld.jnl

   The zone is now DYNAMICALLY managed by BIND. If you want to make changes,
   you either need to:

   a) freeze the zone, edit, thaw:

       # rndc freeze mytld
       # vi ...            // remember the serial!
       # rndc thaw mytld

   b) use nsupdate:

       # nsupdate -l
       > update add mail.mytld. 300 A 1.2.3.4
       > send
       > quit
       # tail -10 /etc/namedb/log/general
       18-Feb-2011 16:07:00.374 client 127.0.0.1#57195: updating zone 'mytld/IN': adding an RR at 'mail.phil' A

   Now we need to include the DS in the parent zone!
   (DS = digest fingerprint of the Key Signing Key).

7. Generate a "DS" from your key:

   Find which key is the key signing key:

       # cd /etc/namedb/keys
       # more Kmytld*

   Look at which one has "IN DNSKEY 257".

       # dnssec-dsfromkey Kmytld.+005+32044 > dsset-mytld.

   REMEMBER the dot!

8. Upload the dsset for your zone (containing the digest of your key signing key)
   to the AUTH:

       # scp dsset-mytld. adm@rootserv.ws.nsrc.org:

   The password is 'nsrcws'

9. Tell the instructor you have done so!

   The instructor will include the DS-set in the root and re-sign the zone.

*** ON THE RESOLVER (performed by the instructor) ***

10. Grab the root key

    NOTE: This is only for the purpose of this lab. On the Internet, you would
    simply use "unbound-anchor" to download the real root.key, set
    "auto-trust-anchor-file:" in unbound.conf, and let unbound update the key
    when necessary.

    In this lab:

        # scp adm@10.10.0.203:root.key /usr/local/etc/unbound/root.key

    Edit the /usr/local/etc/unbound/unbound.conf file:

    Find the "trust-anchor-file:" line, and change it from:

        # trust-anchor-file: ""

    to

        trust-anchor-file: "/usr/local/etc/unbound/root.key"

11. Reload the nameserver:

        # /usr/local/etc/rc.d/unbound restart

12. dig @localhost +dnssec mytld. SOA

    What do you notice?
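What step 7 (dnssec-dsfromkey) does under the hood, as an added example that is not part of the original howto: it reads .key files in the layout dnssec-keygen writes, picks the key whose flags are 257 (the KSK), and computes the RFC 4034 key tag plus the SHA-1 (type 1) and SHA-256 (type 2) digests that make up the DS records in dsset-mytld. The key files and key material are constructed toy data; algorithm 8 and the absence of a TTL field in the record are assumptions.

```python
import base64
import hashlib

SAMPLE_KEY_FILES = {  # constructed .key files as dnssec-keygen writes them; toy key material
    "Kmytld.+008+00001.key": "; zone-signing key\nmytld. IN DNSKEY 256 3 8 AQIDBA==\n",
    "Kmytld.+008+00002.key": "; key-signing key\nmytld. IN DNSKEY 257 3 8 AQIDBAU=\n",
}

def parse_dnskey(text):
    """Return (owner, flags, protocol, algorithm, pubkey_bytes); assumes no TTL field."""
    for line in text.splitlines():
        if line.startswith(";") or not line.strip():
            continue  # skip dnssec-keygen's comment lines
        owner, _cls, rtype, flags, proto, alg, *b64 = line.split()
        if rtype != "DNSKEY":
            raise ValueError("not a DNSKEY record: " + line)
        return owner, int(flags), int(proto), int(alg), base64.b64decode("".join(b64))
    raise ValueError("no DNSKEY record found")

def owner_to_wire(owner):
    """Canonical wire form of the owner: lowercase, length-prefixed labels, root label."""
    labels = [lab for lab in owner.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"

def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (all algorithms except 1, RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def is_ksk(flags):
    """256 = Zone Key bit only (a ZSK); 257 adds the SEP bit, which marks the KSK."""
    return flags & 1 == 1

def ds_records(key_file_text):
    """DS lines as dnssec-dsfromkey prints them: digest type 1 (SHA-1) and 2 (SHA-256)."""
    owner, flags, proto, alg, key = parse_dnskey(key_file_text)
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + key  # DNSKEY RDATA
    wire = owner_to_wire(owner) + rdata  # the DS digest covers owner name + RDATA
    return [f"{owner} IN DS {key_tag(rdata)} {alg} {dtype} {h(wire).hexdigest().upper()}"
            for dtype, h in ((1, hashlib.sha1), (2, hashlib.sha256))]

def ksk_ds_from_keydir(files):
    """Step 7: pick the key whose flags are 257 (the KSK) and return its DS records."""
    for text in files.values():
        if is_ksk(parse_dnskey(text)[1]):
            return ds_records(text)
    raise ValueError("no KSK (flags 257) found")
```

Compare the key tag in the output with the number in the KSK's file name and with what dnssec-dsfromkey prints; a mismatch means the wrong key (or a ZSK) was picked.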