One page howto for signing your DNS zone with DNSSEC
----------------------------------------------------

*** ON YOUR MASTER SERVER ***

1. Change to the directory where the zone resides, normally

First, verify that DNSSEC is enabled in /etc/namedb/named.conf

    dnssec-enable yes;

Find the definition for your zone ("MYTLD"), and modify it so it looks like
this:

    zone "MYTLD" {
        file "/etc/namedb/master/MYTLD";
        type master;
        allow-transfer { key mydomain-key; };

        key-directory "/etc/namedb/keys";       // <--- Add this
        auto-dnssec maintain;                   // <--- Add this
        update-policy local;                    // <--- Add this
        // dnssec-secure-to-insecure yes;       // <--- Add this
    };

Save and exit, and now reconfigure the nameserver:

    # rndc reconfig

Create a directory for the keys:

    # mkdir /etc/namedb/keys
    # chown bind /etc/namedb/keys

Give ownership of the /etc/namedb/master directory to BIND so it can sign
your zone and write the file:

    # chown -R bind /etc/namedb/master

Then go to the keys directory:

    # cd /etc/namedb/keys


2. Generate the first key pair (Zone Signing Key):

    # dnssec-keygen mytld

(It will output something like:
    Generating key pair......................+++++ + ....
    Kmytld.+005+43116)

3. Generate the second key pair (Key Signing Key):

    # dnssec-keygen -f KSK mytld
    Kmytld.+005+52159

(once again, some output will show)

4. Let's look at the keys:

    # ls -l Kmytld*
    -rw-r--r--  1 root  wheel   591 Feb 18 15:52 Kmytld.+005+32044.key
    -rw-------  1 root  wheel  1774 Feb 18 15:52 Kmytld.+005+32044.private
    -rw-r--r--  1 root  wheel   417 Feb 18 15:52 Kmytld.+005+64860.key
    -rw-------  1 root  wheel  1010 Feb 18 15:52 Kmytld.+005+64860.private

Make the keys readable by BIND:

    # chgrp bind *key
    # chmod g+r *key

5. We're ready to sign!

    # rndc sign mytld

Take a look at the /etc/namedb/log/general log:

    # tail -10 /etc/namedb/log/general

    18-Feb-2011 15:57:41.168 set up managed keys zone for view _default, file 'managed-keys.bind'
    18-Feb-2011 15:57:41.184 reloading configuration succeeded
    18-Feb-2011 15:57:41.193 any newly configured zones are now loaded
    18-Feb-2011 15:57:43.666 received control channel command 'sign mytlf'
    18-Feb-2011 15:57:43.668 zone mytlf/IN: reconfiguring zone keys
    18-Feb-2011 15:57:43.693 zone mytlf/IN: next key event: 19-Feb-2011 03:57:43.693

6. Take a look at the signed zone:

    # cd /etc/namedb/master
    # ls -l mytld*

Notice the ".jnl" file:

    -rw-r--r--  1 bind  wheel   535 Feb 18 14:22 mytld
    -rw-r--r--  1 bind  wheel  3473 Feb 18 15:57 mytld.jnl

The zone is now DYNAMICALLY managed by BIND.

If you want to make changes, you either need to:

a) freeze the zone, edit, thaw:

    # rndc freeze mytld
    # vi ...   // remember to increment the serial!
    # rndc thaw mytld

b) use nsupdate:

    # nsupdate -l
    > update add mail.mytld. 300 A 1.2.3.4
    > send
    > quit

    # tail -10 /etc/namedb/log/general

    18-Feb-2011 16:07:00.374 client 127.0.0.1#57195: updating zone 'mytld/IN': adding an RR at 'mail.phil' A


Now we need to include the DS in the parent zone!

(DS = digest fingerprint of the Key Signing Key).

7. Generate a "DS" from your key:

Find which key is the key signing key:

    # cd /etc/namedb/keys
    # more Kmytld*

Look at which one has "IN DNSKEY 257".

    # dnssec-dsfromkey Kmytld.+005+32044 >dsset-mytld.

REMEMBER the dot!

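The DS that step 7 derives is a digest over the owner name and the KSK's DNSKEY RDATA. As an added example (not part of the howto and not BIND's own code), this Python script does what dnssec-dsfromkey does for the lab's dsset: it picks the key with flags 257 out of constructed .key file contents, computes the key tag from RFC 4034 Appendix B, and prints the SHA-256 DS line. The public key material is a constructed toy value, not a real RSA key.

```python
import base64
import hashlib

# Constructed .key file contents in the format dnssec-keygen writes. The public
# key field is a 4-byte toy value (not a real RSA key) so that the key tag is
# small enough to check by hand; real keys are processed identically.
ZSK_FILE = "mytld. IN DNSKEY 256 3 5 AQIDBA=="   # flags 256: Zone Signing Key
KSK_FILE = "mytld. IN DNSKEY 257 3 5 AQIDBA=="   # flags 257: Key Signing Key

def parse_dnskey(line):
    """Parse 'owner IN DNSKEY flags proto alg base64...' into a dict."""
    owner, _cls, rtype, flags, proto, alg, *b64 = line.split()
    if rtype != "DNSKEY":
        raise ValueError("not a DNSKEY record: " + line)
    return {"owner": owner, "flags": int(flags), "protocol": int(proto),
            "algorithm": int(alg), "pubkey": base64.b64decode("".join(b64))}

def is_ksk(key):
    """Step 7 of the howto: the KSK is the key whose flags are 257 (SEP bit set)."""
    return (key["flags"] & 1) == 1

def rdata(key):
    """DNSKEY RDATA in wire format: flags, protocol, algorithm, public key."""
    return (key["flags"].to_bytes(2, "big")
            + bytes([key["protocol"], key["algorithm"]]) + key["pubkey"])

def key_tag(key):
    """Key tag per RFC 4034 Appendix B; it is the +NNNNN part of the file name."""
    ac = 0
    for i, b in enumerate(rdata(key)):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def owner_wire(name):
    """Canonical (lowercase) owner name in wire format: length-prefixed labels, zero end."""
    labels = [lab for lab in name.rstrip(".").lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def ds_record(key):
    """DS line as dnssec-dsfromkey -2 prints it: tag, algorithm, digest type 2 (SHA-256)
    over the owner name in wire format followed by the DNSKEY RDATA."""
    digest = hashlib.sha256(owner_wire(key["owner"]) + rdata(key)).hexdigest().upper()
    return f"{key['owner']} IN DS {key_tag(key)} {key['algorithm']} 2 {digest}"

if __name__ == "__main__":
    for line in (ZSK_FILE, KSK_FILE):
        key = parse_dnskey(line)
        if is_ksk(key):            # only the KSK's DS goes into the parent zone
            print(ds_record(key))
```

Run it against the real Kmytld.+005+NNNNN.key file to confirm the tag in the file name matches key_tag() and that the DS line equals the SHA-256 line in dsset-mytld.
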
8. Upload the dsset for your zone (containing the hash of your key signing key) to the AUTH:

    # scp dsset-mytld. adm@rootserv.ws.nsrc.org:

The password is 'nsrcws'.

9. Tell the instructor you have done so!

The instructor will include the DS-set in the root and re-sign the zone.

*** ON THE RESOLVER (performed by the instructor) ***


9. Grab the root key

NOTE: This is only for the purpose of this lab - on the Internet,
you would simply use "unbound-anchor" to download the real root.key,
set "auto-trust-anchor-file:" in unbound.conf, and let unbound update
the key when necessary.

In this lab:

    # scp adm@10.10.0.203:root.key  /usr/local/etc/unbound/root.key

Edit the /usr/local/etc/unbound/unbound.conf file:

Find the "trust-anchor-file:" line, and change it from:

    # trust-anchor-file: ""

to

    trust-anchor-file: "/usr/local/etc/unbound/root.key"

10. Reload the nameserver:

    # /usr/local/etc/rc.d/unbound restart

11. dig @localhost +dnssec mytld. SOA

What do you notice?