Agenda: dnssec-bind-signing-howto.txt

File dnssec-bind-signing-howto.txt, 4.9 KB (added by admin, 7 years ago)
One page howto for signing your DNS zone with DNSSEC
----------------------------------------------------

*** ON YOUR MASTER SERVER ***

1. Change to the directory where the zone resides, normally

    First, verify that DNSSEC is enabled in /etc/namedb/named.conf

        ... in the options { .. }; section, add the following

    dnssec-enable yes;

    Find the definition for your zone ("MYTLD"), and modify it so it looks like
    this:

zone "MYTLD" {
        file "/etc/namedb/master/MYTLD";
        type master;
        allow-transfer { key mydomain-key; };

        key-directory "/etc/namedb/keys";       // <--- Add this
        auto-dnssec maintain;                   // <--- Add this
        update-policy local;                    // <--- Add this
        // dnssec-secure-to-insecure yes;       // <--- Add this
};

    Save and exit, then reconfigure the nameserver:

    # rndc reconfig

    Create a directory for the keys:

    # mkdir /etc/namedb/keys
    # chown bind /etc/namedb/keys

    Give BIND ownership of the /etc/namedb/master directory so it can sign
    your zone and write the file:

    # chown -R bind /etc/namedb/master

    Then go to the keys directory:

    # cd /etc/namedb/keys


2. Generate the first key pair (Zone Signing Key):

    # dnssec-keygen mytld

    (this will output something like:
    Generating key pair......................+++++ + ....
    Kmytld.+005+43116)

3. Generate the second key pair (Key Signing Key):

    # dnssec-keygen -f KSK mytld
    Kmytld.+005+52159

    (once again, some output will show)

4. Let's look at the keys:

    # ls -l Kmytld*
    -rw-r--r--  1 root  wheel   591 Feb 18 15:52 Kmytld.+005+32044.key
    -rw-------  1 root  wheel  1774 Feb 18 15:52 Kmytld.+005+32044.private
    -rw-r--r--  1 root  wheel   417 Feb 18 15:52 Kmytld.+005+64860.key
    -rw-------  1 root  wheel  1010 Feb 18 15:52 Kmytld.+005+64860.private

    Make the keys readable by BIND:

    # chgrp bind K*
    # chmod g+r K*

5. We're ready to sign!

    First, take a backup of the zone before it is signed:

    # cd /etc/namedb/master
    # cp MYTLD MYTLD.unsigned

    Signal BIND to sign the zone (the backup made above will be untouched):

    # rndc sign mytld

    Take a look at the /etc/namedb/log/general log:

    # tail -10 /etc/namedb/log/general

18-Feb-2011 15:57:41.168 set up managed keys zone for view _default, file 'managed-keys.bind'
18-Feb-2011 15:57:41.184 reloading configuration succeeded
18-Feb-2011 15:57:41.193 any newly configured zones are now loaded
18-Feb-2011 15:57:43.666 received control channel command 'sign mytlf'
18-Feb-2011 15:57:43.668 zone mytlf/IN: reconfiguring zone keys
18-Feb-2011 15:57:43.693 zone mytlf/IN: next key event: 19-Feb-2011 03:57:43.693

6. Take a look at the signed zone:

    # cd /etc/namedb/master
    # ls -l mytld*

    Notice the ".jnl" file:

    -rw-r--r--  1 bind  wheel   535 Feb 18 14:22 mytld
    -rw-r--r--  1 bind  wheel  3473 Feb 18 15:57 mytld.jnl

    The zone is now DYNAMICALLY managed by BIND.

    If you want to make changes, you need to either:

    a) freeze the zone, edit, thaw:

        # rndc freeze mytld
        # vi ...   // remember the serial!
        # rndc thaw mytld

    b) use nsupdate:

        # nsupdate -l
        > update add mail.mytld. 300 A 1.2.3.4
        > send
        > quit

    # tail -10 /etc/namedb/log/general

18-Feb-2011 16:07:00.374 client 127.0.0.1#57195: updating zone 'mytld/IN': adding an RR at 'mail.phil' A
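Option (a) above only works if you remember to bump the SOA serial by hand; if you forget, the slaves never notice the change. As an added example (not part of the original howto), the POSIX shell function below reads a zone file on stdin, finds the serial as the third token after "SOA" (so it handles both one-line and parenthesised multi-line SOA records and ignores "RRSIG SOA" lines in a zone BIND has already signed), and writes the zone back out with the serial incremented by one. The two sample zones it is run on are constructed for this example.

```shell
#!/bin/sh
# bump_serial < zone-file > new-zone-file
#   Increment the SOA serial of a zone file by one and leave everything else
#   untouched. The serial is the third token after "SOA" (MNAME, RNAME,
#   SERIAL), whether the record sits on one line or is spread over several
#   inside parentheses. Lines holding RRSIG records are ignored so that
#   "RRSIG SOA ..." in a signed zone is not mistaken for the SOA itself.
#   (Naive about ";" inside quoted TXT data, which it treats as a comment.)
bump_serial() {
    awk '
    {
        data = $0; sub(/;.*/, "", data)            # drop trailing comments
        soa_end = 0
        if (!done && !in_soa && data !~ /(^|[ \t])RRSIG([ \t]|$)/ &&
            match(data, /(^|[ \t])SOA([ \t]|$)/)) {
            in_soa = 1; after = 0; soa_end = RSTART + RLENGTH - 1
        }
        if (in_soa && !done) {
            n = split(substr(data, soa_end + 1), tok, /[ \t()]+/)
            for (i = 1; i <= n; i++) {
                if (tok[i] == "") continue
                if (++after < 3) continue           # skip MNAME and RNAME
                serial = tok[i]
                newser = sprintf("%.0f", serial + 1) # exact even for 10-digit serials
                pre = substr($0, 1, soa_end); post = substr($0, soa_end + 1)
                # replace the first standalone occurrence of the serial after SOA
                if (match(post, "(^|[^0-9A-Za-z.])" serial "([^0-9A-Za-z.]|$)")) {
                    p = RSTART
                    if (substr(post, p, 1) !~ /[0-9]/) p++
                    post = substr(post, 1, p - 1) newser substr(post, p + length(serial))
                }
                $0 = pre post
                done = 1
                break
            }
        }
        print
    }'
}

# Constructed sample zones (not files from the lab).
sample_multiline() {
cat <<'EOF'
$TTL 3600
@   IN  SOA ns.mytld. hostmaster.mytld. (
            2011021801  ; serial
            3600        ; refresh
            900         ; retry
            604800      ; expire
            3600 )      ; minimum
    IN  NS  ns.mytld.
ns  IN  A   192.0.2.1
EOF
}

sample_signed_oneline() {
cat <<'EOF'
; one-line records as BIND writes them; the RRSIG is put first on purpose so
; that its "RRSIG SOA" token pair exercises the guard in bump_serial
mytld.  3600  IN RRSIG SOA 5 1 3600 20110320155743 20110218155743 64860 mytld. PLACEHOLDERSIG==
mytld.  3600  IN SOA ns.mytld. hostmaster.mytld. 2011021801 3600 900 604800 3600
mytld.  3600  IN NS ns.mytld.
EOF
}

# Typical use between "rndc freeze mytld" and "rndc thaw mytld":
#   bump_serial < MYTLD > MYTLD.new && mv MYTLD.new MYTLD
sample_multiline | bump_serial          # the serial line now reads 2011021802
```

Adding one works for plain counters and for the usual YYYYMMDDnn convention alike (until you make a hundred edits in one day). Run it only while the zone is frozen: once BIND manages the zone dynamically, the file on disk is BIND's to write, and an edit made while the zone is thawed is lost or corrupts the journal.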


Now we need to include the DS in the parent zone!

    (DS = digest fingerprint of the Key Signing Key).

7. Generate a "DS" from your key:

    Find which key is the key signing key:

    # cd /etc/namedb/keys
    # more Kmytld*

    Look at which one has "IN DNSKEY 257".

    # dnssec-dsfromkey Kmytld.+005+32044 >dsset-mytld.

    REMEMBER the dot!
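Picking the KSK by eye from "more Kmytld*" is fine for two keys, but during a rollover there are more. As an added example (not from the howto), the shell function below does the "which one has 257" check for you: it scans the K*.key files in a directory, skips the ";" comment lines dnssec-keygen writes, and prints the base name of every key whose DNSKEY flags field is 257 (ZONE + SEP, the Key Signing Key), in the Kzone.+alg+id form that dnssec-dsfromkey takes. The key files it is demonstrated on are constructed with placeholder key material; write_dsset is an assumed helper that only runs if BIND's dnssec-dsfromkey is installed.

```shell
#!/bin/sh
# find_ksk DIR
#   Print the base name (Kzone.+alg+id, as dnssec-dsfromkey expects it) of
#   every key in DIR whose DNSKEY flags field is 257. 257 = ZONE (256) +
#   SEP (1): the Secure Entry Point bit marks a Key Signing Key, the key
#   whose digest goes into the parent's DS record. A ZSK carries 256.
find_ksk() {
    dir=$1
    for f in "$dir"/K*.key; do
        [ -f "$f" ] || continue
        # Comment lines start with ";". On the record line the field right
        # after "DNSKEY" is the flags field; a TTL may or may not precede "IN".
        if awk '!/^;/ { for (i = 1; i < NF; i++)
                            if ($i == "DNSKEY" && $(i + 1) == 257) found = 1 }
                END { exit found ? 0 : 1 }' "$f"; then
            base=${f##*/}
            printf '%s\n' "${base%.key}"
        fi
    done
}

# write_dsset DIR ZONE  (assumed helper; needs BIND's dnssec-dsfromkey)
#   Run dnssec-dsfromkey on each KSK in DIR and write the DS records to
#   dsset-ZONE. in the current directory (note the trailing dot), which is
#   the file handed to the parent in step 8.
write_dsset() {
    dir=$1; zone=$2
    command -v dnssec-dsfromkey >/dev/null 2>&1 || {
        echo "dnssec-dsfromkey not installed" >&2; return 1; }
    ksks=$(find_ksk "$dir")
    [ -n "$ksks" ] || { echo "no KSK (flags 257) found in $dir" >&2; return 1; }
    for k in $ksks; do
        (cd "$dir" && dnssec-dsfromkey "$k")
    done > "dsset-$zone."
}

# Constructed sample key files in the format dnssec-keygen writes (the key
# material is a placeholder, not a real key).
make_sample_keys() {
    dir=$1
    cat > "$dir/Kmytld.+005+64860.key" <<'EOF'
; This is a zone-signing key, keyid 64860, for mytld.
mytld. IN DNSKEY 256 3 5 AwEAAZSKPLACEHOLDERBASE64==
EOF
    cat > "$dir/Kmytld.+005+32044.key" <<'EOF'
; This is a key-signing key, keyid 32044, for mytld.
mytld. 3600 IN DNSKEY 257 3 5 AwEAAKSKPLACEHOLDERBASE64==
EOF
}

sample=$(mktemp -d)
make_sample_keys "$sample"
find_ksk "$sample"        # prints Kmytld.+005+32044
rm -r "$sample"
```

In the lab you would call find_ksk /etc/namedb/keys and feed the result to dnssec-dsfromkey exactly as step 7 does. If two names come back, both KSKs are live (a rollover in progress) and the parent needs a DS for each until the old one is retired.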
8. Upload the dsset for your zone (containing the digest of your Key Signing Key) to the AUTH:

    # scp dsset-mytld. adm@rootserv.ws.nsrc.org:

    The password is 'nsrcws'

9. Tell the instructor you have done so!

    The instructor will include the DS-set in the root and re-sign the zone

*** ON THE RESOLVER ***

You need to log in to your cache machine, e.g. for group 1 you would use
cache.grp1.ws.nsrc.org, as you did in the unbound config exercise.

10. Grab the root key

    NOTE: This is only for the purpose of this lab - on the Internet,
    you would simply use "unbound-anchor" to download the real root.key,
    set "auto-trust-anchor-file:" in unbound.conf, and let unbound update
    the key when necessary.

    In this lab:

    # scp adm@rootserv.ws.nsrc.org:root.key  /usr/local/etc/unbound/root.key

    Edit the /usr/local/etc/unbound/unbound.conf file:

    Find the "trust-anchor-file:" line, and change it from:

    # trust-anchor-file: ""

    to

    trust-anchor-file: "/usr/local/etc/unbound/root.key"

11. Reload the nameserver

    # /usr/local/etc/rc.d/unbound restart

12. dig @localhost +dnssec mytld. SOA

    What do you notice?
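What to notice in that dig output is the "ad" (authenticated data) flag in the header and the RRSIG records next to the SOA. As an added example (not from the howto), the shell function below reads `dig +dnssec` output and states the verdict: NOERROR with RRSIGs and "ad" means the resolver validated the chain from its trust anchor (the root.key you installed) down through the DS to your KSK; RRSIGs without "ad" means the zone is signed but this resolver did not validate it (no trust anchor, or the DS is not in the parent yet); SERVFAIL is what a validating resolver returns when validation fails, for example when the DS in the parent does not match the KSK. The dig transcripts it is run on are constructed for this example.

```shell
#!/bin/sh
# dnssec_verdict < dig-output
#   Classify the output of `dig +dnssec NAME TYPE` asked of a resolver:
#     validated : status NOERROR, RRSIG in the answer and the "ad" flag set;
#                 the resolver built a chain from its trust anchor to the data
#     signed    : RRSIG present but no "ad" flag; the zone is signed but this
#                 resolver did not validate (no trust anchor, or no DS in the
#                 parent yet)
#     unsigned  : NOERROR with no RRSIG in the answer
#     servfail  : the resolver answered SERVFAIL; a validating resolver does
#                 this when validation fails (e.g. the DS in the parent does
#                 not match the KSK) -- check the resolver's log
#     <rcode>   : any other RCODE, printed in lower case
dnssec_verdict() {
    awk '
    /^;; ->>HEADER<<-/ { s = $0; sub(/.*status: /, "", s); sub(/,.*/, "", s); status = s }
    /^;; flags:/       { f = $0; sub(/^;; flags: /, "", f); sub(/;.*/, "", f); flags = f }
    /^;; ANSWER SECTION:/ { in_answer = 1; next }
    /^;; [A-Z]+ SECTION:/ { in_answer = 0; next }
    in_answer && !/^;/ && NF >= 4 && $4 == "RRSIG" { rrsig = 1 }
    END {
        if (status == "SERVFAIL")                  print "servfail"
        else if (status != "NOERROR")              print tolower(status)
        else if (rrsig && flags ~ /(^| )ad( |$)/)  print "validated"
        else if (rrsig)                            print "signed"
        else                                       print "unsigned"
    }'
}

# Constructed dig transcripts (not captured from a real server).
sample_validated() {
cat <<'EOF'
; <<>> DiG 9.7.3 <<>> @localhost +dnssec mytld. SOA
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;mytld.                 IN  SOA

;; ANSWER SECTION:
mytld.      3600  IN  SOA   ns.mytld. hostmaster.mytld. 2011021801 3600 900 604800 3600
mytld.      3600  IN  RRSIG SOA 5 1 3600 20110320155743 20110218155743 64860 mytld. PLACEHOLDERSIG==
EOF
}

sample_servfail() {
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;mytld.                 IN  SOA
EOF
}

sample_unsigned() {
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4713
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
mytld.      3600  IN  SOA   ns.mytld. hostmaster.mytld. 2011021801 3600 900 604800 3600
EOF
}

# Against the lab resolver you would run:
#   dig @localhost +dnssec mytld. SOA | dnssec_verdict
sample_validated | dnssec_verdict       # prints validated
```

Run it once before the instructor has published your DS (expect "signed" if the resolver has no chain to your zone) and again afterwards (expect "validated"); a "servfail" at that point almost always means the dsset uploaded in step 8 was generated from the wrong key, so go back to step 7 and check for the 257 flag.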