| 1 | One page howto for signing your DNS zone with DNSSEC |
|---|
| 2 | ---------------------------------------------------- |
|---|
| 3 | |
|---|
| 4 | *** ON YOUR MASTER SERVER *** |
|---|
| 5 | |
|---|
| 6 | 1. Change to the directory where the zone resides, normally |
|---|
| 7 | |
|---|
| 8 | First, verify that DNSSEC is enabled in /etc/namedb/named.conf |
|---|
| 9 | |
|---|
| 10 | dnssec-enable yes; |
|---|
| 11 | |
|---|
| 12 | Find the definition for your zone ("MYTLD"), and modify it so it looks like |
|---|
| 13 | this: |
|---|
| 14 | |
|---|
| 15 | zone "MYTLD" { |
|---|
| 16 | file "/etc/namedb/master/MYTLD"; |
|---|
| 17 | type master; |
|---|
| 18 | allow-transfer { key mydomain-key; }; |
|---|
| 19 | |
|---|
| 20 | key-directory "/etc/namedb/keys"; // <--- Add this |
|---|
| 21 | auto-dnssec maintain; // <--- Add this |
|---|
| 22 | update-policy local; // <--- Add this |
|---|
| 23 | // dnssec-secure-to-insecure yes; // <--- Add this |
|---|
| 24 | }; |
|---|
| 25 | |
|---|
| 26 | Save and exit, and now reconfig the nameserver |
|---|
| 27 | |
|---|
| 28 | # rndc reconfig |
|---|
| 29 | |
|---|
| 30 | Create a directory for the keys: |
|---|
| 31 | |
|---|
| 32 | # mkdir /etc/namedb/keys |
|---|
| 33 | # chown bind /etc/namedb/keys |
|---|
| 34 | |
|---|
| 35 | Give ownership of the /etc/namedb/master directory so BIND can sign |
|---|
| 36 | your zone and write the file: |
|---|
| 37 | |
|---|
| 38 | # chown -R bind /etc/namedb/master |
|---|
| 39 | |
|---|
| 40 | Then go to the keys directory |
|---|
| 41 | |
|---|
| 42 | # cd /etc/namedb/keys |
|---|
| 43 | |
|---|
| 44 | |
|---|
| 45 | 2. Generate first key pair (Zone Signing Key) |
|---|
| 46 | |
|---|
| 47 | # dnssec-keygen mytld |
|---|
| 48 | |
|---|
| 49 | (t will output something like: |
|---|
| 50 | Generating key pair......................+++++ + .... |
|---|
| 51 | Kmytld.+005+43116) |
|---|
| 52 | |
|---|
| 53 | 3. Generate second key pair (Key Signing Key) |
|---|
| 54 | |
|---|
| 55 | # dnssec-keygen -f KSK mytld |
|---|
| 56 | Kmytld.+005+52159 |
|---|
| 57 | |
|---|
| 58 | (once again, some output will show) |
|---|
| 59 | |
|---|
| 60 | 4. Let's look at the keys: |
|---|
| 61 | |
|---|
| 62 | # ls -l Kmytld* |
|---|
| 63 | -rw-r--r-- 1 root wheel 591 Feb 18 15:52 Kmytld.+005+32044.key |
|---|
| 64 | -rw------- 1 root wheel 1774 Feb 18 15:52 Kmytld.+005+32044.private |
|---|
| 65 | -rw-r--r-- 1 root wheel 417 Feb 18 15:52 Kmytld.+005+64860.key |
|---|
| 66 | -rw------- 1 root wheel 1010 Feb 18 15:52 Kmytld.+005+64860.private |
|---|
| 67 | |
|---|
| 68 | Make the keys readable by BIND: |
|---|
| 69 | |
|---|
| 70 | # chgrp bind K* |
|---|
| 71 | # chmod g+r K* |
|---|
| 72 | |
|---|
| 73 | 5. We're ready to sign! |
|---|
| 74 | |
|---|
| 75 | # rndc sign mytld |
|---|
| 76 | |
|---|
| 77 | Take a look at the /etc/namedb/log/general log: |
|---|
| 78 | |
|---|
| 79 | # tail -10 /etc/namedb/log/general |
|---|
| 80 | |
|---|
| 81 | 18-Feb-2011 15:57:41.168 set up managed keys zone for view _default, file 'managed-keys.bind' |
|---|
| 82 | 18-Feb-2011 15:57:41.184 reloading configuration succeeded |
|---|
| 83 | 18-Feb-2011 15:57:41.193 any newly configured zones are now loaded |
|---|
| 84 | 18-Feb-2011 15:57:43.666 received control channel command 'sign mytlf' |
|---|
| 85 | 18-Feb-2011 15:57:43.668 zone mytlf/IN: reconfiguring zone keys |
|---|
| 86 | 18-Feb-2011 15:57:43.693 zone mytlf/IN: next key event: 19-Feb-2011 03:57:43.693 |
|---|
| 87 | |
|---|
| 88 | 6. Take a look at the signed zone: |
|---|
| 89 | |
|---|
| 90 | # cd /etc/namedb/master |
|---|
| 91 | # ls -l mytld* |
|---|
| 92 | |
|---|
| 93 | Notice the ".jnl" file: |
|---|
| 94 | |
|---|
| 95 | -rw-r--r-- 1 bind wheel 535 Feb 18 14:22 mytld |
|---|
| 96 | -rw-r--r-- 1 bind wheel 3473 Feb 18 15:57 mytld.jnl |
|---|
| 97 | |
|---|
| 98 | The zone is now DYNAMICALLY managed by bind. |
|---|
| 99 | |
|---|
| 100 | If you want to make changes, you either need to: |
|---|
| 101 | |
|---|
| 102 | a) freeze the zone, edit, thaw: |
|---|
| 103 | |
|---|
| 104 | # rndc freeze mytld |
|---|
| 105 | # vi ... // remember the serial! |
|---|
| 106 | # rndc thaw mytld |
|---|
| 107 | |
|---|
| 108 | b) use nsupdate |
|---|
| 109 | |
|---|
| 110 | # nsupdate -l |
|---|
| 111 | > update add mail.mytld. 300 A 1.2.3.4 |
|---|
| 112 | > send |
|---|
| 113 | > quit |
|---|
| 114 | |
|---|
| 115 | # tail -10 /etc/namedb/log/general |
|---|
| 116 | |
|---|
| 117 | 18-Feb-2011 16:07:00.374 client 127.0.0.1#57195: updating zone 'mytld/IN': adding an RR at 'mail.phil' A |
|---|
| 118 | |
|---|
| 119 | |
|---|
| 120 | Now we need to include the DS in the parent zone ! |
|---|
| 121 | |
|---|
| 122 | (DS = digest fingerprint of the Key Signing Key). |
|---|
| 123 | |
|---|
| 124 | 7. Generate a "DS" from your key: |
|---|
| 125 | |
|---|
| 126 | Find which key is the key signing key: |
|---|
| 127 | |
|---|
| 128 | # cd /etc/namedb/keys |
|---|
| 129 | # more Kmytld* |
|---|
| 130 | |
|---|
| 131 | Look at which one has "IN DNSKEY 257". |
|---|
| 132 | |
|---|
| 133 | # dnssec-dsfromkey Kdsset-mytld.+005+32044 >dsset-mytld. |
|---|
| 134 | |
|---|
| 135 | REMEMBER the dot! |
|---|
| 136 | |
|---|
| 137 | 8. Upload the dsset for your zone (containing the hash of your zone) to the AUTH: |
|---|
| 138 | |
|---|
| 139 | # scp dsset-mytld. adm@rootserv.ws.nsrc.org: |
|---|
| 140 | |
|---|
| 141 | The password is 'nsrcws' |
|---|
| 142 | |
|---|
| 143 | 9. Tell the instructor you have done so! |
|---|
| 144 | |
|---|
| 145 | The instructor will include the DS-set in the root and re-sign the zone |
|---|
| 146 | |
|---|
| 147 | *** ON THE RESOLVER *** |
|---|
| 148 | |
|---|
| 149 | You need to log in to your cache machine, i.e. for group 1, you would use |
|---|
| 150 | cache.grp1.ws.nsrc.org, as you did in the unbound config exercise |
|---|
| 151 | |
|---|
| 152 | 9. Grab the root key |
|---|
| 153 | |
|---|
| 154 | NOTE: This is only for the purpose of this lab - on the Internet, |
|---|
| 155 | you would simply use "unbound-anchor" to download the real root.key, |
|---|
| 156 | and set "auto-trust-anchor-file:" unbound.conf, and let unbound update |
|---|
| 157 | the key when necessary. |
|---|
| 158 | |
|---|
| 159 | In this lab: |
|---|
| 160 | |
|---|
| 161 | # cd /usr/local/etc/unbound |
|---|
| 162 | |
|---|
| 163 | # fetch http://10.10.0.245/resources/root.key |
|---|
| 164 | |
|---|
| 165 | Edit the /usr/local/etc/unbound/unbound.conf file: |
|---|
| 166 | |
|---|
| 167 | Find the "trust-anchor-file:" line, and change it from: |
|---|
| 168 | |
|---|
| 169 | # trust-anchor-file: "" |
|---|
| 170 | |
|---|
| 171 | to |
|---|
| 172 | |
|---|
| 173 | trust-anchor-file: "/usr/local/etc/unbound/root.key" |
|---|
| 174 | |
|---|
| 175 | 10. Reload the nameserver |
|---|
| 176 | |
|---|
| 177 | # /usr/local/etc/rc.d/unbound restart |
|---|
| 178 | |
|---|
| 179 | 11. dig @localhost +dnssec mytld. SOA |
|---|
| 180 | |
|---|
| 181 | What do you notice ? |
|---|