File quick-dnssec-signing-howto.txt, 4.7 KB (added by regnauld, 8 years ago)

One page howto for signing your DNS zone with DNSSEC
----------------------------------------------------

*** ON YOUR MASTER SERVER ***

1. Change to the directory where the zone resides, normally

    First, verify that DNSSEC is enabled in /etc/namedb/named.conf

    dnssec-enable yes;

    Find the definition for your zone ("MYTLD"), and modify it so it looks like
    this:

zone "MYTLD" {
        file "/etc/namedb/master/MYTLD";
        type master;
        allow-transfer { key mydomain-key; };

        key-directory "/etc/namedb/keys";       // <--- Add this
        auto-dnssec maintain;                   // <--- Add this
        update-policy local;                    // <--- Add this
        // dnssec-secure-to-insecure yes;       // <--- Add this
};

    Save and exit, and now reconfig the nameserver:

    # rndc reconfig

    Create a directory for the keys:

    # mkdir /etc/namedb/keys
    # chown bind /etc/namedb/keys

    Give ownership of the /etc/namedb/master directory so BIND can sign
    your zone and write the file:

    # chown -R bind /etc/namedb/master

    Then go to the keys directory:

    # cd /etc/namedb/keys


2. Generate first key pair (Zone Signing Key)

    # dnssec-keygen mytld

    (It will output something like:
    Generating key pair......................+++++ + ....
    Kmytld.+005+43116)

3. Generate second key pair (Key Signing Key)

    # dnssec-keygen -f KSK mytld
    Kmytld.+005+52159

    (once again, some output will show)

4. Let's look at the keys:

    # ls -l Kmytld*
    -rw-r--r--  1 root  wheel   591 Feb 18 15:52 Kmytld.+005+32044.key
    -rw-------  1 root  wheel  1774 Feb 18 15:52 Kmytld.+005+32044.private
    -rw-r--r--  1 root  wheel   417 Feb 18 15:52 Kmytld.+005+64860.key
    -rw-------  1 root  wheel  1010 Feb 18 15:52 Kmytld.+005+64860.private

    Make the keys readable by BIND:

    # chgrp bind K*
    # chmod g+r K*

5. We're ready to sign!

    # rndc sign mytld

    Take a look at the /etc/namedb/log/general log:

    # tail -10 /etc/namedb/log/general

18-Feb-2011 15:57:41.168 set up managed keys zone for view _default, file 'managed-keys.bind'
18-Feb-2011 15:57:41.184 reloading configuration succeeded
18-Feb-2011 15:57:41.193 any newly configured zones are now loaded
18-Feb-2011 15:57:43.666 received control channel command 'sign mytlf'
18-Feb-2011 15:57:43.668 zone mytlf/IN: reconfiguring zone keys
18-Feb-2011 15:57:43.693 zone mytlf/IN: next key event: 19-Feb-2011 03:57:43.693

6. Take a look at the signed zone:

    # cd /etc/namedb/master
    # ls -l mytld*

    Notice the ".jnl" file:

    -rw-r--r--  1 bind  wheel   535 Feb 18 14:22 mytld
    -rw-r--r--  1 bind  wheel  3473 Feb 18 15:57 mytld.jnl

    The zone is now DYNAMICALLY managed by bind.

    If you want to make changes, you either need to:

    a) freeze the zone, edit, thaw:

        # rndc freeze mytld
        # vi ...   // remember the serial!
        # rndc thaw mytld

    b) use nsupdate

        # nsupdate -l
        > update add mail.mytld. 300 A 1.2.3.4
        > send
        > quit

    # tail -10 /etc/namedb/log/general

18-Feb-2011 16:07:00.374 client 127.0.0.1#57195: updating zone 'mytld/IN': adding an RR at 'mail.phil' A


Now we need to include the DS in the parent zone!

    (DS = a digest, i.e. a fingerprint, of the Key Signing Key).

7. Generate a "DS" from your key:

    Find which key is the key signing key:

    # cd /etc/namedb/keys
    # more Kmytld*

    Look at which one has "IN DNSKEY 257" (that is the KSK; the ZSK has 256).

    # dnssec-dsfromkey Kmytld.+005+32044 > dsset-mytld.

    REMEMBER the dot!
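
    It is worth confirming mechanically which K* file is the KSK before feeding it
    to dnssec-dsfromkey. The script below is an added example, not part of this
    howto and not BIND's own code: it reads DNSKEY records, picks the one whose
    flags are 257, recomputes the key tag (RFC 4034, Appendix B) and rebuilds the
    Kzone.+alg+id file name that BIND derives from it, so the result can be
    compared against the listing in step 4. The two DNSKEY records (with
    deliberately tiny public keys), the function names key_tag, key_filename and
    ksk_file, and the assumption of a standard Linux userland (base64, od, awk)
    are all constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the original howto or of BIND): identify the KSK
# among DNSKEY records by its flags field (257 = KSK, 256 = ZSK), recompute
# each key's key tag (RFC 4034, Appendix B) and rebuild the Kzone.+alg+id
# file name BIND derives from it, so that the K* file belonging to the KSK
# can be confirmed before it is passed to dnssec-dsfromkey.
# The records below are constructed sample data with deliberately tiny
# public keys; real keys are far longer.

SAMPLE_KEYS='mytld. IN DNSKEY 256 3 8 AQAB
mytld. IN DNSKEY 257 3 8 AQID'

# key_tag FLAGS PROTOCOL ALGORITHM BASE64KEY
# Rebuilds the DNSKEY RDATA as hex (2-byte flags, 1-byte protocol, 1-byte
# algorithm, decoded public key) and applies the Appendix B checksum:
# even-offset bytes are added shifted left by 8, odd-offset bytes as they
# are, then the carry above 16 bits is folded back in.
key_tag() {
    {
        printf '%04x%02x%02x' "$1" "$2" "$3"
        printf '%s' "$4" | base64 -d | od -An -v -tx1 | tr -d ' \n'
    } | awk '
        function hexbyte(h,   v, k) {
            v = 0
            for (k = 1; k <= length(h); k++)
                v = v * 16 + index("0123456789abcdef", substr(h, k, 1)) - 1
            return v
        }
        {
            ac = 0
            for (i = 1; i <= length($0); i += 2) {
                b = hexbyte(substr($0, i, 2))
                if ((i - 1) % 4 == 0) ac += b * 256; else ac += b
            }
            ac += int(ac / 65536) % 65536
            print ac % 65536
        }'
}

# key_filename OWNER ALGORITHM KEYTAG
# Builds the basename BIND uses for a key pair, e.g. Kmytld.+005+32044
# (algorithm zero-padded to 3 digits, key tag to 5).
key_filename() {
    printf 'K%s+%03d+%05d' "$1" "$2" "$3"
}

# ksk_file [RECORDS]
# Reads DNSKEY records (one per line) and prints the key file basename of
# the record whose flags are 257; defaults to the constructed sample above.
ksk_file() {
    printf '%s\n' "${1:-$SAMPLE_KEYS}" |
    while read -r owner class type flags proto alg key; do
        [ "$type" = DNSKEY ] && [ "$flags" -eq 257 ] || continue
        key_filename "$owner" "$alg" "$(key_tag "$flags" "$proto" "$alg" "$key")"
    done
}

# Stand-alone run: print every record's role and the key file it maps to.
printf '%s\n' "$SAMPLE_KEYS" | while read -r owner class type flags proto alg key; do
    if [ "$flags" -eq 257 ]; then role=KSK; else role=ZSK; fi
    echo "$role $(key_filename "$owner" "$alg" "$(key_tag "$flags" "$proto" "$alg" "$key")")"
done
```

    Run it against the real keys with `cat /etc/namedb/keys/K*.key | grep DNSKEY`
    piped into ksk_file (the .key files carry the record in exactly this
    text form); the name it prints is the file to give to dnssec-dsfromkey.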

8. Upload the dsset for your zone (containing the digest of your Key Signing Key) to the AUTH:

    # scp dsset-mytld. adm@rootserv.ws.nsrc.org:

    The password is 'nsrcws'

9. Tell the instructor you have done so!

    The instructor will include the DS-set in the root and re-sign the zone.

*** ON THE RESOLVER ***

You need to log in to your cache machine, e.g. for group 1 you would use
cache.grp1.ws.nsrc.org, as you did in the unbound config exercise.

9. Grab the root key

    NOTE: This is only for the purpose of this lab - on the Internet,
    you would simply use "unbound-anchor" to download the real root.key,
    set "auto-trust-anchor-file:" in unbound.conf, and let unbound update
    the key when necessary.

    In this lab:

    # cd /usr/local/etc/unbound

    # fetch http://10.10.0.245/resources/root.key

    Edit the /usr/local/etc/unbound/unbound.conf file:

    Find the "trust-anchor-file:" line, and change it from:

    # trust-anchor-file: ""

    to

    trust-anchor-file: "/usr/local/etc/unbound/root.key"

10. Reload the nameserver

    # /usr/local/etc/rc.d/unbound restart

11. dig @localhost +dnssec mytld. SOA

    What do you notice?
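
    What to look for in that dig output, as an added example that is not part of
    the original howto: a resolver that validated the answer (root key trusted,
    DS in the parent, RRSIGs in the zone) sets the "ad" flag in the header and
    returns RRSIG records next to the SOA; a resolver with no trust anchor returns
    the RRSIGs but no "ad"; an unsigned zone returns neither; and a broken chain
    (for instance a DS that does not match the KSK) makes a validating resolver
    answer SERVFAIL. The script below classifies dig output into those four
    states. The dig answers embedded in it are constructed sample text trimmed to
    the lines the check needs, and the function names has_flag, has_rrsig and
    dnssec_state are the example's own.

```shell
#!/bin/sh
# Added example (not part of the original howto): classify the output of
# "dig +dnssec" as validated, signed-not-validated, unsigned or servfail.
# The four answers below are constructed sample dig output; the RRSIG
# signature field is a placeholder, not a real signature.

VALIDATED_ANSWER=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
mytld.  3600 IN SOA  ns.mytld. hostmaster.mytld. 2011021801 3600 900 604800 3600
mytld.  3600 IN RRSIG SOA 5 1 3600 20110320155743 20110218155743 32044 mytld. AQID'

UNVALIDATED_ANSWER=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12346
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
mytld.  3600 IN SOA  ns.mytld. hostmaster.mytld. 2011021801 3600 900 604800 3600
mytld.  3600 IN RRSIG SOA 5 1 3600 20110320155743 20110218155743 32044 mytld. AQID'

UNSIGNED_ANSWER=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12347
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
mytld.  3600 IN SOA  ns.mytld. hostmaster.mytld. 2011021801 3600 900 604800 3600'

BOGUS_ANSWER=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12348
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# has_flag OUTPUT FLAG
# Succeeds if FLAG appears in the ";; flags:" header line (between "flags:"
# and the first semicolon), e.g. "ad" for an authenticated answer.
has_flag() {
    printf '%s\n' "$1" | awk -v f="$2" '
        /^;; flags:/ {
            sub(/^;; flags: */, ""); sub(/;.*/, "")
            n = split($0, a, " ")
            for (i = 1; i <= n; i++) if (a[i] == f) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# has_rrsig OUTPUT
# Succeeds if any resource record line has RRSIG as its type (4th field).
has_rrsig() {
    printf '%s\n' "$1" | awk '$4 == "RRSIG" { found = 1 } END { exit found ? 0 : 1 }'
}

# dnssec_state OUTPUT
# Prints one of: servfail, validated, signed-not-validated, unsigned.
dnssec_state() {
    if printf '%s\n' "$1" | grep -q '^;; ->>HEADER<<-.*status: SERVFAIL'; then
        echo servfail
    elif has_flag "$1" ad && has_rrsig "$1"; then
        echo validated
    elif has_rrsig "$1"; then
        echo signed-not-validated
    else
        echo unsigned
    fi
}

# Stand-alone run: classify each constructed answer.
for sample in VALIDATED_ANSWER UNVALIDATED_ANSWER UNSIGNED_ANSWER BOGUS_ANSWER; do
    eval "text=\$$sample"
    echo "$sample: $(dnssec_state "$text")"
done
```

    In the lab, pipe the real query through it with
    `dnssec_state "$(dig @localhost +dnssec mytld. SOA)"`. If the answer is
    servfail, repeat the query with +cd (checking disabled): data coming back
    then means the zone is reachable but its chain of trust does not validate,
    which usually points at a DS in the parent that does not match the KSK.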