1 | One page howto for signing your DNS zone with DNSSEC |
---|
2 | ---------------------------------------------------- |
---|
3 | |
---|
4 | *** ON YOUR MASTER SERVER *** |
---|
5 | |
---|
6 | 1. Change to the directory where the zone resides, normally |
---|
7 | |
---|
8 | First, verify that DNSSEC is enabled in /etc/namedb/named.conf |
---|
9 | |
---|
10 | dnssec-enable yes; |
---|
11 | |
---|
12 | Find the definition for your zone ("MYTLD"), and modify it so it looks like |
---|
13 | this: |
---|
14 | |
---|
15 | zone "MYTLD" { |
---|
16 | file "/etc/namedb/master/MYTLD"; |
---|
17 | type master; |
---|
18 | allow-transfer { key mydomain-key; }; |
---|
19 | |
---|
20 | key-directory "/etc/namedb/keys"; // <--- Add this |
---|
21 | auto-dnssec maintain; // <--- Add this |
---|
22 | update-policy local; // <--- Add this |
---|
23 | // dnssec-secure-to-insecure yes; // <--- Add this |
---|
24 | }; |
---|
25 | |
---|
26 | Save and exit, and now reconfig the nameserver |
---|
27 | |
---|
28 | # rndc reconfig |
---|
29 | |
---|
30 | Create a directory for the keys: |
---|
31 | |
---|
32 | # mkdir /etc/namedb/keys |
---|
33 | # chown bind /etc/namedb/keys |
---|
34 | |
---|
35 | Give ownership of the /etc/namedb/master directory so BIND can sign |
---|
36 | your zone and write the file: |
---|
37 | |
---|
38 | # chown -R bind /etc/namedb/master |
---|
39 | |
---|
40 | Then go to the keys directory |
---|
41 | |
---|
42 | # cd /etc/namedb/keys |
---|
43 | |
---|
44 | |
---|
45 | 2. Generate first key pair (Zone Signing Key) |
---|
46 | |
---|
47 | # dnssec-keygen mytld |
---|
48 | |
---|
49 | (t will output something like: |
---|
50 | Generating key pair......................+++++ + .... |
---|
51 | Kmytld.+005+43116) |
---|
52 | |
---|
53 | 3. Generate second key pair (Key Signing Key) |
---|
54 | |
---|
55 | # dnssec-keygen -f KSK mytld |
---|
56 | Kmytld.+005+52159 |
---|
57 | |
---|
58 | (once again, some output will show) |
---|
59 | |
---|
60 | 4. Let's look at the keys: |
---|
61 | |
---|
62 | # ls -l Kmytld* |
---|
63 | -rw-r--r-- 1 root wheel 591 Feb 18 15:52 Kmytld.+005+32044.key |
---|
64 | -rw------- 1 root wheel 1774 Feb 18 15:52 Kmytld.+005+32044.private |
---|
65 | -rw-r--r-- 1 root wheel 417 Feb 18 15:52 Kmytld.+005+64860.key |
---|
66 | -rw------- 1 root wheel 1010 Feb 18 15:52 Kmytld.+005+64860.private |
---|
67 | |
---|
68 | Make the keys readable by BIND: |
---|
69 | |
---|
70 | # chgrp bind K* |
---|
71 | # chmod g+r K* |
---|
72 | |
---|
73 | 5. We're ready to sign! |
---|
74 | |
---|
75 | # rndc sign mytld |
---|
76 | |
---|
77 | Take a look at the /etc/namedb/log/general log: |
---|
78 | |
---|
79 | # tail -10 /etc/namedb/log/general |
---|
80 | |
---|
81 | 18-Feb-2011 15:57:41.168 set up managed keys zone for view _default, file 'managed-keys.bind' |
---|
82 | 18-Feb-2011 15:57:41.184 reloading configuration succeeded |
---|
83 | 18-Feb-2011 15:57:41.193 any newly configured zones are now loaded |
---|
84 | 18-Feb-2011 15:57:43.666 received control channel command 'sign mytlf' |
---|
85 | 18-Feb-2011 15:57:43.668 zone mytlf/IN: reconfiguring zone keys |
---|
86 | 18-Feb-2011 15:57:43.693 zone mytlf/IN: next key event: 19-Feb-2011 03:57:43.693 |
---|
87 | |
---|
88 | 6. Take a look at the signed zone: |
---|
89 | |
---|
90 | # cd /etc/namedb/master |
---|
91 | # ls -l mytld* |
---|
92 | |
---|
93 | Notice the ".jnl" file: |
---|
94 | |
---|
95 | -rw-r--r-- 1 bind wheel 535 Feb 18 14:22 mytld |
---|
96 | -rw-r--r-- 1 bind wheel 3473 Feb 18 15:57 mytld.jnl |
---|
97 | |
---|
98 | The zone is now DYNAMICALLY managed by bind. |
---|
99 | |
---|
100 | If you want to make changes, you either need to: |
---|
101 | |
---|
102 | a) freeze the zone, edit, thaw: |
---|
103 | |
---|
104 | # rndc freeze mytld |
---|
105 | # vi ... // remember the serial! |
---|
106 | # rndc thaw mytld |
---|
107 | |
---|
108 | b) use nsupdate |
---|
109 | |
---|
110 | # nsupdate -l |
---|
111 | > update add mail.mytld. 300 A 1.2.3.4 |
---|
112 | > send |
---|
113 | > quit |
---|
114 | |
---|
115 | # tail -10 /etc/namedb/log/general |
---|
116 | |
---|
117 | 18-Feb-2011 16:07:00.374 client 127.0.0.1#57195: updating zone 'mytld/IN': adding an RR at 'mail.phil' A |
---|
118 | |
---|
119 | |
---|
120 | Now we need to include the DS in the parent zone ! |
---|
121 | |
---|
122 | (DS = digest fingerprint of the Key Signing Key). |
---|
123 | |
---|
124 | 7. Generate a "DS" from your key: |
---|
125 | |
---|
126 | Find which key is the key signing key: |
---|
127 | |
---|
128 | # cd /etc/namedb/keys |
---|
129 | # more Kmytld* |
---|
130 | |
---|
131 | Look at which one has "IN DNSKEY 257". |
---|
132 | |
---|
133 | # dnssec-dsfromkey Kdsset-mytld.+005+32044 >dsset-mytld. |
---|
134 | |
---|
135 | REMEMBER the dot! |
---|
136 | |
---|
137 | 8. Upload the dsset for your zone (containing the hash of your zone) to the AUTH: |
---|
138 | |
---|
139 | # scp dsset-mytld. adm@rootserv.ws.nsrc.org: |
---|
140 | |
---|
141 | The password is 'nsrcws' |
---|
142 | |
---|
143 | 9. Tell the instructor you have done so! |
---|
144 | |
---|
145 | The instructor will include the DS-set in the root and re-sign the zone |
---|
146 | |
---|
147 | *** ON THE RESOLVER *** |
---|
148 | |
---|
149 | You need to log in to your cache machine, i.e. for group 1, you would use |
---|
150 | cache.grp1.ws.nsrc.org, as you did in the unbound config exercise |
---|
151 | |
---|
152 | 9. Grab the root key |
---|
153 | |
---|
154 | NOTE: This is only for the purpose of this lab - on the Internet, |
---|
155 | you would simply use "unbound-anchor" to download the real root.key, |
---|
156 | and set "auto-trust-anchor-file:" unbound.conf, and let unbound update |
---|
157 | the key when necessary. |
---|
158 | |
---|
159 | In this lab: |
---|
160 | |
---|
161 | # cd /usr/local/etc/unbound |
---|
162 | |
---|
163 | # fetch http://10.10.0.245/resources/root.key |
---|
164 | |
---|
165 | Edit the /usr/local/etc/unbound/unbound.conf file: |
---|
166 | |
---|
167 | Find the "trust-anchor-file:" line, and change it from: |
---|
168 | |
---|
169 | # trust-anchor-file: "" |
---|
170 | |
---|
171 | to |
---|
172 | |
---|
173 | trust-anchor-file: "/usr/local/etc/unbound/root.key" |
---|
174 | |
---|
175 | 10. Reload the nameserver |
---|
176 | |
---|
177 | # /usr/local/etc/rc.d/unbound restart |
---|
178 | |
---|
179 | 11. dig @localhost +dnssec mytld. SOA |
---|
180 | |
---|
181 | What do you notice ? |
---|