One page howto for signing your DNS zone with DNSSEC
----------------------------------------------------

*** ON YOUR MASTER SERVER ***

1. Change to the directory where the zone resides, normally

   First, verify that DNSSEC is enabled in /etc/namedb/named.conf:

     dnssec-enable yes;

   Find the definition for your zone ("MYTLD"), and modify it so it looks like this:

     zone "MYTLD" {
         file "/etc/namedb/master/MYTLD";
         type master;
         allow-transfer { key mydomain-key; };
         key-directory "/etc/namedb/keys";    // <--- Add this
         auto-dnssec maintain;                // <--- Add this
         update-policy local;                 // <--- Add this
         // dnssec-secure-to-insecure yes;    // <--- Add this
     };

   Save and exit, and now reconfig the nameserver:

     # rndc reconfig

   Create a directory for the keys:

     # mkdir /etc/namedb/keys
     # chown bind /etc/namedb/keys

   Give BIND ownership of the /etc/namedb/master directory so it can sign your zone and write the file:

     # chown -R bind /etc/namedb/master

   Then go to the keys directory:

     # cd /etc/namedb/keys

2. Generate the first key pair (Zone Signing Key):

     # dnssec-keygen mytld

   (It will output something like:

     Generating key pair......................+++++ + ....
     Kmytld.+005+43116
   )

3. Generate the second key pair (Key Signing Key):

     # dnssec-keygen -f KSK mytld
     Kmytld.+005+52159

   (once again, some output will show)

4. Let's look at the keys:

     # ls -l Kmytld*
     -rw-r--r--  1 root  wheel   591 Feb 18 15:52 Kmytld.+005+32044.key
     -rw-------  1 root  wheel  1774 Feb 18 15:52 Kmytld.+005+32044.private
     -rw-r--r--  1 root  wheel   417 Feb 18 15:52 Kmytld.+005+64860.key
     -rw-------  1 root  wheel  1010 Feb 18 15:52 Kmytld.+005+64860.private

   Make the keys readable by BIND:

     # chgrp bind K*
     # chmod g+r K*

5. We're ready to sign!

     # rndc sign mytld

   Take a look at the /etc/namedb/log/general log:

     # tail -10 /etc/namedb/log/general
     18-Feb-2011 15:57:41.168 set up managed keys zone for view _default, file 'managed-keys.bind'
     18-Feb-2011 15:57:41.184 reloading configuration succeeded
     18-Feb-2011 15:57:41.193 any newly configured zones are now loaded
     18-Feb-2011 15:57:43.666 received control channel command 'sign mytlf'
     18-Feb-2011 15:57:43.668 zone mytlf/IN: reconfiguring zone keys
     18-Feb-2011 15:57:43.693 zone mytlf/IN: next key event: 19-Feb-2011 03:57:43.693

6. Take a look at the signed zone:

     # cd /etc/namedb/master
     # ls -l mytld*

   Notice the ".jnl" file:

     -rw-r--r--  1 bind  wheel   535 Feb 18 14:22 mytld
     -rw-r--r--  1 bind  wheel  3473 Feb 18 15:57 mytld.jnl

   The zone is now DYNAMICALLY managed by BIND. If you want to make changes, you need to either:

   a) freeze the zone, edit, thaw:

     # rndc freeze mytld
     # vi ...            // remember the serial!
     # rndc thaw mytld

   b) use nsupdate:

     # nsupdate -l
     > update add mail.mytld. 300 A 1.2.3.4
     > send
     > quit
     # tail -10 /etc/namedb/log/general
     18-Feb-2011 16:07:00.374 client 127.0.0.1#57195: updating zone 'mytld/IN': adding an RR at 'mail.phil' A

   Now we need to include the DS in the parent zone!
   (DS = digest fingerprint of the Key Signing Key.)

7. Generate a "DS" from your key:

   Find which key is the key signing key:

     # cd /etc/namedb/keys
     # more Kmytld*

   Look at which one has "IN DNSKEY 257".

     # dnssec-dsfromkey Kmytld.+005+32044 > dsset-mytld.

   REMEMBER the dot!

8. Upload the dsset for your zone (containing the hash of your zone) to the AUTH:

     # scp dsset-mytld. adm@rootserv.ws.nsrc.org:

   The password is 'nsrcws'

9. Tell the instructor you have done so!

   The instructor will include the DS-set in the root and re-sign the zone.

*** ON THE RESOLVER ***

You need to log in to your cache machine, e.g. for group 1 you would use cache.grp1.ws.nsrc.org, as you did in the unbound config exercise.

9. Grab the root key

   NOTE: This is only for the purpose of this lab - on the Internet, you would simply use "unbound-anchor" to download the real root.key, set "auto-trust-anchor-file:" in unbound.conf, and let unbound update the key when necessary.

   In this lab:

     # cd /usr/local/etc/unbound
     # fetch http://10.10.0.245/resources/root.key

   Edit the /usr/local/etc/unbound/unbound.conf file: find the "trust-anchor-file:" line, and change it from:

     # trust-anchor-file: ""

   to

     trust-anchor-file: "/usr/local/etc/unbound/root.key"

10. Reload the nameserver:

     # /usr/local/etc/rc.d/unbound restart

11. dig @localhost +dnssec mytld. SOA

   What do you notice?
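As an added example (not part of the handout, and not BIND's code), the following Python reproduces what steps 7 and 8 rely on: it reads K*.key files, keeps only the key whose flags are 257 (the SEP bit marking the KSK), and derives the SHA-256 DS record that dnssec-dsfromkey writes into dsset-mytld., so you can check the dsset before uploading it. The two key files, their key tags and algorithm 8 are constructed sample data, far shorter than real RSA keys.

```python
import base64
import hashlib
import struct
# Constructed sample K*.key file contents (not real keys) for the lab zone "mytld".
SAMPLE_KEY_FILES = {
    "Kmytld.+008+04118.key": "; This is a zone-signing key, keyid 4118, for mytld.\n"
                             "mytld. IN DNSKEY 256 3 8 BQYHCA==\n",
    "Kmytld.+008+02063.key": "; This is a key-signing key, keyid 2063, for mytld.\n"
                             "mytld. IN DNSKEY 257 3 8 AQIDBA==\n",
}

def parse_dnskey(text):
    """Return (owner, flags, protocol, algorithm, pubkey) from a *.key file."""
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith(";") or "DNSKEY" not in tokens:
            continue  # skip blank lines and BIND's ";" comment lines
        i = tokens.index("DNSKEY")
        flags, proto, alg = (int(t) for t in tokens[i + 1:i + 4])
        pubkey = base64.b64decode("".join(tokens[i + 4:]))
        return tokens[0], flags, proto, alg, pubkey
    raise ValueError("no DNSKEY record found")

def key_tag(rdata):
    """Key tag of RFC 4034 Appendix B (algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def wire_name(owner):
    """Owner name in canonical (lower-case) DNS wire format."""
    labels = owner.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_record(owner, flags, proto, alg, pubkey):
    """DS record, digest type 2 = SHA-256 over owner name + DNSKEY RDATA (RFC 4509)."""
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {alg} 2 {digest}"

def ksk_ds_records(key_files):
    records = []
    for text in key_files.values():
        owner, flags, proto, alg, pubkey = parse_dnskey(text)
        if flags & 0x0001:  # SEP bit: 257 is a KSK, 256 is a ZSK and gets no DS
            records.append(ds_record(owner, flags, proto, alg, pubkey))
    return records
```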