File quick-dnssec-signing-howto.txt, 4.7 KB (added by regnauld, 8 years ago)

One page howto for signing your DNS zone with DNSSEC
----------------------------------------------------

*** ON YOUR MASTER SERVER ***

1. Change to the directory where the zone resides, normally

    First, verify that DNSSEC is enabled in /etc/namedb/named.conf

        ... in the options { .. }; section, add the following:

    dnssec-enable yes;

    Find the definition for your zone ("MYTLD"), and modify it so it looks like
    this:

zone "MYTLD" {
        file "/etc/namedb/master/MYTLD";
        type master;
        allow-transfer { key mydomain-key; };

        key-directory "/etc/namedb/keys";       // <--- Add this
        auto-dnssec maintain;                   // <--- Add this
        update-policy local;                    // <--- Add this
        // dnssec-secure-to-insecure yes;       // <--- Add this
};

    Save and exit, then reconfigure the nameserver:

    # rndc reconfig

    Create a directory for the keys:

    # mkdir /etc/namedb/keys
    # chown bind /etc/namedb/keys

    Give BIND ownership of the /etc/namedb/master directory so it can sign
    your zone and write the signed zone file:

    # chown -R bind /etc/namedb/master

    Then go to the keys directory:

    # cd /etc/namedb/keys

2. Generate first key pair (Zone Signing Key)

    # dnssec-keygen mytld

    (It will output something like:
    Generating key pair......................+++++ + ....
    Kmytld.+005+43116)

3. Generate second key pair (Key Signing Key)

    # dnssec-keygen -f KSK mytld
    Kmytld.+005+52159

    (once again, some output will show)

4. Let's look at the keys:

    # ls -l Kmytld*
    -rw-r--r--  1 root  wheel   591 Feb 18 15:52 Kmytld.+005+32044.key
    -rw-------  1 root  wheel  1774 Feb 18 15:52 Kmytld.+005+32044.private
    -rw-r--r--  1 root  wheel   417 Feb 18 15:52 Kmytld.+005+64860.key
    -rw-------  1 root  wheel  1010 Feb 18 15:52 Kmytld.+005+64860.private

    Make the keys readable by BIND:

    # chgrp bind K*
    # chmod g+r K*

5. We're ready to sign!

    # rndc sign mytld

    Take a look at the /etc/namedb/log/general log:

    # tail -10 /etc/namedb/log/general

18-Feb-2011 15:57:41.168 set up managed keys zone for view _default, file 'managed-keys.bind'
18-Feb-2011 15:57:41.184 reloading configuration succeeded
18-Feb-2011 15:57:41.193 any newly configured zones are now loaded
18-Feb-2011 15:57:43.666 received control channel command 'sign mytlf'
18-Feb-2011 15:57:43.668 zone mytlf/IN: reconfiguring zone keys
18-Feb-2011 15:57:43.693 zone mytlf/IN: next key event: 19-Feb-2011 03:57:43.693

6. Take a look at the signed zone:

    # cd /etc/namedb/master
    # ls -l mytld*

    Notice the ".jnl" file:

    -rw-r--r--  1 bind  wheel   535 Feb 18 14:22 mytld
    -rw-r--r--  1 bind  wheel  3473 Feb 18 15:57 mytld.jnl

    The zone is now DYNAMICALLY managed by BIND.

    If you want to make changes, you need to either:

    a) freeze the zone, edit, thaw:

        # rndc freeze mytld
        # vi ...   // remember the serial!
        # rndc thaw mytld

    b) use nsupdate:

        # nsupdate -l
        > update add mail.mytld. 300 A 1.2.3.4
        > send
        > quit

    # tail -10 /etc/namedb/log/general

18-Feb-2011 16:07:00.374 client 127.0.0.1#57195: updating zone 'mytld/IN': adding an RR at 'mail.phil' A


Now we need to include the DS in the parent zone!

    (DS = a digest, i.e. a fingerprint, of the Key Signing Key).

7. Generate a "DS" from your key:

    Find which key is the key signing key:

    # cd /etc/namedb/keys
    # more Kmytld*

    Look at which one has "IN DNSKEY 257".

    # dnssec-dsfromkey Kmytld.+005+32044 >dsset-mytld.

    REMEMBER the dot!
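What dnssec-dsfromkey computes in step 7, as an added example that is not part of the original howto: it picks the key with the SEP flag (flags 257) out of DNSKEY lines in the same format as the K*.key files, then derives the key tag and DS digest as RFC 4034 specifies, which is also how you can check a dsset against the DS the parent publishes after step 8. The two DNSKEY lines and their base64 blobs are constructed for this example and are not real keys.

```python
import base64
import hashlib
import struct

# Constructed sample in the format of the Kmytld.*.key files from step 4.
# Flags 256 = zone signing key, 257 = key signing key (SEP bit set).
# The base64 key material is made up for this example; it is not a real RSA key.
SAMPLE_KEYS = """\
mytld. IN DNSKEY 256 3 5 AwEAAcONl0OoGm1ttu6ngMh4mp/4JfW5kC4t2XF4ebQqT3xY
mytld. IN DNSKEY 257 3 5 AwEAAdgYlnQ7r8qeqFmgO0y4vtQnOdSmmJeW/Or8Js3rDvfDzYRB
"""


def name_to_wire(name):
    """Owner name as RFC 1035 wire-format labels, lower-cased (RFC 4034 canonical form)."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(line):
    """Split a presentation-format DNSKEY line into (owner, flags, protocol, algorithm, key bytes)."""
    fields = line.split()
    i = fields.index("DNSKEY")            # a TTL may or may not precede the class
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    return fields[0], flags, proto, alg, base64.b64decode("".join(fields[i + 4:]))


def key_tag(rdata):
    """RFC 4034 Appendix B key tag: 16-bit sum over the DNSKEY RDATA, high byte first."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(dnskey_line, digest_type=2):
    """DS RR for one DNSKEY: digest over owner name (wire) + RDATA; type 1 = SHA-1, 2 = SHA-256."""
    owner, flags, proto, alg, pubkey = parse_dnskey(dnskey_line)
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    hasher = hashlib.sha1 if digest_type == 1 else hashlib.sha256
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {alg} {digest_type} {digest}"


def ksk_ds_records(key_text, digest_type=2):
    """DS lines for every key with the SEP flag set (what ends up in dsset-mytld.); ZSKs are skipped."""
    return [ds_record(line, digest_type) for line in key_text.splitlines()
            if line.strip() and parse_dnskey(line)[1] & 0x0001]


if __name__ == "__main__":
    for rec in ksk_ds_records(SAMPLE_KEYS):
        print(rec)
```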

8. Upload the dsset for your zone (containing the hash of your zone's key signing key) to the AUTH:

    # scp dsset-mytld. adm@rootserv.ws.nsrc.org:

    The password is 'nsrcws'

9. Tell the instructor you have done so!

    The instructor will include the DS-set in the root and re-sign the zone.

*** ON THE RESOLVER ***

You need to log in to your cache machine, e.g. for group 1 you would use
cache.grp1.ws.nsrc.org, as you did in the unbound config exercise.

10. Grab the root key

    NOTE: This is only for the purpose of this lab. On the Internet,
    you would simply use "unbound-anchor" to download the real root.key,
    set "auto-trust-anchor-file:" in unbound.conf, and let unbound update
    the key when necessary.

    In this lab:

    # scp adm@rootserv.ws.nsrc.org:root.key  /usr/local/etc/unbound/root.key

    Edit the /usr/local/etc/unbound/unbound.conf file:

    Find the "trust-anchor-file:" line, and change it from:

    # trust-anchor-file: ""

    to

    trust-anchor-file: "/usr/local/etc/unbound/root.key"

11. Reload the nameserver

    # /usr/local/etc/rc.d/unbound restart

12. dig @localhost +dnssec mytld. SOA

    What do you notice?