Agenda: dnssec-bind-manual-signing-howto.txt

File dnssec-bind-manual-signing-howto.txt, 2.9 KB (added by admin, 7 years ago)
*** ON YOUR AUTHORITATIVE SERVER ***

1. Change to the directory where the zone resides, and make a backup
   of the zone (assuming it's called "mytld"), just in case

    # cd /etc/namedb/master
    # cp mytld mytld.backup

2. Generate the first key pair (Zone Signing Key)

    # dnssec-keygen -a RSASHA1 -b 1024 -n ZONE mytld
    Kmytld.+005+51333

3. Generate the second key pair (Key Signing Key)

    # dnssec-keygen -f KSK -a RSASHA1 -b 1280 -n ZONE mytld
    Kmytld.+005+52159

4. Let's look at the keys:

    # ls -l Kmytld.+005+5*
    -rw-r--r--  1 root  wheel   203 Nov 29 00:07 Kmytld.+005+51333.key
    -rw-------  1 root  wheel   937 Nov 29 00:07 Kmytld.+005+51333.private
    -rw-r--r--  1 root  wheel   247 Nov 29 00:07 Kmytld.+005+52159.key
    -rw-------  1 root  wheel  1125 Nov 29 00:07 Kmytld.+005+52159.private

5. Add the public keys to the end of the zone file:

    Edit the zone file for "mytld" and add the keys at the end:

    ; Keys to be published in DNSKEY RRset

    $include "/etc/namedb/master/Kmytld.+005+51333.key"     ; ZSK
    $include "/etc/namedb/master/Kmytld.+005+52159.key"     ; KSK

    Save and exit.

6. Sign the zone with the keys

    # cd /etc/namedb/master
    # dnssec-signzone -N increment -o mytld -k Kmytld.+005+52159 mytld Kmytld.+005+51333
    Verifying the zone using the following algorithms: RSASHA1.
    Zone signing complete:
    Algorithm: RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
                        ZSKs: 1 active, 0 stand-by, 0 revoked
    mytld.signed

        Note: the "-N increment" option automatically changes the serial for your
        zone. This is required, otherwise your slave server will not pick up the
        change!

    # ls -l mytld*
    -rw-r--r--  1 root  wheel   292 Nov 29 00:08 mytld
    -rw-r--r--  1 root  wheel  4294 Nov 29 00:20 mytld.signed

7. Notice that a set of DS records has been generated, and is ready to
   be communicated to your parent zone:

    # ls -l dsset-*
    -rw-r--r--  1 root  wheel  155 Nov 29 00:22 dsset-mytld.

   Look at the contents of the dsset:

    # cat dsset-mytld.

8. Change the /etc/namedb/named.conf definition that loads the zone, to point
   to the signed zone:

    zone "mytld" {
            type master;
            file "/etc/namedb/master/mytld.signed";
    };

9. Also in named.conf, enable DNSSEC (for the authoritative part):

    ... in the options { ... }; section, add the following

    dnssec-enable yes;

10. Reconfigure/restart your nameserver

    # rndc reconfig

11. Test that the nameserver is answering with DNSSEC records:

    # dig @127.0.0.1 mytld SOA +dnssec

12. Now you need to make sure that your slave has ALSO configured their
    nameserver to enable DNSSEC in their configuration (step 9). They
    should have done it since they are working on the same lab, but check
    anyway!

    To test:

    # dig @10.10.Y.1 mytld SOA +dnssec

    ... where Y is the IP of the partner you picked to be slave for your
    domain.

13. That's it - you now need to communicate the DS to your parent
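As an added example (not part of this how-to or of BIND), the script below derives DS records from a DNSKEY the same way dnssec-signzone fills dsset-mytld. (the DS step above), so you can check by hand what you hand to the parent in the final step, and it decodes the "+005+52159" part of the key file names. It follows RFC 4034 (key tag from Appendix B, DS digest over owner name plus DNSKEY RDATA); the 4-byte sample key and the helper names are constructed for illustration.

```python
import base64
import hashlib
import struct

def owner_to_wire(name):
    """Canonical wire form of an owner name: lower-case labels, root label last."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B; this is the 51333 / 52159 in the key file names."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_records(owner, flags, protocol, algorithm, key_b64):
    """Return the DS RRs (digest type 1 = SHA-1, 2 = SHA-256) the parent zone needs."""
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(key_b64))
    tag = key_tag(rdata)
    digest_input = owner_to_wire(owner) + rdata   # RFC 4034 section 5.1.4
    records = []
    for digest_type, hasher in ((1, hashlib.sha1), (2, hashlib.sha256)):
        digest = hasher(digest_input).hexdigest().upper()
        records.append(f"{owner} IN DS {tag} {algorithm} {digest_type} {digest}")
    return records

def parse_key_filename(filename):
    """Split 'Kmytld.+005+52159.key' into (owner, algorithm number, key tag)."""
    base = filename[1:]                        # drop the leading 'K'
    for suffix in (".key", ".private"):
        if base.endswith(suffix):
            base = base[: -len(suffix)]
    owner, alg, tag = base.split("+")
    return owner, int(alg), int(tag)

if __name__ == "__main__":
    # Constructed sample: a 4-byte "key" so the output stays short; flags 257 = KSK (SEP bit).
    # A real run would paste the base64 key material from Kmytld.+005+52159.key instead.
    for rr in ds_records("mytld.", 257, 3, 5, "AQIDBA=="):
        print(rr)
    print(parse_key_filename("Kmytld.+005+52159.key"))
```

Compare the SHA-1 line with the one in dsset-mytld.; algorithm 5 and the key tag must match the KSK you passed with -k.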