Agenda: dnssec-bind-manual-signing-howto.txt

File dnssec-bind-manual-signing-howto.txt, 6.6 KB (added by admin, 6 years ago)
Line 
1*** ON YOUR AUTHORITATIVE SERVER ***
2
31. Change to the directory where the zone resides, and make a backup
4   of the zone (assuming it's called "mytld"), just in case
5
6    $ cd /etc/namedb/master
7    $ sudo cp mytld mytld.backup
8
9  Also create a directory for the keys to live in, and let's create them
10
11    $ sudo mkdir /etc/namedb/keys
12    $ sudo chown bind /etc/namedb/keys
13
14    $ cd /etc/namedb/keys
15
162. Generate first key pair (Zone Signing Key)
17
18    $ sudo dnssec-keygen -a RSASHA1 -b 1024 -n ZONE mytld
19
20    The output will be something like:
21
22Generating key pair....................++++++ ...........................................................................................................++++++
23Kmytld.+005+51333
24
254. Generate second key pair (Key Signing Key)
26
27    $ sudo dnssec-keygen -f KSK -a RSASHA1 -b 2048 -n ZONE mytld
28
29    Again you will see output similar to this:
30
31Generating key pair.............................................+++ ..........................................................................+++
32Kmytld.+005+52159
33
344. Let's look at the keys:
35
36    # ls -l Kmytld.+005+5*
37    -rw-r--r--  1 root  wheel   203 Nov 29 00:07 Kmytld.+005+51333.key
38    -rw-------  1 root  wheel   937 Nov 29 00:07 Kmytld.+005+51333.private
39    -rw-r--r--  1 root  wheel   247 Nov 29 00:07 Kmytld.+005+52159.key
40    -rw-------  1 root  wheel  1125 Nov 29 00:07 Kmytld.+005+52159.private
41
424. Add the public keys to the end of the zone file:
43
44    Edit the zone file for "mytld" and add the keys at the end:
45
46    $ cd /etc/namedb/master
47
48    (edit the file "mytld" or whatever name you picked, and add the
49    lines corresponding to your keys). To know which files to include:
50
51    $ ls -lC1 /etc/namedb/keys/K*key
52
53    (copy the file names so you don't have to type then in by hand)
54
55    $ sudo ee mytld
56
57    ; Keys to be published in DNSKEY RRset
58
59    $include "/etc/namedb/keys/Kmytld.+005+51333.key"     ; ZSK
60    $include "/etc/namedb/keys/Kmytld.+005+52159.key"     ; KSK
61
62    Increment the serial number.
63    Save and exit.
64
655. Sign the zone with the keys
66
67    $ cd /etc/namedb/keys
68    $ sudo dnssec-signzone -o mytld ../master/mytld
69
70    The output will look something like:
71
72Verifying the zone using the following algorithms: RSASHA1.
73Zone signing complete:
74Algorithm: RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
75                    ZSKs: 1 active, 0 stand-by, 0 revoked
76../master/mytld.signed
77
78    NOTE: that we don't need to specifiy which keys we'll be using - by
79    default dnssec-signzone will sign using the keys it finds listed in the
80    zone (those we added via the $include statement in step 4).
81
82    If you wanted to explicitly specify which keys to use, you'd write
83    something like (don't run this):
84
85    $ sudo dnssec-signzone -o mytld -k Kmytld.+005+52159 ../master/mytld Kmytld.+005+51333
86
87    The signed zone has been written out in the master/ directory, so let's
88    check it out:
89
90    $ cd /etc/namedb/master/
91    $ ls -l mytld*
92
93    -rw-r--r--  1 root  wheel   292 Nov 29 00:08 mytld
94    -rw-r--r--  1 root  wheel   292 Nov 29 00:10 mytld.backup
95    -rw-r--r--  1 root  wheel  4294 Nov 29 00:20 mytld.signed
96
97    Take a look at the zone contents, and observe the new records and
98    signatures.
99
1006. Notice that a set of DS records has been generated, and is ready to
101   be communicated to your parent zone:
102
103    $ cd /etc/namedb/keys/
104    $ ls -l dsset-*
105
106    -rw-r--r--  1 root  wheel  155 Nov 29 00:22 dsset-mytld.
107
108   Look at the contents of the dsset:
109
110    $ cat dsset-mytld.
111
112    You should see two lines, one for each hashing algorithm used on
113    the KSK.
114
1157. Change the /etc/namedb/named.conf definition that loads the zone, to point
116   to the signed zone:
117
118    $ sudo ee /etc/namedb/named.conf
119
120    zone "mytld" {
121            type master;
122            file "/etc/namedb/master/mytld.signed"; // load the signed zone
123    };
124
1258. Also in the named.conf, enable dnssec (for the authoritative part):
126
127    ... in the options { .. }; section, add the following
128
129    dnssec-enable yes;
130
1319. Reconfigure/restart your nameserver
132
133    $ sudo rndc reconfig
134
135    You may also want to, but it is probably not necessary, do:
136
137    $ sudo rndc reload mytld
138
139    ... to "force" a reload of the zone. reconfig should normally
140    do this, but it doesn't hurt :)
141
14210. Test that the nameserver is answering with DNSSEC records:
143
144    $ dig @127.0.0.1 mytld SOA +dnssec
145
14611. Now you need to make sure that your slave has ALSO configured their
147    nameserver to enable dnssec in their configuration (step 8). They
148    should have done it since they are working on the same lab, but check
149    anyway!
150
151    To test:
152
153    $ dig @10.20.Y.1 mytld SOA +dnssec
154
155    ... where Y is the IP of the partner you picked to be slave for your
156    domain - this could be the instructor, check with them.
157
15812. You now need to communicate the DS to your parent
159
160   Talk to your root manager on the way to communicate the DS.
161   It could be using SCP or using a web interface.
162
163    a) if using the RZM:
164
165    Go to https://rzm.dnssek.org/
166
167    Login (you should have signed up earlier)
168
169    Check to see under Trust Anchor Details that your DS has automatically
170    appeared AND matches. It is NOT automatically activated - the only thing
171    the the RZM has done is "grab" the key from you and is waiting for your
172    confirmation to enable th DS in the parent zone.
173
174    b) if not using the RZM:
175
176   If your root manager says to use scp, do as follows:
177
178   $ cd /etc/namedb/keys
179   $ scp dsset-mytld. sysadm@a.root-servers.net:
180
181   ... this will copy the file "dsset-mytld." into the "sysadm" user directory
182   on the a.root-server, where the root manager will include it into the root
183   zone for signing.
184   
185   Notify them when you have uploaded the file if using the "scp" method.
186
18713. Wait a few minutes, until you are certain that the DS is included in
188    the parent (root) zone.
189   
190    Then, using dig:
191
192   dig @a.root-servers.net DS mytld.
193
194   ... then you can begin to test validation!
195
19614. Test that the AD bit is set:
197
198    # dig @10.20.0.230 +dnssec www.MYTLD.
199
200    Is it ?
201
202    If not, note that the root manager may not have necessarily signed the
203    root zone with your DS included yet, OR due to the *negative TTL*, the
204    DS record may not be in the cache of the resolver. You may have to wait,
205    but check with your root manager, and you can always check at the root:
206
207    # dig @a.root-servers.net DS mytld.
208
209    ... to verify that the DS is published. Then it's a matter of waiting
210    for the cache to expire on the resolver, before you can verify your
211    signatures.
212
213    Alternatively, don't wait and proceed to enable validation in your own
214    resolver (resolv.grpX.dns.nsrc.org) - see the relevant lab!