Agenda: 04-dnssec-bind-manual-signing-howto.txt

File 04-dnssec-bind-manual-signing-howto.txt, 7.0 KB (added by Andy Linton, 6 years ago)
Line 
1*** ON YOUR AUTHORITATIVE SERVER ***
2
31. Change to the directory where the zone resides, and make a backup
4   of the zone (assuming it's called "mytld"), just in case
5
6    $ cd /etc/namedb/master
7    $ sudo cp mytld mytld.backup
8
9  Also create a directory for the keys to live in, and let's create them
10
11    $ sudo mkdir /etc/namedb/keys
12    $ sudo chown bind /etc/namedb/keys
13
14    $ cd /etc/namedb/keys
15
162. Generate first key pair (Zone Signing Key - ZSK)
17
18    $ sudo dnssec-keygen -a RSASHA256 -b 1024 -n ZONE mytld
19
20    The output will be something like:
21
22Generating key pair....................++++++ ...........................................................................................................++++++
23Kmytld.+008+51333
24
254. Generate second key pair (Key Signing Key - KSK)
26
27    $ sudo dnssec-keygen -f KSK -a RSASHA256 -b 2048 -n ZONE mytld
28
29    Again you will see output similar to this:
30
31Generating key pair.............................................+++ ..........................................................................+++
32Kmytld.+008+52159
33
34   Let's look at the keys:
35
36    # ls -l Kmytld.+008+5*
37    -rw-r--r--  1 root  wheel   203 Nov 29 00:07 Kmytld.+008+51333.key
38    -rw-------  1 root  wheel   937 Nov 29 00:07 Kmytld.+008+51333.private
39    -rw-r--r--  1 root  wheel   247 Nov 29 00:07 Kmytld.+008+52159.key
40    -rw-------  1 root  wheel  1125 Nov 29 00:07 Kmytld.+008+52159.private
41
425. Add the public keys to the end of the zone file:
43
44    Edit the zone file for "mytld" and add the keys at the end:
45    To know which files to include:
46
47    $ cd /etc/namedb/master
48    $ ls -lC1 /etc/namedb/keys/K*key
49
50    (copy the file names so you don't have to type then in by hand)
51
52    In the file "mytld", or whatever name you picked, add the lines
53        corresponding to your keys)
54
55        $ sudo ee mytld
56
57    ; Keys to be published in DNSKEY RRset
58
59    $include "/etc/namedb/keys/Kmytld.+008+51333.key"     ; ZSK
60    $include "/etc/namedb/keys/Kmytld.+008+52159.key"     ; KSK
61
62    Increment the serial number.
63    Save and exit.
64
656. Sign the zone with the keys
66
67    $ cd /etc/namedb/keys
68    $ sudo dnssec-signzone -x -o mytld -k Kmytld.+008+52159 ../master/mytld Kmytld.+008+51333
69
70    You should see as output:
71
72Verifying the zone using the following algorithms: RSASHA256.
73Zone signing complete:
74Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
75                      ZSKs: 1 active, 0 stand-by, 0 revoked
76../master/mytld.signed
77
78    NOTE: although we don't really need to specifiy which keys we'll be
79        using - by default dnssec-signzone will sign using the keys it finds
80        listed in the zone (those we added via the $include statement in step
81        4) - it is a good idea to do it anyway.
82       
83        This is to be very clear which keys we're using, especially when you
84        have multiple keys.
85
86    The signed zone has been written out in the master/ directory, so let's
87    check it out:
88
89    $ cd /etc/namedb/master/
90    $ ls -l mytld*
91
92    -rw-r--r--  1 root  wheel   292 Nov 29 00:08 mytld
93    -rw-r--r--  1 root  wheel  4294 Nov 29 00:20 mytld.signed
94
95    Take a look at the zone contents, and observe the new records and
96    signatures.
97
987. Notice that a set of DS records has been generated, and is ready to
99   be communicated to your parent zone:
100
101    $ cd /etc/namedb/keys/
102    $ ls -l dsset-*
103
104    -rw-r--r--  1 root  wheel  155 Nov 29 00:22 dsset-mytld.
105
106   Look at the contents of the dsset:
107
108    $ cat dsset-mytld.
109
110    You should see two lines, one for each hashing algorithm used on
111    the KSK.
112
1138. Change the /etc/namedb/named.conf definition that loads the zone, to point
114   to the signed zone:
115
116    $ sudo ee /etc/namedb/named.conf
117
118    zone "mytld" {
119            type master;
120            file "/etc/namedb/master/mytld.signed"; // load the signed zone
121    };
122
1239. Also in the named.conf, enable dnssec (for the authoritative part):
124
125    ... in the options { .. }; section, add the following
126
127    dnssec-enable yes;
128
12910. Reconfigure/restart your nameserver
130
131    $ sudo rndc reconfig
132
133    You may also want to, but it is probably not necessary, do:
134
135    $ sudo rndc reload mytld
136
137    ... to "force" a reload of the zone. reconfig should normally
138    do this, but it doesn't hurt :)
139
14011. Test that the nameserver is answering with DNSSEC records:
141
142    $ dig @127.0.0.1 mytld SOA +dnssec
143
14412. Now you need to make sure that your slave has ALSO configured their
145    nameserver to enable dnssec in their configuration (step 8). They
146    should have done it since they are working on the same lab, but check
147    anyway!
148
149    To test:
150
151    $ dig @10.10.Y.1 mytld SOA +dnssec
152
153    ... where Y is the IP of the partner you picked to be slave for your
154    domain - this could be the instructor, check with them.
155
15613. You now need to communicate the DS to your parent
157
158   Talk to your root manager on the way to communicate the DS.
159   It could be using scp or using a web interface.
160
161    a) if using the RZM:
162
163    Go to https://rzm.dnssek.org/
164
165    Login (you should have signed up earlier)
166
167    Check to see under Trust Anchor Details that your DS has automatically
168    appeared AND matches. It is NOT automatically activated - the only thing
169    the the RZM has done is "see" the DNSKEY supposedly you have published
170    and is waiting for your confirmation to enable th DS in the parent zone.
171
172    Match the trust anchors with the dsset-mytld. file contents
173    viewed above and then click on either or both "eye" icons (only
174    one trust anchor is needed) till you get a "check" and then
175    click "Update"
176
177
178    b) if not using the RZM:
179
180   If your root manager says to use scp, do as follows:
181
182   $ cd /etc/namedb/keys
183   $ scp dsset-mytld. sysadm@a.root-servers.net:
184
185   ... this will copy the file "dsset-mytld." into the "qdm" user directory
186   on the a.root-server, where the root manager will include it into the root
187   zone for signing.
188   
189   Notify them when you have uploaded the file if using the "scp" method.
190
19114. Wait a few minutes for the DS to be included in the (root) zone
192
193   It may take a minute for the DS records to propagate through the class
194   root system (update the unsigned root zone file, sign it, publish on
195   root servers, loaded into caching resolver... etc).
196
197   To verify that the DS is included in the parent (root) zone:
198
199   dig @a.root-servers.net DS mytld.
200
201   Once you are certain that the DS is included in the parent zone,
202   using dig:
203
204   ... then you can begin to test validation!
205
20615. Test that the AD bit is set:
207
208    # dig @10.10.0.230 +dnssec www.MYTLD.
209
210    Is it ?
211
212    If not, note that the root manager may not have necessarily signed the
213    root zone with your DS included yet, OR due to the *negative TTL*, the
214    DS record may not be in the cache of the resolver. You may have to wait,
215    but check with your root manager, and you can always check at the root:
216
217    # dig @a.root-servers.net DS mytld.
218
219    ... to verify that the DS is published. Then it's a matter of waiting
220    for the cache to expire on the resolver, before you can verify your
221    signatures.
222
223    Alternatively, don't wait and proceed to enable validation in your own
224    resolver (resolv.grpX.dns.nsrc.org) - see the relevant lab!