| 1 | *** ON YOUR AUTHORITATIVE SERVER AUTH1 *** |
|---|
| 2 | |
|---|
| 3 | 1. Change to the directory where the zone resides, and make a backup |
|---|
| 4 | of the zone (assuming it's called "mytld"), just in case |
|---|
| 5 | |
|---|
| 6 | # cd /etc/namedb/master |
|---|
| 7 | # cp mytld mytld.backup |
|---|
| 8 | |
|---|
| 9 | Also create a directory for the keys to live in, and let's create them |
|---|
| 10 | |
|---|
| 11 | # mkdir /etc/namedb/keys |
|---|
| 12 | # chown bind /etc/namedb/keys |
|---|
| 13 | |
|---|
| 14 | # cd /etc/namedb/keys |
|---|
| 15 | |
|---|
| 16 | 2. Generate first key pair (Zone Signing Key - ZSK) |
|---|
| 17 | |
|---|
| 18 | # dnssec-keygen -a RSASHA256 -b 1024 -n ZONE mytld |
|---|
| 19 | |
|---|
| 20 | You should see an output like: |
|---|
| 21 | Kmytld.+008+51333 |
|---|
| 22 | |
|---|
| 23 | Write this down as the ZSK. |
|---|
| 24 | |
|---|
| 25 | 4. Generate second key pair (Key Signing Key - KSK) |
|---|
| 26 | |
|---|
| 27 | # dnssec-keygen -f KSK -a RSASHA256 -b 2048 -n ZONE mytld |
|---|
| 28 | |
|---|
| 29 | You should see an output like: |
|---|
| 30 | Kmytld.+008+52159 |
|---|
| 31 | |
|---|
| 32 | Write this down KSK. |
|---|
| 33 | |
|---|
| 34 | 4. Let's look at the keys: |
|---|
| 35 | |
|---|
| 36 | # ls -l Kmytld.+008+* |
|---|
| 37 | -rw-r--r-- 1 root wheel 417 Nov 29 00:07 Kmytld.+008+51333.key |
|---|
| 38 | -rw------- 1 root wheel 1012 Nov 29 00:07 Kmytld.+008+51333.private |
|---|
| 39 | -rw-r--r-- 1 root wheel 590 Nov 29 00:07 Kmytld.+008+52159.key |
|---|
| 40 | -rw------- 1 root wheel 1776 Nov 29 00:07 Kmytld.+008+52159.private |
|---|
| 41 | |
|---|
| 42 | 4. Add the public keys to the end of the zone file: |
|---|
| 43 | |
|---|
| 44 | Edit the zone file for "mytld" and add the keys at the end: |
|---|
| 45 | |
|---|
| 46 | # cd /etc/namedb/master |
|---|
| 47 | |
|---|
| 48 | (edit the file "mytld" or whatever name you picked, and add the |
|---|
| 49 | lines corresponding to your keys) |
|---|
| 50 | |
|---|
| 51 | ; Keys to be published in DNSKEY RRset |
|---|
| 52 | |
|---|
| 53 | $include "/etc/namedb/keys/Kmytld.+008+51333.key" ; ZSK |
|---|
| 54 | $include "/etc/namedb/keys/Kmytld.+008+52159.key" ; KSK |
|---|
| 55 | |
|---|
| 56 | (Yes. the "$" must be in column 1) |
|---|
| 57 | |
|---|
| 58 | **** Increment the serial number. *** |
|---|
| 59 | |
|---|
| 60 | Save and exit. |
|---|
| 61 | |
|---|
| 62 | 5. Sign the zone with the keys |
|---|
| 63 | |
|---|
| 64 | # cd /etc/namedb/keys |
|---|
| 65 | # dnssec-signzone -x -o mytld -k Kmytld.+008+52159 ../master/mytld Kmytld.+008+51333 |
|---|
| 66 | |
|---|
| 67 | The first key is the KSK and the second the ZSK. |
|---|
| 68 | |
|---|
| 69 | You should see as output: |
|---|
| 70 | |
|---|
| 71 | Verifying the zone using the following algorithms: RSASHA1. |
|---|
| 72 | Zone signing complete: |
|---|
| 73 | Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked |
|---|
| 74 | ZSKs: 1 active, 0 stand-by, 0 revoked |
|---|
| 75 | ../master/mytld.signed |
|---|
| 76 | |
|---|
| 77 | The signed zone has been written out in the master/ directory, |
|---|
| 78 | so let's check it out: |
|---|
| 79 | |
|---|
| 80 | # cd /etc/namedb/master/ |
|---|
| 81 | # ls -l mytld* |
|---|
| 82 | |
|---|
| 83 | -rw-r--r-- 1 root wheel 292 Nov 29 00:08 mytld |
|---|
| 84 | -rw-r--r-- 1 root wheel 4294 Nov 29 00:20 mytld.signed |
|---|
| 85 | |
|---|
| 86 | Take a look at the zone contents, and observe the new records and |
|---|
| 87 | signatures. You could use: |
|---|
| 88 | |
|---|
| 89 | # less mytld.signed |
|---|
| 90 | |
|---|
| 91 | 6. Notice that a set of DS records has been generated, and is ready to |
|---|
| 92 | be communicated to your parent zone: |
|---|
| 93 | |
|---|
| 94 | # cd /etc/namedb/keys/ |
|---|
| 95 | # ls -l dsset-* |
|---|
| 96 | |
|---|
| 97 | -rw-r--r-- 1 root wheel 155 Nov 29 00:22 dsset-mytld. |
|---|
| 98 | |
|---|
| 99 | Look at the contents of the dsset: |
|---|
| 100 | |
|---|
| 101 | # cat dsset-mytld. |
|---|
| 102 | |
|---|
| 103 | 7. Change the /etc/namedb/named.conf definition that loads the zone, |
|---|
| 104 | to point to the signed zone: |
|---|
| 105 | |
|---|
| 106 | zone "mytld" { |
|---|
| 107 | type master; |
|---|
| 108 | file "/etc/namedb/master/mytld.signed"; // load the signed zone |
|---|
| 109 | }; |
|---|
| 110 | |
|---|
| 111 | 8. Also in the named.conf, enable dnssec (for the authoritative part): |
|---|
| 112 | |
|---|
| 113 | ... in the options { .. }; section, add the following |
|---|
| 114 | |
|---|
| 115 | dnssec-enable yes; |
|---|
| 116 | |
|---|
| 117 | 9. Reconfigure/restart your nameserver |
|---|
| 118 | |
|---|
| 119 | # rndc reconfig |
|---|
| 120 | |
|---|
| 121 | # rndc reload |
|---|
| 122 | |
|---|
| 123 | 10. Test that the nameserver is answering with DNSSEC records: |
|---|
| 124 | |
|---|
| 125 | # dig @127.0.0.1 mytld SOA +dnssec |
|---|
| 126 | |
|---|
| 127 | 11. Now you need to make sure that your slave has ALSO configured their |
|---|
| 128 | nameserver to enable dnssec in their configuration (step 8). They |
|---|
| 129 | should have done it since they are working on the same lab, but check |
|---|
| 130 | anyway! |
|---|
| 131 | |
|---|
| 132 | To test: |
|---|
| 133 | |
|---|
| 134 | # dig @10.10.Y.2 mytld SOA +dnssec |
|---|
| 135 | |
|---|
| 136 | ... where Y is the IP of the partner you picked to be slave for your |
|---|
| 137 | domain. |
|---|
| 138 | |
|---|
| 139 | 12. You now need to communicate the DS to your parent |
|---|
| 140 | |
|---|
| 141 | Go to https://rzm.dnssek.org/ |
|---|
| 142 | |
|---|
| 143 | Login (you should have signed up earlier) |
|---|
| 144 | |
|---|
| 145 | Under "Trust Anchor Details" you should see that the DS has |
|---|
| 146 | been automatically calculated from your published DNSKEY. |
|---|
| 147 | |
|---|
| 148 | It is NOT automatically activated - the only thing |
|---|
| 149 | RZM has done is "see" the DNSKEY you have published |
|---|
| 150 | and is waiting for your confirmation to include the |
|---|
| 151 | calculated DS in the parent zone. |
|---|
| 152 | |
|---|
| 153 | Match these with your actual DS record found here: |
|---|
| 154 | |
|---|
| 155 | # cat /etc/namedb/keys/dsset-mytld. |
|---|
| 156 | |
|---|
| 157 | Then click on either or both "eye" icons (only |
|---|
| 158 | one trust anchor is needed) till you get a "check" and then |
|---|
| 159 | click "Update" to commit and then "logout". |
|---|
| 160 | |
|---|
| 161 | It mat take a minute for the DS records to propagate through the class |
|---|
| 162 | root system (update the unsigned root zone file, sign it, publish on |
|---|
| 163 | root servers, loaded into caching resolver...etc) |
|---|
| 164 | Once you are certain that the DS is included in the parent zone, |
|---|
| 165 | using dig: |
|---|
| 166 | |
|---|
| 167 | dig @a.root-servers.net DS mytld. |
|---|
| 168 | |
|---|
| 169 | ... then you can begin to test validation! |
|---|
| 170 | |
|---|
| 171 | 13. Test that the AD bit is set: |
|---|
| 172 | |
|---|
| 173 | # dig @10.10.0.230 +dnssec www.MYTLD. |
|---|
| 174 | |
|---|
| 175 | Is it ? |
|---|
| 176 | |
|---|
| 177 | If not, note that the root manager may not have necessarily signed the |
|---|
| 178 | root zone with your DS included yet, OR due to the *negative TTL*, the |
|---|
| 179 | DS record may not be in the cache of the resolver. You may have to wait, |
|---|
| 180 | but check with your root manager, and you can always check at the root: |
|---|
| 181 | |
|---|
| 182 | # dig @a.root-servers.net DS mytld. |
|---|
| 183 | |
|---|
| 184 | ... to verify that the DS is published. Then it's a matter of waiting |
|---|
| 185 | for the cache to expire on the resolver, before you can verify your |
|---|
| 186 | signatures. |
|---|
| 187 | |
|---|
| 188 | Alternatively, don't wait and proceed to enable validation in your own |
|---|
| 189 | resolver (resolv.grpX.dns.nsrc.org) - see the relevant lab! |
|---|
