Track3Sec: 2.8_dnssec-bind-inline-signing-howto.txt

File 2.8_dnssec-bind-inline-signing-howto.txt, 6.5 KB (added by Fakrul Alam, 6 years ago)
Automated zone INLINE signing with BIND
---------------------------------------

Remember that if you see '#' before a command, it means
you need to run this command as root, either via:

a) sudo -s

b) sudo command

We'll build on the previous labs and enable inline signing on BIND (9.9+).

With inline signing, the original (unsigned) zone file is never modified:
this allows the operator to generate the zone from, for example, a
database dump, and named will just sign it. named keeps the signed copy
in a separate file (mytld.signed) and serves that copy to clients and
to secondaries.

When the unsigned zone is updated (and its serial incremented), named
detects the change and re-signs the affected records.

*** ON YOUR MASTER (auth1) SERVER ***

1. We're going to add a couple of statements to the BIND named.conf
   configuration file to enable inline DNSSEC signing.

   First, edit named.conf under /etc/namedb/, and make the following
   changes:

        zone "mytld" {
            file "/etc/namedb/master/mytld";    // <--- remove ".signed", if there
            type master;
            allow-transfer { key mytld-key; };  // <--- leave it if there
            key-directory "/etc/namedb/keys";   // <--- add this if not done
            auto-dnssec maintain;               // <--- add this if not yet done
            inline-signing yes;                 // <--- add this
            // update-policy local;             // <--- remove if it's there
        };

   key-directory tells named where to find (and manage) the key files,
   auto-dnssec maintain lets named load the keys and refresh signatures
   on its own timers, and inline-signing yes makes it sign a separate
   copy of the zone instead of the file you edit. update-policy local
   was only needed when dynamic updates were the way to get named to
   re-sign; with inline signing you edit the zone file directly.

   Note that newer BIND releases (9.16 and later) replace auto-dnssec
   with the dnssec-policy statement; the syntax above is the one the
   9.9-era releases this lab was written for expect.

   Save and exit.

2. Preparing the keys

   If you've done the manual signing lab from before, you have already
   generated keys, and we can reuse those. Otherwise, we'll generate
   a new set of keys.

   a) If you already have keys (otherwise go to step b)

      We need to make sure the directory has the right permissions
      - since BIND will be managing this, it needs access to the
      files and the directory:

        # chown -R bind /etc/namedb/keys

      Let's look at the keys:

        # cd /etc/namedb/keys/
        # ls -l Kmytld*
        -rw-r--r--  1 bind  wheel   591 Feb 18 15:52 Kmytld.+008+52159.key
        -rw-------  1 bind  wheel  1774 Feb 18 15:52 Kmytld.+008+52159.private
        -rw-r--r--  1 bind  wheel   417 Feb 18 15:52 Kmytld.+008+51333.key
        -rw-------  1 bind  wheel  1010 Feb 18 15:52 Kmytld.+008+51333.private

      The .private files must stay readable only by the bind user (mode
      0600, as above): anyone who can read them can sign records for
      the zone. The file name encodes the zone, the algorithm number
      (+008 = RSASHA256) and the key id (key tag).

      If you have extra ZSKs and KSKs from the manual key rollover
      exercises, delete the oldest ZSK and KSK. Make sure to leave just
      one KSK and one ZSK. If you delete the wrong ones, reconfig with RZM.


   b) If you don't have keys yet:

        # mkdir -p /etc/namedb/keys
        # chown -R bind /etc/namedb/keys
        # cd /etc/namedb/keys

      - Generate the first key pair (Zone Signing Key):

        # dnssec-keygen -a RSASHA256 mytld

        (will output something like:
        Generating key pair......................+++++ + ....
        Kmytld.+008+51333)

      - Generate the second key pair (Key Signing Key):

        # dnssec-keygen -f KSK -a RSASHA256 mytld
        Kmytld.+008+52159

        (once again, some output will show)

      Check that the keys are there:

        # ls -l Kmytld*

      Notice that apart from the algorithm we don't specify any other
      flags (key size, etc.); we're using the defaults for now. The
      -f KSK flag is what sets the SEP bit, so that key's DNSKEY record
      will show flags 257 instead of 256.


3. Now let's take care of the zone file

   If you have made a backup of your zone file, let's copy it back over
   our zone, to start fresh:

        # cd /etc/namedb/master

   Note the serial number currently in "mytld" (the copy below will
   overwrite it):

        # cp mytld.backup mytld

   Increment the serial number in mytld to be higher than what we noted
   above.

   Remove the old .signed zone - BIND will create that automatically!

        # rm mytld.signed

   Again, remember to check in named.conf that you are loading "mytld",
   and *NOT* "mytld.signed".

   We also need to make sure BIND can write in the master directory,
   since named creates the signed copy and its journal there:

        # chown bind /etc/namedb/master

4. Now reconfig the nameserver

        # rndc reconfig

   At this point you should see some new files appear in the master/ dir:

        # cd /etc/namedb/master
        # ls -l

        ...
        -rw-r--r--  1 root  wheel   497 Sep 13 14:56 mytld
        -rw-r--r--  1 root  wheel   497 Sep 12 09:49 mytld.backup
        -rw-r--r--  1 bind  wheel   512 Sep 13 15:04 mytld.jbk
        -rw-r--r--  1 bind  wheel  1331 Sep 13 15:04 mytld.signed
        -rw-r--r--  1 bind  wheel  3581 Sep 13 15:04 mytld.signed.jnl
        ...

   mytld.signed is the signed copy that named serves, and
   mytld.signed.jnl is its journal of incremental changes. Both are
   owned by bind because named, not you, writes them.

   Check that signing did work:

        # rndc signing -list mytld
        Done signing with key 22603/RSASHA1
        Done signing with key 39978/RSASHA1

   (the key ids and algorithm printed are those of your own keys, so
   for the RSASHA256 keys generated above they will differ from this
   sample output)

   Also look in the logs:

        # less /etc/namedb/log/general

        13-Sep-2012 15:04:27.444 reloading configuration succeeded
        13-Sep-2012 15:04:27.450 zone mytld/IN (unsigned): loaded serial 2012022301
        13-Sep-2012 15:04:27.451 any newly configured zones are now loaded
        13-Sep-2012 15:04:27.471 zone mytld/IN (signed): loaded serial 2012022301
        13-Sep-2012 15:04:27.493 zone mytld/IN (signed): receive_secure_serial: unchanged
        13-Sep-2012 15:04:27.501 zone mytld/IN (signed): reconfiguring zone keys
        13-Sep-2012 15:04:27.544 zone mytld/IN (signed): next key event: 13-Sep-2012 16:04:27.501

   Note that named now logs two views of the zone, "(unsigned)" and
   "(signed)", and schedules its own key events.

        # dig @10.10.X.1 mytld NS
        # dig @10.10.X.1 mytld SOA

   (add +dnssec to either query to see the RRSIG records returned
   alongside the answer)

   Note that the signed zone is not stored in a human readable format.

   To see the contents of the signed zone, one can either do a zone
   transfer (axfr) or:

        # named-checkzone -D -f raw -o - mytld mytld.signed | less

5. Changes to the zone

   So how do we update the zone and re-sign it? Simple!

   Let's modify the zone and add a "mail" record with the IP address
   of the auth1 server:

        mail    A       10.10.X.1  ; X is your group

   So edit the zone file "mytld" and add the line above.

   Remember to increment the serial: named only picks up the new version
   of the unsigned zone if its serial is higher than the one it loaded.

   Now, reload the zone. named will automatically re-sign the zone:

        # rndc reload mytld

   Wait a few seconds, then:

        # tail /etc/namedb/log/general

   What do you observe?

        # dig @10.10.X.1 mail.mytld a
        # dig @10.10.X.1 mytld soa

   Notice the serial: named maintains the serial of the signed copy
   itself, so it can differ from the one you typed into "mytld".

6. If you haven't already uploaded the DS record in a previous lab, it's
   time to communicate it to your parent (the root). Otherwise, go to
   step 8.

   (DS = a hash of the Key Signing Key's DNSKEY record; the parent
   publishes it so that validators can extend the chain of trust from
   the root down to your zone.)

   Generate a "DS" from your key:

   Find which key is the key signing key:

        # cd /etc/namedb/keys
        # more Kmytld*key

   Look at which one has "IN DNSKEY 257" (flags 257 = zone key with the
   SEP bit set, i.e. the KSK; the ZSK shows 256). Find the "keyid" and
   replace the string "+008+52159" below with "+008+keyid" where "keyid"
   is the number displayed.

        # dnssec-dsfromkey Kmytld.+008+52159

   Upload the result through the web-based management interface. (See
   the previous BIND manual signing exercise for details.)
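   To make the "keyid" and the DS less of a black box, here is an added
   Python example (mine, not part of the lab and not ISC's code) that
   does by hand what dnssec-dsfromkey does: it parses the DNSKEY line of
   a .key file, computes the key tag (RFC 4034 Appendix B), tells a KSK
   from a ZSK by the SEP flag, and builds the DS record from a SHA-1,
   SHA-256 or SHA-384 digest of the owner name plus DNSKEY RDATA. The
   two key files embedded below are constructed: their "public keys" are
   four dummy bytes, not real RSA keys, so the digests only exercise the
   mechanics; the function names are mine.

```python
# Added example (not from the lab handout): what dnssec-dsfromkey computes.
import base64
import hashlib
from collections import namedtuple

DNSKEY = namedtuple("DNSKEY", "owner flags protocol algorithm public_key")
DIGESTS = {1: "sha1", 2: "sha256", 4: "sha384"}   # DS digest type numbers
SEP_FLAG = 0x0001   # Secure Entry Point bit; a KSK shows flags 257 = 256 | 1


def parse_dnskey_line(line):
    """Parse 'owner [ttl] IN DNSKEY flags proto alg base64...' as written in
    a Kmytld.+008+NNNNN.key file (a trailing ';' comment is ignored)."""
    tokens = line.split(";")[0].split()
    i = tokens.index("DNSKEY")
    flags, proto, alg = (int(t) for t in tokens[i + 1:i + 4])
    pubkey = base64.b64decode("".join(tokens[i + 4:]))
    return DNSKEY(tokens[0], flags, proto, alg, pubkey)


def dnskey_rdata(key):
    """Wire-format DNSKEY RDATA: 2-byte flags, protocol, algorithm, key."""
    return key.flags.to_bytes(2, "big") + bytes([key.protocol, key.algorithm]) + key.public_key


def key_tag(rdata):
    """RFC 4034 Appendix B key tag of the RDATA: this is the 'keyid' in the
    key file name and the first field of a DS or RRSIG record. (The special
    case for obsolete algorithm 1, RSAMD5, is omitted.)"""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def is_ksk(flags):
    return bool(flags & SEP_FLAG)


def name_to_wire(name):
    """Canonical (lowercase) wire form of an owner name: length-prefixed
    labels ending with the root's zero-length label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_record(line, digest_type=2):
    """DS = digest(owner name in wire form || DNSKEY RDATA), RFC 4034 s.5.1.4
    (SHA-1) and RFC 4509 (SHA-256)."""
    key = parse_dnskey_line(line)
    rdata = dnskey_rdata(key)
    digest = hashlib.new(DIGESTS[digest_type], name_to_wire(key.owner) + rdata).hexdigest().upper()
    return "%s IN DS %d %d %d %s" % (key.owner, key_tag(rdata), key.algorithm, digest_type, digest)


def ds_from_keyfiles(contents, digest_type=2):
    """Given the text of each .key file, pick the KSK(s) by the SEP bit and
    return their DS records, i.e. what gets handed to the parent."""
    out = []
    for text in contents:
        for line in text.splitlines():
            if line.startswith(";") or "DNSKEY" not in line:
                continue
            if is_ksk(parse_dnskey_line(line).flags):
                out.append(ds_record(line, digest_type))
    return out


# Constructed stand-ins for Kmytld.+008+NNNNN.key files (dummy 4-byte keys).
KSK_KEYFILE = """\
; This is a key-signing key, keyid 2063, for mytld.
mytld. IN DNSKEY 257 3 8 AQIDBA==
"""
ZSK_KEYFILE = """\
; This is a zone-signing key, keyid 4118, for mytld.
mytld. IN DNSKEY 256 3 8 BQYHCA==
"""

if __name__ == "__main__":
    for ds in ds_from_keyfiles([KSK_KEYFILE, ZSK_KEYFILE]):
        print(ds)
```

   Run against the real Kmytld.+008+keyid.key files, the SHA-256 line it
   prints must match the "DS ... 8 2 ..." line from dnssec-dsfromkey (which
   by default prints a SHA-1 and a SHA-256 DS), and later the answer to
   "dig @a.root-servers.net DS mytld." once the parent has published it.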

7. You should be able to verify this:

        # dig @a.root-servers.net DS mytld.

   The DS at the parent must match the output of dnssec-dsfromkey (same
   key tag, algorithm and digest); if it matches none of your DNSKEYs,
   validators will treat your zone as bogus.

8. After 2 x TTL the changes you observed locally should be visible
   globally. Test this against the validating resolver with:

        # dig @10.10.0.230 mail.mytld a +dnssec +multi
        # dig @10.10.0.230 mytld soa +dnssec +multi
        # dig @10.10.0.230 mytld dnskey +dnssec +multi

   You should see the AD bit set in all cases (look for "ad" in the
   "flags:" line of the response header).