Automating inline signing of your zone with BIND
We’ll build on the previous labs and enable inline signing on BIND (9.9+).
When doing inline signing, the original zone file is never modified: this allows the operator to, for example, generate the zone from a database dump, and BIND will just sign it. When the unsigned zone is updated, BIND (named) detects the changes and re-signs.
named.conf
We’re going to add a couple of statements to the BIND named.conf configuration file to enable inline DNSSEC signing.
First, edit /etc/bind/named.conf.local and make the following changes:
zone "MYTLD" {
    file "/etc/bind/zones/mytld/mytld";   // <--- !!! REMOVE ".signed" if it is there
    type master;
    allow-transfer { key MYTLD-key; };    // <--- leave it if it is there
    key-directory "/etc/bind/keys";       // <--- add this if not done
    auto-dnssec maintain;                 // <--- add this if not yet done
    inline-signing yes;                   // <--- add this
    // update-policy local;               // <--- remove if it's there
};
Save and exit.
*** Do make sure you have changed the configuration above to load the mytld file and NOT mytld.signed! ***
We’re going to move the keys to a dedicated directory (the key-directory set above): we want the keys to be managed separately from the zone data, which is good practice.
Let’s create the directory:
$ sudo mkdir /etc/bind/keys
Now we need to move all keys from the zone directory:
$ sudo mv /etc/bind/zones/mytld/K* /etc/bind/keys/
And make sure it has the right permissions:
$ sudo chown -R bind /etc/bind/keys
Let’s look at the keys:
$ cd /etc/bind/keys/
$ ls -lt Kmytld*
-rw-r--r-- 1 bind wheel 591 Feb 18 15:52 Kmytld.+008+52159.key
-rw------- 1 bind wheel 1774 Feb 18 15:52 Kmytld.+008+52159.private
-rw-r--r-- 1 bind wheel 417 Feb 18 15:52 Kmytld.+008+51333.key
-rw------- 1 bind wheel 1010 Feb 18 15:52 Kmytld.+008+51333.private
$ cd /etc/bind/zones/mytld
Increment the serial number in mytld (you know how to do this now), then save the file.
Remove the old .signed zone file; BIND will create it automatically!
$ sudo rm mytld.signed
Finally, and this is important, you need to REMOVE the $INCLUDE statements at the end of the zone file; BIND will take care of finding the keys in the key directory.
$ sudo editor mytld
… and at the end of the file, REMOVE these lines:
$INCLUDE "/etc/bind/zones/mytld/Kmytld.+008+07096.key" ;
$INCLUDE "/etc/bind/zones/mytld/Kmytld.+008+44358.key" ;
Save and exit.
/etc/bind/named.conf.local
Again, check that you are loading mytld, and NOT mytld.signed.
We need to make sure BIND can write to the zone directory as well (it creates the .signed file and the journals there):
$ sudo chown bind /etc/bind/zones/mytld
$ sudo rndc reconfig
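The preparation steps above (move the keys out of the zone directory, strip the $INCLUDE lines, bump the serial, delete the stale .signed file, fix ownership, then rndc reconfig) as one re-runnable POSIX shell script. This is an added example, not part of the lab or of BIND: it assumes the lab's paths (/etc/bind/zones/mytld, /etc/bind/keys, the bind user) and a zone file whose SOA serial is the first integer after the SOA keyword, and the sample zone it rehearses on is constructed here.

```shell
#!/bin/sh
# Added example, not part of the lab: the "prepare the unsigned zone for
# inline signing" steps from this page as re-runnable shell functions.
# Without arguments it rehearses the steps on a scratch copy (constructed
# sample zone below) so the logic can be checked without a running named;
# with the argument "apply" it runs them against the lab paths, as root.
set -eu

# Move K*.key / K*.private files from the zone directory into the
# dedicated key directory (BIND's key-directory) and give them to $owner.
relocate_keys() {
    zonedir=$1
    keydir=$2
    owner=$3
    mkdir -p "$keydir"
    for k in "$zonedir"/K*; do
        [ -e "$k" ] || continue     # glob did not match: nothing to move
        mv "$k" "$keydir"/
    done
    # ownership changes need root; tolerate failure during a rehearsal
    chown -R "$owner" "$keydir" 2>/dev/null || true
}

# Drop the $INCLUDE lines that pulled the public keys into the zone file;
# with inline-signing, named picks the keys up from key-directory itself.
strip_includes() {
    sed '/^\$INCLUDE/d' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Print the SOA serial: the first integer field after the SOA keyword,
# on the same line or (for the usual multi-line "(" form) a later one.
zone_serial() {
    awk '
        /[ \t]SOA[ \t]/ && !seen { seen = 1; for (i = 1; i <= NF; i++) if ($i == "SOA") start = i + 1 }
        seen { for (i = start; i <= NF; i++) if ($i ~ /^[0-9]+$/) { print $i; exit }; start = 1 }
    ' "$1"
}

# Increment that serial in place. Only the line holding the serial is
# rewritten (awk normalises its whitespace to single spaces).
bump_serial() {
    old=$(zone_serial "$1")
    [ -n "$old" ] || { echo "no SOA serial found in $1" >&2; return 1; }
    new=$(( old + 1 ))
    awk -v old="$old" -v new="$new" '
        /[ \t]SOA[ \t]/ { seen = 1 }
        seen && !done { for (i = 1; i <= NF; i++) if ($i == old) { $i = new ""; done = 1; break } }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# $1 zone dir, $2 zone file name, $3 key dir, $4 owner of keys and zone dir
prepare_zone() {
    relocate_keys "$1" "$3" "$4"
    strip_includes "$1/$2"
    bump_serial "$1/$2"
    rm -f "$1/$2.signed"                  # named recreates the signed copy
    chown "$4" "$1" 2>/dev/null || true   # named writes .signed/.jnl here
}

if [ "${1-}" = "apply" ]; then
    prepare_zone /etc/bind/zones/mytld mytld /etc/bind/keys bind
    rndc reconfig
else
    # rehearsal on a constructed sample zone carrying the lab's $INCLUDE tail
    tmp=$(mktemp -d)
    mkdir -p "$tmp/zones/mytld"
    cat > "$tmp/zones/mytld/mytld" <<'EOF'
$TTL 3600
@ IN SOA ns1.mytld. hostmaster.mytld. (
        2012022301 ; serial
        3600 1800 604800 3600 )
@       IN NS ns1.mytld.
ns1     A  10.1.1.1
$INCLUDE "/etc/bind/zones/mytld/Kmytld.+008+07096.key" ;
$INCLUDE "/etc/bind/zones/mytld/Kmytld.+008+44358.key" ;
EOF
    touch "$tmp/zones/mytld/Kmytld.+008+07096.key" "$tmp/zones/mytld/Kmytld.+008+07096.private"
    prepare_zone "$tmp/zones/mytld" mytld "$tmp/keys" "$(id -un)"
    echo "serial now $(zone_serial "$tmp/zones/mytld/mytld"); keys: $(ls "$tmp/keys" | tr '\n' ' ')"
fi
```

Run it without arguments first: it only touches a scratch directory and prints the bumped serial and the relocated key files, which is the state the real zone directory should be in before rndc reconfig. The awk serial logic deliberately skips a TTL that may precede SOA on the same line, so it works for both the one-line and the parenthesised SOA form.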
At this point you should see some new files appear in the zone directory:
$ cd /etc/bind/zones/mytld
$ ls -l
...
-rw-r--r-- 1 root wheel 497 Sep 13 14:56 MYTLD
-rw-r--r-- 1 root wheel 497 Sep 12 09:49 MYTLD.backup
-rw-r--r-- 1 bind wheel 512 Sep 13 15:04 MYTLD.jbk
-rw-r--r-- 1 bind wheel 1331 Sep 13 15:04 MYTLD.signed
-rw-r--r-- 1 bind wheel 3581 Sep 13 15:04 MYTLD.signed.jnl
...
Check that signing worked:
$ sudo rndc signing -list mytld
Done signing with key 52159/RSASHA256
Done signing with key 51333/RSASHA256
Also look in the logs:
$ less /etc/bind/log/general
13-Sep-2012 15:04:27.444 reloading configuration succeeded
13-Sep-2012 15:04:27.450 zone mytld/IN (unsigned): loaded serial 2012022301
13-Sep-2012 15:04:27.451 any newly configured zones are now loaded
13-Sep-2012 15:04:27.471 zone mytld/IN (signed): loaded serial 2012022301
13-Sep-2012 15:04:27.493 zone mytld/IN (signed): receive_secure_serial: unchanged
13-Sep-2012 15:04:27.501 zone mytld/IN (signed): reconfiguring zone keys
13-Sep-2012 15:04:27.544 zone mytld/IN (signed): next key event: 13-Sep-2012 16:04:27.501
Use dig to verify that DNSSEC records have appeared in the zone:
$ dig @10.X.1.1 mytld NS +dnssec
$ dig @10.X.1.1 mytld SOA +dnssec
Note that the signed zone is not stored in a human-readable format (it is written as a raw-format file).
To see the contents of the signed zone, one can either do a zone transfer (axfr), or:
$ sudo rndc sync
$ named-checkzone -D -f raw -o - mytld /etc/bind/zones/mytld/mytld.signed | less
So how do we update the zone and re-sign it? Simple!
Let’s modify the zone and add a “mail” record with the IP address of the ns1 server:
mail A 10.X.2.1 ; X is your group
So edit the zone file mytld and add the line above. Remember to increment the serial.
Now, reload the zone; named will automatically re-sign it:
$ sudo rndc reload mytld
Wait a few seconds, then:
$ tail /etc/bind/log/general
What do you observe?
$ dig @10.X.1.1 mail.mytld A +dnssec
$ dig @10.X.1.1 mytld SOA
Notice the serial.
$ dig @10.0.0.252 mail.mytld A +dnssec +multi
$ dig @10.0.0.252 mytld SOA +dnssec +multi
$ dig @10.0.0.252 mytld DNSKEY +dnssec +multi
You should see the AD bit set in all cases.
Do you notice anything about the size of the DNSKEY response?
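The checks the dig queries above ask you to make by eye (is the AD bit set, did RRSIGs appear, how big is the response) as a small report that runs over dig text output. This is an added example, not part of the lab or of BIND or dig; the two sample dig outputs embedded in it are constructed (the signature bytes are a placeholder), and the query targets 10.0.0.252 and mail.mytld are the lab's.

```shell
#!/bin/sh
# Added example, not part of the lab: summarise `dig ... +dnssec` output.
# Reports the AD flag (did the resolver validate?), the number of RRSIG
# records in the answer section, and the message size dig reported.
set -eu

# Read dig output on stdin, print "ad=<0|1> rrsig=<n> size=<bytes>".
dnssec_report() {
    awk '
        # header flags line, e.g. ";; flags: qr rd ra ad; QUERY: 1, ..."
        /^;; flags:/ { ad = ($0 ~ /flags:[^;]* ad[ ;]/) ? 1 : 0 }
        /^;; ANSWER SECTION:/ { inans = 1; next }
        /^;;/ { inans = 0 }                 # any other ";;" line ends the section
        inans && /[ \t]RRSIG[ \t]/ { rrsig++ }
        /^;; MSG SIZE/ { sub(/.*rcvd: */, ""); size = $0 + 0 }
        END { printf "ad=%d rrsig=%d size=%d\n", ad, rrsig, size }
    '
}

# Exit 0 only when the answer was validated (AD set) and actually signed.
dnssec_ok() {
    dnssec_report | grep -q '^ad=1 rrsig=[1-9]'
}

# Constructed sample: a validated, signed A answer from the lab resolver
# (the RRSIG data is a placeholder, not a real signature).
SAMPLE_VALIDATED='; <<>> DiG <<>> @10.0.0.252 mail.mytld A +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41337
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;mail.mytld.                    IN      A

;; ANSWER SECTION:
mail.mytld.             3600    IN      A       10.1.2.1
mail.mytld.             3600    IN      RRSIG   A 8 2 3600 20121013150427 20120913150427 51333 mytld. PLACEHOLDERsignatureDATA==

;; Query time: 1 msec
;; SERVER: 10.0.0.252#53(10.0.0.252)
;; MSG SIZE  rcvd: 214'

# Constructed sample: the same name asked without DNSSEC (no DO bit,
# no AD flag, no RRSIG), i.e. what an unvalidated answer looks like.
SAMPLE_UNSIGNED=';; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;mail.mytld.                    IN      A

;; ANSWER SECTION:
mail.mytld.             3600    IN      A       10.1.2.1

;; MSG SIZE  rcvd: 55'

if [ "${1-}" = "live" ]; then
    shift                       # e.g.: sh check.sh live @10.0.0.252 mytld DNSKEY
    dig "$@" +dnssec | dnssec_report
else
    printf '%s\n' "$SAMPLE_VALIDATED" | dnssec_report
    printf '%s\n' "$SAMPLE_UNSIGNED" | dnssec_report
fi
```

Two things to keep in mind when reading the report. The AD flag is set by a validating resolver (10.0.0.252 in this lab), never by the authoritative server you query at 10.X.1.1, which answers with AA instead, so ad=0 from the authoritative server is expected and only rrsig tells you the zone is signed. The size field is why the DNSKEY query stands out: an RRset carrying RSA public keys plus its RRSIGs is far larger than an ordinary answer and beyond the classic 512-byte UDP limit, which is why the OPT pseudosection (EDNS, udp: 4096) has to be present for it to arrive in one piece.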