Agenda: quick-dnssec-signing-howto.txt

File quick-dnssec-signing-howto.txt, 4.3 KB (added by regnauld, 8 years ago)
One page howto for signing your DNS zone with DNSSEC
----------------------------------------------------

*** ON YOUR MASTER SERVER ***

1. Change to the directory where the zone resides, normally

        First, verify that DNSSEC is enabled in the options {} block of
        /etc/namedb/named.conf:

        dnssec-enable yes;

        Find the definition for your zone ("MYTLD"), and modify it so it looks like
        this:

zone "MYTLD" {
        file "/etc/namedb/master/MYTLD";
        type master;
        allow-transfer { key mydomain-key; };

        key-directory "/etc/namedb/keys";               // <--- Add this
        auto-dnssec maintain;                           // <--- Add this
        update-policy local;                            // <--- Add this
        // dnssec-secure-to-insecure yes;               // <--- Add this
};

        key-directory tells named where the key files live; auto-dnssec maintain
        lets named sign the zone and refresh signatures and keys on its own (the
        zone becomes a dynamic zone); update-policy local accepts updates from the
        local host signed with the session key that "nsupdate -l" uses. Leave
        dnssec-secure-to-insecure commented out unless you later want to be able
        to delete all DNSKEYs and turn the zone back into an unsigned one.

        Save and exit, and now reconfig the nameserver:

        # rndc reconfig

        Create a directory for the keys:

        # mkdir /etc/namedb/keys
        # chown bind /etc/namedb/keys

        Give ownership of the /etc/namedb/master directory to BIND so it can sign
        your zone and write the signed data (and its journal) back to disk:

        # chown -R bind /etc/namedb/master

        Then go to the keys directory:

        # cd /etc/namedb/keys

2. Generate the first key pair (Zone Signing Key):

    # dnssec-keygen mytld

        (It will output something like:
        Generating key pair......................+++++ + ....
        Kmytld.+005+64860)

        The name is K<zone>.+<algorithm>+<key tag>: 005 is RSASHA1, the default
        algorithm of this dnssec-keygen, and the last number is the key tag that
        RRSIG and DS records use to refer to this key.

3. Generate the second key pair (Key Signing Key):

    # dnssec-keygen -f KSK mytld
    Kmytld.+005+32044

        (once again, some output will show)

4. Let's look at the keys:

    # ls -l Kmytld*
        -rw-r--r--  1 root  wheel   591 Feb 18 15:52 Kmytld.+005+32044.key
        -rw-------  1 root  wheel  1774 Feb 18 15:52 Kmytld.+005+32044.private
        -rw-r--r--  1 root  wheel   417 Feb 18 15:52 Kmytld.+005+64860.key
        -rw-------  1 root  wheel  1010 Feb 18 15:52 Kmytld.+005+64860.private

        The KSK (32044) is the larger pair: dnssec-keygen defaults to 2048 bits
        for a KSK and 1024 for a ZSK. The .key files hold the public DNSKEY
        records; the .private files hold the private keys, and named must be
        able to read BOTH to sign the zone. They were created by root, so hand
        them over to BIND (the .private files are mode 600, so a chgrp alone is
        not enough for them):

        # chgrp bind Kmytld*
        # chmod g+r Kmytld*.private

        Do not make the .private files world-readable.

5. We're ready to sign!

    # rndc sign mytld

        Take a look at the /etc/namedb/log/general log:

        # tail -10 /etc/namedb/log/general

18-Feb-2011 15:57:41.168 set up managed keys zone for view _default, file 'managed-keys.bind'
18-Feb-2011 15:57:41.184 reloading configuration succeeded
18-Feb-2011 15:57:41.193 any newly configured zones are now loaded
18-Feb-2011 15:57:43.666 received control channel command 'sign mytld'
18-Feb-2011 15:57:43.668 zone mytld/IN: reconfiguring zone keys
18-Feb-2011 15:57:43.693 zone mytld/IN: next key event: 19-Feb-2011 03:57:43.693

        If instead you see errors about keys that cannot be read or found, go
        back to step 4 and check the ownership and mode of the key files.

6. Take a look at the signed zone:

        # cd /etc/namedb/master
        # ls -l mytld*

        Notice the ".jnl" file:

        -rw-r--r--  1 bind  wheel   535 Feb 18 14:22 mytld
        -rw-r--r--  1 bind  wheel  3473 Feb 18 15:57 mytld.jnl

        The zone is now DYNAMICALLY managed by BIND: the DNSKEY, RRSIG and NSEC
        records live in the journal, and the zone file on disk is only rewritten
        when named dumps the journal. Never edit the zone file while it is live.

        If you want to make changes, you either need to:

        a) freeze the zone, edit, thaw:

                # rndc freeze mytld
                # vi ...   // remember to increase the serial!
                # rndc thaw mytld

        b) use nsupdate:

                # nsupdate -l
                > update add mail.mytld. 300 A 1.2.3.4
                > send
                > quit

           BIND signs the new record for you; check the log:

        # tail -10 /etc/namedb/log/general

18-Feb-2011 16:07:00.374 client 127.0.0.1#57195: updating zone 'mytld/IN': adding an RR at 'mail.mytld' A


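The serial reminder in step 6a is easy to get wrong by hand. The following Python script is an added example (not part of this howto and not a BIND tool) that bumps the SOA serial of a frozen zone file in RFC 1982 serial arithmetic, whether the SOA is written on one line or spread over several lines with comments. The zone file it embeds is constructed for the example, and mytld. is this page's placeholder zone; the file name bump_serial.py in the usage comment is a name chosen here.

```python
"""Bump the SOA serial of a zone file before "rndc thaw".

Added example for this howto (not part of the original page, not a BIND
tool). A zone under "auto-dnssec maintain" must be frozen before it is
edited by hand, and the serial must go up or named will neither load the
edit nor re-sign the zone. This helper finds the serial wherever the SOA
puts it (single-line or parenthesised multi-line form, comments allowed)
and increments it in serial arithmetic (RFC 1982: modulo 2^32). The zone
text below is constructed for the example; mytld. is the howto's placeholder.
"""
import re

# Constructed zone file in the multi-line SOA style most hand-written zones use.
SAMPLE_ZONE = """$TTL 3600
mytld.  IN SOA ns1.mytld. hostmaster.mytld. (
                2011021800  ; serial
                3600        ; refresh
                900         ; retry
                1209600     ; expire
                3600 )      ; minimum
        IN NS  ns1.mytld.
ns1     IN A   10.10.0.1
"""


def find_serial(zone_text):
    """Locate the SOA serial: returns (line_no, start, end, value).

    Walks the tokens after "SOA", skips MNAME and RNAME, and takes the next
    numeric token, so it does not matter how the record is split over lines.
    Text after ';' is a comment and is ignored.
    """
    state = 0        # 0 = before SOA, 1 = inside the SOA RDATA
    skip = 0         # MNAME and RNAME still to skip
    for line_no, line in enumerate(zone_text.splitlines()):
        code = line.split(";", 1)[0]
        for m in re.finditer(r"\S+", code):
            tok = m.group()
            if state == 0:
                if tok.upper() == "SOA":
                    state, skip = 1, 2
                continue
            tok = tok.lstrip("(")          # "(" may be glued to a field
            if not tok:
                continue
            if skip:
                skip -= 1
                continue
            if not tok.isdigit():
                raise ValueError(f"expected a serial after SOA, found {tok!r}")
            return line_no, m.end() - len(tok), m.end(), int(tok)
    raise ValueError("no SOA record found")


def bump_serial(zone_text, new_serial=None):
    """Return (new_text, old_serial, new_serial).

    Default is old + 1 modulo 2**32. An explicit new_serial must be "greater"
    in RFC 1982 serial arithmetic, i.e. 0 < (new - old) mod 2**32 < 2**31,
    otherwise slaves would consider their copy newer and never transfer.
    """
    line_no, start, end, old = find_serial(zone_text)
    if new_serial is None:
        new_serial = (old + 1) % 2**32
    elif not 0 < (new_serial - old) % 2**32 < 2**31:
        raise ValueError(f"{new_serial} is not greater than {old} in serial arithmetic")
    lines = zone_text.splitlines(keepends=True)
    lines[line_no] = lines[line_no][:start] + str(new_serial) + lines[line_no][end:]
    return "".join(lines), old, new_serial


def next_date_serial(old, today):
    """YYYYMMDDnn convention: first slot of today, or old + 1 if today is in use."""
    candidate = int(today) * 100
    return candidate if candidate > old else old + 1


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:           # python3 bump_serial.py /etc/namedb/master/mytld
        path = sys.argv[1]
        with open(path) as f:
            text, old, new = bump_serial(f.read())
        with open(path, "w") as f:
            f.write(text)
    else:                            # no argument: demonstrate on the constructed zone
        text, old, new = bump_serial(SAMPLE_ZONE)
        print(text, end="")
    print(f"serial {old} -> {new}")
```

Run it on the zone file between "rndc freeze mytld" and "rndc thaw mytld"; the in-place edit keeps the rest of the file byte for byte, so a diff against the previous copy shows only the serial change.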
Now we need to include the DS in the parent zone!

        (DS = a hash of the Key Signing Key's DNSKEY record, together with its
        key tag and algorithm; the parent publishes it so that validators can
        trust your KSK.)

7. Generate a "DS" from your key:

        Find which key is the key signing key:

        # cd /etc/namedb/keys
        # more Kmytld*.key

        Look at which one has "IN DNSKEY 257" (257 = KSK, 256 = ZSK).

        # dnssec-dsfromkey Kmytld.+005+32044 > dsset-mytld.

        REMEMBER the dot! (The file name follows the dsset-<zone>. convention
        that dnssec-signzone uses.) Without -a, dnssec-dsfromkey prints one DS
        per digest type it supports; the SHA-256 one (digest type 2) is the one
        you want the parent to publish.

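The following Python script is an added example, not part of this howto and not BIND code: it recomputes the key tag that dnssec-keygen encodes in the file name (the last number in Kmytld.+005+32044, see steps 2 to 4), picks the KSK by its 257 flag, and builds the DS record the way dnssec-dsfromkey does, so you can check that the dsset you are about to upload really belongs to your KSK and not to the ZSK. The two .key files embedded in it are constructed with a toy public key (AQAB) and are not real zone keys; mytld. is the placeholder zone name from this page.

```python
"""Key tag, KSK/ZSK selection and DS record from BIND .key files.

Added example for this howto, not part of the original page and not a BIND
tool. It recomputes what dnssec-keygen puts in the file name
(K<zone>.+<alg>+<keytag>, e.g. Kmytld.+005+32044) and what dnssec-dsfromkey
prints, so you can check that the dsset you upload really belongs to the
KSK (flags 257) and not the ZSK (256). The two .key files below are
constructed with a tiny toy RSA public key ("AQAB"); they are not real zone
keys, and "mytld." is the howto's placeholder zone.
"""
import base64
import hashlib
import struct

# Constructed .key file contents in the format dnssec-keygen writes.
# Flags: 257 = KSK (SEP bit), 256 = ZSK.  Protocol is always 3.
# Algorithm 5 = RSASHA1, which is the "+005+" in the howto's file names.
KSK_FILE = """; This is a key-signing key, keyid 1542, for mytld.
mytld. IN DNSKEY 257 3 5 AQAB
"""
ZSK_FILE = """; This is a zone-signing key, keyid 1541, for mytld.
mytld. IN DNSKEY 256 3 5 AQAB
"""


def parse_dnskey(text):
    """Return (owner, flags, protocol, algorithm, pubkey_bytes) from a .key file."""
    for line in text.splitlines():
        tok = line.split(";", 1)[0].split()      # drop comments, tokenize
        if "DNSKEY" not in tok:
            continue
        i = tok.index("DNSKEY")
        flags, proto, alg = int(tok[i + 1]), int(tok[i + 2]), int(tok[i + 3])
        pub = base64.b64decode("".join(tok[i + 4:]))   # key may be split in chunks
        return tok[0], flags, proto, alg, pub
    raise ValueError("no DNSKEY record in key file")


def dnskey_rdata(flags, proto, alg, pub):
    """DNSKEY RDATA in wire form (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, proto, alg) + pub


def key_tag(rdata):
    """Key tag of a DNSKEY, RFC 4034 Appendix B (not valid for alg 1, RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def is_ksk(flags):
    """KSK = Zone Key flag (0x0100) plus SEP flag (0x0001): 257, not 256."""
    return flags & 0x0100 != 0 and flags & 0x0001 != 0


def key_filename(owner, alg, tag):
    """Base name dnssec-keygen uses for the key pair files."""
    return f"K{owner}+{alg:03d}+{tag:05d}"


def owner_wire(name):
    """Canonical wire form of the owner name: lowercase, length-prefixed labels."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_record(owner, flags, proto, alg, pub, digest_type=2):
    """DS RR text as dnssec-dsfromkey prints it (type 2 = SHA-256, 1 = SHA-1)."""
    rdata = dnskey_rdata(flags, proto, alg, pub)
    h = hashlib.sha256 if digest_type == 2 else hashlib.sha1
    digest = h(owner_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {alg} {digest_type} {digest}"


def find_ksk(key_files):
    """Given {filename: contents}, return the single KSK file, as step 7 asks."""
    ksks = [n for n, text in key_files.items() if is_ksk(parse_dnskey(text)[1])]
    if len(ksks) != 1:
        raise ValueError(f"expected exactly one KSK, found {ksks}")
    return ksks[0]


if __name__ == "__main__":
    files = {"Kmytld.+005+01542.key": KSK_FILE, "Kmytld.+005+01541.key": ZSK_FILE}
    ksk = find_ksk(files)
    owner, flags, proto, alg, pub = parse_dnskey(files[ksk])
    tag = key_tag(dnskey_rdata(flags, proto, alg, pub))
    print("KSK file:", ksk, "->", key_filename(owner, alg, tag))
    print(ds_record(owner, flags, proto, alg, pub))   # what belongs in dsset-mytld.
```

To check a real dsset, read your Kmytld.+005+32044.key into parse_dnskey() and compare the output of ds_record() with the SHA-256 line in dsset-mytld.; the key tag in the DS must match the number in the KSK file name.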
8. Upload the dsset for your zone (containing the hash of your KSK) to the
   lab's root (parent) auth server:

        # scp dsset-mytld. adm@rootserv.ws.nsrc.org:

        The password is 'nsrcws'

9. Tell the instructor you have done so!

        The instructor will include the DS-set in the root and re-sign the zone.

*** ON THE RESOLVER (performed by the instructor) ***


10. Grab the root key

        NOTE: This is only for the purpose of this lab - on the Internet,
        you would simply use "unbound-anchor" to download the real root.key,
        set "auto-trust-anchor-file:" in unbound.conf, and let unbound update
        the key when necessary (RFC 5011 trust anchor tracking).

        In this lab:

        # scp adm@10.10.0.203:root.key  /usr/local/etc/unbound/root.key

        Edit the /usr/local/etc/unbound/unbound.conf file:

        Find the "trust-anchor-file:" line, and change it from:

        # trust-anchor-file: ""

        to

        trust-anchor-file: "/usr/local/etc/unbound/root.key"

11. Reload the nameserver

        # /usr/local/etc/rc.d/unbound restart

12. dig @localhost +dnssec mytld. SOA

        What do you notice? (Look for the "ad" flag in the header and the RRSIG
        next to the SOA in the answer section; then try again without +dnssec.)