| 1 | *** ON YOUR AUTHORITATIVE SERVER *** |
|---|
| 2 | |
|---|
| 3 | 1. Change to the directory where the zone resides, and make a backup |
|---|
| 4 | of the zone (assuming it's called "mytld"), just in case |
|---|
| 5 | |
|---|
| 6 | # cd /etc/namedb/master |
|---|
| 7 | # cp mytld mytld.backup |
|---|
| 8 | |
|---|
| 9 | 2. Generate first key pair (Zone Signing Key) |
|---|
| 10 | |
|---|
| 11 | # dnssec-keygen -a RSASHA1 -b 1024 -n ZONE mytld |
|---|
| 12 | Kmytld.+005+51333 |
|---|
| 13 | |
|---|
| 14 | 3. Generate second key pair (Key Signing Key) |
|---|
| 15 | |
|---|
| 16 | # dnssec-keygen -f KSK -a RSASHA1 -b 1280 -n ZONE mytld |
|---|
| 17 | Kmytld.+005+52159 |
|---|
| 18 | |
|---|
| 19 | 4. Let's look at the keys: |
|---|
| 20 | |
|---|
| 21 | # ls -l Kmytld.+005+5* |
|---|
| 22 | -rw-r--r-- 1 root wheel 203 Nov 29 00:07 Kmytld.+005+51333.key |
|---|
| 23 | -rw------- 1 root wheel 937 Nov 29 00:07 Kmytld.+005+51333.private |
|---|
| 24 | -rw-r--r-- 1 root wheel 247 Nov 29 00:07 Kmytld.+005+52159.key |
|---|
| 25 | -rw------- 1 root wheel 1125 Nov 29 00:07 Kmytld.+005+52159.private |
|---|
| 26 | |
|---|
| 27 | 4. Add the public keys to the end of the zone file: |
|---|
| 28 | |
|---|
| 29 | # cat >> mytld |
|---|
| 30 | |
|---|
| 31 | ; Keys to be published in DNSKEY RRset |
|---|
| 32 | |
|---|
| 33 | $include "Kmytld.+005+51333.key" ; ZSK |
|---|
| 34 | $include "Kmytld.+005+52159.key" ; KSK |
|---|
| 35 | ^D |
|---|
| 36 | |
|---|
| 37 | 5. Sign the zone with the keys |
|---|
| 38 | |
|---|
| 39 | # cd /etc/namedb/master |
|---|
| 40 | # dnssec-signzone -g -o mytld -k Kmytld.+005+52159 mytld Kmytld.+005+51333 |
|---|
| 41 | Verifying the zone using the following algorithms: RSASHA1. |
|---|
| 42 | Zone signing complete: |
|---|
| 43 | Algorithm: RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked |
|---|
| 44 | ZSKs: 1 active, 0 stand-by, 0 revoked |
|---|
| 45 | mytld.signed |
|---|
| 46 | |
|---|
| 47 | # ls -l mytld* |
|---|
| 48 | -rw-r--r-- 1 root wheel 292 Nov 29 00:08 mytld |
|---|
| 49 | -rw-r--r-- 1 root wheel 4294 Nov 29 00:20 mytld.signed |
|---|
| 50 | |
|---|
| 51 | 6. Notice that a set of DS records has been generated, and is ready to |
|---|
| 52 | be communicated to your parent zone: |
|---|
| 53 | |
|---|
| 54 | # ls -l dsset-* |
|---|
| 55 | -rw-r--r-- 1 root wheel 155 Nov 29 00:22 dsset-mytld. |
|---|
| 56 | |
|---|
| 57 | Look at the contents of the dsset: |
|---|
| 58 | |
|---|
| 59 | # cat dsset-mytld. |
|---|
| 60 | |
|---|
| 61 | 7. Change the /etc/namedb/named.conf definition that loads the zone, to point |
|---|
| 62 | to the signed zone: |
|---|
| 63 | |
|---|
| 64 | zone "mytld" { |
|---|
| 65 | type master; |
|---|
| 66 | file "/etc/namedb/master/mytld.signed"; |
|---|
| 67 | }; |
|---|
| 68 | |
|---|
| 69 | 8. Also in the named.conf, enable dnssec (for the authoritative part): |
|---|
| 70 | |
|---|
| 71 | ... in the options { .. }; section, add the following |
|---|
| 72 | |
|---|
| 73 | dnssec-enable yes; |
|---|
| 74 | |
|---|
| 75 | |
|---|
| 76 | 9. Reconfigure/restart your nameserver |
|---|
| 77 | |
|---|
| 78 | # rndc reconfig |
|---|
| 79 | |
|---|
| 80 | 10. Test that the nameserver is answering with DNSSEC records: |
|---|
| 81 | |
|---|
| 82 | # dig @127.0.0.1 mytld SOA +dnssec |
|---|
| 83 | |
|---|
| 84 | 11. That's it - you now need to communicate the DS to your parent |
|---|
