
File dnssec-bind-enable-validation.txt, 2.1 KB (added by admin, 6 years ago)
Enabling DNSSEC validation with the root trust anchor in BIND
-------------------------------------------------------------

You need to log in to your resolver (cache) machine, i.e. for group 1, you
would use resolv.grp1.ws.nsrc.org, as you did when you enabled recursion on
that server.

1. Grab the root key

    NOTE: This is only for the purpose of this lab - on the Internet,
    you would simply use "unbound-anchor" to download the real root.key,
    and set "auto-trust-anchor-file:" in unbound.conf, and let unbound update
    the key when necessary.

    In this lab, ask your instructor if we are using the "RZM" or not.

    With RZM
    --------

    Go to https://rzm.dnssek.org/, and copy the trust-anchor
    statement (the ENTIRE line) from this page and paste it into
    a file, /usr/local/etc/unbound/root.key

    Without RZM
    -----------

    Grab the key from the root server:

    $ sudo scp adm@a.root-servers.net:root.key  /tmp/root.key

    (Alternatively, your instructor may have made the file available on
    the Web - ask him!)

    View the contents of the key (/tmp/root.key or where you put it) and
    copy them.

    Edit /etc/namedb/named.conf, and paste the contents at the bottom of
    the file, in the following format:

trusted-keys {
    // paste here the contents
};

    It should look something like this when done:

trusted-keys {
  . 257 3 5 "AwEAAaGF0WNdnZ9krIIBOZCgR7t6F5ikcKREeRkWQOxZGIRYKq1hgwu9 bd+yyg20+NPpfV1ThX5WD4/QJ/tgygLZKTjy3wYcSYBBwXPoTYY9/6lw ysD6GjXDHsYHWmWE6usxaEwJNAk3Pfsy2q2ZN6LjcfcmZzKmB4saq1ph h6nDiYfUJFLzXPRQtW1OisLxedCLYZ/IOUjx2MJd+xmKJ93wt9Du799RF4I+9ZsYMZ+aIRt3LWuq/+g60Ipb4cqtUl5rnfYFpDmfq4QXf67tkvYk aCaxv0bpd5vj2E86V5HfAQmeaKPX9sGG80LD+GNI53168OfZdHje58vZ sW765bV/iVk=";
};

2. Restart the nameserver

    # service named restart

3. Run a few queries:

    $ dig @localhost +dnssec . SOA
    $ dig @localhost +dnssec mytld. SOA

    What do you notice?

4. If you haven't already done so, you can go back to the DNS logging exercise,
   and enable logging on your RESOLV host, and look at the dnssec log file...
67