Enabling DNSSEC validation with the root trust anchor in BIND
-------------------------------------------------------------

You need to log in to your resolver (cache) machine, i.e. for group 1, you
would use resolv.grp1.ws.nsrc.org, as you did when you enabled recursion on
that server.

1. Grab the root key

NOTE: This is only for the purpose of this lab - on the Internet,
you would simply use "unbound-anchor" to download the real root.key,
set "auto-trust-anchor-file:" in unbound.conf, and let unbound update
the key when necessary.

In this lab, ask your instructor whether we are using the "RZM" or not.

With RZM
--------

Go to https://rzm.dnssek.org/, copy the trust-anchor statement
(the ENTIRE line) from that page and paste it into a file,
/usr/local/etc/unbound/root.key

Without RZM
-----------

Grab the key from the root server:

    $ sudo scp adm@a.root-servers.net:root.key /tmp/root.key

(Alternatively, your instructor may have made the file available on
the Web - ask!)

View the contents of the key (/tmp/root.key, or wherever you put it) and
copy them.

Edit /etc/namedb/named.conf and paste the contents at the bottom of
the file, in the following format:

    trusted-keys {
        // paste the contents here
    };

It should look something like this when done:

    trusted-keys {
        . 257 3 5 "AwEAAaGF0WNdnZ9krIIBOZCgR7t6F5ikcKREeRkWQOxZGIRYKq1hgwu9 bd+yyg20+NPpfV1ThX5WD4/QJ/tgygLZKTjy3wYcSYBBwXPoTYY9/6lw ysD6GjXDHsYHWmWE6usxaEwJNAk3Pfsy2q2ZN6LjcfcmZzKmB4saq1ph h6nDiYfUJFLzXPRQtW1OisLxedCLYZ/IOUjx2MJd+xmKJ93wt9Du799RF4I+9ZsYMZ+aIRt3LWuq/+g60Ipb4cqtUl5rnfYFpDmfq4QXf67tkvYk aCaxv0bpd5vj2E86V5HfAQmeaKPX9sGG80LD+GNI53168OfZdHje58vZ sW765bV/iVk=";
    };

2. Restart the nameserver

    # service named restart

3. Run a few queries:

    $ dig @localhost +dnssec . SOA
    $ dig @localhost +dnssec mytld. SOA

What do you notice?

4. If you haven't already done so, you can go back to the DNS logging exercise,
enable logging on your RESOLV host, and look at the dnssec log file...
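What to look for in step 3 is the header of the dig output: a validating resolver sets the "ad" (authenticated data) flag on answers it has verified against the trust anchor, returns NOERROR without "ad" for data it could not validate (unsigned zone, or no trust anchor configured), and answers SERVFAIL when validation fails. The script below is an added example, not part of the original lab; it classifies dig output along those lines, using constructed sample headers so it runs without a resolver.

```sh
#!/bin/sh
# Added example, not from the lab: classify "dig @localhost +dnssec ..." output.
#   secure   - status NOERROR and the 'ad' (authenticated data) flag set
#   insecure - NOERROR without 'ad' (unsigned zone, or no trust anchor loaded)
#   bogus    - SERVFAIL, which a validating BIND returns when validation fails
dnssec_status() {
    # $1 holds the complete dig output for one query.
    status=$(printf '%s\n' "$1" | sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p')
    flags=$(printf '%s\n' "$1" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p')
    case "$status" in
        SERVFAIL) echo bogus ;;
        NOERROR)
            # Pad with spaces so 'ad' is matched as a whole token,
            # not as part of another flag name such as 'ra' or 'rd'.
            case " $flags " in
                *" ad "*) echo secure ;;
                *)        echo insecure ;;
            esac ;;
        *) echo "unknown(${status:-no response})" ;;
    esac
}

# Constructed sample outputs (headers only; the answer sections are omitted).
SAMPLE_SECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41523
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8876
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 30917
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Against the lab resolver you would feed real output in, e.g.:
#   dnssec_status "$(dig @localhost +dnssec mytld. SOA)"
for s in "$SAMPLE_SECURE" "$SAMPLE_INSECURE" "$SAMPLE_BOGUS"; do
    dnssec_status "$s"
done
```

Run the same check before and after adding the trusted-keys block: the answer for "." should move from insecure to secure once the anchor is loaded and named has been restarted.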
|---|