
File dnssec-bind-inline-signing-howto.txt, 7.4 KB (added by admin, 6 years ago)
Automated zone INLINE signing with BIND
---------------------------------------

Remember that if you see '#' before a command, it means
you need to run this command as root, either via:

a) sudo -s

b) sudo command

We'll build on the previous labs and enable inline signing on BIND (9.9+).

When doing inline signing, named never modifies the original (unsigned)
zone file: it can be produced by whatever process you already use (a dump
from a database, for example), and named keeps a separate, signed copy of
it next to the original.

When the unsigned zone is updated and reloaded, named detects the changes
and re-signs the affected records in the signed copy.
*** ON YOUR MASTER (auth1) SERVER ***

1. We're going to add a couple of statements to the BIND named.conf
   configuration file to enable inline DNSSEC signing.

   First, edit named.conf under /etc/namedb/, and make the following changes:

        zone "mytld" {
        file "/etc/namedb/master/mytld";    // <--- remove ".signed", if there

        type master;
        allow-transfer { key mydomain-key; };

        key-directory "/etc/namedb/keys";   // <--- Add this if not done
        auto-dnssec maintain;               // <--- Add this if not yet done
        inline-signing yes;                 // <--- Add this

        // update-policy local;             // <--- Remove if it's there
        };

   Save and exit.

   What these do: "file" must name the UNSIGNED zone, because named writes
   the signed copy to that file name with ".signed" appended. "key-directory"
   is where named looks for the K<zone>.+alg+keyid key files, "auto-dnssec
   maintain" lets it load those keys and act on their timing metadata by
   itself, and "inline-signing yes" makes it keep the signatures in the
   separate signed copy instead of rewriting your zone file.

2. Preparing the keys

   If you've done the manual signing lab from before, you have already
   generated keys, and we can reuse those. Otherwise, we'll generate
   a new set of keys.

   a) If you already have keys (otherwise go to step b)

   We need to make sure the directory has the right permissions - since BIND
   will be managing this, it needs access to the files and the directory
   (in particular it must be able to read the mode 0600 .private files):

        $ sudo chown -R bind /etc/namedb/keys

   Let's look at the keys:

        $ cd /etc/namedb/keys/
        $ ls -l Kmytld*
        -rw-r--r--  1 bind  wheel   591 Feb 18 15:52 Kmytld.+005+32044.key
        -rw-------  1 bind  wheel  1774 Feb 18 15:52 Kmytld.+005+32044.private
        -rw-r--r--  1 bind  wheel   417 Feb 18 15:52 Kmytld.+005+64860.key
        -rw-------  1 bind  wheel  1010 Feb 18 15:52 Kmytld.+005+64860.private

   b) If you don't have keys yet:

        $ sudo mkdir -p /etc/namedb/keys
        $ sudo chown -R bind /etc/namedb/keys
        $ cd /etc/namedb/keys

   - Generate first key pair (Zone Signing Key)

        $ sudo dnssec-keygen mytld

   (will output something like:
        Generating key pair......................+++++ + ....
        Kmytld.+005+43116)

   - Generate second key pair (Key Signing Key)

        $ sudo dnssec-keygen -f KSK mytld
        Kmytld.+005+52159

   (once again, some output will show)

   dnssec-keygen writes the key files into the current directory, and
   because it ran under sudo they belong to root, not bind. Re-run the
   "sudo chown -R bind /etc/namedb/keys" from above so that named can read
   the .private halves; otherwise signing will fail later with a
   permission error in the log.

   Check that the keys are there:

        $ ls -l Kmytld*

   Notice that we don't specify any flags such as algorithm, key size,
   etc... We're using the defaults for now. On BIND 9.9 that default is
   RSASHA1, DNSSEC algorithm number 5, which is where the "+005+" in the
   file names comes from. RSASHA1 is deprecated for signing today, so on a
   current BIND release choose the algorithm explicitly with -a (for
   example -a RSASHA256 or -a ECDSAP256SHA256) rather than relying on the
   default.

3. Now let's take care of the zone file

   If you have made a backup of your zone file, let's copy it back over
   our zone, to start fresh:

        $ cd /etc/namedb/master
        $ sudo cp mytld.backup mytld

   Remove the old .signed zone - BIND will create that automatically!

        $ sudo rm mytld.signed

   Again, remember to check in named.conf that you are loading "mytld",
   and *NOT* "mytld.signed".

   We also need to make sure BIND can write in the master directory, since
   named creates the signed copy and its journal there:

        $ sudo chown bind /etc/namedb/master

4. Now reconfig the nameserver

        $ sudo rndc reconfig

   At this point you should see some new files appear in the master/ dir:

        $ cd /etc/namedb/master
        $ ls -l

        ...
        -rw-r--r--  1 root  wheel   497 Sep 13 14:56 mytld
        -rw-r--r--  1 root  wheel   497 Sep 12 09:49 mytld.backup
        -rw-r--r--  1 bind  wheel   512 Sep 13 15:04 mytld.jbk
        -rw-r--r--  1 bind  wheel  1331 Sep 13 15:04 mytld.signed
        -rw-r--r--  1 bind  wheel  3581 Sep 13 15:04 mytld.signed.jnl
        ...

   mytld.signed is the signed copy and mytld.signed.jnl its journal; both
   belong to bind because named wrote them. The unsigned mytld is untouched.

   Check that signing did work:

        $ sudo rndc signing -list mytld
        Done signing with key 22603/RSASHA1
        Done signing with key 39978/RSASHA1

   The numbers are key tags: they should be the ones in your own
   Kmytld.+005+NNNNN file names (the values above are just an example).

   Also look in the logs:

        $ less /etc/namedb/log/general

        13-Sep-2012 15:04:27.444 reloading configuration succeeded
        13-Sep-2012 15:04:27.450 zone mytld/IN (unsigned): loaded serial 2012022301
        13-Sep-2012 15:04:27.451 any newly configured zones are now loaded
        13-Sep-2012 15:04:27.471 zone mytld/IN (signed): loaded serial 2012022301
        13-Sep-2012 15:04:27.493 zone mytld/IN (signed): receive_secure_serial: unchanged
        13-Sep-2012 15:04:27.501 zone mytld/IN (signed): reconfiguring zone keys
        13-Sep-2012 15:04:27.544 zone mytld/IN (signed): next key event: 13-Sep-2012 16:04:27.501

   Notice that named now logs two views of the same zone, "(unsigned)" and
   "(signed)", and that the "next key event" line shows it is managing the
   keys on a schedule of its own.

        $ dig @localhost mytld NS +dnssec

   You should see RRSIG records next to the NS records in the answer.

   Note that the signed zone is not stored in a human readable format.

   To see the contents of the signed zone, one can either do a zone
   transfer (axfr) or:

        $ sudo named-checkzone -D -f raw -o - mytld mytld.signed | less

5. Changes to the zone

   So how do we update the zone and resign it? Simple!

   Let's modify the zone and add a "mail" record with the IP address
   of the auth1 server:

        mail            A               10.10.X.1               ; X is your group

   So edit the zone file "mytld" and add the line above.

   Remember to change the serial: named compares the old and new unsigned
   zone by serial before applying the edit to the signed copy, and your
   secondaries only transfer when the serial goes up.

   Now, reload the zone. named will automatically re-sign the zone:

        $ sudo rndc reload mytld

   Wait a few seconds, then:

        $ tail /etc/namedb/log/general

   What do you observe?

        $ dig @localhost mail.mytld a
        $ dig @localhost mytld soa

   Notice the serial! The one you see belongs to the signed copy, which
   named maintains itself: it starts from the serial in the unsigned file
   and named raises it on its own each time it re-signs, so it can be
   higher than what you typed into "mytld".

   - Do the above tests using your own resolver (10.10.X.3)
   - Also try using the class resolver (10.10.0.230)

   You should be able to resolve "mail.mytld" in all cases.

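Because a serial that does not increase is the classic way for step 5 to silently do nothing, here is an added example (not from the lab, not BIND's code) that raises the SOA serial using the YYYYMMDDnn convention and appends the new record. It handles the two cases that bite in practice: several edits on the same day, and a file whose serial is already ahead of today's date, which must simply be incremented rather than moved backwards. The zone text is constructed in the lab's shape, and `today_stamp`, `next_serial` and `bump_zone` are this example's own names.

```python
"""Raise the SOA serial and add a record to the unsigned zone file.

Added example, not from the lab.  It carries the YYYYMMDDnn serial
convention through the awkward cases (more than one edit per day, a
serial already ahead of today's date) and appends new records, so the
edit in step 5 is always picked up by named and by the secondaries.
The zone text is constructed; the helper names are this example's own.
"""
import re
from datetime import date

# Constructed unsigned zone in the shape of the lab's "mytld" file.
ZONE = """\
$TTL 3600
mytld.      IN SOA  ns1.mytld. hostmaster.mytld. (
                    2012022301  ; serial
                    3600        ; refresh
                    900         ; retry
                    1209600     ; expire
                    300 )       ; minimum
            IN NS   ns1.mytld.
ns1         IN A    10.10.1.1
"""


def today_stamp() -> int:
    """Today as YYYYMMDD, the number the date-based serial convention is built on."""
    return int(date.today().strftime("%Y%m%d"))


def current_serial(zone_text: str) -> int:
    """The serial is the third RDATA field of the SOA; it may sit on a later line
    when the record is wrapped in parentheses, and ';' starts a comment."""
    tokens = []
    for line in zone_text.splitlines():
        code = line.split(";", 1)[0]
        tokens.extend(code.replace("(", " ").replace(")", " ").split())
    i = tokens.index("SOA")
    return int(tokens[i + 3])          # SOA <mname> <rname> <serial> ...


def next_serial(current: int, today: int) -> int:
    """YYYYMMDDnn: the first change of a day gets nn=00, later ones add 1.
    If the file is already ahead of today (clock skew, a typo in the year)
    keep counting up instead of going backwards.  Serials are 32-bit and
    wrap (RFC 1982 serial arithmetic), which still counts as "greater"."""
    base = today * 100
    new = base if current < base else current + 1
    return new % (1 << 32)


def bump_zone(zone_text: str, today: int, records=()) -> tuple:
    """Return (new_text, old_serial, new_serial); `records` are appended as new lines."""
    old = current_serial(zone_text)
    new = next_serial(old, today)
    soa_at = zone_text.index("SOA")
    head, tail = zone_text[:soa_at], zone_text[soa_at:]
    # Replace only the first whole-number match after "SOA": the serial itself.
    tail = re.sub(r"\b%d\b" % old, str(new), tail, count=1)
    text = head + tail
    if not text.endswith("\n"):
        text += "\n"
    for r in records:
        text += r.rstrip("\n") + "\n"
    return text, old, new


if __name__ == "__main__":
    new_text, old, new = bump_zone(ZONE, today_stamp(), ["mail        IN A    10.10.1.1"])
    print(f"serial {old} -> {new}")
    print(new_text)
```

Write the returned text back over the zone file and then run the `rndc reload mytld` from the step above; the `dig ... soa` afterwards shows named's own serial for the signed copy, which will be at least the value `bump_zone` wrote.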
6. If you haven't already uploaded the DS record in a previous lab, it's
   time to communicate it to your parent (the root). Otherwise, you can
   skip the rest of this lab!

   (DS = a digest of the Key Signing Key's DNSKEY record, published in the
   parent zone together with the key's tag and algorithm; it is the link
   from the parent's chain of trust down to your zone.)

   Generate a "DS" from your key:

   Find which key is the key signing key:

        $ cd /etc/namedb/keys
        $ more Kmytld*key

   Look at which one has "IN DNSKEY 257" (257 = zone key with the SEP bit
   set; the ZSK shows 256). Find the "keyid" and replace the string
   "+005+32044" below with "+005+keyid" where "keyid" is the number
   displayed.

        $ sudo -s               # We need to be root here: the keys
                                # directory now belongs to bind
        # dnssec-dsfromkey Kmytld.+005+32044 >dsset-mytld.
        # exit
        $

   REMEMBER the dot at the end of the file name! The file holds the DS
   line(s) for your KSK (by default a SHA-1 and a SHA-256 digest).

7. Upload the dsset for your zone (containing the hash of your KSK) to the
   ROOT server.

   a) If using the RZM:

        Log into the RZM classroom web site at https://rzm.dnssek.org/
        using your username (your domain name) and password.

        Check to see under Trust Anchor Details that your DS has automatically
        appeared AND matches (same key tag and digest as in your dsset-mytld.
        file). It is NOT automatically activated - the only thing the RZM has
        done is "grab" the key from you, and it is waiting for your
        confirmation to enable the DS in the parent zone.

        If not, note that you can always add the DS record manually: cut-and-
        paste the tag/digest data into the proper fields. Then click "Update"
        to make the change.

        The DS will automatically be included and signed shortly.

   b) If not using the RZM:

        $ scp dsset-mytld. adm@a.root-servers.net:

        The password is the same as in class.

        Tell the instructor you have done so!

        The instructor will include the DS-set in the root and re-sign the zone.

8. You should be able to verify this:

        $ dig @a.root-servers.net DS mytld.

   And, doing:

        $ dig @10.10.X.3 +dnssec DNSKEY mytld.
        or
        $ dig @10.10.0.230 +dnssec DNSKEY mytld.

   should show the "AD" flag bit set, indicating that the validating
   resolvers were able to successfully build a chain of trust to the
   root.

   If "ad" is missing from the flags line, compare the DS the root serves
   with your dsset-mytld. file: no DS at all means the resolver treats
   your zone as unsigned (answers, but no AD bit), while a DS whose key
   tag or digest does not match your KSK makes the zone bogus and the
   resolver answers SERVFAIL.

Optional:

   If using the RZM, you may also view the MONITOR classroom web site in
   a few minutes to see if it has detected your newly signed TLD:

        http://monitor.dnssek.org/
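Steps 6 and 8 both come down to the same question: is the DS in the parent a hash of your KSK? The following is an added example, neither the lab's code nor BIND's: it re-implements what `dnssec-dsfromkey` computes (the key tag from RFC 4034 Appendix B and the DS digest from RFC 4034 section 5.1.4), picks the KSK out of a set of `.key` files by its flags, and compares a DS line as served by the parent against the one derived from your key. The two key files are constructed with tiny fake public keys (real RSA keys are hundreds of bytes; the arithmetic is identical), and the key tags in their file names are what `key_tag()` below yields for them. All function names are this example's own.

```python
"""Find the KSK among the key files and derive its DS record.

Added example; it is neither the lab's code nor BIND's.  It re-implements
what "dnssec-dsfromkey" does (key tag per RFC 4034 Appendix B, DS digest
per RFC 4034 section 5.1.4) so you can check, offline, that a DS line
served by the parent really is a hash of *your* KSK and not of the ZSK
or of a stale key.  The two .key files below are constructed with tiny
fake public keys; the arithmetic is the same as for real keys.
"""
import base64
import hashlib

# Constructed key files in dnssec-keygen's format (the keyid is the key tag).
KEY_FILES = {
    "Kmytld.+008+02063.key": "; This is a key-signing key, keyid 2063, for mytld.\n"
                             "mytld. IN DNSKEY 257 3 8 AQIDBA==\n",
    "Kmytld.+008+04118.key": "; This is a zone-signing key, keyid 4118, for mytld.\n"
                             "mytld. IN DNSKEY 256 3 8 BQYHCA==\n",
}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lower case, each label length-prefixed, terminated by the root label."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(text: str) -> tuple:
    """(owner, flags, protocol, algorithm, pubkey) from a .key file; ';' comments ignored."""
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if "DNSKEY" in fields:               # owner [ttl] [class] DNSKEY flags proto alg key...
            i = fields.index("DNSKEY")
            return (fields[0], int(fields[i + 1]), int(fields[i + 2]), int(fields[i + 3]),
                    base64.b64decode("".join(fields[i + 4:])))
    raise ValueError("no DNSKEY record in key file")


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA in wire form: 2-byte flags, protocol, algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: sum even bytes shifted by 8 and odd bytes as-is,
    fold the carry once, keep 16 bits."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def find_ksk(key_files: dict) -> str:
    """Name of the .key file whose DNSKEY carries the SEP bit (flags 257): the KSK."""
    ksks = [name for name, text in key_files.items() if parse_dnskey(text)[1] & 1]
    if len(ksks) != 1:
        raise ValueError(f"expected exactly one KSK, found {ksks}")
    return ksks[0]


def ds_record(key_file_text: str, digest_type: int = 2) -> str:
    """DS RR for a DNSKEY: digest (1 = SHA-1, 2 = SHA-256) over owner-wire || RDATA."""
    owner, flags, proto, alg, pub = parse_dnskey(key_file_text)
    rdata = dnskey_rdata(flags, proto, alg, pub)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {alg} {digest_type} {digest}"


def ds_matches(parent_ds: str, key_file_text: str) -> bool:
    """True if a DS line as served by the parent (any TTL/class layout) equals the one
    derived from this key: tag, algorithm, digest type and digest, case-insensitively."""
    fields = parent_ds.upper().split()
    ours = ds_record(key_file_text, int(fields[-2])).upper().split()
    return ours[-4:] == fields[-4:]


if __name__ == "__main__":
    ksk = find_ksk(KEY_FILES)
    print("KSK file:", ksk)
    for dtype in (1, 2):                     # dnssec-dsfromkey prints both by default
        print(ds_record(KEY_FILES[ksk], dtype))
```

To use it for real, read your own `/etc/namedb/keys/Kmytld*.key` files into the dictionary and pass the answer line from `dig @a.root-servers.net DS mytld.` to `ds_matches()`; a `False` there is exactly the "bogus" case described above.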