Agenda: dnssec-bind-signing-howto.txt

File dnssec-bind-signing-howto.txt, 5.4 KB (added by admin, 6 years ago)
Automated zone signing with BIND
--------------------------------

Remember that if you see '#' before a command, it means
you need to run this command as root, either via:

a) sudo -s

b) sudo command

*** ON YOUR MASTER (auth1) SERVER ***

1. First, verify that DNSSEC is enabled in /etc/namedb/named.conf.
   In the options { .. }; section, add the following if it's not
   already there:

   dnssec-enable yes;

   Then find the definition for your zone ("mytld").

   * Note: in a previous lab, you may have modified the definition of your
   zone so that it loaded the signed version of the zone (.signed).
   Check whether your zone configuration still points to "mytld.signed",
   and if so revert it to "mytld", as in the example below:

        zone "mytld" {
        file "/etc/namedb/master/mytld";
        type master;
        allow-transfer { key mydomain-key; };

        key-directory "/etc/namedb/keys";       // <--- Add this
        auto-dnssec maintain;                   // <--- Add this
        update-policy local;                    // <--- Add this
        // dnssec-secure-to-insecure yes;       // <--- Add this
        };

   Save and exit.

2. If you made a backup of your zone file, copy it back over
   the zone:

        # cd /etc/namedb/master
        # cp mytld.backup mytld

3. Now reconfigure the nameserver:

    # rndc reconfig

    Make sure that your server still answers for your zone, using dig!

    # dig @localhost mytld NS

    Create a directory for the keys:

    # mkdir /etc/namedb/keys
    # chown bind /etc/namedb/keys

    Give BIND ownership of the /etc/namedb/master directory so it can sign
    your zone and write the file:

    # chown -R bind /etc/namedb/master

4. Preparing the keys

    If you've done the manual lab before, you have already generated
    keys, and we can reuse those. Otherwise, we'll generate a new set
    of keys.

    a) You already have keys:

        # cd /etc/namedb/master
        # mv Kmytld* ../keys

        ... and skip to step 5.

    b) If you don't have keys yet:

        # cd /etc/namedb/keys

        - Generate the first key pair (Zone Signing Key):

        # dnssec-keygen mytld

        (this will output something like:
        Generating key pair......................+++++ + ....
        Kmytld.+005+43116)

        - Generate the second key pair (Key Signing Key):

        # dnssec-keygen -f KSK mytld
        Kmytld.+005+52159

        (once again, some output will show)

    Notice that we don't specify any flags such as algorithm, key size,
    etc. We're using the defaults.

5. Let's look at the keys:

    # cd /etc/namedb/keys

    # ls -l Kmytld*
    -rw-r--r--  1 root  wheel   591 Feb 18 15:52 Kmytld.+005+32044.key
    -rw-------  1 root  wheel  1774 Feb 18 15:52 Kmytld.+005+32044.private
    -rw-r--r--  1 root  wheel   417 Feb 18 15:52 Kmytld.+005+64860.key
    -rw-------  1 root  wheel  1010 Feb 18 15:52 Kmytld.+005+64860.private

    Make the keys readable by BIND:

    # chgrp bind K*
    # chmod g+r K*

6. We're ready to sign!

    First, take a backup of the zone before it is signed:

    # cd /etc/namedb/master
    # cp mytld mytld.unsigned

    If there is an old "mytld.signed" file, you can remove it just in
    case; it won't be used anyway (this is just to avoid confusion):

    # rm mytld.signed

    Signal BIND to sign the zone (the backup made above will be untouched):

    # rndc sign mytld

    Take a look at the /etc/namedb/log/general log:

    # tail -10 /etc/namedb/log/general

18-Feb-2011 15:57:41.168 set up managed keys zone for view _default, file 'managed-keys.bind'
18-Feb-2011 15:57:41.184 reloading configuration succeeded
18-Feb-2011 15:57:41.193 any newly configured zones are now loaded
18-Feb-2011 15:57:43.666 received control channel command 'sign mytld'
18-Feb-2011 15:57:43.668 zone mytlf/IN: reconfiguring zone keys
18-Feb-2011 15:57:43.693 zone mytlf/IN: next key event: 19-Feb-2011 03:57:43.693

7. Take a look at the signed zone:

    # cd /etc/namedb/master
    # ls -l mytld*

    Notice the ".jnl" file:

    -rw-r--r--  1 bind  wheel   535 Feb 18 14:22 mytld
    -rw-r--r--  1 bind  wheel  3473 Feb 18 15:57 mytld.jnl

    The zone is now DYNAMICALLY managed by BIND.

    If you want to make changes, you need to either:

    a) freeze the zone, edit, then thaw:

        # rndc freeze mytld
        # vi ...   // remember to increment the serial!
        # rndc thaw mytld

    b) use nsupdate:

        # nsupdate -l
        > update add mail.mytld. 300 A 1.2.3.4
        > send
        > quit

    # tail -10 /etc/namedb/log/general

18-Feb-2011 16:07:00.374 client 127.0.0.1#57195: updating zone 'mytld/IN': adding an RR at 'mail.phil' A

    If you use the nsupdate method, check the SOA after every update:
    what do you notice?

8. Now we need to include the DS in the parent zone!

    (DS = digest/fingerprint of the Key Signing Key.)

    Generate a "DS" from your key. First, find which key is the key
    signing key:

    # cd /etc/namedb/keys
    # more Kmytld*key

    Look at which one has "IN DNSKEY 257". Find the keyid and replace
    the string "+005+32044" below with "+005+keyid", where "keyid" is the
    number displayed:

    # dnssec-dsfromkey Kmytld.+005+32044 >dsset-mytld.

    REMEMBER the trailing dot in the file name!

9. Upload the dsset for your zone (containing the digest of your key
   signing key) to the ROOT server:

    # scp dsset-mytld. adm@a.root-servers.net:

    The password is the same as in class.

10. Tell the instructor you have done so!

    The instructor will include the DS-set in the root and re-sign the zone.