Agenda: dnssec-bind-signing-howto.txt

File dnssec-bind-signing-howto.txt, 5.4 KB (added by admin, 6 years ago)

Line
1	Automated zone signing with BIND
2	--------------------------------
3
4	Remember that if you see '#' before a command, it means
5	you need to run this command as root, either via:
6
7	a) sudo -s
8
9	b) sudo command
10
11	* ON YOUR MASTER (auth1) SERVER *
12
13	1. First, verify that DNSSEC is enabled in /etc/namedb/named.conf
14	In the options { .. }; section, add the following, if it's not
15	already there:
16
17	dnssec-enable yes;
18
19	Then find the definition for your zone ("mytld").
20
21	* Note: in a previous lab, you may have modified the definition of your
22	zone, so that you were loading the signed version of the zone (.signed) -
23	so check if If your zone file configuration is already pointing to
24	"mytld.signed", and revert this to "mytld", like in the example below:
25
26	zone "mytld" {
27	file "/etc/namedb/master/mytld";
28	type master;
29	allow-transfer { key mydomain-key; };
30
31	key-directory "/etc/namedb/keys"; // <--- Add this
32	auto-dnssec maintain; // <--- Add this
33	update-policy local; // <--- Add this
34	// dnssec-secure-to-insecure yes; // <--- Add this
35	};
36
37	Save and exit
38
39	2. If you have made a backup of your zone file, let's copy it back over
40	our zone:
41
42	# cd /etc/namedb/master
43	# cp mytld.backup mytld
44
45	3. Now reconfig the nameserver
46
47	# rndc reconfig
48
49	Make sure that your server still answers for your zone, using dig!
50
51	# dig @localhost mytld NS
52
53	Create a directory for the keys:
54
55	# mkdir /etc/namedb/keys
56	# chown bind /etc/namedb/keys
57
58	Give ownership of the /etc/namedb/master directory so BIND can sign
59	your zone and write the file:
60
61	# chown -R bind /etc/namedb/master
62
63
64
65	4. Preparing the keys
66
67	If you've done the manual lab from before, you have already
68	generated keys, and we can reuse those. Otherwise, we'll generate
69	a new set of keys.
70
71	a) You already have keys
72
73	# cd /etc/namedb/master
74	# mv Kmytld* ../keys
75
76	... and skip to step 5
77
78	b) If you don't have keys yet:
79
80	# cd /etc/namedb/keys
81
82	- Generate first key pair (Zone Signing Key)
83
84	# dnssec-keygen mytld
85
86	( will output something like:
87	Generating key pair......................+++++ + ....
88	Kmytld.+005+43116)
89
90	- Generate second key pair (Key Signing Key)
91
92	# dnssec-keygen -f KSK mytld
93	Kmytld.+005+52159
94
95	(once again, some output will show)
96
97	Notice that we don't specify any flags such as algorithm, key size,
98	etc... We're using the defaults
99
100	5. Let's look at the keys:
101
102	# cd /etc/namedb/keys
103
104	# ls -l Kmytld*
105	-rw-r--r-- 1 root wheel 591 Feb 18 15:52 Kmytld.+005+32044.key
106	-rw------- 1 root wheel 1774 Feb 18 15:52 Kmytld.+005+32044.private
107	-rw-r--r-- 1 root wheel 417 Feb 18 15:52 Kmytld.+005+64860.key
108	-rw------- 1 root wheel 1010 Feb 18 15:52 Kmytld.+005+64860.private
109
110	Make the keys readable by BIND:
111
112	# chgrp bind K*
113	# chmod g+r K*
114
115	6. We're ready to sign!
116
117	First take a backup of the zone before it was signed
118
119	# cd /etc/namedb/master
120	# cp mytld mytld.unsigned
121
122	If there is an old "mytld.signed" file, you can get rid of it just in
123	case, but it won't be used anyway (this is just to avoid confusion):
124
125	# rm mytld.signed
126
127	Signal BIND to sign the zone (the backup made above will be untouched)
128
129	# rndc sign mytld
130
131	Take a look at the /etc/namedb/log/general log:
132
133	# tail -10 /etc/namedb/log/general
134
135	18-Feb-2011 15:57:41.168 set up managed keys zone for view _default, file 'managed-keys.bind'
136	18-Feb-2011 15:57:41.184 reloading configuration succeeded
137	18-Feb-2011 15:57:41.193 any newly configured zones are now loaded
138	18-Feb-2011 15:57:43.666 received control channel command 'sign mytld'
139	18-Feb-2011 15:57:43.668 zone mytlf/IN: reconfiguring zone keys
140	18-Feb-2011 15:57:43.693 zone mytlf/IN: next key event: 19-Feb-2011 03:57:43.693
141
142	7. Take a look at the signed zone:
143
144	# cd /etc/namedb/master
145	# ls -l mytld*
146
147	Notice the ".jnl" file:
148
149	-rw-r--r-- 1 bind wheel 535 Feb 18 14:22 mytld
150	-rw-r--r-- 1 bind wheel 3473 Feb 18 15:57 mytld.jnl
151
152	The zone is now DYNAMICALLY managed by bind.
153
154	If you want to make changes, you either need to:
155
156	a) freeze the zone, edit, thaw:
157
158	# rndc freeze mytld
159	# vi ... // remember the serial!
160	# rndc thaw mytld
161
162	b) use nsupdate
163
164	# nsupdate -l
165	> update add mail.mytld. 300 A 1.2.3.4
166	> send
167	> quit
168
169	# tail -10 /etc/namedb/log/general
170
171	18-Feb-2011 16:07:00.374 client 127.0.0.1#57195: updating zone 'mytld/IN': adding an RR at 'mail.phil' A
172
173	If you use the nsupdate method, check the SOA after every update --
174	what do you notice ?
175
176	8. Now we need to include the DS in the parent zone !
177
178	(DS = digest fingerprint of the Key Signing Key).
179
180	Generate a "DS" from your key:
181
182	Find which key is the key signing key:
183
184	# cd /etc/namedb/keys
185	# more Kmytld*key
186
187	Look at which one has "IN DNSKEY 257". Find the "keyid" and replace
188	the string "+005+32044" below with "+005+keyid" where "keyid" is the
189	number displayed.
190
191	# dnssec-dsfromkey Kmytld.+005+32044 >dsset-mytld.
192
193	REMEMBER the dot!
194
195	9. Upload the dsset for your zone (containing the hash of your zone) to the
196	ROOT server:
197
198	# scp dsset-mytld. adm@a.root-servers.net:
199
200	The password is the same as in class
201
202	10. Tell the instructor you have done so!
203
204	The instructor will include the DS-set in the root and re-sign the zone