Agenda: dnssec-bind-inline-signing-howto.txt

File dnssec-bind-inline-signing-howto.txt, 6.6 KB (added by admin, 6 years ago)
Line 
1Automated zone INLINE signing with BIND
2---------------------------------------
3
4Remember that if you see '#' before a command, it means
5you need to run this command as root, either via:
6
7
8a) sudo -s
9
10b) sudo command
11
12We'll build on the previous labs and enable inline signing on BIND (9.9+)
13
14When doing inline signing, the original zone is never modified: this
15allows the operator to make, for example, a dump of a DB containing the
16zone, and BIND will just sign it.
17
18When the unsigned zone is updated, named detects the changes, and re-signs.
19
20*** ON YOUR MASTER SERVER ***
21
221. We're going to add a couple of statements to the BIND named.conf
23   configuration file to enable inline dnssec signing.
24
25   First, edit named.conf under /etc/namedb/, and make the following changes:
26
27        zone "mytld" {
28        file "/etc/namedb/master/mytld";        // <--- remove ".signed", if there
29                                                   
30        type master;
31        allow-transfer { key mydomain-key; };   
32
33        key-directory "/etc/namedb/keys";       // <--- Add this if not done
34        auto-dnssec maintain;               // <--- Add this if not yet done
35                inline-signing yes;                                     // <--- Add this
36
37        // update-policy local;             // <--- Remove if it's there
38        };
39
40    Save and exit.
41
422. Preparing the keys
43
44        If you've done the manual signing lab from before, you have already
45        generated keys, and we can reuse those. Otherwise, we'll generate
46        a new set of keys.
47
48    a) If you already have keys (otherwise go to step b)
49
50   We need to make sure the directory has the right permissions - since BIND
51   will be managing this, it needs access to the files and the directory:
52
53        # chown -R bind /etc/namedb/keys
54
55   Let's look at the keys:
56
57        # cd /etc/namedb/keys/
58    # ls -l Kmytld*
59    -rw-r--r--  1 bind  wheel   591 Feb 18 15:52 Kmytld.+005+32044.key
60    -rw-------  1 bind  wheel  1774 Feb 18 15:52 Kmytld.+005+32044.private
61    -rw-r--r--  1 bind  wheel   417 Feb 18 15:52 Kmytld.+005+64860.key
62    -rw-------  1 bind  wheel  1010 Feb 18 15:52 Kmytld.+005+64860.private
63
64        b) If you don't have keys yet:
65
66        # mkdir -p /etc/namedb/keys
67        # chown -R bind /etc/namedb/keys
68    # cd /etc/namedb/keys
69
70        - Generate first key pair (Zone Signing Key)
71
72    # dnssec-keygen mytld
73
74    (  will output something like:
75    Generating key pair......................+++++ + ....
76    Kmytld.+005+43116)
77
78        - Generate second key pair (Key Signing Key)
79
80    # dnssec-keygen -f KSK mytld
81    Kmytld.+005+52159
82
83    (once again, some output will show)
84
85        Check that the keys are there:
86
87        # ls -l Kmytld*
88
89        Notice that we don't specify any flags such as algorithm, key size,
90        etc... We're using the defaults for now.
91
92
933. Now let's take care of the zone file
94
95   If you have made a backup of your zone file, let's copy it back over
96   our zone, to start fresh:
97
98        # cd /etc/namedb/master
99        # cp mytld.backup mytld
100
101   Remove the old .signed zone - BIND will create that automatically!
102
103    # rm mytld.signed
104
105   Again, remember to check in named.conf, that you are loading "mytld",
106   and *NOT* "mytld.signed".
107
108   We also need to make sure BIND can write in the master directory:
109
110   # chown bind /etc/namedb/master
111
1124. Now reconfig the nameserver
113
114    # rndc reconfig
115
116    At this point you should see some new files appear in the master/ dir:
117
118        # cd /etc/namedb/master
119        # ls -l
120
121...
122-rw-r--r--  1 root  wheel   497 Sep 13 14:56 mytld
123-rw-r--r--  1 root  wheel   497 Sep 12 09:49 mytld.backup
124-rw-r--r--  1 bind  wheel   512 Sep 13 15:04 mytld.jbk
125-rw-r--r--  1 bind  wheel  1331 Sep 13 15:04 mytld.signed
126-rw-r--r--  1 bind  wheel  3581 Sep 13 15:04 mytld.signed.jnl
127...
128
129        Check that signing did work:
130
131        # rndc signing -list mytld
132        Done signing with key 22603/RSASHA1
133        Done signing with key 39978/RSASHA1
134
135        Also look in the logs:
136
137        # less /etc/namedb/logs/general
138
13913-Sep-2012 15:04:27.444 reloading configuration succeeded
14013-Sep-2012 15:04:27.450 zone mytld/IN (unsigned): loaded serial 2012022301
14113-Sep-2012 15:04:27.451 any newly configured zones are now loaded
14213-Sep-2012 15:04:27.471 zone mytld/IN (signed): loaded serial 2012022301
14313-Sep-2012 15:04:27.493 zone mytld/IN (signed): receive_secure_serial: unchanged
14413-Sep-2012 15:04:27.501 zone mytld/IN (signed): reconfiguring zone keys
14513-Sep-2012 15:04:27.544 zone mytld/IN (signed): next key event: 13-Sep-2012 16:04:27.501
146
147
148        # dig @localhost mytld NS
149
150        Note that the signed zone is not stored in a human readable format.
151
152        To see the contents of the signed zone, one can either do a zone
153        transfer (axfr) or:
154
155        # named-checkzone -D -f raw -o - mytld mytld.signed | less
156
1575. Changes to the zone
158
159        So how do we update the zone and resign it ? Simple!
160
161        Let's modify the zone and add a "mail" record with the IP address
162        of the auth1 server:
163
164        mail            A               10.10.XX.1              ; X is your group
165
166        So edit the zone file "mytld" and add the line above.
167
168        Remember to change the serial.
169
170        Now, reload the zone. named will be automatically resign the zone:
171
172        # rndc reload mytld
173
174        Wait a few seconds, then:
175
176        # tail /etc/namedb/log/general
177
178        What do you observe ?
179
180        # dig @localhost mail.mytld a
181        # dig @localhost mytld soa
182
183        Notice the serial
184
1856. If you haven't already uploaded the DS record in a previous lab, it's
186   time to communicate it to your parent (the root). Otherwise, you can
187   skip the rest of this lab!
188
189    (DS = digest fingerprint of the Key Signing Key).
190
191   Generate a "DS" from your key:
192
193    Find which key is the key signing key:
194
195    # cd /etc/namedb/keys
196    # more Kmytld*key
197   
198    Look at which one has "IN DNSKEY 257". Find the "keyid" and replace
199    the string "+005+32044" below with "+005+keyid" where "keyid" is the
200    number displayed.
201
202    # dnssec-dsfromkey Kmytld.+005+32044 >dsset-mytld.
203
204    REMEMBER the dot!
205
2067. Upload the dsset for your zone (containing the hash of your zone) to the
207   ROOT server by logging into the RZM classroom web site.  Use your "mytld"
208   as the username and password "nsrcws".  Click "Edit" under the DS record
209   section and procceed to cut-and-paste tag/digest data into the proper
210   fields.  Then click "Add Record" to review your data and finally
211   "Commit".   RZM will lookup your DNSKEY record and attempt to match it
212   with the DS record.  If at least one of your DS records match, the
213   updates will show up in the signed root in a few seconds.
214
2158. You should be able to verify this:
216
217        # dig @a.root-servers.net DS mytld.
218
219    Doing
220
221        # dig +dnssec DNSKEY mytld.
222
223    should show the "AD" flag bit set indicating the that the class
224    validating resolver (10.10.0.230) was able to successfuly create
225    a chain of trust to the root.  You may also view the MONITOR
226    clasroom web site in a few minutes to see if it has detected your
227    newly signed TLD.
228