Agenda: dnssec-bind-manual-signing-howto.txt

File dnssec-bind-manual-signing-howto.txt, 4.5 KB (added by admin, 6 years ago)
Line 
1*** ON YOUR AUTHORITATIVE SERVER ***
2
31. Change to the directory where the zone resides, and make a backup
4   of the zone (assuming it's called "mytld"), just in case
5
6    # cd /etc/namedb/master
7    # cp mytld mytld.backup
8
9  Also create a directory for the keys to live in, and let's create them
10
11    # mkdir /etc/namedb/keys
12    # chown bind /etc/namedb/keys
13
14    # cd /etc/namedb/keys
15
162. Generate first key pair (Zone Signing Key)
17
18    # dnssec-keygen -a RSASHA1 -b 1024 -n ZONE mytld
19    Kmytld.+005+51333
20
214. Generate second key pair (Key Signing Key)
22
23    # dnssec-keygen -f KSK -a RSASHA1 -b 2048 -n ZONE mytld
24    Kmytld.+005+52159
25
264. Let's look at the keys:
27
28    # ls -l Kmytld.+005+5*
29    -rw-r--r--  1 root  wheel   203 Nov 29 00:07 Kmytld.+005+51333.key
30    -rw-------  1 root  wheel   937 Nov 29 00:07 Kmytld.+005+51333.private
31    -rw-r--r--  1 root  wheel   247 Nov 29 00:07 Kmytld.+005+52159.key
32    -rw-------  1 root  wheel  1125 Nov 29 00:07 Kmytld.+005+52159.private
33
344. Add the public keys to the end of the zone file:
35
36    Edit the zone file for "mytld" and add the keys at the end:
37
38        # cd /etc/namedb/master
39
40        (edit the file "mytld" or whatever name you picked, and add the
41        lines corresponding to your keys)
42
43    ; Keys to be published in DNSKEY RRset
44
45    $include "/etc/namedb/keys/Kmytld.+005+51333.key"     ; ZSK
46    $include "/etc/namedb/keys/Kmytld.+005+52159.key"     ; KSK
47
48    Increment the serial number.
49    Save and exit.
50
515. Sign the zone with the keys
52
53    # cd /etc/namedb/keys
54    # dnssec-signzone -o mytld -k Kmytld.+005+52159 ../master/mytld Kmytld.+005+51333
55    Verifying the zone using the following algorithms: RSASHA1.
56    Zone signing complete:
57    Algorithm: RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
58                        ZSKs: 1 active, 0 stand-by, 0 revoked
59    mytld.signed
60
61    The signed zone has been written out in the master/ directory, sot let's
62    check it out:
63
64    # cd /etc/namedb/master/
65    # ls -l mytld*
66
67    -rw-r--r--  1 root  wheel   292 Nov 29 00:08 mytld
68    -rw-r--r--  1 root  wheel  4294 Nov 29 00:20 mytld.signed
69
70    Take a look at the zone contents, and observe the new records and
71    signatures.
72
736. Notice that a set of DS records has been generated, and is ready to
74   be communicated to your parent zone:
75
76    # cd /etc/namedb/keys/
77    # ls -l dsset-*
78
79    -rw-r--r--  1 root  wheel  155 Nov 29 00:22 dsset-mytld.
80
81   Look at the contents of the dsset:
82
83    # cat dsset-mytld.
84
857. Change the /etc/namedb/named.conf definition that loads the zone, to point
86   to the signed zone:
87
88    zone "mytld" {
89            type master;
90            file "/etc/namedb/master/mytld.signed"; // load the signed zone
91    };
92
938. Also in the named.conf, enable dnssec (for the authoritative part):
94
95    ... in the options { .. }; section, add the following
96
97    dnssec-enable yes;
98
999. Reconfigure/restart your nameserver
100
101    # rndc reconfig
102
10310. Test that the nameserver is answering with DNSSEC records:
104
105    # dig @127.0.0.1 mytld SOA +dnssec
106
10711. Now you need to make sure that your slave has ALSO configured their
108    nameserver to enable dnssec in their configuration (step 8). They
109    should have done it since they are working on the same lab, but check
110    anyway!
111
112    To test:
113
114    # dig @10.10.Y.1 mytld SOA +dnssec
115
116    ... where Y is the IP of the partner you picked to be slave for your
117    domain.
118
11912. You now need to communicate the DS to your parent
120
121   Talk to your root manager on the way to communicate the DS.
122   It could be using SCP or using a web interface.
123
124   If your root manager says to use scp, do as follows:
125
126   # cd /etc/namedb/keys
127   # scp dsset-mytld. adm@a.root-servers.net:
128
129   ... this will copy the file "dsset-mytld." into the "adm" user directory
130   on the a.root-server, where the root manager will include it into the root
131   zone for signing.
132
13313. Test that the AD bit is set:
134
135    # dig 10.10.0.230 +dnssec www.MYTLD.
136
137    Is it ?
138
139    If not, note that the root manager may not have necessarily signed the
140    root zone with your DS included yet, OR due to the *negative TTL*, the
141    DS record may not be in the cache of the resolver. You may have to wait,
142    but check with your root manager, and you can always check at the root:
143
144    # dig @a.root-servers.net DS mytld.
145
146    ... to verify that the DS is published. Then it's a matter of waiting
147    for the cache to expire on the resolver, before you can verify your
148    signatures.
149
150    Alternatively, don't wait and proceed to enable validation in your own
151    resolver (resolv.grpX.ws.nsrc.org) - see the relevant lab!