% DNSSEC - signing
# Introduction
This lab walks through signing your zone with DNSSEC on your authoritative BIND server: generating a ZSK and KSK, letting BIND sign the zone in place, and checking the result with `dig`.
## Notes
* Commands preceded with "$" imply that you should execute the command as
a general user - not as root.
* Commands preceded with "#" imply that you should be working as root.
* Commands with more specific command lines (e.g. "rtrX>" or "mysql>")
imply that you are executing commands on remote equipment, or within
another program.
# On your AUTHORITATIVE server (SOA)
## Create your zone
We'll create some directories to hold our zones (replace _mytld_ with the name you picked!)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ sudo mkdir -p /etc/bind/zones/mytld
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Next, we'll create a FILE _mytld_ under the directory _/etc/bind/zones/mytld_ where _mytld_ is your chosen top-level domain (e.g. _tree_)
Remember, **you'll need to become root** to create this file.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ sudo -s
# cd /etc/bind/zones/mytld
# nano mytld
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Your zone contents should include the following entries:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$TTL 2m
@       IN SOA  soa.grpX.dns.te-labs.training. hostmaster.mytld. (
                2022020701 ; Serial
                10m        ; Refresh
                5m         ; Retry
                2w         ; Expire
                2m )       ; Negative caching TTL
@       IN NS   soa.grpX.dns.te-labs.training. ; your 'SOA' server name
www     IN A    10.X.1.1
www     IN AAAA fd05:58a6:X:1::1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
**Remember to replace every instance of grpX with your group number (_e.g. grp13_), and every X in the addresses (10.X.1.1, fd05:58a6:X:1::1) the same way.** The NS record needs an owner name just like the SOA; the `@` stands for the zone apex.
Save your zone file by pressing **Ctrl+x**, answering **Y** and then pressing **Enter**.
Next, check that there are no syntax errors in your zone file. Note that `named-checkconf` only checks `named.conf`; to parse the zone itself use `named-checkzone`, giving it the zone name and the file:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# named-checkzone mytld /etc/bind/zones/mytld/mytld
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A good zone ends with `OK` after reporting the loaded serial. If errors occur, fix them and run the check again.
Finally, restart BIND:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# systemctl restart bind9
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## Backup your zone!
Change to the directory where the zone resides, and make a backup
of the zone (assuming it's called `mytld`), just in case
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ cd /etc/bind/zones/mytld
$ sudo cp mytld mytld.backup
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## Generate the first key pair (Zone Signing Key - ZSK)
First we need a dedicated directory to store the keys. The `.private` files that end up here are the zone's secret keys, so the directory must be readable by the `bind` user only:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ sudo mkdir /etc/bind/keys
$ sudo chown -R bind:bind /etc/bind/keys
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Make sure you're in the right directory:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ cd /etc/bind/keys
$ pwd
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Now, create the keys
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ sudo dnssec-keygen -a RSASHA256 -b 2048 -n ZONE mytld
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
You should see an output like:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Kmytld.+008+51333
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The name is `K<zone>.+<algorithm>+<key tag>`: `008` is RSASHA256 and `51333` is the key tag, a checksum of the public key that your own output will differ in. Make a note of this on a piece of paper - label it "ZSK".
## Generate second key pair (Key Signing Key - KSK)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ sudo dnssec-keygen -f KSK -a RSASHA256 -b 2048 -n ZONE mytld
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
You should see an output like:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Kmytld.+008+52159
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
`-f KSK` sets the SEP flag, so this key's DNSKEY record will carry flags `257` instead of the ZSK's `256`; it is the key the parent zone's DS record will eventually point to. Make a note of this on a piece of paper - label it "KSK".
## Inspect the keys
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ ls -l K*
-rw-r--r-- 1 root wheel 417 Nov 29 00:07 Kmytld.+008+51333.key
-rw------- 1 root wheel 1012 Nov 29 00:07 Kmytld.+008+51333.private
-rw-r--r-- 1 root wheel 590 Nov 29 00:07 Kmytld.+008+52159.key
-rw------- 1 root wheel 1776 Nov 29 00:07 Kmytld.+008+52159.private
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
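What the `+008+51333` part of those file names actually is, as an added example (not part of the lab and not BIND's own code): the key tag is a 16-bit checksum over the DNSKEY RDATA (RFC 4034, Appendix B), and hashing the same RDATA together with the owner name gives the DS record the parent zone must publish for your KSK. The script below parses a DNSKEY in presentation format, reads the role off the flags, computes the key tag and builds the SHA-256 DS record. The DNSKEY inside it is constructed with a six-byte fake public key so that the arithmetic can be followed by hand; it is not a usable key, and `mytld.` is the lab's placeholder zone.

```python
"""Added example, not part of the lab or of BIND: what the key tag in a
K<zone>.+<alg>+<tag> file name is, and how the DS record for the parent is
derived from the same DNSKEY. The DNSKEY below is constructed with a six-byte
fake public key (not a usable RSA key) so the arithmetic can be followed by hand."""
import base64
import hashlib
import struct

# Constructed sample: flags 257 (zone key + SEP bit => a KSK), protocol 3,
# algorithm 8 (RSASHA256, the "+008" in BIND's file names). The base64 blob
# decodes to 01 03 C2 5A 7F 11: exponent length 1, exponent 3, fake modulus.
SAMPLE_DNSKEY = "mytld. IN DNSKEY 257 3 8 AQPCWn8R"


def parse_dnskey(text):
    """Find the first DNSKEY RR in `text` (a .key file or a dig answer line) and
    return (owner, flags, protocol, algorithm, public key bytes)."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(";") or "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")
        flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
        pubkey = base64.b64decode("".join(fields[i + 4:]))
        return fields[0], flags, proto, alg, pubkey
    raise ValueError("no DNSKEY record found")


def dnskey_rdata(flags, proto, alg, pubkey):
    """Wire-format RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key."""
    return struct.pack("!HBB", flags, proto, alg) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B: a 16-bit checksum over the RDATA, even-indexed bytes
    weighted by 256 (valid for every algorithm except the obsolete RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def key_role(flags):
    """Bit value 256 marks a zone key; bit value 1 (SEP) is what `-f KSK` sets."""
    if not flags & 0x0100:
        return "not a zone key"
    return "KSK" if flags & 0x0001 else "ZSK"


def owner_wire(name):
    """Canonical wire form of a name: lowercase, length-prefixed labels, root = 0x00."""
    name = name.lower().rstrip(".")
    labels = name.split(".") if name else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_record(text):
    """Build the DS RR (digest type 2 = SHA-256) the parent zone must publish:
    digest = SHA-256(owner name in wire form || DNSKEY RDATA)."""
    owner, flags, proto, alg, pubkey = parse_dnskey(text)
    rdata = dnskey_rdata(flags, proto, alg, pubkey)
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {alg} 2 {digest}"


if __name__ == "__main__":
    owner, flags, proto, alg, pubkey = parse_dnskey(SAMPLE_DNSKEY)
    tag = key_tag(dnskey_rdata(flags, proto, alg, pubkey))
    print(f"role: {key_role(flags)}")
    print(f"key tag: {tag} -> dnssec-keygen would name this K{owner}+{alg:03d}+{tag:05d}")
    print(ds_record(SAMPLE_DNSKEY))
```

Feed the script the contents of your real `Kmytld.+008+52159.key` file and it prints the DS record for your KSK; `dnssec-dsfromkey -a SHA-256 Kmytld.+008+52159.key` gives the same answer from BIND's own tooling. Doing it by hand makes the point that the DS binds the parent's delegation to exactly one public key, which is why the KSK is the one you must handle with care.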
The `.key` files hold the public DNSKEY records; the `.private` files are the secrets and must keep mode `0600`. Because you ran `dnssec-keygen` under `sudo`, they currently belong to root, which BIND (running as the `bind` user) cannot read. We need to do a few more things before BIND can sign your zone:
## Adjust permissions on the directories
BIND must be able to read the private keys and write the signed zone next to the unsigned one, so hand both directories to the `bind` user:
~~~
$ sudo chown -R bind:bind /etc/bind/zones /etc/bind/keys
~~~
## Adjust BIND's configuration
First, edit `/etc/bind/named.conf.local` and add the three marked lines to your zone statement. The zone name is case-insensitive, but keep it matching the file name to avoid confusion:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
zone "mytld" {
    type master;
    file "/etc/bind/zones/mytld/mytld";
    key-directory "/etc/bind/keys";   // <--- Add this
    auto-dnssec maintain;             // <--- Add this
    inline-signing yes;               // <--- Add this
};
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
`inline-signing yes` leaves your hand-edited file untouched and has BIND maintain a separate signed copy; `auto-dnssec maintain` makes BIND pick up the keys in `key-directory` and re-sign records as their signatures approach expiry. Newer BIND releases deprecate `auto-dnssec` in favour of `dnssec-policy`; the lab uses the older form because it works with the keys you just generated by hand.
Save and exit.
Verify the configuration:
~~~
# named-checkconf
~~~
## Time to sign the zone
Nothing has to be signed by hand: once BIND re-reads its configuration, `inline-signing` and `auto-dnssec maintain` make it load the keys from `/etc/bind/keys` and sign the zone itself. Tell it to reconfigure:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ sudo rndc reconfig
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
See if some new files have appeared:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ cd /etc/bind/zones/mytld
$ ls -l
...
-rw-r--r-- 1 bind bind  497 Sep 13 14:56 mytld
-rw-r--r-- 1 bind bind  497 Sep 12 09:49 mytld.backup
-rw-r--r-- 1 bind bind  512 Sep 13 15:04 mytld.jbk
-rw-r--r-- 1 bind bind 1331 Sep 13 15:04 mytld.signed
-rw-r--r-- 1 bind bind 3581 Sep 13 15:04 mytld.signed.jnl
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
`mytld.signed` is the signed copy BIND now serves and `mytld.signed.jnl` is its journal; your `mytld` file stays unsigned. Future changes go into `mytld` (bump the serial, then `sudo rndc reload mytld`), never into the signed files.
Check that signing did work; both key tags should be listed. If the list is empty, BIND most likely could not read the `.private` files: re-check the ownership of `/etc/bind/keys` and look at BIND's log.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ sudo rndc signing -list mytld
Done signing with key 52159/RSASHA256
Done signing with key 51333/RSASHA256
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Use `dig` to verify that DNSSEC records have appeared in the zone:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ dig @10.X.1.1 mytld NS +dnssec
$ dig @10.X.1.1 mytld SOA +dnssec
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Each answer should now carry an RRSIG record next to the RRset, signed by your ZSK's key tag. An authoritative server never sets the `ad` flag, so the RRSIG itself is the evidence that signing happened.
### Now you should be able to see those changes through the class resolver:
The resolver hands back the RRSIGs, but it cannot mark the answer as validated (no `ad` flag) until the parent zone publishes a DS record for your KSK. Until that delegation step is done your zone is signed, but not yet part of the chain of trust.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ dig @10.0.0.252 www.mytld A +dnssec +multi
$ dig @10.0.0.252 mytld SOA +dnssec +multi
$ dig @10.0.0.252 mytld DNSKEY +dnssec +multi
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
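A checker for those answers, added here as an example rather than as part of the lab or of BIND: it reads `dig ... +dnssec +noall +answer` output (one record per line, so without `+multi`) and reports every RRset that has no RRSIG, whose RRSIG lies outside its validity window, or whose RRSIG was made by a key other than the one you expect for that RRset. The sample answer inside it is constructed for an imaginary group 13 using the key tags from the lab's sample output (51333 as ZSK, 52159 as KSK) with placeholder key and signature blobs, and deliberately includes one expired signature and one unsigned RRset so the failure path is exercised.

```python
"""Added example, not part of the lab or of BIND: check the RRSIGs in a dig answer.
Input is `dig @server <name> <type> +dnssec +noall +answer` output, one RR per
line (so no +multi). The SAMPLE_ANSWER below is constructed, with placeholder
key and signature blobs, to exercise both the good and the bad path."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed answer for an imaginary group 13. Key tags follow the lab's
# sample output: 51333 is the ZSK, 52159 the KSK. The www A signature has
# already expired and the AAAA RRset has no signature at all, on purpose.
SAMPLE_ANSWER = """\
mytld.      120 IN SOA   soa.grp13.dns.te-labs.training. hostmaster.mytld. 2022020702 600 300 1209600 120
mytld.      120 IN RRSIG SOA 8 1 120 20220315120000 20220213120000 51333 mytld. c2lnbmF0dXJlLWJsb2I=
mytld.      120 IN NS    soa.grp13.dns.te-labs.training.
mytld.      120 IN RRSIG NS 8 1 120 20220315120000 20220213120000 51333 mytld. c2lnbmF0dXJlLWJsb2I=
mytld.      120 IN DNSKEY 256 3 8 cHVibGljLWtleS1wbGFjZWhvbGRlcg==
mytld.      120 IN DNSKEY 257 3 8 cHVibGljLWtleS1wbGFjZWhvbGRlcg==
mytld.      120 IN RRSIG DNSKEY 8 1 120 20220315120000 20220213120000 52159 mytld. c2lnbmF0dXJlLWJsb2I=
www.mytld.  120 IN A     10.13.1.1
www.mytld.  120 IN RRSIG A 8 2 120 20220101120000 20211201120000 51333 mytld. c2lnbmF0dXJlLWJsb2I=
www.mytld.  120 IN AAAA  fd05:58a6:13:1::1
"""
# The point in time the sample is evaluated at (its signatures are long
# expired in real time, so the demo freezes the clock).
SAMPLE_NOW = datetime(2022, 3, 1, tzinfo=timezone.utc)


def parse_answer(text):
    """Group RRs by (owner, type); RRSIGs go into a second map keyed by the RRset they cover."""
    rrsets, rrsigs = defaultdict(list), defaultdict(list)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith(";"):
            continue
        owner, rtype, rdata = fields[0].lower(), fields[3], fields[4:]
        if rtype == "RRSIG":
            # RDATA: type-covered alg labels orig-ttl expiration inception key-tag signer sig
            rrsigs[(owner, rdata[0])].append({
                "keytag": int(rdata[6]),
                "signer": rdata[7].lower(),
                "expiration": datetime.strptime(rdata[4], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc),
                "inception": datetime.strptime(rdata[5], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc),
            })
        else:
            rrsets[(owner, rtype)].append(" ".join(rdata))
    return rrsets, rrsigs


def check_signatures(text, zsk_tags, ksk_tags, now):
    """Return a list of problems (empty = every RRset in the answer is properly signed).

    zsk_tags / ksk_tags are sets of the key tags you expect; `now` is a tz-aware datetime.
    Rules: every RRset needs an RRSIG; the RRSIG must be inside its validity window;
    the DNSKEY RRset must be signed by a KSK (the key the parent's DS points at) and
    everything else by a ZSK; a signature by an unknown key tag is reported as well.
    """
    rrsets, rrsigs = parse_answer(text)
    known = zsk_tags | ksk_tags
    problems = []
    for owner, rtype in rrsets:
        sigs = rrsigs.get((owner, rtype), [])
        if not sigs:
            problems.append(f"{owner} {rtype}: no RRSIG")
            continue
        role, wanted = ("KSK", ksk_tags) if rtype == "DNSKEY" else ("ZSK", zsk_tags)
        valid = []
        for sig in sigs:
            if sig["keytag"] not in known:
                problems.append(f"{owner} {rtype}: RRSIG by unknown key tag {sig['keytag']}")
            elif not sig["inception"] <= now <= sig["expiration"]:
                problems.append(f"{owner} {rtype}: RRSIG by {sig['keytag']} not valid at "
                                f"{now:%Y-%m-%d} (expires {sig['expiration']:%Y-%m-%d})")
            else:
                valid.append(sig)
        if not any(sig["keytag"] in wanted for sig in valid):
            problems.append(f"{owner} {rtype}: no currently valid RRSIG from a {role}")
    return problems


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3 and not sys.stdin.isatty():   # real dig output on stdin
        zsk, ksk = {int(sys.argv[1])}, {int(sys.argv[2])}
        text, now = sys.stdin.read(), datetime.now(timezone.utc)
    else:                                               # demo against the sample
        zsk, ksk, text, now = {51333}, {52159}, SAMPLE_ANSWER, SAMPLE_NOW
    for line in check_signatures(text, zsk, ksk, now) or ["all RRsets signed and valid"]:
        print(line)
```

Run it against your own server with `dig @10.X.1.1 mytld DNSKEY +dnssec +noall +answer | python3 check_rrsig.py 51333 52159`, substituting your key tags. The expiry rule is the one that matters in production: `auto-dnssec maintain` re-signs before signatures lapse, but only while BIND can still read the private keys, so a check like this run periodically is an early warning that re-signing has stopped. A valid RRSIG only proves the zone is signed; whether a validator trusts it still depends on the DS in the parent.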