DNS 2: DNSSEC
Categories: [ IT ]
Second part of my DNS
setup
notes, this time about DNSSEC. The following notes assumes there is already a
running instance of Bind 9 on a Debian Jessie system for an imaginary domain
example.com, served by a name server named ns.example.com.
The version of Bind 9 (9.9.5) on Debian Jessie supports "inline signing" of the zones, meaning that the setup is much easier than in the tutorials mentioning dnssec-tools or opendnssec.
Again these notes are mostly based on the example from the ISC Knowledge Base.
Setting up a signed zone
If you have a delegated zone (like home.example.com from the first part), do
the following for both example.com and home.example.com.
Generate the keys
On a machine with enough available entropy in/dev/random (such as a
Raspberry Pi with its hardware random number
generator
) run
dnssec-keygen example.com dnssec-keygen -fk example.com
(you can add the -r /dev/urandom option to the command if you dare, if
/dev/random is too slow. It can literaly take hours to generate those keys
otherwise).
Transfer the keys to the server where Bind is running.
Configure Bind
Create a /etc/bind/keys directory where to put the keys. Ensure the
.private files belong to root, are readable by the group bind and not by
other users.
named.conf.options add to the options block:
options {
…
dnssec-enable yes;
dnssec-validation auto;
dnssec-lookaside auto;
…
};
Create in /var/cache/bind a symbolic link to /etc/bind/db.example.com.
named.conf.local, in the zone "example.com" block, add
zone "example.com" {
…
#file "/etc/bind/db.example.com";
file "/var/cache/bind/db.example.com";
key-directory "/etc/bind/keys";
auto-dnssec maintain;
inline-signing yes;
};
Note that the db file must point to a file in /var/cache/bind, not in
/etc/bind. This is because bind will create a db.example.com.signed file
(among other related journal files), constructed from the path of the "file"
entry in the zone declaration, and it will fail doing so if the file is in
/etc/bind, because Bind would attempt to create the .signed file in this
read-only directory.
rndc reconfigThen check that the zone is signed with
rndc signing -list example.com
Linking the zones
Your registrar should provide a tool (most probably Web based) where to put DS records for your domain.
On the DNS server, generate aDS record with
dig @localhost dnskey example.com | /usr/sbin/dnssec-dsfromkey -f - example.comCopy and paste these lines in the registrar's tool. After a little while, you should be able to query the
DS record with
dig @localhost -t ds example.orgIf you have a delegated zone such as
home.example.com, generate a DS
record for that zone with
dig @localhost dnskey home.example.com | /usr/sbin/dnssec-dsfromkey -f - home.example.comand place these lines in
db.example.com (i.e., the db file for the
parent zone). Change the serial number of the zone in the same file and run
rndc reloadYou should then be able to query the
DS record with
dig @localhost -t ds home.example.org
You can use Verisign's DNS debugging tool to check that the signatures are valid and DNSViz to view the chain of signatures from the TLD DNS down to your DNS. This also helped me figure out that my zone delegation was incorrect and caused discrepancies between my primary DNS server and the secondary server.
[ Posted on April 27th, 2016 at 19:21 | 1 comment | permanent link ]
Third part of my DNS setup notes: changing the DNSSEC config from NSEC to NSEC3. This has be on my TODO list for over a year now, and despite the tutorial at the ISC Knowledge Base, the ride was a bit bumpy.
Generating new keys
The previous keys were ...