This shows you the differences between two versions of the page.
Previous revision: bdnog11:netsec:bind-implementing-dnssec [2020/01/13 13:59] Muhammad Moinur Rahman [B. Signing the zone]
Current revision: bdnog11:netsec:bind-implementing-dnssec [2020/01/13 15:14] Muhammad Moinur Rahman [C. Publishing the zone]
Line 37: | Line 37: | ||
==== B. Signing the zone ==== | ==== B. Signing the zone ==== | ||
- Generate the key pair in ''/etc/bind/master'' directory. This command generates the ZSK.<code>dnssec-keygen –a <algorithm> –b <keysize> -n ZONE <groupXX></code> example: <code>dnssec-keygen -a RSASHA256 -b 1024 -n ZONE groupXX.net</code>The defaults are RSASHA1 for the algorithm, with 1024 bits for ZSK and 2048 bits for KSK. Since these are all defaults, we can just issue the command:<code>dnssec-keygen -n ZONE groupXX.net</code>This will generate two file. Now generate KSK. This command generates the KSK<code>dnssec-keygen -a <algorithm> -b <keysize> -f KSK -n ZONE <groupXX></code>Or simply<code>dnssec-keygen -a RSASHA256 -b 1024 -f KSK -n ZONE groupXX.net</code> | - Generate the key pair in ''/etc/bind/master'' directory. This command generates the ZSK.<code>dnssec-keygen –a <algorithm> –b <keysize> -n ZONE <groupXX></code> example: <code>dnssec-keygen -a RSASHA256 -b 1024 -n ZONE groupXX.net</code>The defaults are RSASHA1 for the algorithm, with 1024 bits for ZSK and 2048 bits for KSK. Since these are all defaults, we can just issue the command:<code>dnssec-keygen -n ZONE groupXX.net</code>This will generate two file. Now generate KSK. This command generates the KSK<code>dnssec-keygen -a <algorithm> -b <keysize> -f KSK -n ZONE <groupXX></code>Or simply<code>dnssec-keygen -a RSASHA256 -b 1024 -f KSK -n ZONE groupXX.net</code> | ||
- | - Include the public DNSKEYs in the zone file. You can either copy the entire file or reference to it using the $INCLUDE directive. To do the latter, simply add the lines below. Note that you are including only the public portion (.key) into the zone file. The private portion (.private) must be kept secure.<code> | + | - Include the public DNSKEYs in the zone file. You can either copy the entire file or reference to it using the $INCLUDE directive. Note that you are including only the public portion (.key) into the zone file. The private portion (.private) must be kept secure.<code>cat Kgroup*.key >> db.groupXX.net</code>OR<code> |
$INCLUDE “K<groupXX>.+005+<id_of_zsk>.key” | $INCLUDE “K<groupXX>.+005+<id_of_zsk>.key” | ||
$INCLUDE “K<groupXX>.+005+<id_of_ksk>.key”</code> | $INCLUDE “K<groupXX>.+005+<id_of_ksk>.key”</code> | ||
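Review bot: the `$INCLUDE` lines name the key files as `K<groupXX>.+005+<id>.key`, i.e. algorithm 5 (RSASHA1), but the example `dnssec-keygen` commands in the same step use `-a RSASHA256`, which is algorithm 8 and produces files named `K<groupXX>.+008+<id>.key`; with the commands as written the includes will not resolve, so either keep the algorithm consistent throughout or tell the reader to substitute the filenames `dnssec-keygen` actually printed. Two typographic problems in the same hunk will also bite anyone who copies the text: the curly quotes around the `$INCLUDE` paths (named expects plain `"`) and the en-dashes in `–a <algorithm> –b <keysize>` in the template command (should be `-a` and `-b`, as in the concrete example). The newly added `cat Kgroup*.key >> db.groupXX.net` alternative deserves one caveat: it appends, so running it a second time duplicates the DNSKEY records, and embedding the keys means the zone file has to be edited again at every key rollover, whereas the `$INCLUDE` form only needs the filename changed. Minor: "This will generate two file" should read "two files (a `.key` public part and a `.private` part)".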
Line 69: | Line 69: | ||
file “db.groupXX.net.signed”; | file “db.groupXX.net.signed”; | ||
};</code>Change the file to point to the signed zone. | };</code>Change the file to point to the signed zone. | ||
- | - Start/Reload named service. Check if for the DNSKEY record using dig on the same server.<code>dig DNSKEY groupXX.net. @localhost +multiline</code>Check for the presence of RRSIG records.<code>dig groupXX.net. @localhost +multiline +dnssec A</code> | + | - Start/Reload named service. Check if for the DNSKEY record using dig on the same server.<code>dig DNSKEY groupXX.net. @localhost +multiline</code>Check for the presence of RRSIG records.<code>dig ns.groupXX.net. @localhost +multiline +dnssec A</code> |
- When we ran the ''dnssec-signzone'' command apart from the ''.signed'' zone file, a file named ''dsset-groupXX.net'' was also created, this contains the DS records. Push the DS record up to your parent domain. Open the file ''dsset-<yourdomain>'' (ex: ''dsset-groupXX.net''). This contains your DS records (see example below).<code> | - When we ran the ''dnssec-signzone'' command apart from the ''.signed'' zone file, a file named ''dsset-groupXX.net'' was also created, this contains the DS records. Push the DS record up to your parent domain. Open the file ''dsset-<yourdomain>'' (ex: ''dsset-groupXX.net''). This contains your DS records (see example below).<code> | ||
groupXX.net. IN DS 4297 5 1 C5A8C518B2208463F87CB30E35F247DD7EACCDB1 | groupXX.net. IN DS 4297 5 1 C5A8C518B2208463F87CB30E35F247DD7EACCDB1 |
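Review bot: the changed check `dig ns.groupXX.net. @localhost +multiline +dnssec A` assumes the zone actually contains an A record for `ns.groupXX.net.`; if this page's earlier zone file defines that name the change is an improvement over querying the apex (which may hold no A record and would return only NSEC and RRSIG data), but the step should say so and state what a passing result looks like, namely the A record followed by an `RRSIG A` record in the answer section. It is also worth noting here that an authoritative server never sets the `ad` flag, so the presence of RRSIGs, not `ad`, is the thing to look for on `@localhost`. The example DS line `4297 5 1 ...` is algorithm 5 with a SHA-1 digest (type 1), which is consistent with the `+005+` filenames above but not with the `-a RSASHA256` keygen example; and if the `dsset-` file contains more than one DS line the text should say which one to push to the parent (prefer the SHA-256, digest type 2, record). Typo in the first bullet: "Check if for the DNSKEY record" should be "Check for the DNSKEY record".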