bdnog11:netsec:bind-implementing-dnssec [2020/01/13 15:12] Muhammad Moinur Rahman [B.Signing the zone]
bdnog11:netsec:bind-implementing-dnssec [2020/01/14 12:34] Muhammad Moinur Rahman
Line 22: | Line 22: | ||
- Update the DNS configuration. Change options in the configuration file ''/etc/bind/named.conf.options'' to allow DNSSEC. These options must be enabled for this lab to success. This option is required only for LAB purpose and not applicable to real life:\\ <code> | - Update the DNS configuration. Change options in the configuration file ''/etc/bind/named.conf.options'' to allow DNSSEC. These options must be enabled for this lab to success. This option is required only for LAB purpose and not applicable to real life:\\ <code> | ||
- | dnssec-validation yes;</code>\\ **dnssec-enable** allows named to respond to DNS requests from DNSSEC-aware clients. The default is yes, but is best added in the `named.conf` so you know how to turn it off.\\ If `dnssec-validation` is set to auto, it defaults to the DNS root zone as the trust anchor.\\ If set to yes, a trust anchor must be explicitly configured using the trusted-keys option.\\ <code> | + | dnssec-validation yes;</code>\\ **dnssec-enable** allows named to respond to DNS requests from DNSSEC-aware clients. The default is yes, but is best added in the `named.conf` so you know how to turn it off.\\ If `dnssec-validation` is set to auto, it defaults to the DNS root zone as the trust anchor.\\ If set to yes, a trust anchor must be explicitly configured using the trusted-keys option in ''/etc/bind/named.conf.local''.\\ <code> |
trusted-keys { | trusted-keys { | ||
. 257 3 8 "AwEAAeBVrjcVk2End+jIb/0b5vRZJlQVgh2nspHrcDISSyeslhEiLWUr W9M8Bl/LrUM0PYbfzkzhwtDayPm3Pz1hJN4cdr/zXcjgG/iuOZzXuAK+ GJmhEbM7QS1Tw7YrZLPO8OjqpnSt+vZirfsfCR44KtN9klrx6YFKrFt0 jB6C4gP4S955RyViqLnhNQfW3sq6LIkiUhpVgO82X0GHfe7FFCgqVxG+ 9nmaTu3M6mE9bsiAjuHyxlc+je8Ll12n56cpCMU+f+46hRSSDH6vtMUl sYaP2rvzjn1Mo1txtTLL8K0eXtHPYIaH6mDU8gcfPNFX+7mdECqMbs7B y0JQRykIHtgDTa9pCCIamrpquXvuAIQSAsnZ6ENzpPLRiaLCU92lCrYm +xL2RwQ4i3Y1sbPVfn6D73OWockfGf+Yc6CSxBCk8LvDM5LKtlN7CvkO DF8Jd9hajAL32ZVF2GlW6ps5+9coE0zJgkaWpNicMczIvL1WYtb+hmaK yR48cPDjdgnnezHifHix3C74zpdL4QmN10muzyGqULUKqYZOXiMQff5i TMtFO5MwAFrAfwmgfw+o+NAryhRwFqWaY0h4z8TTCh3rVRYR5PfOzFcd aoewfzOm90XihvoqRrajaEK1W6F+IS/3UVEo4YR7M8mdZK1QF+g94bg0 4yCZkSGN8Z+xnu0p"; | . 257 3 8 "AwEAAeBVrjcVk2End+jIb/0b5vRZJlQVgh2nspHrcDISSyeslhEiLWUr W9M8Bl/LrUM0PYbfzkzhwtDayPm3Pz1hJN4cdr/zXcjgG/iuOZzXuAK+ GJmhEbM7QS1Tw7YrZLPO8OjqpnSt+vZirfsfCR44KtN9klrx6YFKrFt0 jB6C4gP4S955RyViqLnhNQfW3sq6LIkiUhpVgO82X0GHfe7FFCgqVxG+ 9nmaTu3M6mE9bsiAjuHyxlc+je8Ll12n56cpCMU+f+46hRSSDH6vtMUl sYaP2rvzjn1Mo1txtTLL8K0eXtHPYIaH6mDU8gcfPNFX+7mdECqMbs7B y0JQRykIHtgDTa9pCCIamrpquXvuAIQSAsnZ6ENzpPLRiaLCU92lCrYm +xL2RwQ4i3Y1sbPVfn6D73OWockfGf+Yc6CSxBCk8LvDM5LKtlN7CvkO DF8Jd9hajAL32ZVF2GlW6ps5+9coE0zJgkaWpNicMczIvL1WYtb+hmaK yR48cPDjdgnnezHifHix3C74zpdL4QmN10muzyGqULUKqYZOXiMQff5i TMtFO5MwAFrAfwmgfw+o+NAryhRwFqWaY0h4z8TTCh3rVRYR5PfOzFcd aoewfzOm90XihvoqRrajaEK1W6F+IS/3UVEo4YR7M8mdZK1QF+g94bg0 4yCZkSGN8Z+xnu0p"; | ||
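Review bot: The changed line describes **dnssec-enable** in bold, but the `<code>` block right before it contains only `dnssec-validation yes;`, so a reader following the lab never adds the directive being explained; either add `dnssec-enable yes;` to that block or drop the dnssec-enable sentence. Naming ''/etc/bind/named.conf.local'' as the home of the `trusted-keys` block is a useful addition, because the paragraph opens by pointing at ''named.conf.options''; it would help to also say that the static `trusted-keys` block, not the `dnssec-validation` line, is the lab-only part, since the paragraph marks the whole step as "not applicable to real life" while `dnssec-validation` is a normal production setting, and a statically configured trust anchor will not follow a root key rollover the way `dnssec-validation auto;` with its built-in root anchor does. Minor wording in the unchanged context: "for this lab to success" should read "for this lab to succeed", and "LAB purpose" "lab purposes".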
Line 69: | Line 69: | ||
file “db.groupXX.net.signed”; | file “db.groupXX.net.signed”; | ||
};</code>Change the file to point to the signed zone. | };</code>Change the file to point to the signed zone. | ||
- | - Start/Reload named service. Check if for the DNSKEY record using dig on the same server.<code>dig DNSKEY groupXX.net. @localhost +multiline</code>Check for the presence of RRSIG records.<code>dig groupXX.net. @localhost +multiline +dnssec A</code> | + | - Start/Reload named service. Check if for the DNSKEY record using dig on the same server.<code>dig DNSKEY groupXX.net. @localhost +multiline</code>Check for the presence of RRSIG records.<code>dig ns.groupXX.net. @localhost +multiline +dnssec A</code> |
- When we ran the ''dnssec-signzone'' command apart from the ''.signed'' zone file, a file named ''dsset-groupXX.net'' was also created, this contains the DS records. Push the DS record up to your parent domain. Open the file ''dsset-<yourdomain>'' (ex: ''dsset-groupXX.net''). This contains your DS records (see example below).<code> | - When we ran the ''dnssec-signzone'' command apart from the ''.signed'' zone file, a file named ''dsset-groupXX.net'' was also created, this contains the DS records. Push the DS record up to your parent domain. Open the file ''dsset-<yourdomain>'' (ex: ''dsset-groupXX.net''). This contains your DS records (see example below).<code> | ||
groupXX.net. IN DS 4297 5 1 C5A8C518B2208463F87CB30E35F247DD7EACCDB1 | groupXX.net. IN DS 4297 5 1 C5A8C518B2208463F87CB30E35F247DD7EACCDB1 |
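Review bot: Switching the RRSIG check from the zone apex to `ns.groupXX.net.` is only an improvement if the apex has no A record; if it does, the original query was the more direct test of the signed zone, and the step should say why the nameserver's name is queried instead. Two checks the step should state explicitly: the key tag in the DS line (4297 in the example) must match the key id that `dig DNSKEY groupXX.net. @localhost +multiline` prints for the KSK (flags 257), and the DS example uses algorithm 5 (RSASHA1) with digest type 1 (SHA-1), whereas the root trust anchor earlier on the page uses algorithm 8; the dsset file should be regenerated from the keys actually used in the signing step, and SHA-1 digests are deprecated for new DS records (RFC 8624), so the example is better shown with digest type 2 (SHA-256). Typos in the context lines: "Check if for the DNSKEY record" should read "Check for the DNSKEY record", and the curly quotes in `file “db.groupXX.net.signed”;` will not parse in named.conf and should be plain double quotes.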