bdnog11:netsec:bind-implementing-dnssec

Differences

This shows you the differences between two versions of the page.

bdnog11:netsec:bind-implementing-dnssec [2020/01/13 12:39]
Muhammad Moinur Rahman [D.Signing the reverse zones.]
bdnog11:netsec:bind-implementing-dnssec [2020/01/14 12:34] (current)
Muhammad Moinur Rahman
Line 21: Line 21:
 To allow your recursive DNS servers to validate DNSSEC-signed zones. To allow your recursive DNS servers to validate DNSSEC-signed zones.
  
-  - Update the DNS configuration. ​Add options in the configuration file ''/​etc/​bind/​named.conf.local''​ to allow DNSSEC. These options must be enabled:\\ <​code>​ +  - Update the DNS configuration. ​Change ​options in the configuration file ''/​etc/​bind/​named.conf.options''​ to allow DNSSEC. These options must be enabled ​for this lab to success. This option is required only for LAB purpose and not applicable to real life:\\ <​code>​ 
-dnssec-enable yes; +dnssec-validation yes;</​code>​\\ **dnssec-enable** allows named to respond to DNS requests from DNSSEC-aware clients. The default is yes, but is best added in the `named.conf` so you know how to turn it off.\\ If `dnssec-validation` is set to auto, it defaults to the DNS root zone as the trust anchor.\\ If set to yes, a trust anchor must be explicitly configured using the trusted-keys option ​in ''/​etc/​bind/​named.conf.local''​.\\ <​code>​
-dnssec-validation yes|auto;</​code>​\\ **dnssec-enable** allows named to respond to DNS requests from DNSSEC-aware clients. The default is yes, but is best added in the `named.conf` so you know how to turn it off.\\If `dnssec-validation` is set to auto, it defaults to the DNS root zone as the trust anchor.\\ If set to yes, a trust anchor must be explicitly configured using the trusted-keys option.\\ <​code>​+
 trusted-keys { trusted-keys {
- // parent zone + . 257 3 8 "AwEAAeBVrjcVk2End+jIb/​0b5vRZJlQVgh2nspHrcDISSyeslhEiLWUr W9M8Bl/​LrUM0PYbfzkzhwtDayPm3Pz1hJN4cdr/​zXcjgG/​iuOZzXuAK+ GJmhEbM7QS1Tw7YrZLPO8OjqpnSt+vZirfsfCR44KtN9klrx6YFKrFt0 jB6C4gP4S955RyViqLnhNQfW3sq6LIkiUhpVgO82X0GHfe7FFCgqVxG+ 9nmaTu3M6mE9bsiAjuHyxlc+je8Ll12n56cpCMU+f+46hRSSDH6vtMUl sYaP2rvzjn1Mo1txtTLL8K0eXtHPYIaH6mDU8gcfPNFX+7mdECqMbs7B y0JQRykIHtgDTa9pCCIamrpquXvuAIQSAsnZ6ENzpPLRiaLCU92lCrYm +xL2RwQ4i3Y1sbPVfn6D73OWockfGf+Yc6CSxBCk8LvDM5LKtlN7CvkO DF8Jd9hajAL32ZVF2GlW6ps5+9coE0zJgkaWpNicMczIvL1WYtb+hmaK yR48cPDjdgnnezHifHix3C74zpdL4QmN10muzyGqULUKqYZOXiMQff5i TMtFO5MwAFrAfwmgfw+o+NAryhRwFqWaY0h4z8TTCh3rVRYR5PfOzFcd aoewfzOm90XihvoqRrajaEK1W6F+IS/​3UVEo4YR7M8mdZK1QF+g94bg0 4yCZkSGN8Z+xnu0p";
- IN DNSKEY ​257 3 8 AwEAAeBVrjcVk2End+jIb/​0b5vRZJlQVgh2nspHrcDISSyeslhEiLWUr W9M8Bl/​LrUM0PYbfzkzhwtDayPm3Pz1hJN4cdr/​zXcjgG/​iuOZzXuAK+ GJmhEbM7QS1Tw7YrZLPO8OjqpnSt+vZirfsfCR44KtN9klrx6YFKrFt0 jB6C4gP4S955RyViqLnhNQfW3sq6LIkiUhpVgO82X0GHfe7FFCgqVxG+ 9nmaTu3M6mE9bsiAjuHyxlc+je8Ll12n56cpCMU+f+46hRSSDH6vtMUl sYaP2rvzjn1Mo1txtTLL8K0eXtHPYIaH6mDU8gcfPNFX+7mdECqMbs7B y0JQRykIHtgDTa9pCCIamrpquXvuAIQSAsnZ6ENzpPLRiaLCU92lCrYm +xL2RwQ4i3Y1sbPVfn6D73OWockfGf+Yc6CSxBCk8LvDM5LKtlN7CvkO DF8Jd9hajAL32ZVF2GlW6ps5+9coE0zJgkaWpNicMczIvL1WYtb+hmaK yR48cPDjdgnnezHifHix3C74zpdL4QmN10muzyGqULUKqYZOXiMQff5i TMtFO5MwAFrAfwmgfw+o+NAryhRwFqWaY0h4z8TTCh3rVRYR5PfOzFcd aoewfzOm90XihvoqRrajaEK1W6F+IS/​3UVEo4YR7M8mdZK1QF+g94bg0 4yCZkSGN8Z+xnu0p;​+
 };</​code>​ };</​code>​
 +  - Change the root-hint to the lab root server. This part is also required for this lab only and not required in real life. Create a file named lab-root.hints using the command ''​vi /​etc/​bind/​lab-root.hints''​ with the following contents:<​code>​. 8600000 IN NS X.ROOT-SERVER.LOC.
 +X.ROOT-SERVER.LOC. IN A 192.168.30.51</​code>​
 +  - Change the ''​zone "​."''​ block in ''/​etc/​bind/​named.conf.default-zones''​ to reflect the following<​code>​zone "​."​ {
 + type hint;
 + file "/​etc/​bind/​lab-root.hints";​
 +};</​code>​
 +  - Reload bind with ''​systemctl reload named''​
 +
  
 ==== B. Signing the zone ==== ==== B. Signing the zone ====
-  - Generate the key pair. This command generates the ZSK.<​code>​dnssec-keygen –a <​algorithm>​ –b <​keysize>​ -n ZONE <​groupXX></​code>​ example: <​code>​dnssec-keygen -a RSASHA256 -b 1024 -n ZONE groupXX.net</​code>​The defaults are RSASHA1 for the algorithm, with 1024 bits for ZSK and 2048 bits for KSK. Since these are all defaults, we can just issue the command:<​code>​dnssec-keygen -n ZONE groupXX.net</​code>​This will generate two file. Now generate KSK. This command generates the KSK<​code>​dnssec-keygen -a <​algorithm>​ -b <​keysize>​ -f KSK -n ZONE <​groupXX></​code>​Or simply<​code>​dnssec-keygen -f KSK -n ZONE groupXX.net</​code>​ +  - Generate the key pair in ''/​etc/​bind/​master''​ directory. This command generates the ZSK.<​code>​dnssec-keygen –a <​algorithm>​ –b <​keysize>​ -n ZONE <​groupXX></​code>​ example: <​code>​dnssec-keygen -a RSASHA256 -b 1024 -n ZONE groupXX.net</​code>​The defaults are RSASHA1 for the algorithm, with 1024 bits for ZSK and 2048 bits for KSK. Since these are all defaults, we can just issue the command:<​code>​dnssec-keygen -n ZONE groupXX.net</​code>​This will generate two file. Now generate KSK. This command generates the KSK<​code>​dnssec-keygen -a <​algorithm>​ -b <​keysize>​ -f KSK -n ZONE <​groupXX></​code>​Or simply<​code>​dnssec-keygen ​-a RSASHA256 -b 1024 -f KSK  -n ZONE groupXX.net</​code>​ 
-  - Include the public DNSKEYs in the zone file. You can either copy the entire file or reference to it using the $INCLUDE directive. To do the latter, simply add the lines below. Note that you are including only the public portion (.key) into the zone file. The private portion (.private) must be kept secure.<​code>​+  - Include the public DNSKEYs in the zone file. You can either copy the entire file or reference to it using the $INCLUDE directive. Note that you are including only the public portion (.key) into the zone file. The private portion (.private) must be kept secure.<​code>​cat Kgroup*.key >> db.groupXX.net</​code>​OR<​code>​
 $INCLUDE “K<​groupXX>​.+005+<​id_of_zsk>​.key” $INCLUDE “K<​groupXX>​.+005+<​id_of_zsk>​.key”
 $INCLUDE “K<​groupXX>​.+005+<​id_of_ksk>​.key”</​code>​ $INCLUDE “K<​groupXX>​.+005+<​id_of_ksk>​.key”</​code>​
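Review bot: the `$INCLUDE` lines at the end of this hunk still name the key files `K<groupXX>.+005+<id_of_zsk>.key` and `K<groupXX>.+005+<id_of_ksk>.key`, but the key-generation step now shows `dnssec-keygen -a RSASHA256 ...` for both the ZSK and the KSK; `005` is the RSASHA1 algorithm number, and RSASHA256 keys are written as `K<groupXX>.+008+<id>.key` (the same `8` appears in the `257 3 8` trust anchor earlier in this hunk), so the `$INCLUDE` form will not find the files when the keys were generated as the example shows, while the `cat Kgroup*.key >> db.groupXX.net` alternative is unaffected. Two smaller points in the same hunk: the KSK command introduced with "Or simply" is no longer the all-defaults form (it now passes `-a RSASHA256 -b 1024`, which also contradicts the preceding sentence stating that the KSK default is 2048 bits), and the explanation beginning "**dnssec-enable** allows named to respond ..." survives even though `dnssec-enable yes;` was removed from the configuration block, so either drop that sentence or state that the option is left at its default. Also "for this lab to success" should read "for this lab to succeed".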
Line 63: Line 69:
  file “db.groupXX.net.signed”;​  file “db.groupXX.net.signed”;​
 };</​code>​Change the file to point to the signed zone.  };</​code>​Change the file to point to the signed zone. 
-  - Start/​Reload named service. Check if for the DNSKEY record using dig on the same server.<​code>​dig DNSKEY groupXX.net. @localhost +multiline</​code>​Check for the presence of RRSIG records.<​code>​dig groupXX.net. @localhost +multiline +dnssec A</​code>​+  - Start/​Reload named service. Check if for the DNSKEY record using dig on the same server.<​code>​dig DNSKEY groupXX.net. @localhost +multiline</​code>​Check for the presence of RRSIG records.<​code>​dig ​ns.groupXX.net. @localhost +multiline +dnssec A</​code>​
   - When we ran the ''​dnssec-signzone''​ command apart from the ''​.signed''​ zone file, a file named ''​dsset-groupXX.net''​ was also created, this contains the DS records. Push the DS record up to your parent domain. Open the file ''​dsset-<​yourdomain>''​ (ex: ''​dsset-groupXX.net''​). This contains your DS records (see example below).<​code>​   - When we ran the ''​dnssec-signzone''​ command apart from the ''​.signed''​ zone file, a file named ''​dsset-groupXX.net''​ was also created, this contains the DS records. Push the DS record up to your parent domain. Open the file ''​dsset-<​yourdomain>''​ (ex: ''​dsset-groupXX.net''​). This contains your DS records (see example below).<​code>​
 groupXX.net. IN DS 4297 5 1 C5A8C518B2208463F87CB30E35F247DD7EACCDB1 groupXX.net. IN DS 4297 5 1 C5A8C518B2208463F87CB30E35F247DD7EACCDB1
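Review bot: the example DS record `groupXX.net. IN DS 4297 5 1 ...` pairs algorithm 5 (RSASHA1) with digest type 1 (SHA-1); it is only illustrative, but it no longer matches keys generated with `-a RSASHA256` as shown earlier on the page, so it is worth regenerating the example from an actual `dsset-groupXX.net` produced by the lab commands. In the verification step, "Check if for the DNSKEY record" should read "Check for the DNSKEY record", and it would help to say that the `dig ... @localhost +dnssec` queries against the authoritative server only show that RRSIG records are present; they do not validate the chain, so the same query sent to the recursive resolver configured in part A is what actually exercises the trust anchor and the DS record pushed to the parent.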
bdnog11/netsec/bind-implementing-dnssec.1578897563.txt.gz · Last modified: 2020/01/13 12:39 by Muhammad Moinur Rahman