Deploy DNSSEC-signed zones.
DNSSEC (DNS Security Extensions) adds cryptographic signatures to zone data so that resolvers can verify its authenticity and integrity.
Note: In the steps below, we are using:
groupXX.net : our domain
db.groupXX.net : zone file for the domain
KgroupXX.net.+005+12345.key/.private : the generated ZSK
KgroupXX.net.+005+67890.key/.private : the generated KSK
To allow your recursive DNS servers to validate DNSSEC-signed zones, edit /etc/bind/named.conf.options to enable DNSSEC. These options must be enabled for this lab to succeed. Setting `dnssec-validation yes;` is required only for the purposes of this lab and does not apply to real-life deployments:
dnssec-validation yes;
`dnssec-enable` allows named to respond to DNS requests from DNSSEC-aware clients. The default is yes, but it is best added to `named.conf` explicitly so you know where to turn it off.
If `dnssec-validation` is set to auto, named uses the DNS root zone key as the trust anchor. If it is set to yes, a trust anchor must be explicitly configured using the trusted-keys option in /etc/bind/named.conf.local:
trusted-keys {
    . 257 3 8 "AwEAAeBVrjcVk2End+jIb/0b5vRZJlQVgh2nspHrcDISSyeslhEiLWUr
               W9M8Bl/LrUM0PYbfzkzhwtDayPm3Pz1hJN4cdr/zXcjgG/iuOZzXuAK+
               GJmhEbM7QS1Tw7YrZLPO8OjqpnSt+vZirfsfCR44KtN9klrx6YFKrFt0
               jB6C4gP4S955RyViqLnhNQfW3sq6LIkiUhpVgO82X0GHfe7FFCgqVxG+
               9nmaTu3M6mE9bsiAjuHyxlc+je8Ll12n56cpCMU+f+46hRSSDH6vtMUl
               sYaP2rvzjn1Mo1txtTLL8K0eXtHPYIaH6mDU8gcfPNFX+7mdECqMbs7B
               y0JQRykIHtgDTa9pCCIamrpquXvuAIQSAsnZ6ENzpPLRiaLCU92lCrYm
               +xL2RwQ4i3Y1sbPVfn6D73OWockfGf+Yc6CSxBCk8LvDM5LKtlN7CvkO
               DF8Jd9hajAL32ZVF2GlW6ps5+9coE0zJgkaWpNicMczIvL1WYtb+hmaK
               yR48cPDjdgnnezHifHix3C74zpdL4QmN10muzyGqULUKqYZOXiMQff5i
               TMtFO5MwAFrAfwmgfw+o+NAryhRwFqWaY0h4z8TTCh3rVRYR5PfOzFcd
               aoewfzOm90XihvoqRrajaEK1W6F+IS/3UVEo4YR7M8mdZK1QF+g94bg0
               4yCZkSGN8Z+xnu0p";
};
Create the lab root hints file (vi /etc/bind/lab-root.hints) with the following contents:
.                    8600000 IN NS X.ROOT-SERVER.LOC.
X.ROOT-SERVER.LOC.           IN A  192.168.30.51
Edit the zone "." block in /etc/bind/named.conf.default-zones to reflect the following:
zone "." {
    type hint;
    file "/etc/bind/lab-root.hints";
};
systemctl reload named
Change to the /etc/bind/master directory. This command generates the ZSK:
dnssec-keygen -a <algorithm> -b <keysize> -n ZONE <groupXX>
example:
dnssec-keygen -a RSASHA256 -b 1024 -n ZONE groupXX.net
The defaults are RSASHA1 for the algorithm, with 1024 bits for ZSK and 2048 bits for KSK. Since these are all defaults, we can just issue the command:
dnssec-keygen -n ZONE groupXX.net
This will generate two files (a `.key` file with the public DNSKEY record and a `.private` file with the private key). Now generate the KSK. This command generates the KSK:
dnssec-keygen -a <algorithm> -b <keysize> -f KSK -n ZONE <groupXX>
Or simply
dnssec-keygen -a RSASHA256 -b 1024 -f KSK -n ZONE groupXX.net
Add the public keys (the DNSKEY records) to the zone file, either by appending them:
cat Kgroup*.key >> db.groupXX.net
OR by including the key files from the zone file:
$INCLUDE "K<groupXX>.+005+<id_of_zsk>.key"
$INCLUDE "K<groupXX>.+005+<id_of_ksk>.key"
dnssec-signzone -o <zonename> -N INCREMENT -f <output-file> -t -k <KSKfile> <zonefile> <ZSKfile>
example:
dnssec-signzone -o groupXX.net -N INCREMENT -f db.groupXX.net.signed -t -k KgroupXX.net.+005+12345 db.groupXX.net KgroupXX.net.+005+67890
`dnssec-signzone` does the following: it creates a signed zone file (db.groupXX.net.signed in the example above) which contains `RRSIG` records for each DNS record. If we don't add the -f option, the output file name is the zone file name with `.signed` appended automatically: <db.groupXX.net>.signed
After successful signing it will give output like the following:
Verifying the zone using the following algorithms: RSASHA1.
Zone fully signed:
Algorithm: RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
                    ZSKs: 1 active, 0 stand-by, 0 revoked
db.groupXX.net.signed
Signatures generated:                       15
Signatures retained:                         0
Signatures dropped:                          0
Signatures successfully verified:            0
Signatures unsuccessfully verified:          0
Signing time in seconds:                 0.006
Signatures per second:                2423.654
Runtime in seconds:                      0.014
Compare the original and signed zone files with ls -al or wc; the signed file is considerably larger. Then edit /etc/bind/named.conf.local and change the zone's file statement to point to the signed zone. For example:
zone "<groupXX>" {
    type master;
    // file "db.groupXX.net";
    file "db.groupXX.net.signed";
};
Check that the DNSKEY records are served:
dig DNSKEY groupXX.net. @localhost +multiline
Check for the presence of RRSIG records:
dig ns.groupXX.net. @localhost +multiline +dnssec A
When you ran the dnssec-signzone command, apart from the .signed zone file, a file named dsset-groupXX.net was also created; this contains the DS records. Push the DS records up to your parent domain. Open the file dsset-<yourdomain> (e.g. dsset-groupXX.net). This contains your DS records, for example:
groupXX.net. IN DS 4297 5 1 C5A8C518B2208463F87CB30E35F247DD7EACCDB1
groupXX.net. IN DS 4297 5 2 27E89E4A769F6C6BC889BB6F2E98374CA835D2B8C750D5505F32144E 1E79B881
Send this to your parent zone (for the lab, it's the gTLD server). The parent zone will then include the DS record in their zone file. The $INCLUDE statement can be used at this stage:
$INCLUDE "dsset-groupXX.net."
In the class, securely send the file to the instructors. You may then check if it has been successfully added using dig.
dig @nameserver +noadditional DS groupXX.net | grep DS
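Before sending the dsset file to the parent, it is worth checking that its DS records really belong to your KSK. The following is an added Python example (not part of the lab material) that implements the RFC 4034 key tag and DS digest from a DNSKEY and compares them against dsset lines; the sample public key bytes in the demo are constructed, not a real RSA key.

```python
import base64
import hashlib
import struct

# Digest types used in DS RDATA: 1 = SHA-1, 2 = SHA-256 (the "5 1" / "5 2" in the dsset lines above).
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags (257 = KSK, 256 = ZSK), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B; this is the '4297' shown in the DS records above."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(owner: str, flags: int, protocol: int, algorithm: int,
              pubkey_b64: str, digest_type: int) -> str:
    """DS RR for one DNSKEY: digest = H(owner name in wire form || DNSKEY RDATA), RFC 4034 5.1.4."""
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64))
    digest = DIGEST_TYPES[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner.rstrip('.')}. IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"

def dsset_matches(dsset_lines, owner, flags, protocol, algorithm, pubkey_b64) -> bool:
    """True when every DS line in a dsset file was derived from the given KSK DNSKEY."""
    for line in dsset_lines:
        tok = line.split()  # dnssec-signzone may wrap the digest with a space, so rejoin tok[6:]
        if len(tok) < 7 or tok[1:3] != ["IN", "DS"]:
            return False
        expected = ds_record(owner, flags, protocol, algorithm, pubkey_b64, int(tok[5])).split()
        if [tok[3], tok[4], tok[5], "".join(tok[6:]).upper()] != expected[3:]:
            return False
    return True

if __name__ == "__main__":
    # Constructed sample public key (64 sequential bytes, not a real RSA key) standing in for the KSK.
    sample_key = base64.b64encode(bytes(range(1, 65))).decode()
    for dt in DIGEST_TYPES:
        print(ds_record("groupXX.net.", 257, 3, 5, sample_key, dt))
```

Paste the real KSK's DNSKEY fields (flags, protocol, algorithm and the base64 key from the K*.key file) into `dsset_matches` together with the dsset lines to confirm they agree.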
On the secondary (slave) server, make sure DNSSEC is enabled in /etc/bind/named.conf.options:
dnssec-enable yes;
dnssec-validation auto;    // or "yes" with an explicit trust anchor, as described above
Then edit the zone section to point to the new signed zone file. After reload, verify that this file exists in the folder specified in the config:
zone "<groupXX>" {
    type slave;
    masters { X.X.X.X; };
    // file "db.groupXX.net";
    file "db.groupXX.net.signed";
};
dig @localhost +dnssec +multiline groupXX.net
dig @localhost +trace +dnssec groupXX.net
Also check for the `AD` bit in the message header flags. It should look something like:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40679
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
The steps to sign the reverse zones are similar to the instructions in items B and C. Using the IP block assigned to you, create the reverse zones and sign them accordingly. Sample steps as follows using reverse domain for block `192.168.100.0/24`.
dnssec-keygen -a <algorithm> -b <keysize> -n ZONE 100.168.192.in-addr.arpa
dnssec-keygen -a <algorithm> -b <keysize> -f KSK -n ZONE 100.168.192.in-addr.arpa
dnssec-signzone -o 100.168.192.in-addr.arpa -N INCREMENT -f <output-file> -t -k K100.168.192.in-addr.arpa.+005+12345 db.192.168.100 K100.168.192.in-addr.arpa.+005+67890
zone "100.168.192.in-addr.arpa" {
    type master;
    // file "db.192.168.100";
    file "db.192.168.100.signed";
};
dig @localhost +dnssec +multiline 1.100.168.192.in-addr.arpa
dig -x @localhost 192.168.100.1
NSEC records are created to prove the non-existence of a record. They build a linked list of all the records in the zone file. The problem with this is that it allows anyone to list the zone contents. This is called "zone walking." Some tools, like ldns-walk (included in the LDNS library), can be used to do exactly this. NSEC3 can be used to provide more security. It uses a hashing algorithm to output a "hash" that replaces the real domain names. This makes zone enumeration harder for an attacker, but not totally impossible. In the steps above, NSEC was used by default. Let us redo the key generation and signing, this time using NSEC3.
dnssec-keygen -3 groupXX.net
dnssec-keygen -f KSK -3 groupXX.net
dnssec-signzone -A -3 <salt> -o <zonename> -N INCREMENT -f <output-file> -t -k <KSKfile> <zonefile> <ZSKfile>
The salt is a random hexadecimal number appended to the domain name before hashing. It is public data, carried in the NSEC3PARAM record. It must be changed once in a while or at regular intervals. To generate the salt, you can use either of these:
date | sha1sum | cut -b 1-16
head -c 1000 /dev/random | sha1sum | cut -b 1-16
Example:
dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -o groupXX.net -N INCREMENT -f <output-file> -t -k KgroupXX.net.+005+12345 db.groupXX.net KgroupXX.net.+005+67890
To use NSEC3 without a salt, simply use a single `-` (dash).
dnssec-signzone -A -3 - -o groupXX.net -N INCREMENT -f <output-file> -t -k KgroupXX.net.+005+12345 db.groupXX.net KgroupXX.net.+005+67890
Look at the signed zone file (for example, cat /etc/bind/db.groupXX.net.signed | grep NSEC). Notice that you now have NSEC3 records, with hashed names in place of the real ones in both the owner name and the RDATA.
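To see what the NSEC3 hashing described above actually produces, the following is an added Python example (not from the lab material) that implements the RFC 5155 hash (SHA-1 over the name and salt, repeated for the configured iterations, encoded in base32hex) and checks the NSEC3 owner names in a signed zone against the names you expect to find. It assumes one record per line and uses the NSEC3PARAM and apex NSEC3 lines from the RFC 5155 Appendix A example zone as sample input.

```python
import base64
import hashlib

# NSEC3 owner names use base32 with the "extended hex" alphabet (RFC 4648 section 7).
_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")

# Sample input: NSEC3PARAM and the apex NSEC3 record of the RFC 5155 Appendix A zone (salt aabbccdd, 12 iterations).
RFC5155_LINES = [
    "example. 3600 IN NSEC3PARAM 1 0 12 aabbccdd",
    "0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. 3600 IN NSEC3 1 1 12 aabbccdd "
    "2t7b4g4vsa5smi47k61mv5bv1a22bojr MX DNSKEY NS SOA NSEC3PARAM RRSIG",
]

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of a name: lowercase, length-prefixed labels, terminating root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"

def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 section 5: SHA-1 over (name || salt), then `iterations` further rounds of H(prev || salt)."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)  # "-" is the empty salt, as in signzone -3 -
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 bytes encode to exactly 32 base32hex characters, so there is no padding to strip.
    return base64.b32encode(digest).decode("ascii").translate(_TO_B32HEX).lower()

def nsec3_owner(name: str, zone: str, salt_hex: str, iterations: int) -> str:
    """Owner name of the NSEC3 record for `name` in `zone`: <hash>.<zone>."""
    return f"{nsec3_hash(name, salt_hex, iterations)}.{zone.rstrip('.')}."

def _rrtype(line: str) -> str:
    """Record type of a 'owner TTL IN TYPE rdata' zone line ('' if it is not one)."""
    tok = line.split()
    return tok[tok.index("IN") + 1] if "IN" in tok else ""

def check_signed_zone(zone_lines, zone, names):
    """Read salt/iterations from NSEC3PARAM and report which names have an NSEC3 owner in the file."""
    params = next(line.split() for line in zone_lines if _rrtype(line) == "NSEC3PARAM")
    iterations, salt = int(params[-2]), params[-1]  # RDATA: hash-alg flags iterations salt
    owners = {line.split()[0].lower() for line in zone_lines if _rrtype(line) == "NSEC3"}
    return {n: nsec3_owner(n, zone, salt, iterations) in owners for n in names}

if __name__ == "__main__":
    print(check_signed_zone(RFC5155_LINES, "example", ["example", "ns1.example"]))
```

Run it against your own db.groupXX.net.signed (joining any records dnssec-signzone wrapped in parentheses onto one line) with the names from db.groupXX.net to confirm every name is covered and that the salt and iteration count in NSEC3PARAM are the ones you signed with.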