bdnog11:netsec:bind-implementing-dnssec

Differences

This shows you the differences between two versions of the page.

bdnog11:netsec:bind-implementing-dnssec [2020/01/13 13:56]
Muhammad Moinur Rahman [B.Signing the zone]
bdnog11:netsec:bind-implementing-dnssec [2020/01/13 15:14]
Muhammad Moinur Rahman [C.Publishing the zone]
Line 36: Line 36:
  
 ==== B. Signing the zone ==== ==== B. Signing the zone ====
-  - Generate the key pair in ''/​etc/​bind/​master''​ directory. This command generates the ZSK.<​code>​dnssec-keygen –a <​algorithm>​ –b <​keysize>​ -n ZONE <​groupXX></​code>​ example: <​code>​dnssec-keygen -a RSASHA256 -b 1024 -n ZONE groupXX.net</​code>​The defaults are RSASHA1 for the algorithm, with 1024 bits for ZSK and 2048 bits for KSK. Since these are all defaults, we can just issue the command:<​code>​dnssec-keygen -n ZONE groupXX.net</​code>​This will generate two file. Now generate KSK. This command generates the KSK<​code>​dnssec-keygen -a <​algorithm>​ -b <​keysize>​ -f KSK -n ZONE <​groupXX></​code>​Or simply<​code>​dnssec-keygen -f KSK -n ZONE groupXX.net</​code>​ +  - Generate the key pair in ''/​etc/​bind/​master''​ directory. This command generates the ZSK.<​code>​dnssec-keygen –a <​algorithm>​ –b <​keysize>​ -n ZONE <​groupXX></​code>​ example: <​code>​dnssec-keygen -a RSASHA256 -b 1024 -n ZONE groupXX.net</​code>​The defaults are RSASHA1 for the algorithm, with 1024 bits for ZSK and 2048 bits for KSK. Since these are all defaults, we can just issue the command:<​code>​dnssec-keygen -n ZONE groupXX.net</​code>​This will generate two file. Now generate KSK. This command generates the KSK<​code>​dnssec-keygen -a <​algorithm>​ -b <​keysize>​ -f KSK -n ZONE <​groupXX></​code>​Or simply<​code>​dnssec-keygen ​-a RSASHA256 -b 1024 -f KSK  -n ZONE groupXX.net</​code>​ 
-  - Include the public DNSKEYs in the zone file. You can either copy the entire file or reference to it using the $INCLUDE directive. To do the latter, simply add the lines below. Note that you are including only the public portion (.key) into the zone file. The private portion (.private) must be kept secure.<​code>​+  - Include the public DNSKEYs in the zone file. You can either copy the entire file or reference to it using the $INCLUDE directive. Note that you are including only the public portion (.key) into the zone file. The private portion (.private) must be kept secure.<​code>​cat Kgroup*.key >> db.groupXX.net</​code>​OR<​code>​
 $INCLUDE “K<​groupXX>​.+005+<​id_of_zsk>​.key” $INCLUDE “K<​groupXX>​.+005+<​id_of_zsk>​.key”
 $INCLUDE “K<​groupXX>​.+005+<​id_of_ksk>​.key”</​code>​ $INCLUDE “K<​groupXX>​.+005+<​id_of_ksk>​.key”</​code>​
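Review bot: the new KSK command on the right, `dnssec-keygen -a RSASHA256 -b 1024 -f KSK -n ZONE groupXX.net`, contradicts the sentence just before it that gives 2048 bits as the KSK default; the KSK is the key the parent's DS record anchors, so keep `-b 2048` there and leave 1024 for the lab ZSK only. Two defects survive from the old text: the template `dnssec-keygen –a <algorithm> –b <keysize> -n ZONE <groupXX>` uses typographic en-dashes, which the shell passes through as literal arguments instead of options (use `-a` and `-b`), and the lines `$INCLUDE “K<groupXX>.+005+<id_of_zsk>.key”` use curly quotes and hard-code algorithm number 005 (RSASHA1). With `-a RSASHA256` the generated files are named `K<groupXX>.+008+<id>.key`, so either have the reader `ls K*.key` and copy the real filenames into `$INCLUDE "..."` with straight quotes, or keep the algorithm consistent across the step. The added shortcut `cat Kgroup*.key >> db.groupXX.net` appends every matching key each time it is run, so say it is a one-shot step, and narrow the glob to `KgroupXX.net.+*.key` if other zones' keys share /etc/bind/master.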
Line 69: Line 69:
  file “db.groupXX.net.signed”;​  file “db.groupXX.net.signed”;​
 };</​code>​Change the file to point to the signed zone.  };</​code>​Change the file to point to the signed zone. 
-  - Start/​Reload named service. Check if for the DNSKEY record using dig on the same server.<​code>​dig DNSKEY groupXX.net. @localhost +multiline</​code>​Check for the presence of RRSIG records.<​code>​dig groupXX.net. @localhost +multiline +dnssec A</​code>​+  - Start/​Reload named service. Check if for the DNSKEY record using dig on the same server.<​code>​dig DNSKEY groupXX.net. @localhost +multiline</​code>​Check for the presence of RRSIG records.<​code>​dig ​ns.groupXX.net. @localhost +multiline +dnssec A</​code>​
   - When we ran the ''​dnssec-signzone''​ command apart from the ''​.signed''​ zone file, a file named ''​dsset-groupXX.net''​ was also created, this contains the DS records. Push the DS record up to your parent domain. Open the file ''​dsset-<​yourdomain>''​ (ex: ''​dsset-groupXX.net''​). This contains your DS records (see example below).<​code>​   - When we ran the ''​dnssec-signzone''​ command apart from the ''​.signed''​ zone file, a file named ''​dsset-groupXX.net''​ was also created, this contains the DS records. Push the DS record up to your parent domain. Open the file ''​dsset-<​yourdomain>''​ (ex: ''​dsset-groupXX.net''​). This contains your DS records (see example below).<​code>​
 groupXX.net. IN DS 4297 5 1 C5A8C518B2208463F87CB30E35F247DD7EACCDB1 groupXX.net. IN DS 4297 5 1 C5A8C518B2208463F87CB30E35F247DD7EACCDB1
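Review bot: the DS example `groupXX.net. IN DS 4297 5 1 C5A8C518B2208463F87CB30E35F247DD7EACCDB1` is algorithm 5 (RSASHA1) with digest type 1 (SHA-1), which no longer matches the RSASHA256 (algorithm 8) KSK the earlier hunk now generates, and SHA-1 is not the digest to hand to a parent today; the dsset file written by dnssec-signzone normally also lists a digest type 2 (SHA-256) line, and that is the one to push up (or produce it with `dnssec-dsfromkey -2 K<ksk>.key`). The DS is derived from the KSK only, so it must be re-sent to the parent whenever the KSK is regenerated. The config line `file “db.groupXX.net.signed”;` uses curly quotes that named's parser will not accept as a quoted string; use straight ASCII quotes. Minor wording: "Check if for the DNSKEY record" should read "Check for the DNSKEY record".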
bdnog11/netsec/bind-implementing-dnssec.txt · Last modified: 2020/01/14 12:34 by Muhammad Moinur Rahman