Configuring DNSSEC On BIND9 (9.7.3) On Debian Squeeze/Ubuntu 11.10

Submitted by falko (Contact Author) (Forums) on Sun, 2012-04-15 19:32. :: BIND | Debian | Ubuntu | DNS | Security

Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 04/13/2012

This guide explains how to configure DNSSEC on BIND9 (version 9.7.3, the version shipped with Debian Squeeze and Ubuntu 11.10). It covers enabling DNSSEC on authoritative nameservers (master and slave) and on resolving nameservers, creating keys (KSKs and ZSKs), signing zones, key rolling with rollerd, zone file checking with donuts, creating trust anchors, using DLV (DNSSEC look-aside validation), and getting your DS records into the parent zone.

I do not issue any guarantee that this will work for you!


1 Preliminary Note

I'm using three Debian Squeeze servers here:

  • server1.example.com (Master DNS server, authoritative): IP address 192.168.0.100
  • server2.example.com (Slave DNS server, authoritative): IP address 192.168.0.101
  • server3.example.com (resolving DNS server, not authoritative): IP address 192.168.0.102

I'm assuming that BIND is already installed and working on all three servers.

I'm using the zone example.org throughout this tutorial to demonstrate the DNSSEC setup. That zone is already set up and working (through "normal" DNS) on the master (server1) and slave (server2).

server1 (master):

The BIND configuration directory is /etc/bind on Debian Squeeze/Ubuntu 11.10. That directory looks as follows:

cd /etc/bind/
ls -l

root@server1:/etc/bind# ls -l
total 60
-rw-r--r-- 1 root root  665 Jan 15  2011 bind.keys
-rw-r--r-- 1 root root  237 Jan 15  2011 db.0
-rw-r--r-- 1 root root  271 Jan 15  2011 db.127
-rw-r--r-- 1 root root  237 Jan 15  2011 db.255
-rw-r--r-- 1 root root  353 Jan 15  2011 db.empty
-rw-r--r-- 1 root root  270 Jan 15  2011 db.local
-rw-r--r-- 1 root root 2994 Jan 15  2011 db.root
-rw-r--r-- 1 root bind  463 Jan 15  2011 named.conf
-rw-r--r-- 1 root bind  490 Jan 15  2011 named.conf.default-zones
-rw-r--r-- 1 root bind  167 Apr 13 10:06 named.conf.local
-rw-r--r-- 1 root bind  572 Jan 15  2011 named.conf.options
-rw-r--r-- 1 root bind  722 Apr 13 10:06 pri.example.org
-rw-r----- 1 bind bind   77 Feb  7  2011 rndc.key
drwxr-s--- 2 root bind 4096 Feb  7  2011 slave
-rw-r--r-- 1 root root 1317 Jan 15  2011 zones.rfc1918
root@server1:/etc/bind#

As you see, my example.org zone file is named pri.example.org. Yours might be named differently, so you have to adjust the zone file name in the commands in this tutorial.

My example.org zone looks as follows (nothing special, a normal BIND zone):

cat pri.example.org

$TTL    3600
@       IN      SOA     server1.example.com. zonemaster.example.com. (
                        2012041305      ; serial, today's date + today's serial #
                        7200            ; refresh, seconds
                        540             ; retry, seconds
                        604800          ; expire, seconds
                        86400 )         ; minimum, seconds
;

example.org.    3600    A       1.2.3.4
example.org.    3600    MX      10 mail.example.org.
example.org.    86400   NS      server1.example.com.
example.org.    86400   NS      server2.example.com.
example.org.    3600    TXT     "v=spf1 a mx ptr -all"
mail            3600    A       1.2.3.4
www             3600    A       1.2.3.4

My named.conf.local looks as follows:

cat named.conf.local

zone "example.org" {
        type master;
        allow-transfer {192.168.0.101;};
        also-notify {192.168.0.101;};
        file "/etc/bind/pri.example.org";
};

server2 (slave):

I've configured the slave to store its slave zone file (called sec.example.org) in the /etc/bind/slave directory, as you can see in the /etc/bind/named.conf.local file:

cat /etc/bind/named.conf.local

zone "example.org" {
        type slave;
        masters {192.168.0.100;};
        allow-notify {192.168.0.100;};
        allow-transfer {none;};
        file "/etc/bind/slave/sec.example.org";
};

The slave is notified of zone changes on the master so that it can transfer the updated zone.

As you see, nothing special here - a normal BIND setup.


2 Enabling DNSSEC On The Master (server1)

server1 (master):

I will use the dnssec-tools package in this tutorial as it comes with some handy tools such as zonesigner and rollerd that make DNSSEC management a lot easier.

We can install it (and some other recommended packages) as follows:

apt-get install dnssec-tools libnet-dns-sec-perl libmailtools-perl libcrypt-openssl-random-perl

Now go to the /etc/bind directory:

cd /etc/bind

Open named.conf.options...

vi named.conf.options

... and add dnssec-enable yes;, dnssec-validation yes;, and dnssec-lookaside auto; to the options section:

options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        //bindkeys-file "/etc/bind/bind.keys";
};

The bindkeys-file line is needed only if your bind.keys file is somewhere other than /etc/bind/bind.keys; that default location is loaded automatically.

dnssec-lookaside auto; makes named read the DLV key (the dlv.isc.org key) from bind.keys when it starts.

Normally, there should be a fully signed path from the root zone (.) down to your own zone, which means that your parent zones (e.g. .org for example.org) must be signed as well. Unfortunately, not all TLDs have been signed yet. If any of your parents aren't signed, the chain is broken, and you cannot use the root zone's key as a trusted anchor in your BIND configuration.

That's why DNSSEC look-aside validation (DLV) was invented. In short, DLV serves as an alternative repository for trusted keys where you can submit your zone keys if there's no fully signed path to your zone. The most prominent DLV repository is dlv.isc.org (ISC is the company that makes BIND). Both the root zone key and the dlv.isc.org key are included in /etc/bind/bind.keys (if not, please update BIND...

apt-get install bind9

... and check again).

You can find out more about DNSSEC look-aside validation (DLV) on https://www.isc.org/solutions/dlv and https://dlv.isc.org/about/background. If you want to submit your keys to the dlv.isc.org repository, you can register on https://dlv.isc.org/.

You can find a list of signed TLDs on http://stats.research.icann.org/dns/tld_report/ and http://www.tldwithdnssec.se/. If your TLD is signed, the preferred method is to submit your keys to your registry so that they can create a DS record for your zone. You don't need a DLV record then.

In BIND 9.8 and 9.9, the root zone key from bind.keys can be loaded with dnssec-validation auto;. BIND 9.7 (which we use) has no auto option for dnssec-validation (that's why we use dnssec-validation yes;), so the root zone key isn't loaded automatically (see https://www.isc.org/bind-keys). To overcome this, we can either add the root zone key from bind.keys...

cat bind.keys

[...]
managed-keys {
        # ISC DLV: See https://www.isc.org/solutions/dlv for details.
        # NOTE: This key is activated by setting "dnssec-lookaside auto;"
        # in named.conf.
        dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
                brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
                1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
                ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
                Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
                QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
                TDN0YUuWrBNh";

        # ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml
        # for current trust anchor information.
        # NOTE: This key is activated by setting "dnssec-validation auto;"
        # in named.conf.
        . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
                FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
                bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
                X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
                W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
                Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
                QxA+Uk1ihz0=";
};

to named.conf.options, or simply include bind.keys in named.conf.options (I prefer the latter):

vi named.conf.options

options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        //bindkeys-file "/etc/bind/bind.keys";
};

//managed-keys {
//        # ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml
//        # for current trust anchor information.
//        . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
//                FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
//                bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
//                X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
//                W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
//                Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
//                QxA+Uk1ihz0=";
//};

include "/etc/bind/bind.keys";

Restart BIND afterwards:

/etc/init.d/bind9 restart
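Before restarting named, it is worth checking that the directives above are really active and that the root trust anchor will actually reach named on BIND 9.7 (the tutorial's two requirements: the three dnssec-* options, and either the include of bind.keys or an uncommented managed-keys entry for "."). The script below is an added example, not part of the HowtoForge tutorial or of BIND itself. It runs offline against constructed sample files; the file paths, the placeholder key strings and the helper function names are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: offline sanity checks for
# named.conf.options and bind.keys as set up above. Sample contents and paths
# are constructed; on a real server point the functions at
# /etc/bind/named.conf.options and /etc/bind/bind.keys.

# Drop BIND-style comments: "//" at the start of a line or after whitespace,
# and "#" to end of line. A "//" glued to other characters is left alone so
# base64 key material inside quotes is not truncated. /* */ block comments are
# not handled (assumption: the Debian default files do not use them).
strip_comments() {
    sed -e 's|^\([[:space:]]*\)//.*$|\1|' -e 's|[[:space:]]//.*$||' -e 's|#.*$||' "$1"
}

# Succeed only when an active (uncommented) "NAME VALUE;" directive exists.
# $1 = file, $2 = directive name, $3 = expected value
has_directive() {
    strip_comments "$1" | grep -Eq "^[[:space:]]*$2[[:space:]]+$3[[:space:]]*;"
}

# The three settings the tutorial adds to the options { } section.
check_dnssec_options() {
    has_directive "$1" dnssec-enable yes &&
        has_directive "$1" dnssec-validation yes &&
        has_directive "$1" dnssec-lookaside auto
}

# BIND 9.7 has no "dnssec-validation auto;", so the root key must reach named
# through include "/etc/bind/bind.keys"; or an uncommented managed-keys entry
# for "." inside named.conf.options itself.
check_root_anchor_loaded() {
    strip_comments "$1" | grep -Eq '^[[:space:]]*include[[:space:]]+"/etc/bind/bind.keys"[[:space:]]*;' ||
        strip_comments "$1" | grep -Eq '^[[:space:]]*\.[[:space:]]+initial-key[[:space:]]+257'
}

# bind.keys must carry both anchors: dlv.isc.org (used by dnssec-lookaside
# auto;) and the root zone key for ".".
check_bind_keys() {
    strip_comments "$1" | grep -Eq '^[[:space:]]*dlv\.isc\.org\.[[:space:]]+initial-key[[:space:]]+257' &&
        strip_comments "$1" | grep -Eq '^[[:space:]]*\.[[:space:]]+initial-key[[:space:]]+257'
}

# Constructed sample files standing in for the real ones.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/named.conf.options" <<'EOF'
options {
        directory "/var/cache/bind";
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        //bindkeys-file "/etc/bind/bind.keys";
};
//managed-keys {
//        . initial-key 257 3 8 "COMMENTED-OUT-PLACEHOLDER";
//};
include "/etc/bind/bind.keys";
EOF

# Same file, but dnssec-enable was left commented out and bind.keys is never
# included: both checks must fail on it.
cat > "$SAMPLE_DIR/named.conf.options.broken" <<'EOF'
options {
        directory "/var/cache/bind";
        //dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
};
EOF

# bind.keys with placeholder key strings instead of the real base64 blobs.
cat > "$SAMPLE_DIR/bind.keys" <<'EOF'
managed-keys {
        # ISC DLV: See https://www.isc.org/solutions/dlv for details.
        dlv.isc.org. initial-key 257 3 5 "PLACEHOLDER-DLV-KEY";
        # ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml
        . initial-key 257 3 8 "PLACEHOLDER-ROOT-KEY";
};
EOF

# One line per check; a failing check reports FAIL without aborting the script.
run_check() {
    label=$1; shift
    if "$@"; then echo "PASS: $label"; else echo "FAIL: $label"; fi
}
run_check "dnssec options active"          check_dnssec_options "$SAMPLE_DIR/named.conf.options"
run_check "root anchor reaches named"      check_root_anchor_loaded "$SAMPLE_DIR/named.conf.options"
run_check "bind.keys has both anchors"     check_bind_keys "$SAMPLE_DIR/bind.keys"
run_check "broken options (expected FAIL)" check_dnssec_options "$SAMPLE_DIR/named.conf.options.broken"
```

These checks only look at the text of the files; they complement, not replace, BIND's own syntax check (named-checkconf /etc/bind/named.conf). After the restart, the end-to-end test is a query through the validating server with dig +dnssec: a signed name validated against a loaded trust anchor comes back with the ad flag in the flags: line of the answer header, and without a working anchor that flag stays absent.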


Submitted by coldje (not registered) on Sun, 2013-09-29 16:49.
The example file:  pri.example.org  sometimes shows example.com and other times example.org.  Which is it?  This is so confusing.  Where's the example sec.example.org file?
Submitted by Raman (not registered) on Fri, 2013-02-15 16:30.
Setting up DNSSEC on my Nameservers was actually a breeze with this excellent tutorial. Thanks a million.
Submitted by Norbert Seibert (not registered) on Tue, 2012-09-11 06:02.

Seems to me as if the IP addresses for NS1 and NS2 are backwards.

In the example NS1 has 192.168.0.100 as master.

NS2 has 192.168.0.101 as slave.

Later on the master shows as 192.168.0.101 and the slave is 192.168.0.100.

Actually no big deal, however someone that strictly follows the howto will possibly wind up in the dark.

 Cheers