Configuring DNSSEC On BIND9 (9.7.3) On Debian Squeeze/Ubuntu 11.10 - Page 3

Submitted by falko on Sun, 2012-04-15 19:38.

3 Modifying A Signed Zone (server1)

server1 (master):

If you want to modify the example.org zone (e.g. add, update or delete records), do not edit pri.example.org.signed; edit the unsigned version pri.example.org instead, because the signed file is regenerated from it. When you are done with your modifications, run (from the same directory as when you generated the keys, so that zonesigner finds its keyrec file and reuses the existing keys)

zonesigner -zone example.org pri.example.org

This increases the serial number of the zone (so you do not have to increase it manually) and writes a new pri.example.org.signed file. Note that named does not notice a changed file on disk by itself: reload the zone afterwards (for example with rndc reload example.org) so that the master serves the new serial and the slave gets notified.
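The re-sign step as a small script, added here as an example and not part of the original tutorial. It records the serial of the current signed file, runs zonesigner exactly as above, refuses to reload if the serial did not go up, reloads the zone with rndc and then waits for the slave to serve the same serial. It assumes (none of this is stated on the page) that it runs from /etc/bind where zonesigner keeps its keyrec file, that the master zone statement points at /etc/bin/pri.example.org.signed, that rndc works locally, and that the slave is 192.168.0.101 as elsewhere in this tutorial.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: re-sign example.org after
# editing the unsigned zone file, check that the serial really went up, make
# named reload the zone and watch the slave pick up the new serial.
# Assumptions (not from the page): run from /etc/bind where zonesigner wrote
# its keyrec file when the keys were generated, the master zone statement
# points at /etc/bind/pri.example.org.signed, rndc works locally, and the
# slave is 192.168.0.101 as in the tutorial.
set -eu

SLAVE=192.168.0.101

# Serial from named-checkzone output ("zone example.org/IN: loaded serial N").
checkzone_serial() {
    sed -n 's/^.*loaded serial \([0-9][0-9]*\).*$/\1/p' | head -n 1
}

# True if serial $2 is greater than serial $1 (plain numeric comparison,
# enough for YYYYMMDDnn serials; RFC 1982 wraparound is not handled).
serial_increased() {
    [ "$2" -gt "$1" ]
}

# Serial a name server currently answers with for a zone; the serial is the
# third field of the SOA RDATA printed by dig +short.
served_serial() {  # $1 = zone, $2 = server address
    dig +short SOA "$1" "@$2" | awk '{ print $3 }'
}

resign_zone() {  # $1 = zone name, $2 = unsigned zone file (e.g. pri.example.org)
    zone=$1
    unsigned=$2
    signed="$2.signed"

    old=$(named-checkzone "$zone" "$signed" | checkzone_serial)
    [ -n "$old" ] || { echo "cannot read serial from $signed" >&2; return 1; }

    # Sign the edited unsigned file; zonesigner bumps the serial itself.
    zonesigner -zone "$zone" "$unsigned"

    new=$(named-checkzone "$zone" "$signed" | checkzone_serial)
    serial_increased "$old" "$new" || {
        echo "serial did not increase ($old -> $new), not reloading" >&2
        return 1
    }

    # named does not notice a changed file on disk by itself.
    rndc reload "$zone"

    # The slave learns about the new serial via NOTIFY and transfers the zone;
    # give it a few seconds before declaring it out of date.
    i=0
    while [ "$i" -lt 10 ]; do
        if [ "$(served_serial "$zone" 127.0.0.1)" = "$new" ] &&
           [ "$(served_serial "$zone" "$SLAVE")" = "$new" ]; then
            echo "$zone: master and slave both serve serial $new"
            return 0
        fi
        i=$((i + 1))
        sleep 1
    done
    echo "$zone: master serves $(served_serial "$zone" 127.0.0.1), slave serves $(served_serial "$zone" "$SLAVE")" >&2
    return 1
}

if [ "${1:-}" = "--run" ]; then
    resign_zone example.org pri.example.org
fi
```

Run it on the master as sh resign.sh --run after editing pri.example.org. The serial check is what protects you from the situation reported in the comments below: if zonesigner did not actually produce a new signed file, the script stops before touching the running server instead of silently reloading stale data.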

 

4 Enabling DNSSEC On The Slave (server2)

server2 (slave):

Go to the /etc/bind directory:

cd /etc/bind

Make the same changes to named.conf.options that you made on the master: set dnssec-enable yes;, dnssec-validation yes; and dnssec-lookaside auto; in the options block and include /etc/bind/bind.keys:

vi named.conf.options

options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        //bindkeys-file "/etc/bind/bind.keys";
};

include "/etc/bind/bind.keys";

That alone is sufficient to enable DNSSEC on the slave. I also want the slave's copy of the signed zone to be stored as sec.example.org.signed instead of sec.example.org (this is just a naming preference and therefore optional), so I edit named.conf.local...

vi named.conf.local

... and change sec.example.org to sec.example.org.signed:

zone "example.org" {
        type slave;
        masters {192.168.0.100;};
        allow-notify {192.168.0.100;};
        allow-transfer {none;};
        file "/etc/bind/slave/sec.example.org.signed";
};

Restart BIND:

/etc/init.d/bind9 restart

If you have modified the zone file name in named.conf.local, there should now be two zone files for example.org in the slave/ directory, one with the old name and one with the new name:

ls -l slave/

root@server2:/etc/bind# ls -l slave/
total 16
-rw-r--r-- 1 bind bind 5578 Apr 13 10:24 sec.example.org
-rw-r--r-- 1 bind bind 5578 Apr 13 10:30 sec.example.org.signed
root@server2:/etc/bind#

Delete the one with the old name (it is no longer used):

rm -f slave/sec.example.org

That's all for the slave. As you can see, no keys have to be created on or copied to the slave: the DNSKEY records and the RRSIG signatures are part of the signed zone and arrive with the zone transfer, while the private keys stay on the master.

 

5 Enabling DNSSEC On The Resolving DNS (server3)

server3 (resolver):

To make a resolving (non-authoritative) name server speak and understand DNSSEC, you essentially make the same changes to named.conf.options as on the master and slave, i.e. set dnssec-enable yes;, dnssec-validation yes; and dnssec-lookaside auto; in the options block and include /etc/bind/bind.keys:

cd /etc/bind
vi named.conf.options

options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        //bindkeys-file "/etc/bind/bind.keys";
};

include "/etc/bind/bind.keys";

Restart BIND:

/etc/init.d/bind9 restart

That would normally be sufficient for a resolver.

Now I want to test DNSSEC for example.org on the master and slave with the dig command from this resolver. It is only a test because I have not submitted the DS records to the registry yet, so there is no chain of trust from the root zone down to example.org; therefore I have to change the resolver's configuration a bit.

First I modify /etc/resolv.conf so that this box is the resolver's own client:

vi /etc/resolv.conf

Remove or comment out all other nameservers so that the only nameserver is 127.0.0.1:

nameserver 127.0.0.1

Next open named.conf.options again...

vi named.conf.options

... and add the IP addresses of the master and the slave DNS server to the forwarders section, AND add a managed-keys section that contains the KSK of the example.org zone (the DNSKEY record with flags 257, see chapter 2). This key is our trust anchor for the test. After the DS records have been set up at your registry, this trust anchor is not needed anymore, because the chain of trust then starts at the root zone key that we already have in our configuration (in the bind.keys file):

options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        forwarders {
              192.168.0.100; 192.168.0.101;
        };

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
};

include "/etc/bind/bind.keys";

managed-keys {
        example.org. initial-key 257 3 8 "AwEAAbjthg82WErIMm+gcsOeNlI6j7/9VuihQtYVnt9dOFWeddfZxlbv VIFKklxBLMmBt4Z5GULTDKg+2BA6hGq3UGTHJMg1cpYTZtUBF4R1LnxL 2KB15rBFtU8b3C8OtrpGsEI/VUWeii5IPopFU04QMDCQkXBiulwHbG6Z cynlvYeaUC94CVabjTPpO95BysAZqBrxQsWyokMWwMtX6V0+uYlzGIU2 OJazpYkWsIrAfpY2dRL15pugx4gCWMZwdsrfiHZSS7nlDCaDbAgsTS5t QiU4zy2YQ7vst7U4Zmh0+WbfHefeyVByCdiQaF2UmVsmnTxuEtu1Y3SS ClmDzq2/wW8=";
};

Restart BIND:

/etc/init.d/bind9 restart

Now we can test the example.org zone with DNSSEC:

dig +dnssec example.org

If everything goes well, you should get an answer with the ad flag set (ad = authenticated data). Without a working trust anchor the answer would either come back without the ad flag or, if validation fails, as a SERVFAIL:

root@server3:/etc/bind# dig +dnssec example.org

; <<>> DiG 9.7.3 <<>> +dnssec example.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 756
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;example.org.                   IN      A

;; ANSWER SECTION:
example.org.            3600    IN      A       1.2.3.4
example.org.            3600    IN      RRSIG   A 8 2 3600 20120514071934 20120413071934 31560 example.org. oGCbVz6tro67wrwDKeG5UOugTjGxXaC1BODdLZtNHo4NAk9iuTQIOdWb ITsNotXqx8qpwhVpxSXEqcjqdyAKH3530A/lxntEDJzAfzLP7sFIQfpY n2WedeFox6J9U1uNmkg45ddIsWE67AGC8emmsxj2+WieGJ4BpiIvaZgu OuI=

;; AUTHORITY SECTION:
example.org.            86400   IN      NS      server1.example.com.
example.org.            86400   IN      NS      server2.example.com.
example.org.            86400   IN      RRSIG   NS 8 2 86400 20120514071934 20120413071934 31560 example.org. OYzDYsxaKvzEmI+DCtgbjycy1I1l+O+42UwyR/YAKzEEwRTswIbj/cjb mBb7HmWJVHkqLHw/xWPt9MwjSPyJZyGQtVgrHhmxZSf1vNByqHFUevUh g1qsRBwFQfoayDKQWC77MkCn6qzYa5W4VxChDYP2rCkgaCuYnWLPm3o8 2RY=

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Apr 13 10:37:42 2012
;; MSG SIZE  rcvd: 453

root@server3:/etc/bind#

Congratulations! Everything is fine with your DNSSEC setup. Now you can have your registrar create DS records in the parent zone or, if your parent zone isn't signed yet, upload your keys to a DLV repository such as https://dlv.isc.org/. After you have done that (and verified that the parent actually publishes the DS records), you can remove the managed-keys section for example.org from named.conf.options, remove the forwarders that pointed the resolver at the master and slave for the test, and restart BIND. Also keep in mind that the RRSIG records have an expiration date (the first timestamp after the key tag in the output above): if the zone is not re-signed before that date, validating resolvers will treat it as bogus and return SERVFAIL.
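The dig test above as a script that can be run from server3 after every change, added here as an example and not part of the original tutorial. It checks the three things a validating resolver should show for a correctly signed zone: a NOERROR answer, the ad flag, and RRSIGs that are not about to expire; if the answer is SERVFAIL it retries with +cd (checking disabled) to distinguish a validation failure from a zone that does not answer at all. It assumes (not stated on the page) dig from BIND 9.7 and GNU date as shipped on Debian/Ubuntu, and a resolver listening on 127.0.0.1 as configured above.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: run the dig test from the
# tutorial as a script and check three things a validating resolver should
# show for a signed zone: a NOERROR answer, the ad flag, and RRSIGs that are
# not about to expire (zonesigner signatures are only valid for a limited
# time, so a zone that is not re-signed turns bogus on its own).
# Assumptions (not from the page): dig from BIND 9.7 and GNU date as on
# Debian/Ubuntu, resolver on 127.0.0.1 as configured above.
set -eu

# True if the dig output on stdin has the ad (authenticated data) flag set.
has_ad_flag() {
    grep -q '^;; flags:.*[ :]ad[ ;]'
}

# Earliest RRSIG expiration (YYYYMMDDHHMMSS) in the dig output on stdin.
# RRSIG RDATA is: type alg labels origttl expiration inception keytag signer
# signature, so the expiration is field 9 of the record line.
earliest_rrsig_expiry() {
    awk '$3 == "IN" && $4 == "RRSIG" { print $9 }' | sort -n | head -n 1
}

# True if timestamp $1 is later than timestamp $2 (both YYYYMMDDHHMMSS;
# fixed width, so a numeric comparison orders them correctly).
later_than() {
    [ "$1" -gt "$2" ]
}

check_zone() {  # $1 = zone, $2 = minimum remaining signature lifetime (days)
    zone=$1
    min_days=$2
    out=$(dig +dnssec "$zone" @127.0.0.1)

    if ! printf '%s\n' "$out" | grep -q 'status: NOERROR'; then
        # SERVFAIL with +dnssec but an answer with +cd (checking disabled)
        # means the resolver could not validate: bogus data or a wrong anchor.
        if dig +dnssec +cd "$zone" @127.0.0.1 | grep -q 'status: NOERROR'; then
            echo "$zone: validation FAILED (answer only with +cd)" >&2
        else
            echo "$zone: no answer from the resolver at all" >&2
        fi
        return 1
    fi

    printf '%s\n' "$out" | has_ad_flag || {
        echo "$zone: answer came back unvalidated (no ad flag)" >&2
        return 1
    }

    expiry=$(printf '%s\n' "$out" | earliest_rrsig_expiry)
    [ -n "$expiry" ] || {
        echo "$zone: no RRSIG in the answer, is the zone really signed?" >&2
        return 1
    }
    limit=$(date -u -d "+$min_days days" +%Y%m%d%H%M%S)
    later_than "$expiry" "$limit" || {
        echo "$zone: earliest RRSIG expires $expiry, re-sign the zone" >&2
        return 1
    }
    echo "$zone: validated, earliest RRSIG expiry $expiry"
}

if [ "${1:-}" = "--run" ]; then
    check_zone "${2:-example.org}" 7
fi
```

Run it as sh dnssec-check.sh --run example.org; the exit status is non-zero for any of the three failure modes, so it can go straight into cron or a monitoring check. The expiry threshold of 7 days is an arbitrary choice for this example: pick it well inside the signature lifetime you see in the RRSIG records (31 days in the output above) so that there is time to re-sign before validators start returning SERVFAIL.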


Submitted by Asterix (not registered) on Sun, 2013-06-23 16:58.
The section that explains how to modify a zone doesn't work. The .signed file is not updated.