Posted by frprim, 27th April 2014, 21:58
Simple complicated DNSSEC with ISPconfig

If you are like me you would like to have signed zones for your domains. It's not something you have to do, but soon, I think, we all are going to be obliged to sign our zones.
Read here: http://blog.icann.org/2014/01/dnssec-surpasses-50/
Anyhow, I visited the ISPconfig roadmap and I really like how the developers of ISPconfig are doing their job. I mean, everyone wants something. Me too. So here's something in return, but I do not promise it's worth reading.
How to sign your zones with ISPconfig on Ubuntu 12.04 LTS

::Easy Part::
0. Become root on your system by typing: sudo su
1. Enable DNSSEC in /etc/bind/named.conf.options
-- you can use vi or nano to do this, so:
Code:
vi /etc/bind/named.conf.options
Add these lines inside options:
Code:
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;

my named.conf.options looks like this:
Code:
options {
	directory "/var/cache/bind";

	// If there is a firewall between you and nameservers you want
	// to talk to, you may need to fix the firewall to allow multiple
	// ports to talk.  See http://www.kb.cert.org/vuls/id/800113

	// If your ISP provided one or more IP addresses for stable 
	// nameservers, you probably want to use them as forwarders.  
	// Uncomment the following block, and insert the addresses replacing 
	// the all-0's placeholder.

	// forwarders {
	// 	0.0.0.0;
	// };

	//========================================================================
	// If BIND logs error messages about the root key being expired,
	// you will need to update your keys.  See https://www.isc.org/bind-keys
	//========================================================================
	// dnssec-validation auto;
	dnssec-enable yes;
	dnssec-validation yes;
	dnssec-lookaside auto;
	auth-nxdomain no;    # conform to RFC1035
	listen-on-v6 { any; };
};
2. Go to the folder where your zones are stored. On my system they are located in /etc/bind,
so you type: cd /etc/bind

3. Install haveged. This little thing speeds up generating keys.
so you type:
Code:
apt-get install haveged
4. Generate a zone signing key, i.e. ZSK, by typing:
Code:
dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE example.com
5. Generate a key signing key, a.k.a. KSK:
Code:
dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE example.com
6. Now you will have 2 pairs of keys -- public and private for the ZSK and the KSK. We need to add the public keys that contain the DNSKEY to the zone file.
type:

Code:
vi loop.sh
and add this :

Code:
# Append an $INCLUDE line for every public key file (ZSK and KSK) to the unsigned zone
for key in Kexample.com*.key
do
    echo "\$INCLUDE $key" >> pri.example.com
done
Now execute loop.sh by typing:
Code:
sh loop.sh
7. Sign the zone with dnssec-signzone command:
Code:
dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o example.com -t pri.example.com
This will create signed zone named : pri.example.com.signed

8. Edit the named.conf.local file located in the /etc/bind folder

so type:
Code:
vi /etc/bind/named.conf.local
and add those lines in it:
Code:
zone "example.com" {
    type master;
    file "pri.example.com.signed";
    allow-transfer { 2.2.2.2; };
    allow-update { none; };
};
9. Reload bind by typing:
Code:
service bind9 reload
10. Check the DNSKEY record with this command:
Code:
dig DNSKEY example.com. @localhost +multiline
You should have something like this:
Code:
;; QUESTION SECTION:
;example.com.       IN DNSKEY

;; ANSWER SECTION:
example.com.        86400 IN DNSKEY   256 3 7 (
                AwEAActPMYurNEyhUgHjPctbLCI1VuSj3xcjI8QFTpdM
                8k3cYrfwB/WlNKjnnjt98nPmHv6frnuvs2LKIvvGzz++
                kVwVc8uMLVyLOxVeKhygDurFQpLNNdPumuc2MMRvV9me
                fPrdKWtEEtOxq6Pce3DW2qRLjyE1n1oEq44gixn6hjgo
                sG2FzV4fTQdxdYCzlYjsaZwy0Kww4HpIaozGNjoDQVI/
                f3JtLpE1MYEb9DiUVMjkwVR5yH2UhJwZH6VVvDOZg6u6
                YPOSUDVvyofCGcICLqUOG+qITYVucyIWgZtHZUb49dpG
                aJTAdVKlOTbYV9sbmHNuMuGt+1/rc+StsjTPTHU=
                ) ; key id = 40400
example.com.        86400 IN DNSKEY   257 3 7 (
                AwEAAa2BE0dAvMs0pe2f+D6HaCyiFSHw47BA82YGs7Sj
                qSqH3MprNra9/4S0aV6SSqHM3iYZt5NRQNTNTRzkE18e
                3j9AGV8JA+xbEow74n0eu33phoxq7rOpd/N1GpCrxUsG
                kK4PDkm+R0hhfufe1ZOSoiZUV7y8OVGFB+cmaVb7sYqB
                RxeWPi1Z6Fj1/5oKwB6Zqbs7s7pmxl/GcjTvdQkMFtOQ
                AFGqaaSxVrisjq7H3nUj4hJIJ+SStZ59qfW3rO7+Eqgo
                1aDYaz+jFHZ+nTc/os4Z51eMWsZPYRnPRJG2EjJmkBrJ
                huZ9x0qnjEjUPAcUgMVqTo3hkRv0D24I10LAVQLETuw/
                QOuWMG1VjybzLbXi5YScwcBDAgtEpsQA9o7u6VC00DGh
                +2+4RmgrQ7mQ5A9MwhglVPaNXKuI6sEGlWripgTwm425
                JFv2tGHROS55Hxx06A416MtxBpSEaPMYUs6jSIyf9cjB
                BMV24OjkCxdz29zi+OyUyHwirW51BFSaOQuzaRiOsovM
                NSEgKWLwzwsQ5cVJBEMw89c2V0sHa4yuI5rr79msRgZT
                KCD7wa1Hyp7s/r+ylHhjpqrZwViOPU7tAGZ3IkkJ2SMI
                e/h+FGiwXXhr769EHbVE/PqvdbpcsgsDqFu0K2oqY70u
                SxnsLB8uVKYlzjG+UIoQzefBluQl
                ) ; key id = 62910

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Nov 27 18:18:30 2013
;; MSG SIZE  rcvd: 839
11. When we used the dnssec-signzone command a file named dsset-example.com was created containing the DS records for our domain, which we must enter as DS records in the domain registrar's panel. I used GoDaddy to do this.

Important note: every time you change something in the zone file, like adding a subdomain etc., you will have to recreate the signed zone for the domain. Also, you have to make the changes to the unsigned zone, not the signed one. Once you have made the changes you will have to sign the zone ... again.
So in order to save us some time we will create a script:
Code:
vi /usr/sbin/zonesigner.sh
and add those lines in it:

Code:
#!/bin/sh
# Re-sign a zone after editing the unsigned file: bump the serial, sign, reload bind.
# Usage: zonesigner.sh example.com pri.example.com
ZONEDIR="/etc/bind"   # location of your zone files (this how-to keeps them in /etc/bind)
ZONE="$1"
ZONEFILE="$2"
DNSSERVICE="bind9"    # On CentOS/Fedora replace this with "named"
[ -n "$ZONE" ] && [ -n "$ZONEFILE" ] || { echo "usage: $0 <zone> <zonefile>" >&2; exit 1; }
PDIR=`pwd`
cd "$ZONEDIR" || exit 1
# named-checkzone prints "loaded serial NNNNNNNNNN"; grab the 10-digit serial
SERIAL=`/usr/sbin/named-checkzone "$ZONE" "$ZONEFILE" | egrep -ho '[0-9]{10}'`
[ -n "$SERIAL" ] || { echo "could not read a 10-digit serial from $ZONEFILE" >&2; exit 1; }
sed -i 's/'"$SERIAL"'/'$(($SERIAL+1))'/' "$ZONEFILE"
/usr/sbin/dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N increment -o "$ZONE" -t "$ZONEFILE"
service "$DNSSERVICE" reload
cd "$PDIR"
Make it executable: chmod +x /usr/sbin/zonesigner.sh

So every time you change something in your zone file (again, don't make any changes in the signed zone but in the unsigned one) type this:
Code:
zonesigner.sh example.com pri.example.com
This will recreate the file pri.example.com.signed

Now this one was easy. Now the hard part, with ISPconfig.

ISPconfig is not built to handle signed zones, so every time you make changes to your zone file it will overwrite named.conf.local and put the normal, a.k.a. unsigned, zone file there instead of the one we signed. This is normal. Also it will overwrite named.conf.local even if we do resync DNS zones with the Tools --> Resync option.
I have 5 domains on my VPS but only one is signed, so I copied the pri.example.com file to my home folder. Then I deleted the zone from ISPconfig and then put the pri.example.com file back in /etc/bind. Now there I have, among other zones, two of my own: pri.example.com and pri.example.com.signed
In order to avoid ISPconfig overwriting named.conf.local with resync DNS I created a file: named.conf.signed
and put this into it:
Code:
zone "example.com" {
    type master;
    allow-transfer { some IP that you want to allow transfers to; };
    allow-update { none; };
    file "/etc/bind/pri.example.com.signed";
};
Then edit named.conf
Code:
vi /etc/bind/named.conf
and put this in it (the trailing semicolon is required by BIND):
Code:
include "/etc/bind/named.conf.signed";
That's it for now.

Oh yeah, this is not my wisdom. I documented what I did in a txt file. As soon as I find the source for this how-to I will post the link.

Last edited by frprim; 27th April 2014 at 22:03.
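As an added example (not part of the original post), a small Python helper that computes the key tag and the DS record from a DNSKEY as printed by dig +multiline in step 10, so the DS you enter at the registrar can be cross-checked against the dsset-example.com file and the "key id" dig prints. It also refuses a ZSK (flags 256), since the DS must be built from the KSK (flags 257). The sample record below is constructed with a dummy 4-byte key; a real key is the long base64 blob shown above.

```python
import base64
import hashlib
import struct

# Constructed sample in dig +multiline format (dummy 4-byte key, not a real key).
SAMPLE_DNSKEY = """example.com.        86400 IN DNSKEY   257 3 7 (
                AQIDBA==
                ) ; key id = 2062
"""

def name_to_wire(name):
    """Canonical wire form of the owner name: lowercase, length-prefixed labels, root."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def key_tag(rdata):
    """Key tag (RFC 4034 Appendix B) over the DNSKEY RDATA: flags|proto|alg|pubkey."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_dig_dnskey(text):
    """Parse one DNSKEY RR as dig +multiline prints it -> (owner, flags, proto, alg, rdata)."""
    body = text.split(";")[0]                      # drop the '; key id = ...' comment
    toks = body.replace("(", " ").replace(")", " ").split()
    owner, _ttl, _cls, rtype, flags, proto, alg = toks[:7]
    if rtype != "DNSKEY":
        raise ValueError("not a DNSKEY record: %s" % rtype)
    pubkey = base64.b64decode("".join(toks[7:]))   # base64 may span several lines
    rdata = struct.pack("!HBB", int(flags), int(proto), int(alg)) + pubkey
    return owner, int(flags), int(proto), int(alg), rdata

def ds_record(text, digest_type=2):
    """DS RDATA '<keytag> <alg> <digesttype> <hexdigest>' for the KSK in `text`.
    digest_type 1 = SHA-1, 2 = SHA-256; the digest covers owner wire name + RDATA."""
    owner, flags, _proto, alg, rdata = parse_dig_dnskey(text)
    if not flags & 0x0001:          # SEP bit: 257 = KSK, 256 = ZSK
        raise ValueError("flags %d: this is a ZSK, the DS must be made from the KSK" % flags)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return "%d %d %d %s" % (key_tag(rdata), alg, digest_type, digest)

if __name__ == "__main__":
    print("example.com. IN DS", ds_record(SAMPLE_DNSKEY))
```

Paste the 257 record from your own dig output into SAMPLE_DNSKEY; the key tag it prints should equal dig's "key id" and the first field of the matching line in dsset-example.com, otherwise the wrong key was $INCLUDEd into the zone.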