Configuring DNSSEC On BIND9 (9.7.3) On Debian Squeeze/Ubuntu 11.10 - Page 2

Now let's sign our example.org zone. We do this with the handy zonesigner tool which is a wrapper around dnssec-keygen and dnssec-signzone. Take a look at

man zonesigner

to learn more about its options. (You can specify default values for zonesigner and rollerd in /etc/dnssec-tools/dnssec-tools.conf so that you don't have to specify so many options on the command line - normally the default values in /etc/dnssec-tools/dnssec-tools.conf should be ok.)

We can sign our zone as follows:

zonesigner -genkeys -usensec3 -zone example.org pri.example.org 

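We use NSEC3 here to avoid zone walking: instead of a plain NSEC chain that lists every name in the zone in order, NSEC3 publishes only salted hashes of the owner names. The hashes can still be guessed offline, so NSEC3 hinders enumeration rather than hiding the names outright.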

root@server1:/etc/bind# zonesigner -genkeys -usensec3 -zone example.org pri.example.org

        if zonesigner appears hung, strike keys until the program completes
        (see the "Entropy" section in the man page for details)

Generating key pair...++++++ .................................................++++++
Generating key pair..............++++++ .........++++++
Generating key pair............................................
.........................................................................
..........................................+++ ......................
.........................................................................
.................................+++
Verifying the zone using the following algorithms: RSASHA256.
Zone signing complete:
Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
                      ZSKs: 1 active, 1 stand-by, 0 revoked

zone signed successfully

example.org:
        KSK (cur) 27916  -b 2048  04/13/12      (example.org-signset-00003)
        ZSK (cur) 31560  -b 1024  04/13/12      (example.org-signset-00001)
        ZSK (pub) 29958  -b 1024  04/13/12      (example.org-signset-00002)

zone will expire in 4 weeks, 3 days, 0 seconds
DO NOT delete the keys until this time has passed.
root@server1:/etc/bind#

As you see, zonesigner has created three key pairs (each a private/public pair): a key-signing key (KSK) with the ID 27916 and two zone-signing keys (ZSKs) with the IDs 31560 (active) and 29958 (passive). We need two ZSKs for key rollovers later on. You can learn more about KSKs and ZSKs at https://dlv.isc.org/about/background; http://www.nlnetlabs.nl/publications/dnssec_howto/#x1-400005 has some good information about key rollovers and why two ZSKs are needed.

Let's take a look at the /etc/bind directory now:

ls -l

root@server1:/etc/bind# ls -l
total 100
-rw-r--r-- 1 root root  665 Jan 15  2011 bind.keys
-rw-r--r-- 1 root root  237 Jan 15  2011 db.0
-rw-r--r-- 1 root root  271 Jan 15  2011 db.127
-rw-r--r-- 1 root root  237 Jan 15  2011 db.255
-rw-r--r-- 1 root root  353 Jan 15  2011 db.empty
-rw-r--r-- 1 root root  270 Jan 15  2011 db.local
-rw-r--r-- 1 root root 2994 Jan 15  2011 db.root
-rw-r--r-- 1 root bind  167 Apr 13 10:19 dsset-example.org.
-rw-r--r-- 1 root bind 1910 Apr 13 10:19 example.org.krf
-rw-r--r-- 1 root bind  605 Apr 13 10:19 Kexample.org.+008+27916.key
-rw------- 1 root bind 1776 Apr 13 10:19 Kexample.org.+008+27916.private
-rw-r--r-- 1 root bind  431 Apr 13 10:19 Kexample.org.+008+29958.key
-rw------- 1 root bind 1012 Apr 13 10:19 Kexample.org.+008+29958.private
-rw-r--r-- 1 root bind  431 Apr 13 10:19 Kexample.org.+008+31560.key
-rw------- 1 root bind 1012 Apr 13 10:19 Kexample.org.+008+31560.private
-rw-r--r-- 1 root bind  463 Jan 15  2011 named.conf
-rw-r--r-- 1 root bind  490 Jan 15  2011 named.conf.default-zones
-rw-r--r-- 1 root bind  167 Apr 13 10:18 named.conf.local
-rw-r--r-- 1 root bind 1389 Apr 13 10:17 named.conf.options
-rw-r--r-- 1 root bind  723 Apr 13 10:19 pri.example.org
-rw-r--r-- 1 root bind 5912 Apr 13 10:19 pri.example.org.signed
-rw-r----- 1 bind bind   77 Feb  7  2011 rndc.key
drwxr-s--- 2 root bind 4096 Feb  7  2011 slave
-rw-r--r-- 1 root root 1317 Jan 15  2011 zones.rfc1918
root@server1:/etc/bind#

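You should see your three key pairs Kexample.org.+008+<ID>.(key|private), where Kexample.org.+008+27916.key is the public KSK, Kexample.org.+008+31560.key the active public ZSK, and Kexample.org.+008+29958.key the passive public ZSK. The .private files hold the private keys; as the listing shows, they are readable by root only (-rw-------) and should stay that way.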

There's also the file dsset-example.org. which contains the DS records that have to be set up at your registry for your zone:

cat dsset-example.org. 
example.org.            IN DS 27916 8 1 20390B300F17E32838B309254E572FCC7CB139B3
example.org.            IN DS 27916 8 2 45A003E0A9FB0EE773F487A7C8FE81A8219EB14741485A925C0D418E 3E45A209
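
Before the DS records go to the registry, it is worth confirming that they really are digests of the KSK in Kexample.org.+008+27916.key. The following is an added example, not part of the original tutorial or of dnssec-tools: it recomputes the RFC 4034 key tag and the SHA-1/SHA-256 DS digests from a DNSKEY line and compares them with a dsset line, including digests that are split by a space as in the output above. The function names and the tiny sample key are assumptions made for the illustration.

```python
import base64
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types 1 and 2

def name_to_wire(name):
    """Owner name in canonical (lower-case) DNS wire format."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_dnskey_line(line):
    """'owner [ttl] IN DNSKEY flags proto alg base64...' -> (owner, RDATA bytes)."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    key = base64.b64decode("".join(fields[i + 4:]))  # key may be split by spaces
    return fields[0], struct.pack("!HBB", flags, proto, alg) + key

def parse_ds_line(line):
    """'owner IN DS tag alg type hex...' -> (tag, alg, digest type, HEX digest)."""
    fields = line.split()
    i = fields.index("DS")
    tag, alg, dtype = (int(x) for x in fields[i + 1:i + 4])
    return tag, alg, dtype, "".join(fields[i + 4:]).upper()

def key_tag(rdata):
    """Key tag (the ID in the K*.key file name), RFC 4034 Appendix B.
    Valid for every algorithm except 1 (RSAMD5); the page's keys use 8."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata, dtype):
    """DS fields for a DNSKEY: digest over owner name || DNSKEY RDATA."""
    digest = DIGESTS[dtype](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], dtype, digest

def ds_matches_key(dnskey_line, ds_line):
    """True only if the DS record was derived from exactly this DNSKEY."""
    owner, rdata = parse_dnskey_line(dnskey_line)
    ds = parse_ds_line(ds_line)
    return ds[2] in DIGESTS and make_ds(owner, rdata, ds[2]) == ds

# Constructed 3-byte "key" (not a real RSA key) so the arithmetic is checkable.
SAMPLE_KEY = "example.org. IN DNSKEY 257 3 8 AQ ID"

if __name__ == "__main__":
    owner, rdata = parse_dnskey_line(SAMPLE_KEY)
    for dtype in (1, 2):
        tag, alg, _, digest = make_ds(owner, rdata, dtype)
        line = f"{owner} IN DS {tag} {alg} {dtype} {digest}"
        print(line, "->", ds_matches_key(SAMPLE_KEY, line))
```

To check the real files, pass the DNSKEY record line from Kexample.org.+008+27916.key and each line of dsset-example.org. to ds_matches_key().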

The example.org.krf file contains key management details (like zone name, zone file name, key IDs, expiry, etc.) that are used by zonesigner and rollerd for key management.

cat example.org.krf
zone    "example.org"
        serial          "2012041306"
        kskcur          "example.org-signset-00003"
        zskpub          "example.org-signset-00002"
        zskcur          "example.org-signset-00001"
        zskcount        "1"
        signedzone      "pri.example.org.signed"
        kskcount        "1"
        archivedir      "/var/lib/dnssec-tools/archive"
        kskdirectory    "/etc/bind"
        zskdirectory    "/etc/bind"
        endtime         "+2678400"
        lastset         "example.org-signset-00003"
        zonefile        "pri.example.org"
        keyrec_type     "zone"
        keyrec_signsecs "1334305175"
        keyrec_signdate "Fri Apr 13 08:19:35 2012"
set     "example.org-signset-00001"
        keys            "Kexample.org.+008+31560"
        set_type        "zskcur"
        zonename        "example.org"
        keyrec_setsecs  "1334305173"
        keyrec_setdate  "Fri Apr 13 08:19:33 2012"
set     "example.org-signset-00002"
        keys            "Kexample.org.+008+29958"
        set_type        "zskpub"
        zonename        "example.org"
        keyrec_setsecs  "1334305173"
        keyrec_setdate  "Fri Apr 13 08:19:33 2012"
key     "Kexample.org.+008+31560"
        zonename        "example.org"
        keyrec_type     "zskcur"
        algorithm       "rsasha256"
        random          "/dev/urandom"
        keypath         "/etc/bind/Kexample.org.+008+31560.key"
        zsklength       "1024"
        zsklife         "604800"
        keyrec_gensecs  "1334305173"
        keyrec_gendate  "Fri Apr 13 08:19:33 2012"
key     "Kexample.org.+008+29958"
        zonename        "example.org"
        keyrec_type     "zskpub"
        algorithm       "rsasha256"
        random          "/dev/urandom"
        keypath         "/etc/bind/Kexample.org.+008+29958.key"
        zsklength       "1024"
        zsklife         "604800"
        keyrec_gensecs  "1334305173"
        keyrec_gendate  "Fri Apr 13 08:19:33 2012"
set     "example.org-signset-00003"
        keys            "Kexample.org.+008+27916"
        set_type        "kskcur"
        zonename        "example.org"
        keyrec_setsecs  "1334305173"
        keyrec_setdate  "Fri Apr 13 08:19:33 2012"
key     "Kexample.org.+008+27916"
        zonename        "example.org"
        keyrec_type     "kskcur"
        algorithm       "rsasha256"
        random          "/dev/urandom"
        keypath         "/etc/bind/Kexample.org.+008+27916.key"
        ksklength       "2048"
        ksklife         "15552000"
        revperiod       "3888000"
        keyrec_gensecs  "1334305174"
        keyrec_gendate  "Fri Apr 13 08:19:34 2012"

The most important thing is, there's now a new zone file, pri.example.org.signed - it's the signed version of pri.example.org. This is how it looks:

cat pri.example.org.signed
; File written on Fri Apr 13 10:19:34 2012
; dnssec_signzone version 9.7.2-P3
example.org.            3600    IN SOA  server1.example.com. zonemaster.example.com. (
                                        2012041306 ; serial
                                        7200       ; refresh (2 hours)
                                        540        ; retry (9 minutes)
                                        604800     ; expire (1 week)
                                        86400      ; minimum (1 day)
                                        )
                        3600    RRSIG   SOA 8 2 3600 20120514071934 (
                                        20120413071934 31560 example.org.
                                        PBITMuBEZzMHSw53keFzfAxWzhj/iqgUZsA+
                                        XSD5eahnXSla+J6nSzeU0j0Zw+6z4TBkQeBm
                                        OzKMNjO6Zq1vK18nQH8Gg7uJgROjYU7XtPAw
                                        laCsFWcOhna9RCUayZf8Ft3Emu7BG1Bp16rz
                                        SdQhte0UPk/1k0nO1d6JpyXmCUY= )
                        86400   NS      server1.example.com.
                        86400   NS      server2.example.com.
                        86400   RRSIG   NS 8 2 86400 20120514071934 (
                                        20120413071934 31560 example.org.
                                        OYzDYsxaKvzEmI+DCtgbjycy1I1l+O+42Uwy
                                        R/YAKzEEwRTswIbj/cjbmBb7HmWJVHkqLHw/
                                        xWPt9MwjSPyJZyGQtVgrHhmxZSf1vNByqHFU
                                        evUhg1qsRBwFQfoayDKQWC77MkCn6qzYa5W4
                                        VxChDYP2rCkgaCuYnWLPm3o82RY= )
                        3600    A       1.2.3.4
                        3600    RRSIG   A 8 2 3600 20120514071934 (
                                        20120413071934 31560 example.org.
                                        oGCbVz6tro67wrwDKeG5UOugTjGxXaC1BODd
                                        LZtNHo4NAk9iuTQIOdWbITsNotXqx8qpwhVp
                                        xSXEqcjqdyAKH3530A/lxntEDJzAfzLP7sFI
                                        QfpYn2WedeFox6J9U1uNmkg45ddIsWE67AGC
                                        8emmsxj2+WieGJ4BpiIvaZguOuI= )
                        3600    MX      10 mail.example.org.
                        3600    RRSIG   MX 8 2 3600 20120514071934 (
                                        20120413071934 31560 example.org.
                                        DUAKpO9aRDfHKSxeqIkNT6NwmZNY22U3i9M2
                                        0y13FQ+fexUp+VAeAuOr2Yzl/jipTKFYkFbL
                                        vh5pcOGb3nW/uPnFsGWUKX8g9E8sW22uPPO4
                                        Xa7riEXylHAPqL7BU+/6AxAZqsAS4/ZE2MUL
                                        qY/kq5ZiY1+GptMnINjh7THNfDs= )
                        3600    TXT     "v=spf1 a mx ptr -all"
                        3600    RRSIG   TXT 8 2 3600 20120514071934 (
                                        20120413071934 31560 example.org.
                                        cWzBNj/79/HRXyHFY2Qrtwygw8lviiSS90Na
                                        qEbFIbpnMIjkjQHW1xL8CjJTg3xawWrdCi1T
                                        dyAZu4PGLZiEfRRjyWzKyvjjdOaaUBlaPkVY
                                        VWGuYAUX4e6IqRe7CRNDIdELMPxRk+AqVn36
                                        T6HPOaOnd5tXM1APW2f8OOI4hmA= )
                        3600    DNSKEY  256 3 8 (
                                        AwEAAbiLwZNsdmDJDqpRppqAxMkKMZF6F4wi
                                        /QulmN1LUi2uA9zzz8O6V+NAhYDh8GBP3dNm
                                        Zl+2DAJRm9ckL1PLc7ndTbvZYU4fIHYaCwJ+
                                        5pDztrWA4mz960RQKCVaV6g25Gr1dWF2vQtt
                                        QlXGTlnWijbPkjtBxVuTgN2HUzC1+RLj
                                        ) ; key id = 31560
                        3600    DNSKEY  256 3 8 (
                                        AwEAAcoCzDx4onsEaFuMYN7GbID8jcM7Ct5F
                                        dBKcU8FCx7wIDpsfDi0OTDsoZk9TaWBdCOh4
                                        KbL7TbI7aue30irpCb/XLTG3B1JQEWRSWoGS
                                        ZxnAA3FzI9QvpJJhNBrr1nwbNq8QDmZnA7dF
                                        00LxLtQy/G7cJew4yNxb/hM1imhHk8bx
                                        ) ; key id = 29958
                        3600    DNSKEY  257 3 8 (
                                        AwEAAbjthg82WErIMm+gcsOeNlI6j7/9Vuih
                                        QtYVnt9dOFWeddfZxlbvVIFKklxBLMmBt4Z5
                                        GULTDKg+2BA6hGq3UGTHJMg1cpYTZtUBF4R1
                                        LnxL2KB15rBFtU8b3C8OtrpGsEI/VUWeii5I
                                        PopFU04QMDCQkXBiulwHbG6ZcynlvYeaUC94
                                        CVabjTPpO95BysAZqBrxQsWyokMWwMtX6V0+
                                        uYlzGIU2OJazpYkWsIrAfpY2dRL15pugx4gC
                                        WMZwdsrfiHZSS7nlDCaDbAgsTS5tQiU4zy2Y
                                        Q7vst7U4Zmh0+WbfHefeyVByCdiQaF2UmVsm
                                        nTxuEtu1Y3SSClmDzq2/wW8=
                                        ) ; key id = 27916
                        3600    RRSIG   DNSKEY 8 2 3600 20120514071934 (
                                        20120413071934 27916 example.org.
                                        hi4iklMgcGJPeBa+vOHfXdKzC0/UcizxPO7x
                                        QCWohh9/5TMABgWyhtjjxPFeMpayqTLdS2QP
                                        LARIIMrCNERHweZ9ucq3iwUXUCywzX/opxuu
                                        UpHKiPy0+efWIOEa+oje20bnDHOApqf/iwjs
                                        5N5GKY5KYdDb7ESy/TVthc7hiWJHcEwjkp9u
                                        w98CQ6AubygmuHweR0ZGhtDRSBjssllgf7+w
                                        v7vIPfcR0M/iQVdWlZif5kfSeJwc0XwycyPr
                                        vRljcNW5rXxi76663WrFg3CgtuwF5KpNzK6+
                                        u4ai8J5nmIy9HCFDhVb2heyLqIdGXfr4A3PY
                                        whwQbSISeLukYzPcJg== )
                        3600    RRSIG   DNSKEY 8 2 3600 20120514071934 (
                                        20120413071934 31560 example.org.
                                        kvzkVv3+mf+hTQOaDnV0Da6wQp7f8j7STRnP
                                        QfbOX7L4BSgCZAC1nX3gvwUJ4++bn0qZufZk
                                        buqL+x2FP/DynKpgZBXXu72zRx9yrScHZXHT
                                        HxicYCEoFfuz0SS+OAeVFs96NpTCg1Qe7xQl
                                        +dg0nnmmq3BBSkggxble2Drz9hQ= )
                        0       NSEC3PARAM 1 0 100 BAC4DE566D0E4403
                        0       RRSIG   NSEC3PARAM 8 2 0 20120514071934 (
                                        20120413071934 31560 example.org.
                                        JgpKxiJmynRC6sI2dqSweHSCk6LYdARhP67M
                                        7N/tlBKn3LmwWUAzxFy+TUxlmz1TKYJra9AT
                                        zskc/QP0fdKubFZPgXY0AGAKWLjBUftE71jY
                                        R5+uYgUOHCrlFaSK4i7iPbeEkHRYkj2MVWkj
                                        oPQlDCZEFe0b6XtOB+c3VAkmibk= )
www.example.org.        3600    IN A    1.2.3.4
                        3600    RRSIG   A 8 3 3600 20120514071934 (
                                        20120413071934 31560 example.org.
                                        lm64+7cGoS1DmHqm73aIAB3HGh74Asih9HB/
                                        D6YUpONoVKax78aDnHCrypbTs33GKgUp2sW/
                                        ZI1AVrDAclCIO8zs6Cr3Efl6OjU2NlaMnNKk
                                        xFZk+UgD7Qna/0qfcBdpZzdfXcez3m+/ItOE
                                        mSAknyO2K+h7jqNZBsJAgUgVtmo= )
06C7U6DINN1SA2C7HK9GFBTSOU0KADR8.example.org. 86400 IN NSEC3 1 0 100 BAC4DE566D0E4403 HBSF972BMNBCF9J9LCP9453EAM3A5J96 A NS SOA MX TXT RRSIG DNSKEY NSEC3PARAM
                        86400   RRSIG   NSEC3 8 3 86400 20120514071934 (
                                        20120413071934 31560 example.org.
                                        Sj0BJA2jWC+Lcifn6F2Iavelv81hdW/UxnN9
                                        8MYikEjCAw80NJBRq7N6YMEkw0Qoh0zT06Qe
                                        zGysgca8b6+njkc3YGl5NhtwV0cnL0EC9xUj
                                        MdyoaRbgKlNIiWzwABd0YbFBSThVtBgeAqan
                                        TqZXwRMQR+BZ4IVIpEWZ891ijYI= )
HBSF972BMNBCF9J9LCP9453EAM3A5J96.example.org. 86400 IN NSEC3 1 0 100 BAC4DE566D0E4403 TNBUBU0J4E7QEMO9NNCGMJ7BK5A03GLN A RRSIG
                        86400   RRSIG   NSEC3 8 3 86400 20120514071934 (
                                        20120413071934 31560 example.org.
                                        WhobKFIWJd5g3TNckzp9ilORttoBLpXa/Ng3
                                        8RI1Hb367i7+S8gZDQD81Jm6RA0PYxDR7MgA
                                        UShRIb3UK8EjSFj+B+Dnbrs/UiwYQ/PjOYRM
                                        TzXuK8uYJ1Q8UTMdyDC9uFQ7Ju8+G0vQQBMC
                                        lkTo9MWR4a8bDsDqRytg+0WeBCs= )
TNBUBU0J4E7QEMO9NNCGMJ7BK5A03GLN.example.org. 86400 IN NSEC3 1 0 100 BAC4DE566D0E4403 06C7U6DINN1SA2C7HK9GFBTSOU0KADR8 A RRSIG
                        86400   RRSIG   NSEC3 8 3 86400 20120514071934 (
                                        20120413071934 31560 example.org.
                                        SueRnWwggy3PCVk3Z3emXVMoMIDwVi8XhDf/
                                        o0gpmnqm/1ZKXsHRKI3KvfUa3EUAqGH27ZyP
                                        GNsSbmgabAwpw8bXbc2y5hQLK9BVFTczolgh
                                        5tws4Ok/rhec5CmoPzACt/lKkP4s9b8VmltY
                                        bh7FPA9mYarlNF4OGRNDCCp97r8= )
mail.example.org.       3600    IN A    1.2.3.4
                        3600    RRSIG   A 8 3 3600 20120514071934 (
                                        20120413071934 31560 example.org.
                                        totQYEtfcNAjyUuvgaJcXeY0Bc5a5DYnmFDG
                                        1u+7wyUrpMkSGRNlcZAuqrdy8ZNx1roacrAa
                                        iaHVz3ZsuTdYS7jyLmEZe1WdQZy7DN4POoBe
                                        YWH4AXu8ixH2PIheOC+7b6v/T+1FTi92NeXY
                                        FSNSqyvKSV6zzROM/qEcUwh1Sr8=

You see, it's much larger than the initial zone file.
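
Each RRSIG in the signed zone carries its own validity window (here 20120413071934 to 20120514071934, the 2678400 seconds set as endtime in example.org.krf) and the ID of the key that made it. The following is an added example, not part of the original tutorial or of dnssec-tools: it parses RRSIG records in this multi-line layout, shows which key signs which record types (the KSK 27916 signs only the DNSKEY set, the ZSK 31560 signs everything), and lists signatures that need re-signing. The function names, the 7-day margin and the shortened sample zone are assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# RRSIG RDATA order: type-covered, algorithm, labels, original TTL,
# expiration, inception, key tag, signer name, signature.
RRSIG_RE = re.compile(
    r"RRSIG\s+(?P<covered>[A-Z][A-Z0-9]*)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<expire>\d{14})\s*\(?\s*(?P<incept>\d{14})\s+(?P<tag>\d+)\s+(?P<signer>\S+)"
)

def parse_utc(stamp):
    """RRSIG timestamps are YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsigs(zone_text):
    """One dict per RRSIG in a dnssec-signzone style (multi-line) zone file."""
    # Drop ';' comments first (good enough here: no ';' inside quoted TXT data).
    text = "\n".join(line.split(";", 1)[0] for line in zone_text.splitlines())
    return [{"covered": m["covered"], "key_tag": int(m["tag"]),
             "signer": m["signer"], "inception": parse_utc(m["incept"]),
             "expiration": parse_utc(m["expire"])}
            for m in RRSIG_RE.finditer(text)]

def signing_roles(sigs):
    """Key tag -> RR types it signs; a KSK should appear for DNSKEY only."""
    roles = {}
    for s in sigs:
        roles.setdefault(s["key_tag"], set()).add(s["covered"])
    return roles

def needs_resign(sigs, now, margin=timedelta(days=7)):
    """RRSIGs that are not yet valid, expired, or expire within `margin`."""
    return [s for s in sigs
            if now < s["inception"] or s["expiration"] - now <= margin]

# Constructed excerpt in the layout of pri.example.org.signed; key tags and
# timestamps are the ones shown on the page, signature bytes are dummies.
SAMPLE = """\
example.org.    3600 IN SOA server1.example.com. zonemaster.example.com. (
                        2012041306 7200 540 604800 86400 )
                3600 RRSIG SOA 8 2 3600 20120514071934 (
                        20120413071934 31560 example.org.
                        ZHVtbXk= ) ; dummy signature
                3600 RRSIG DNSKEY 8 2 3600 20120514071934 (
                        20120413071934 27916 example.org. ZHVtbXk= )
                3600 RRSIG DNSKEY 8 2 3600 20120514071934 (
                        20120413071934 31560 example.org. ZHVtbXk= )
www.example.org. 3600 IN A 1.2.3.4
                3600 RRSIG A 8 3 3600 20120514071934 (
                        20120413071934 31560 example.org. ZHVtbXk= )
"""

if __name__ == "__main__":
    sigs = parse_rrsigs(SAMPLE)
    print(signing_roles(sigs))
    now = datetime(2012, 5, 10, tzinfo=timezone.utc)
    for s in needs_resign(sigs, now):
        print(s["covered"], s["key_tag"], "expires", s["expiration"])
```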

We can use donuts to check if there are any problems with the signed zone file:

donuts --level 8 -v pri.example.org.signed example.org

If everything is ok, you shouldn't see any warnings or errors:

root@server1:/etc/bind# donuts --level 8 -v pri.example.org.signed example.org
--- loading rule file /usr/share/dnssec-tools/donuts/rules/check_nameservers.txt
    rules: MEMORIZE_NS_ADDRS DNS_SERVERS_MATCH_DATA
--- loading rule file /usr/share/dnssec-tools/donuts/rules/dns.errors.txt
    rules: DNS_SOA_REQUIRED MEMORIZE_NS_CNAME_RECORDS DNS_NS_NO_CNAME
--- loading rule file /usr/share/dnssec-tools/donuts/rules/dnssec.rules.txt
    rules: DNSSEC_RRSIG_TTL_MATCH_ORGTTL DNSSEC_MEMORIZE_NS_RECORDS DNSSEC_CHECK_IF_NSEC3
 DNSSEC_MISSING_NSEC_RECORD DNSSEC_MISSING_RRSIG_RECORD DNSSEC_RRSIG_NOT_SIGNING_RRSIG DNSSEC_RRSIG_FOR_NS_GLUE_RECORD
 DNSSEC_NSEC_FOR_NS_GLUE_RECORD DNSSEC_RRSIG_SIGEXP DNSSEC_NSEC_TTL DNSSEC_NSEC3_TTL DNSSEC_DNSKEY_MUST_HAVE_SAME_NAME
 DNSSEC_DNSKEY_PROTOCOL_MUST_BE_3 DNSSEC_BOGUS_NS_MEMORIZE DNSSEC_MISSING_RRSIG_RECORD DNSSEC_RRSIG_TTL_MUST_MATCH_RECORD
 DNSSEC_MISSING_NSEC_RECORD DNSSEC_RRSIG_SIGNER_NAME_MATCHES DNSSEC_NSEC_RRSEC_MUST_NOT_BE_ALONE DNSSEC_MEMORIZE_KEYS
 DNSSEC_RRSIGS_VERIFY DNSSEC_TWO_ZSKS DNSSEC_OPENSSL_KEY_ISSUES
--- loading rule file /usr/share/dnssec-tools/donuts/rules/nsec_check.rules.txt
    rules: DNSSEC_NSEC_MEMORIZE DNSSEC_NSEC3_MEMORIZE DNSSEC_NSEC3_CHECK DNSSEC_NSEC_CHECK
--- loading rule file /usr/share/dnssec-tools/donuts/rules/parent_child.rules.txt
    rules: DNS_MULTIPLE_NS DNSSEC_SUB_NOT_SECURE DNSSEC_DNSKEY_PARENT_HAS_VALID_DS DNSSEC_DS_CHILD_HAS_MATCHING_DNSKEY
--- loading rule file /usr/share/dnssec-tools/donuts/rules/recommendations.rules.txt
    rules: DNS_REASONABLE_TTLS DNS_NO_DOMAIN_MX_RECORDS
--- Analyzing individual records in pri.example.org.signed
--- Analyzing records for each name in pri.example.org.signed
results on testing example.org:
  rules considered:     38
  rules tested:         30
  records analyzed:     28
  names analyzed:       6
  errors found:         0
root@server1:/etc/bind#

Let's check the contents of our KSK (we will need this later on to create a trust anchor on our resolver server3 to do some testing before we submit the DS records to the registry):

cat Kexample.org.+008+27916.key 
; This is a key-signing key, keyid 27916, for example.org.
; Created: 20120413081933 (Fri Apr 13 10:19:33 2012)
; Publish: 20120413081933 (Fri Apr 13 10:19:33 2012)
; Activate: 20120413081933 (Fri Apr 13 10:19:33 2012)
example.org. IN DNSKEY 257 3 8 AwEAAbjthg82WErIMm+gcsOeNlI6j7/9VuihQtYVnt9dOFWeddfZxlbv VIFKklxBLMmBt4Z5GULTDKg+2BA6hGq3UGTHJMg1cpYTZtUBF4R1LnxL 2KB15rBFtU8b3C8OtrpGsEI/VUWeii5IPopFU04QMDCQkXBiulwHbG6Z cynlvYeaUC94CVabjTPpO95BysAZqBrxQsWyokMWwMtX6V0+uYlzGIU2 OJazpYkWsIrAfpY2dRL15pugx4gCWMZwdsrfiHZSS7nlDCaDbAgsTS5t QiU4zy2YQ7vst7U4Zmh0+WbfHefeyVByCdiQaF2UmVsmnTxuEtu1Y3SS ClmDzq2/wW8=

Now we must update named.conf.local...

vi named.conf.local

... and replace pri.example.org with pri.example.org.signed:

zone "example.org" {
        type master;
        allow-transfer {192.168.0.101;};
        also-notify {192.168.0.101;};
        file "/etc/bind/pri.example.org.signed";
};

Restart BIND afterwards:

/etc/init.d/bind9 restart