Configuring DNSSEC On BIND9 (9.7.3) On Debian Squeeze/Ubuntu 11.10 - Page 2
Now let's sign our example.org zone. We do this with the handy zonesigner tool which is a wrapper around dnssec-keygen and dnssec-signzone. Take a look at
man zonesigner
to learn more about its options. (You can specify default values for zonesigner and rollerd in /etc/dnssec-tools/dnssec-tools.conf so that you don't have to specify so many options on the command line - normally the default values in /etc/dnssec-tools/dnssec-tools.conf should be ok.)
We can sign our zone as follows:
zonesigner -genkeys -usensec3 -zone example.org pri.example.org
We use NSEC3 here to avoid zone walking: with plain NSEC, the denial-of-existence records chain every owner name in the zone in canonical order, so anyone can enumerate the whole zone by following the chain, whereas NSEC3 chains hashed owner names instead.
root@server1:/etc/bind# zonesigner -genkeys -usensec3 -zone example.org pri.example.org
if zonesigner appears hung, strike keys until the program completes
(see the "Entropy" section in the man page for details)
Generating key pair...++++++ .................................................++++++
Generating key pair..............++++++ .........++++++
Generating key pair............................................
.........................................................................
..........................................+++ ......................
.........................................................................
.................................+++
Verifying the zone using the following algorithms: RSASHA256.
Zone signing complete:
Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
ZSKs: 1 active, 1 stand-by, 0 revoked
zone signed successfully
example.org:
KSK (cur) 27916 -b 2048 04/13/12 (example.org-signset-00003)
ZSK (cur) 31560 -b 1024 04/13/12 (example.org-signset-00001)
ZSK (pub) 29958 -b 1024 04/13/12 (example.org-signset-00002)
zone will expire in 4 weeks, 3 days, 0 seconds
DO NOT delete the keys until this time has passed.
root@server1:/etc/bind#
As you see, zonesigner has created three key pairs (each a private/public key pair): a key-signing key (KSK) with the ID 27916 and two zone-signing keys (ZSKs) with the IDs 31560 (active) and 29958 (passive). We need two ZSKs for key rollovers later on. You can learn more about KSKs and ZSKs on https://dlv.isc.org/about/background; http://www.nlnetlabs.nl/publications/dnssec_howto/#x1-400005 has some good information about key rollovers and why two ZSKs are needed.
Let's take a look at the /etc/bind directory now:
ls -l
root@server1:/etc/bind# ls -l
total 100
-rw-r--r-- 1 root root 665 Jan 15 2011 bind.keys
-rw-r--r-- 1 root root 237 Jan 15 2011 db.0
-rw-r--r-- 1 root root 271 Jan 15 2011 db.127
-rw-r--r-- 1 root root 237 Jan 15 2011 db.255
-rw-r--r-- 1 root root 353 Jan 15 2011 db.empty
-rw-r--r-- 1 root root 270 Jan 15 2011 db.local
-rw-r--r-- 1 root root 2994 Jan 15 2011 db.root
-rw-r--r-- 1 root bind 167 Apr 13 10:19 dsset-example.org.
-rw-r--r-- 1 root bind 1910 Apr 13 10:19 example.org.krf
-rw-r--r-- 1 root bind 605 Apr 13 10:19 Kexample.org.+008+27916.key
-rw------- 1 root bind 1776 Apr 13 10:19 Kexample.org.+008+27916.private
-rw-r--r-- 1 root bind 431 Apr 13 10:19 Kexample.org.+008+29958.key
-rw------- 1 root bind 1012 Apr 13 10:19 Kexample.org.+008+29958.private
-rw-r--r-- 1 root bind 431 Apr 13 10:19 Kexample.org.+008+31560.key
-rw------- 1 root bind 1012 Apr 13 10:19 Kexample.org.+008+31560.private
-rw-r--r-- 1 root bind 463 Jan 15 2011 named.conf
-rw-r--r-- 1 root bind 490 Jan 15 2011 named.conf.default-zones
-rw-r--r-- 1 root bind 167 Apr 13 10:18 named.conf.local
-rw-r--r-- 1 root bind 1389 Apr 13 10:17 named.conf.options
-rw-r--r-- 1 root bind 723 Apr 13 10:19 pri.example.org
-rw-r--r-- 1 root bind 5912 Apr 13 10:19 pri.example.org.signed
-rw-r----- 1 bind bind 77 Feb 7 2011 rndc.key
drwxr-s--- 2 root bind 4096 Feb 7 2011 slave
-rw-r--r-- 1 root root 1317 Jan 15 2011 zones.rfc1918
root@server1:/etc/bind#
You should see your three key pairs, Kexample.org.+008+<ID>.key and Kexample.org.+008+<ID>.private, where Kexample.org.+008+27916.key is the public KSK, Kexample.org.+008+31560.key the active public ZSK and Kexample.org.+008+29958.key the passive public ZSK. Note that the .private files are created with mode 600 (readable by root only); keep them that way, because anyone who can read a private key can sign records for the zone.
There's also the file dsset-example.org. which contains the DS records that have to be set up at your registry for your zone:
cat dsset-example.org.
example.org.	IN DS 27916 8 1 20390B300F17E32838B309254E572FCC7CB139B3
example.org.	IN DS 27916 8 2 45A003E0A9FB0EE773F487A7C8FE81A8219EB14741485A925C0D418E 3E45A209
The example.org.krf file contains key management details (like zone name, zone file name, key IDs, expiry, etc.) that are used by zonesigner and rollerd for key management.
cat example.org.krf
zone	"example.org"
	serial		"2012041306"
	kskcur		"example.org-signset-00003"
	zskpub		"example.org-signset-00002"
	zskcur		"example.org-signset-00001"
	zskcount	"1"
	signedzone	"pri.example.org.signed"
	kskcount	"1"
	archivedir	"/var/lib/dnssec-tools/archive"
	kskdirectory	"/etc/bind"
	zskdirectory	"/etc/bind"
	endtime		"+2678400"
	lastset		"example.org-signset-00003"
	zonefile	"pri.example.org"
	keyrec_type	"zone"
	keyrec_signsecs	"1334305175"
	keyrec_signdate	"Fri Apr 13 08:19:35 2012"

set	"example.org-signset-00001"
	keys		"Kexample.org.+008+31560"
	set_type	"zskcur"
	zonename	"example.org"
	keyrec_setsecs	"1334305173"
	keyrec_setdate	"Fri Apr 13 08:19:33 2012"

set	"example.org-signset-00002"
	keys		"Kexample.org.+008+29958"
	set_type	"zskpub"
	zonename	"example.org"
	keyrec_setsecs	"1334305173"
	keyrec_setdate	"Fri Apr 13 08:19:33 2012"

key	"Kexample.org.+008+31560"
	zonename	"example.org"
	keyrec_type	"zskcur"
	algorithm	"rsasha256"
	random		"/dev/urandom"
	keypath		"/etc/bind/Kexample.org.+008+31560.key"
	zsklength	"1024"
	zsklife		"604800"
	keyrec_gensecs	"1334305173"
	keyrec_gendate	"Fri Apr 13 08:19:33 2012"

key	"Kexample.org.+008+29958"
	zonename	"example.org"
	keyrec_type	"zskpub"
	algorithm	"rsasha256"
	random		"/dev/urandom"
	keypath		"/etc/bind/Kexample.org.+008+29958.key"
	zsklength	"1024"
	zsklife		"604800"
	keyrec_gensecs	"1334305173"
	keyrec_gendate	"Fri Apr 13 08:19:33 2012"

set	"example.org-signset-00003"
	keys		"Kexample.org.+008+27916"
	set_type	"kskcur"
	zonename	"example.org"
	keyrec_setsecs	"1334305173"
	keyrec_setdate	"Fri Apr 13 08:19:33 2012"

key	"Kexample.org.+008+27916"
	zonename	"example.org"
	keyrec_type	"kskcur"
	algorithm	"rsasha256"
	random		"/dev/urandom"
	keypath		"/etc/bind/Kexample.org.+008+27916.key"
	ksklength	"2048"
	ksklife		"15552000"
	revperiod	"3888000"
	keyrec_gensecs	"1334305174"
	keyrec_gendate	"Fri Apr 13 08:19:34 2012"
Most importantly, there is now a new zone file, pri.example.org.signed: the signed version of pri.example.org. This is how it looks:
cat pri.example.org.signed
; File written on Fri Apr 13 10:19:34 2012
; dnssec_signzone version 9.7.2-P3
example.org.            3600    IN SOA  server1.example.com. zonemaster.example.com. (
                                2012041306 ; serial
                                7200       ; refresh (2 hours)
                                540        ; retry (9 minutes)
                                604800     ; expire (1 week)
                                86400      ; minimum (1 day)
                                )
                        3600    RRSIG   SOA 8 2 3600 20120514071934 (
                                20120413071934 31560 example.org.
                                PBITMuBEZzMHSw53keFzfAxWzhj/iqgUZsA+
                                XSD5eahnXSla+J6nSzeU0j0Zw+6z4TBkQeBm
                                OzKMNjO6Zq1vK18nQH8Gg7uJgROjYU7XtPAw
                                laCsFWcOhna9RCUayZf8Ft3Emu7BG1Bp16rz
                                SdQhte0UPk/1k0nO1d6JpyXmCUY= )
                        86400   NS      server1.example.com.
                        86400   NS      server2.example.com.
                        86400   RRSIG   NS 8 2 86400 20120514071934 (
                                20120413071934 31560 example.org.
                                OYzDYsxaKvzEmI+DCtgbjycy1I1l+O+42Uwy
                                R/YAKzEEwRTswIbj/cjbmBb7HmWJVHkqLHw/
                                xWPt9MwjSPyJZyGQtVgrHhmxZSf1vNByqHFU
                                evUhg1qsRBwFQfoayDKQWC77MkCn6qzYa5W4
                                VxChDYP2rCkgaCuYnWLPm3o82RY= )
                        3600    A       1.2.3.4
                        3600    RRSIG   A 8 2 3600 20120514071934 (
                                20120413071934 31560 example.org.
                                oGCbVz6tro67wrwDKeG5UOugTjGxXaC1BODd
                                LZtNHo4NAk9iuTQIOdWbITsNotXqx8qpwhVp
                                xSXEqcjqdyAKH3530A/lxntEDJzAfzLP7sFI
                                QfpYn2WedeFox6J9U1uNmkg45ddIsWE67AGC
                                8emmsxj2+WieGJ4BpiIvaZguOuI= )
                        3600    MX      10 mail.example.org.
                        3600    RRSIG   MX 8 2 3600 20120514071934 (
                                20120413071934 31560 example.org.
                                DUAKpO9aRDfHKSxeqIkNT6NwmZNY22U3i9M2
                                0y13FQ+fexUp+VAeAuOr2Yzl/jipTKFYkFbL
                                vh5pcOGb3nW/uPnFsGWUKX8g9E8sW22uPPO4
                                Xa7riEXylHAPqL7BU+/6AxAZqsAS4/ZE2MUL
                                qY/kq5ZiY1+GptMnINjh7THNfDs= )
                        3600    TXT     "v=spf1 a mx ptr -all"
                        3600    RRSIG   TXT 8 2 3600 20120514071934 (
                                20120413071934 31560 example.org.
                                cWzBNj/79/HRXyHFY2Qrtwygw8lviiSS90Na
                                qEbFIbpnMIjkjQHW1xL8CjJTg3xawWrdCi1T
                                dyAZu4PGLZiEfRRjyWzKyvjjdOaaUBlaPkVY
                                VWGuYAUX4e6IqRe7CRNDIdELMPxRk+AqVn36
                                T6HPOaOnd5tXM1APW2f8OOI4hmA= )
                        3600    DNSKEY  256 3 8 (
                                AwEAAbiLwZNsdmDJDqpRppqAxMkKMZF6F4wi
                                /QulmN1LUi2uA9zzz8O6V+NAhYDh8GBP3dNm
                                Zl+2DAJRm9ckL1PLc7ndTbvZYU4fIHYaCwJ+
                                5pDztrWA4mz960RQKCVaV6g25Gr1dWF2vQtt
                                QlXGTlnWijbPkjtBxVuTgN2HUzC1+RLj
                                ) ; key id = 31560
                        3600    DNSKEY  256 3 8 (
                                AwEAAcoCzDx4onsEaFuMYN7GbID8jcM7Ct5F
                                dBKcU8FCx7wIDpsfDi0OTDsoZk9TaWBdCOh4
                                KbL7TbI7aue30irpCb/XLTG3B1JQEWRSWoGS
                                ZxnAA3FzI9QvpJJhNBrr1nwbNq8QDmZnA7dF
                                00LxLtQy/G7cJew4yNxb/hM1imhHk8bx
                                ) ; key id = 29958
                        3600    DNSKEY  257 3 8 (
                                AwEAAbjthg82WErIMm+gcsOeNlI6j7/9Vuih
                                QtYVnt9dOFWeddfZxlbvVIFKklxBLMmBt4Z5
                                GULTDKg+2BA6hGq3UGTHJMg1cpYTZtUBF4R1
                                LnxL2KB15rBFtU8b3C8OtrpGsEI/VUWeii5I
                                PopFU04QMDCQkXBiulwHbG6ZcynlvYeaUC94
                                CVabjTPpO95BysAZqBrxQsWyokMWwMtX6V0+
                                uYlzGIU2OJazpYkWsIrAfpY2dRL15pugx4gC
                                WMZwdsrfiHZSS7nlDCaDbAgsTS5tQiU4zy2Y
                                Q7vst7U4Zmh0+WbfHefeyVByCdiQaF2UmVsm
                                nTxuEtu1Y3SSClmDzq2/wW8=
                                ) ; key id = 27916
                        3600    RRSIG   DNSKEY 8 2 3600 20120514071934 (
                                20120413071934 27916 example.org.
                                hi4iklMgcGJPeBa+vOHfXdKzC0/UcizxPO7x
                                QCWohh9/5TMABgWyhtjjxPFeMpayqTLdS2QP
                                LARIIMrCNERHweZ9ucq3iwUXUCywzX/opxuu
                                UpHKiPy0+efWIOEa+oje20bnDHOApqf/iwjs
                                5N5GKY5KYdDb7ESy/TVthc7hiWJHcEwjkp9u
                                w98CQ6AubygmuHweR0ZGhtDRSBjssllgf7+w
                                v7vIPfcR0M/iQVdWlZif5kfSeJwc0XwycyPr
                                vRljcNW5rXxi76663WrFg3CgtuwF5KpNzK6+
                                u4ai8J5nmIy9HCFDhVb2heyLqIdGXfr4A3PY
                                whwQbSISeLukYzPcJg== )
                        3600    RRSIG   DNSKEY 8 2 3600 20120514071934 (
                                20120413071934 31560 example.org.
                                kvzkVv3+mf+hTQOaDnV0Da6wQp7f8j7STRnP
                                QfbOX7L4BSgCZAC1nX3gvwUJ4++bn0qZufZk
                                buqL+x2FP/DynKpgZBXXu72zRx9yrScHZXHT
                                HxicYCEoFfuz0SS+OAeVFs96NpTCg1Qe7xQl
                                +dg0nnmmq3BBSkggxble2Drz9hQ= )
                        0       NSEC3PARAM 1 0 100 BAC4DE566D0E4403
                        0       RRSIG   NSEC3PARAM 8 2 0 20120514071934 (
                                20120413071934 31560 example.org.
                                JgpKxiJmynRC6sI2dqSweHSCk6LYdARhP67M
                                7N/tlBKn3LmwWUAzxFy+TUxlmz1TKYJra9AT
                                zskc/QP0fdKubFZPgXY0AGAKWLjBUftE71jY
                                R5+uYgUOHCrlFaSK4i7iPbeEkHRYkj2MVWkj
                                oPQlDCZEFe0b6XtOB+c3VAkmibk= )
www.example.org.        3600    IN A    1.2.3.4
                        3600    RRSIG   A 8 3 3600 20120514071934 (
                                20120413071934 31560 example.org.
                                lm64+7cGoS1DmHqm73aIAB3HGh74Asih9HB/
                                D6YUpONoVKax78aDnHCrypbTs33GKgUp2sW/
                                ZI1AVrDAclCIO8zs6Cr3Efl6OjU2NlaMnNKk
                                xFZk+UgD7Qna/0qfcBdpZzdfXcez3m+/ItOE
                                mSAknyO2K+h7jqNZBsJAgUgVtmo= )
06C7U6DINN1SA2C7HK9GFBTSOU0KADR8.example.org. 86400 IN NSEC3 1 0 100 BAC4DE566D0E4403 HBSF972BMNBCF9J9LCP9453EAM3A5J96 A NS SOA MX TXT RRSIG DNSKEY NSEC3PARAM
                        86400   RRSIG   NSEC3 8 3 86400 20120514071934 (
                                20120413071934 31560 example.org.
                                Sj0BJA2jWC+Lcifn6F2Iavelv81hdW/UxnN9
                                8MYikEjCAw80NJBRq7N6YMEkw0Qoh0zT06Qe
                                zGysgca8b6+njkc3YGl5NhtwV0cnL0EC9xUj
                                MdyoaRbgKlNIiWzwABd0YbFBSThVtBgeAqan
                                TqZXwRMQR+BZ4IVIpEWZ891ijYI= )
HBSF972BMNBCF9J9LCP9453EAM3A5J96.example.org. 86400 IN NSEC3 1 0 100 BAC4DE566D0E4403 TNBUBU0J4E7QEMO9NNCGMJ7BK5A03GLN A RRSIG
                        86400   RRSIG   NSEC3 8 3 86400 20120514071934 (
                                20120413071934 31560 example.org.
                                WhobKFIWJd5g3TNckzp9ilORttoBLpXa/Ng3
                                8RI1Hb367i7+S8gZDQD81Jm6RA0PYxDR7MgA
                                UShRIb3UK8EjSFj+B+Dnbrs/UiwYQ/PjOYRM
                                TzXuK8uYJ1Q8UTMdyDC9uFQ7Ju8+G0vQQBMC
                                lkTo9MWR4a8bDsDqRytg+0WeBCs= )
TNBUBU0J4E7QEMO9NNCGMJ7BK5A03GLN.example.org. 86400 IN NSEC3 1 0 100 BAC4DE566D0E4403 06C7U6DINN1SA2C7HK9GFBTSOU0KADR8 A RRSIG
                        86400   RRSIG   NSEC3 8 3 86400 20120514071934 (
                                20120413071934 31560 example.org.
                                SueRnWwggy3PCVk3Z3emXVMoMIDwVi8XhDf/
                                o0gpmnqm/1ZKXsHRKI3KvfUa3EUAqGH27ZyP
                                GNsSbmgabAwpw8bXbc2y5hQLK9BVFTczolgh
                                5tws4Ok/rhec5CmoPzACt/lKkP4s9b8VmltY
                                bh7FPA9mYarlNF4OGRNDCCp97r8= )
mail.example.org.       3600    IN A    1.2.3.4
                        3600    RRSIG   A 8 3 3600 20120514071934 (
                                20120413071934 31560 example.org.
                                totQYEtfcNAjyUuvgaJcXeY0Bc5a5DYnmFDG
                                1u+7wyUrpMkSGRNlcZAuqrdy8ZNx1roacrAa
                                iaHVz3ZsuTdYS7jyLmEZe1WdQZy7DN4POoBe
                                YWH4AXu8ixH2PIheOC+7b6v/T+1FTi92NeXY
                                FSNSqyvKSV6zzROM/qEcUwh1Sr8=
You see, it's much larger than the initial zone file. Note the two timestamps in every RRSIG (expiration 20120514071934 and inception 20120413071934): once the expiration passes, validating resolvers reject the zone, which is why the zone must be re-signed before then and why zonesigner reported "zone will expire in 4 weeks, 3 days".
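Because an expired RRSIG makes the whole zone bogus for validating resolvers, it is worth monitoring the signatures in the published file. The following Python is an added example, not part of the original tutorial or of dnssec-tools: it parses RRSIG expiration and inception timestamps out of a signed zone in BIND's multi-line format and classifies each signature relative to a given time. The embedded zone text is a constructed excerpt of the signed zone above with the signature data truncated (only the timing fields are read), and the TRUNCATED= marker is a placeholder.

```python
from datetime import datetime, timedelta

# Constructed excerpt of the signed zone shown on this page (two of its RRSIGs,
# signature data truncated: only the timing fields are parsed here).
SIGNED_ZONE_EXCERPT = """\
example.org.      86400 IN NS   server1.example.com.
                  3600  RRSIG   SOA 8 2 3600 20120514071934 (
                        20120413071934 31560 example.org.
                        PBITMuBEZzMHSw53keFzfAxWzhj/iqgUZsA+ TRUNCATED= )
www.example.org.  3600  IN A    1.2.3.4
                  3600  RRSIG   A 8 3 3600 20120514071934 (
                        20120413071934 31560 example.org.
                        lm64+7cGoS1DmHqm73aIAB3HGh74Asih9HB/ TRUNCATED= )
"""
RRSIG_TIME = "%Y%m%d%H%M%S"  # RRSIG expiration/inception timestamps (UTC)

def logical_records(zone_text):
    """Join '(' ... ')' continuation lines into one record; drop ';' comments
    (assumes no quoted ';' inside TXT data)."""
    buf, depth = "", 0
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        buf += line if not buf else " " + line.strip()
        depth += line.count("(") - line.count(")")
        if depth == 0:
            yield buf
            buf = ""

def rrsig_records(zone_text):
    """(owner, type covered, expiration, inception, key tag) for every RRSIG."""
    owner, found = None, []
    for rec in logical_records(zone_text):
        toks = [t for t in rec.split() if t not in ("(", ")")]
        if not rec[0].isspace():
            owner = toks[0]  # no leading whitespace: the record names a new owner
        if "RRSIG" in toks:
            i = toks.index("RRSIG")
            found.append((owner, toks[i + 1], toks[i + 5], toks[i + 6], int(toks[i + 7])))
    return found

def signature_status(zone_text, now, warn_days=7):
    """Per RRSIG: (owner, type, key tag, days left, state); `now` is a string in
    RRSIG timestamp format, e.g. the output of `date -u +%Y%m%d%H%M%S`."""
    now, report = datetime.strptime(now, RRSIG_TIME), []
    for owner, covered, exp, inc, keytag in rrsig_records(zone_text):
        left = datetime.strptime(exp, RRSIG_TIME) - now
        state = ("invalid" if now < datetime.strptime(inc, RRSIG_TIME) or left <= timedelta(0)
                 else "expiring" if left <= timedelta(days=warn_days) else "ok")
        report.append((owner, covered, keytag, left.days, state))
    return report
```

Run against the real pri.example.org.signed (read the file into `zone_text`) from cron and alert on any "expiring" or "invalid" row well before the 31-day signature lifetime runs out.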
We can use donuts to check if there are any problems with the signed zone file:
donuts --level 8 -v pri.example.org.signed example.org
If everything is ok, you shouldn't see any warnings or errors:
root@server1:/etc/bind# donuts --level 8 -v pri.example.org.signed example.org
--- loading rule file /usr/share/dnssec-tools/donuts/rules/check_nameservers.txt
rules: MEMORIZE_NS_ADDRS DNS_SERVERS_MATCH_DATA
--- loading rule file /usr/share/dnssec-tools/donuts/rules/dns.errors.txt
rules: DNS_SOA_REQUIRED MEMORIZE_NS_CNAME_RECORDS DNS_NS_NO_CNAME
--- loading rule file /usr/share/dnssec-tools/donuts/rules/dnssec.rules.txt
rules: DNSSEC_RRSIG_TTL_MATCH_ORGTTL DNSSEC_MEMORIZE_NS_RECORDS DNSSEC_CHECK_IF_NSEC3
DNSSEC_MISSING_NSEC_RECORD DNSSEC_MISSING_RRSIG_RECORD DNSSEC_RRSIG_NOT_SIGNING_RRSIG DNSSEC_RRSIG_FOR_NS_GLUE_RECORD
DNSSEC_NSEC_FOR_NS_GLUE_RECORD DNSSEC_RRSIG_SIGEXP DNSSEC_NSEC_TTL DNSSEC_NSEC3_TTL DNSSEC_DNSKEY_MUST_HAVE_SAME_NAME
DNSSEC_DNSKEY_PROTOCOL_MUST_BE_3 DNSSEC_BOGUS_NS_MEMORIZE DNSSEC_MISSING_RRSIG_RECORD DNSSEC_RRSIG_TTL_MUST_MATCH_RECORD
DNSSEC_MISSING_NSEC_RECORD DNSSEC_RRSIG_SIGNER_NAME_MATCHES DNSSEC_NSEC_RRSEC_MUST_NOT_BE_ALONE DNSSEC_MEMORIZE_KEYS
DNSSEC_RRSIGS_VERIFY DNSSEC_TWO_ZSKS DNSSEC_OPENSSL_KEY_ISSUES
--- loading rule file /usr/share/dnssec-tools/donuts/rules/nsec_check.rules.txt
rules: DNSSEC_NSEC_MEMORIZE DNSSEC_NSEC3_MEMORIZE DNSSEC_NSEC3_CHECK DNSSEC_NSEC_CHECK
--- loading rule file /usr/share/dnssec-tools/donuts/rules/parent_child.rules.txt
rules: DNS_MULTIPLE_NS DNSSEC_SUB_NOT_SECURE DNSSEC_DNSKEY_PARENT_HAS_VALID_DS DNSSEC_DS_CHILD_HAS_MATCHING_DNSKEY
--- loading rule file /usr/share/dnssec-tools/donuts/rules/recommendations.rules.txt
rules: DNS_REASONABLE_TTLS DNS_NO_DOMAIN_MX_RECORDS
--- Analyzing individual records in pri.example.org.signed
--- Analyzing records for each name in pri.example.org.signed
results on testing example.org:
rules considered: 38
rules tested: 30
records analyzed: 28
names analyzed: 6
errors found: 0
root@server1:/etc/bind#
Let's check the contents of our KSK (we will need this later on to create a trust anchor on our resolver, server3, so we can test before we submit the DS records to the registry):
cat Kexample.org.+008+27916.key
; This is a key-signing key, keyid 27916, for example.org.
; Created: 20120413081933 (Fri Apr 13 10:19:33 2012)
; Publish: 20120413081933 (Fri Apr 13 10:19:33 2012)
; Activate: 20120413081933 (Fri Apr 13 10:19:33 2012)
example.org. IN DNSKEY 257 3 8 AwEAAbjthg82WErIMm+gcsOeNlI6j7/9VuihQtYVnt9dOFWeddfZxlbv VIFKklxBLMmBt4Z5GULTDKg+2BA6hGq3UGTHJMg1cpYTZtUBF4R1LnxL 2KB15rBFtU8b3C8OtrpGsEI/VUWeii5IPopFU04QMDCQkXBiulwHbG6Z cynlvYeaUC94CVabjTPpO95BysAZqBrxQsWyokMWwMtX6V0+uYlzGIU2 OJazpYkWsIrAfpY2dRL15pugx4gCWMZwdsrfiHZSS7nlDCaDbAgsTS5t QiU4zy2YQ7vst7U4Zmh0+WbfHefeyVByCdiQaF2UmVsmnTxuEtu1Y3SS ClmDzq2/wW8=
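The DS records in dsset-example.org. are nothing more than a key tag plus a SHA-1 (type 1) or SHA-256 (type 2) digest over the KSK's owner name and DNSKEY RDATA, so they can be recomputed and compared before anything is handed to the registry (BIND's dnssec-dsfromkey does the same from the .key file). The following Python is an added example, not part of the tutorial or of dnssec-tools; it embeds the KSK DNSKEY and the two DS lines exactly as shown on this page and reports whether each DS line matches the key.

```python
import base64
import hashlib
# Copied from this page: the KSK DNSKEY (Kexample.org.+008+27916.key) and dsset-example.org.
KSK_DNSKEY = (
    "example.org. IN DNSKEY 257 3 8 "
    "AwEAAbjthg82WErIMm+gcsOeNlI6j7/9VuihQtYVnt9dOFWeddfZxlbv"
    "VIFKklxBLMmBt4Z5GULTDKg+2BA6hGq3UGTHJMg1cpYTZtUBF4R1LnxL"
    "2KB15rBFtU8b3C8OtrpGsEI/VUWeii5IPopFU04QMDCQkXBiulwHbG6Z"
    "cynlvYeaUC94CVabjTPpO95BysAZqBrxQsWyokMWwMtX6V0+uYlzGIU2"
    "OJazpYkWsIrAfpY2dRL15pugx4gCWMZwdsrfiHZSS7nlDCaDbAgsTS5t"
    "QiU4zy2YQ7vst7U4Zmh0+WbfHefeyVByCdiQaF2UmVsmnTxuEtu1Y3SS"
    "ClmDzq2/wW8="
)
DS_RECORDS = [
    "example.org. IN DS 27916 8 1 20390B300F17E32838B309254E572FCC7CB139B3",
    "example.org. IN DS 27916 8 2 45A003E0A9FB0EE773F487A7C8FE81A8219EB14741485A925C0D418E 3E45A209",
]
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types 1 and 2

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def parse_dnskey(line):
    """Return (owner, DNSKEY RDATA bytes) from a presentation-format DNSKEY line."""
    owner, _, _, flags, proto, alg, *key = line.split()
    rdata = int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)])
    return owner, rdata + base64.b64decode("".join(key))

def keytag(rdata):
    """Key tag (RFC 4034 Appendix B) over the DNSKEY RDATA."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata, digest_type):
    """DS digest (RFC 4034 5.1.4): hash(owner wire form || DNSKEY RDATA), upper-case hex."""
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()

def check_ds(dnskey_line, ds_lines):
    """For each DS line: (key tag, digest type, whether it matches the DNSKEY)."""
    owner, rdata = parse_dnskey(dnskey_line)
    tag, results = keytag(rdata), []
    for ds in ds_lines:
        _, _, _, ds_tag, ds_alg, ds_type, *digest = ds.split()  # BIND may split the digest
        ok = (int(ds_tag) == tag and int(ds_alg) == rdata[3]
              and "".join(digest).upper() == ds_digest(owner, rdata, int(ds_type)))
        results.append((int(ds_tag), int(ds_type), ok))
    return results
```

Call check_ds(KSK_DNSKEY, DS_RECORDS) and expect (27916, 1, True) and (27916, 2, True); a False for any line means the dsset file and the KSK you are about to anchor do not belong together.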
Now we must update named.conf.local...
vi named.conf.local
... and replace pri.example.org with pri.example.org.signed:
zone "example.org" {
        type master;
        allow-transfer {192.168.0.101;};
        also-notify {192.168.0.101;};
        file "/etc/bind/pri.example.org.signed";
};
Restart BIND afterwards:
/etc/init.d/bind9 restart