Configuring DNSSEC On BIND9 (9.7.3) On Debian Squeeze/Ubuntu 11.10 - Page 3
3 Modifying A Signed Zone (server1)
server1 (master):
If you want to modify the example.org zone (e.g. add, update or delete records), edit the unsigned zone file pri.example.org, never pri.example.org.signed: the signed file is generated output and is overwritten at the next signing run, so any edits made there are lost. After you are finished with your modifications, run
zonesigner -zone example.org pri.example.org
This increments the zone's serial number for you (so you don't have to do it manually), re-signs all records and writes a fresh pri.example.org.signed. Keep in mind that the signatures carry an expiration date (visible in the RRSIG records when you query the zone), so a zone that is never re-signed eventually fails validation even if none of its records change; re-run zonesigner well before the signatures expire, and reload the zone in BIND after each run so that the new serial is served and the slave transfers the new version.
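The re-signing step is easy to get wrong quietly: if the serial in the new .signed file is not greater (in RFC 1982 serial arithmetic) than the one the slave already holds, the slave keeps the old zone and its signatures eventually expire. The script below is an added example, not part of the original tutorial or of the DNSSEC-Tools package: it wraps the zonesigner call from this chapter in a check of the SOA serial before and after signing. The zone name and file paths are the tutorial's; the function names, the RFC 1982 check and the small sample zone it is tested against are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original tutorial): re-sign example.org after an
# edit and refuse to install the result unless the signed zone's SOA serial has
# really moved forward. Zone name, paths and the zonesigner call follow the
# tutorial; the function names and the serial check are this example's own.
set -eu

ZONE=example.org
ZONEDIR=/etc/bind
UNSIGNED=$ZONEDIR/pri.$ZONE
SIGNED=$UNSIGNED.signed

# soa_serial FILE: print the SOA serial of a zone file. Comments are dropped and
# parentheses ignored so a multi-line SOA works; the serial is the third RDATA
# token after the SOA type (MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM).
soa_serial() {
    awk '{
        sub(/;.*/, "")
        gsub(/[()]/, " ")
        for (i = 1; i <= NF; i++) {
            if (seen) { if (++n == 3) { print $i; exit } }
            else if (toupper($i) == "SOA") seen = 1
        }
    }' "$1"
}

# serial_advanced OLD NEW: RFC 1982 serial arithmetic. NEW is later than OLD
# when (NEW - OLD) mod 2^32 lies in 1 .. 2^31-1, so a wrap past 4294967295
# counts as an increase while an unchanged or decreased serial does not.
serial_advanced() {
    d=$(( ($2 - $1) & 4294967295 ))
    if [ "$d" -gt 0 ] && [ "$d" -lt 2147483648 ]; then
        return 0
    fi
    return 1
}

# resign_zone: edit $UNSIGNED first, then call this on the master. Signs as the
# tutorial does, checks the new serial against the one currently served,
# syntax-checks the signed file and reloads only that zone. Needs zonesigner,
# named-checkzone and rndc; not exercised by the embedded test.
resign_zone() {
    old=$(soa_serial "$SIGNED")
    zonesigner -zone "$ZONE" "$UNSIGNED"
    new=$(soa_serial "$SIGNED")
    if ! serial_advanced "$old" "$new"; then
        echo "serial did not advance ($old -> $new): slaves would keep the old zone" >&2
        return 1
    fi
    named-checkzone "$ZONE" "$SIGNED" >/dev/null
    rndc reload "$ZONE"
}

# sample_zone: a constructed unsigned zone (not the tutorial's real file), in
# the multi-line SOA layout that zonesigner also writes, for testing soa_serial.
sample_zone() {
    cat <<'EOF'
$TTL 3600
@       IN      SOA     server1.example.com. hostmaster.example.org. (
                        2012041301      ; serial
                        3600            ; refresh
                        900             ; retry
                        604800          ; expire
                        86400 )         ; minimum
        IN      NS      server1.example.com.
        IN      NS      server2.example.com.
        IN      A       1.2.3.4
EOF
}
```

Edit pri.example.org, then run resign_zone on the master. soa_serial and serial_advanced are also useful on their own, for example to compare the serial of the file the master serves with the copy that has arrived on the slave.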
4 Enabling DNSSEC On The Slave (server2)
server2 (slave):
Go to the /etc/bind directory:
cd /etc/bind
Make the same changes to named.conf.options that you made on the master (set dnssec-enable yes;, dnssec-validation yes; and dnssec-lookaside auto; in the options area and include /etc/bind/bind.keys):
vi named.conf.options
options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        //bindkeys-file "/etc/bind/bind.keys";
};
include "/etc/bind/bind.keys";
That would be sufficient to configure DNSSEC on the slave. The file BIND writes after the zone transfer is simply a copy of the master's signed zone, DNSKEY and RRSIG records included, so only its name is a matter of taste: I want it to be called sec.example.org.signed instead of sec.example.org (purely a personal preference, so this step is optional), therefore I edit named.conf.local...
vi named.conf.local
... and change sec.example.org to sec.example.org.signed:
zone "example.org" {
        type slave;
        masters { 192.168.0.100; };
        allow-notify { 192.168.0.100; };
        allow-transfer { none; };
        file "/etc/bind/slave/sec.example.org.signed";
};
Restart BIND:
/etc/init.d/bind9 restart
If you have modified the zone file name in named.conf.local, there should now be two zone files for example.org in the slave/ directory, one with the old name and one with the new name:
ls -l slave/
root@server2:/etc/bind# ls -l slave/
total 16
-rw-r--r-- 1 bind bind 5578 Apr 13 10:24 sec.example.org
-rw-r--r-- 1 bind bind 5578 Apr 13 10:30 sec.example.org.signed
root@server2:/etc/bind#
Delete the one with the old name (it's unused now):
rm -f slave/sec.example.org
That's all for the slave. As you can see, no keys have to be created on or copied to the slave: the public DNSKEY records are part of the signed zone and arrive with the zone transfer, while the private keys stay on the master, which is the only machine that ever needs them.
5 Enabling DNSSEC On The Resolving DNS (server3)
server3 (resolver):
To make a resolving (recursive, non-authoritative) name server validate DNSSEC, you essentially make the same changes to named.conf.options as on the master and slave, i.e. set dnssec-enable yes;, dnssec-validation yes; and dnssec-lookaside auto; in the options area and include /etc/bind/bind.keys, which carries the root zone key (and the DLV key) as managed trust anchors:
cd /etc/bind
vi named.conf.options
options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        //bindkeys-file "/etc/bind/bind.keys";
};
include "/etc/bind/bind.keys";
Restart BIND:
/etc/init.d/bind9 restart
That would normally be sufficient for a resolver: it can now validate any zone whose chain of trust reaches the root zone key (or a DLV entry).
Now I want to test the signed example.org zone on the master and slave from this resolver with dig. Since I haven't submitted the DS records to the registry yet, there is no chain of trust from the root down to example.org, and the resolver would treat the zone as unsigned rather than validate it; therefore I have to change the configuration a bit.
First I modify /etc/resolv.conf so that this box uses its own BIND instance as its resolver:
vi /etc/resolv.conf
Remove or comment out all other nameservers so that the only nameserver is 127.0.0.1:
nameserver 127.0.0.1
Next open named.conf.options again...
vi named.conf.options
... and add the IP addresses of the master and the slave DNS server to the forwarders section AND add a managed-keys section that includes the KSK of the example.org zone (see chapter 2). The KSK serves as an explicit trust anchor for example.org while we test; once the DS records are published at your registry, the chain of trust runs from the root zone key already in bind.keys down to example.org and this extra anchor is no longer needed. Make sure you paste the KSK (flags 257), not the ZSK (flags 256), and copy it exactly: a trust anchor that does not match the DNSKEY in the zone makes every example.org answer fail validation with SERVFAIL. Note also that forwarders apply to all queries, not only to example.org, so revert this part (or limit it to a forward zone for example.org) when you are done testing:
options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        forwarders {
                192.168.0.100;
                192.168.0.101;
        };

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
};
include "/etc/bind/bind.keys";
managed-keys {
        example.org. initial-key 257 3 8 "AwEAAbjthg82WErIMm+gcsOeNlI6j7/9VuihQtYVnt9dOFWeddfZxlbv
        VIFKklxBLMmBt4Z5GULTDKg+2BA6hGq3UGTHJMg1cpYTZtUBF4R1LnxL
        2KB15rBFtU8b3C8OtrpGsEI/VUWeii5IPopFU04QMDCQkXBiulwHbG6Z
        cynlvYeaUC94CVabjTPpO95BysAZqBrxQsWyokMWwMtX6V0+uYlzGIU2
        OJazpYkWsIrAfpY2dRL15pugx4gCWMZwdsrfiHZSS7nlDCaDbAgsTS5t
        QiU4zy2YQ7vst7U4Zmh0+WbfHefeyVByCdiQaF2UmVsmnTxuEtu1Y3SS
        ClmDzq2/wW8=";
};
Restart BIND:
/etc/init.d/bind9 restart
Now we can test the example.org zone with DNSSEC:
dig +dnssec example.org
If everything goes well, you should get an answer with the ad flag set (ad = authenticated data, i.e. the resolver validated the signatures up to a configured trust anchor, here the example.org KSK from the managed-keys section). Without a usable trust anchor the flag is simply missing; a signature that fails to validate gives SERVFAIL instead of an answer:
root@server3:/etc/bind# dig +dnssec example.org
; <<>> DiG 9.7.3 <<>> +dnssec example.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 756
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;example.org. IN A
;; ANSWER SECTION:
example.org. 3600 IN A 1.2.3.4
example.org. 3600 IN RRSIG A 8 2 3600 20120514071934 20120413071934 31560 example.org. oGCbVz6tro67wrwDKeG5UOugTjGxXaC1BODdLZtNHo4NAk9iuTQIOdWb ITsNotXqx8qpwhVpxSXEqcjqdyAKH3530A/lxntEDJzAfzLP7sFIQfpY n2WedeFox6J9U1uNmkg45ddIsWE67AGC8emmsxj2+WieGJ4BpiIvaZgu OuI=
;; AUTHORITY SECTION:
example.org. 86400 IN NS server1.example.com.
example.org. 86400 IN NS server2.example.com.
example.org. 86400 IN RRSIG NS 8 2 86400 20120514071934 20120413071934 31560 example.org. OYzDYsxaKvzEmI+DCtgbjycy1I1l+O+42UwyR/YAKzEEwRTswIbj/cjb mBb7HmWJVHkqLHw/xWPt9MwjSPyJZyGQtVgrHhmxZSf1vNByqHFUevUh g1qsRBwFQfoayDKQWC77MkCn6qzYa5W4VxChDYP2rCkgaCuYnWLPm3o8 2RY=
;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Apr 13 10:37:42 2012
;; MSG SIZE rcvd: 453
root@server3:/etc/bind#
Congratulations! Everything is fine with your DNSSEC setup. Now you can have your registrar publish DS records for example.org in the parent zone. (At the time this tutorial was written, zones with an unsigned parent could instead upload their keys to a DLV repository such as https://dlv.isc.org/; ISC shut that registry down in 2017 and dnssec-lookaside has since been removed from current BIND releases, so today DS records at the registrar are the only option.) After the DS records are live, remove the managed-keys section for example.org from named.conf.options and restart BIND; repeat the dig test and check that the ad flag is still set, which proves that the chain of trust from the root zone now reaches your zone.
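To check the slave from chapter 4 and the resolver test from this chapter without reading dig output by eye, here is an added example script (not part of the original tutorial). Its parsing functions extract the ad flag and the RRSIG validity window from dig output and are tested offline against the answer shown above; the live functions check_slave and check_resolver assume the tutorial's addresses (192.168.0.100 master, 192.168.0.101 slave, the resolver on 127.0.0.1) and an installed dig. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: the checks behind the dig
# test as a script. The parsers work on saved dig output; check_slave() and
# check_resolver() run live queries and assume the tutorial's addresses and
# that dig is installed. Function names are this example's own.
set -eu

ZONE=example.org
MASTER=192.168.0.100
SLAVE=192.168.0.101
RESOLVER=127.0.0.1

# has_ad_flag FILE: true if the resolver set ad (authenticated data) on the answer.
has_ad_flag() {
    grep -q '^;; flags:.* ad[ ;]' "$1"
}

# rrsigs_valid_at NOW FILE: NOW is YYYYMMDDHHMMSS in UTC, the format dig uses for
# RRSIG timestamps; field 9 is the expiration, field 10 the inception. True only
# if FILE holds at least one RRSIG and every one covers NOW.
rrsigs_valid_at() {
    awk -v now="$1" '
        $4 == "RRSIG" { n++; if ($9 < now || $10 > now) bad++ }
        END { exit (n == 0 || bad > 0) }
    ' "$2"
}

# soa_serial_from_short: read "dig ... SOA +short" output on stdin, print the serial.
soa_serial_from_short() {
    awk '{ print $3; exit }'
}

# check_slave: the slave must serve the same zone version as the master and
# answer with DNSKEY records; otherwise the transfer has not happened yet or an
# unsigned copy is still being served.
check_slave() {
    m=$(dig @"$MASTER" "$ZONE" SOA +short | soa_serial_from_short)
    s=$(dig @"$SLAVE" "$ZONE" SOA +short | soa_serial_from_short)
    if [ "$m" != "$s" ]; then
        echo "slave serial $s differs from master serial $m: transfer pending or failed" >&2
        return 1
    fi
    if [ -z "$(dig @"$SLAVE" "$ZONE" DNSKEY +norecurse +short)" ]; then
        echo "slave answers without DNSKEY: it is serving an unsigned zone" >&2
        return 1
    fi
    echo "slave serves the signed zone, serial $s"
}

# check_resolver: SERVFAIL that turns into NOERROR with +cd (checking disabled)
# means the data arrived but failed validation (wrong trust anchor, missing DS,
# signatures outside their window). NOERROR without ad means no validation at all.
check_resolver() {
    out=$(mktemp)
    dig @"$RESOLVER" +dnssec "$ZONE" > "$out"
    if grep -q 'status: SERVFAIL' "$out"; then
        if dig @"$RESOLVER" +dnssec +cd "$ZONE" | grep -q 'status: NOERROR'; then
            echo "validation failure: answer only arrives with +cd" >&2
        else
            echo "$ZONE is not reachable from the resolver at all" >&2
        fi
        rm -f "$out"; return 1
    fi
    if ! has_ad_flag "$out"; then
        echo "answer returned but not authenticated (no ad flag)" >&2
        rm -f "$out"; return 1
    fi
    if ! rrsigs_valid_at "$(date -u +%Y%m%d%H%M%S)" "$out"; then
        echo "RRSIGs outside their validity window: re-sign the zone" >&2
        rm -f "$out"; return 1
    fi
    rm -f "$out"
    echo "$ZONE validates: ad flag set, RRSIGs current"
}

# sample_dig_output: the tutorial's answer from server3 (copied from the dig
# output above) so the parsers can be tested offline without a running resolver.
sample_dig_output() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 756
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1
;; QUESTION SECTION:
;example.org.   IN   A
;; ANSWER SECTION:
example.org.   3600   IN   A   1.2.3.4
example.org.   3600   IN   RRSIG   A 8 2 3600 20120514071934 20120413071934 31560 example.org. oGCbVz6tro67wrwDKeG5UOugTjGxXaC1BODdLZtNHo4NAk9iuTQIOdWb ITsNotXqx8qpwhVpxSXEqcjqdyAKH3530A/lxntEDJzAfzLP7sFIQfpY n2WedeFox6J9U1uNmkg45ddIsWE67AGC8emmsxj2+WieGJ4BpiIvaZgu OuI=
;; AUTHORITY SECTION:
example.org.   86400   IN   NS   server1.example.com.
example.org.   86400   IN   NS   server2.example.com.
example.org.   86400   IN   RRSIG   NS 8 2 86400 20120514071934 20120413071934 31560 example.org. OYzDYsxaKvzEmI+DCtgbjycy1I1l+O+42UwyR/YAKzEEwRTswIbj/cjb mBb7HmWJVHkqLHw/xWPt9MwjSPyJZyGQtVgrHhmxZSf1vNByqHFUevUh g1qsRBwFQfoayDKQWC77MkCn6qzYa5W4VxChDYP2rCkgaCuYnWLPm3o8 2RY=
EOF
}
```

The +cd distinction is the one to remember: a SERVFAIL that becomes an answer once checking is disabled is a validation failure (a mistyped managed-keys entry, a missing DS, expired signatures), not a reachability or configuration problem on the authoritative servers. Run check_slave from any host that can reach both authoritative servers and check_resolver on server3 itself.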