Configuring DNSSEC On BIND9 (9.7.3) On Debian Squeeze/Ubuntu 11.10 - Page 3

3 Modifying A Signed Zone (server1)

server1 (master):

If you want to modify the example.org zone (e.g. add/update/delete records), you don't modify pri.example.org.signed, but the unsigned version pri.example.org. After you are finished with your modifications, run

zonesigner -zone example.org pri.example.org

This will increase the serial number of the zone file (so you don't have to increase it manually) and create a new pri.example.org.signed file.

 

4 Enabling DNSSEC On The Slave (server2)

server2 (slave):

Go to the /etc/bind directory:

cd /etc/bind

Do the same changes to named.conf.options that you did on the master (set dnssec-enable yes;, dnssec-validation yes; and dnssec-lookaside auto; in the options area and include /etc/bind/bind.keys):

vi named.conf.options

options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        //bindkeys-file "/etc/bind/bind.keys";
};

include "/etc/bind/bind.keys";

That would be sufficient to configure DNSSEC on the slave, but I want the signed zone file to be named sec.example.org.signed instead of sec.example.org (this is just a personal preference and therefore optional), therefore I edit named.conf.local...

vi named.conf.local

... and change sec.example.org to sec.example.org.signed:

zone "example.org" {
        type slave;
        masters {192.168.0.100;};
        allow-notify {192.168.0.100;};
        allow-transfer {none;};
        file "/etc/bind/slave/sec.example.org.signed";
};

Restart BIND:

/etc/init.d/bind9 restart

If you have modified the zone file name in named.conf.local, there should now be two zone files for example.org in the slave/ directory, one with the old name and one with the new name:

ls -l slave/

root@server2:/etc/bind# ls -l slave/
total 16
-rw-r--r-- 1 bind bind 5578 Apr 13 10:24 sec.example.org
-rw-r--r-- 1 bind bind 5578 Apr 13 10:30 sec.example.org.signed
root@server2:/etc/bind#

Delete the one with the old name (it's unused now):

rm -f slave/sec.example.org

That's all for the slave - as you see, no keys have to be created or transferred (well, they are transferred as part of the signed zone).

 

5 Enabling DNSSEC On The Resolving DNS (server3)

server3 (resolver):

To make resolving, non-authoritative name servers speak and understand DNSSEC, you essentially just have to do the same changes to named.conf.options as on the master and slave, i.e. set dnssec-enable yes;, dnssec-validation yes; and dnssec-lookaside auto; in the options area and include /etc/bind/bind.keys:

cd /etc/bind
vi named.conf.options

options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        //bindkeys-file "/etc/bind/bind.keys";
};

include "/etc/bind/bind.keys";

Restart BIND:

/etc/init.d/bind9 restart

That would normally be sufficient for a resolver.

Now I want to test DNSSEC on the master and slave (test means I haven't submitted the DS records to the registry yet) with the dig command from this resolver, therefore I have to change the configuration a bit.

First I modify /etc/resolv.conf so that this box is the resolver's own client:

vi /etc/resolv.conf

Remove or comment out all other nameservers so that the only nameserver is 127.0.0.1:

nameserver 127.0.0.1

Next open named.conf.options again...

vi named.conf.options

... and add the IP addresses of the master and the slave DNS server to the forwarders section AND add a managed-keys section that includes the KSK from the example.org zone (see chapter 2) (this is our trust anchor right now so that we can test; after the DS records have been set up at your registry, this trust anchor isn't needed anymore because we have the root zone key in our configuration - in the bind.keys file):

options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        forwarders {
              192.168.0.100; 192.168.0.101;
        };

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
};

include "/etc/bind/bind.keys";

managed-keys {
        example.org. initial-key 257 3 8 "AwEAAbjthg82WErIMm+gcsOeNlI6j7/9VuihQtYVnt9dOFWeddfZxlbv VIFKklxBLMmBt4Z5GULTDKg+2BA6hGq3UGTHJMg1cpYTZtUBF4R1LnxL 2KB15rBFtU8b3C8OtrpGsEI/VUWeii5IPopFU04QMDCQkXBiulwHbG6Z cynlvYeaUC94CVabjTPpO95BysAZqBrxQsWyokMWwMtX6V0+uYlzGIU2 OJazpYkWsIrAfpY2dRL15pugx4gCWMZwdsrfiHZSS7nlDCaDbAgsTS5t QiU4zy2YQ7vst7U4Zmh0+WbfHefeyVByCdiQaF2UmVsmnTxuEtu1Y3SS ClmDzq2/wW8=";
};

Restart BIND:

/etc/init.d/bind9 restart

Now we can test the example.org zone with DNSSEC:

dig +dnssec example.org

If everything goes well, you should get an answer to the ad flag set (ad = authenticated data):

root@server3:/etc/bind# dig +dnssec example.org

; <<>> DiG 9.7.3 <<>> +dnssec example.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 756
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;example.org.                   IN      A

;; ANSWER SECTION:
example.org.            3600    IN      A       1.2.3.4
example.org.            3600    IN      RRSIG   A 8 2 3600 20120514071934 20120413071934 31560 example.org. 
oGCbVz6tro67wrwDKeG5UOugTjGxXaC1BODdLZtNHo4NAk9iuTQIOdWb ITsNotXqx8qpwhVpxSXEqcjqdyAKH3530A/lxntEDJzAfzLP7s
FIQfpY n2WedeFox6J9U1uNmkg45ddIsWE67AGC8emmsxj2+WieGJ4BpiIvaZgu OuI=

;; AUTHORITY SECTION:
example.org.            86400   IN      NS      server1.example.com.
example.org.            86400   IN      NS      server2.example.com.
example.org.            86400   IN      RRSIG   NS 8 2 86400 20120514071934 20120413071934 31560 example.org. 
OYzDYsxaKvzEmI+DCtgbjycy1I1l+O+42UwyR/YAKzEEwRTswIbj/cjb mBb7HmWJVHkqLHw/xWPt9MwjSPyJZyGQtVgrHhmxZSf1vNByqHFU
evUh g1qsRBwFQfoayDKQWC77MkCn6qzYa5W4VxChDYP2rCkgaCuYnWLPm3o8 2RY=

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Apr 13 10:37:42 2012
;; MSG SIZE  rcvd: 453

root@server3:/etc/bind#

Congratulations! Everything is fine with your DNSSEC setup. Now you can make your registrar create DS records in the parent zone or - if your parent zone isn't signed yet - upload your keys to a DLV repository such as https://dlv.isc.org/. After you have done that, you can remove the managed-keys section for example.org from the named.conf.options file and restart BIND.

Share this page:

1 Comment(s)

Add comment

Comments

From: Asterix at: 2013-06-23 15:58:56

The section that explains how to modify a zone doesn't work. the .signed file is not updated.