Configuring DNSSEC On BIND9 (9.7.3) On Debian Squeeze/Ubuntu 11.10 - Page 4
6 Setting The DS Record At The Registry / Setting A DLV Record
If your parent zone is signed, you should set the DS record at the registry - this is preferred over using DLV records at a DLV provider such as https://dlv.isc.org/.
(You can find a list of signed TLDs on http://stats.research.icann.org/dns/tld_report/ and http://www.tldwithdnssec.se/.)
Unfortunately this task cannot be automated. Some registrars allow you to upload your DS records (the contents of the /etc/bind/dsset-example.org. file) through their web interface, while others accept them by email. Contact your registrar and ask whether they support DNSSEC and what their preferred way of submitting DS records is.
If your parent zone isn't signed or your registrar has no way of submitting your DS records to the registry, you can use DLV. For example, you can go to https://dlv.isc.org/, register and follow their instructions.
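Once the registrar has processed your submission, it is worth confirming that the DS records the parent publishes really match the dsset-example.org. file zonesigner wrote, since a mismatched or stale DS at the parent makes the whole zone fail validation. The following script is an added example, not part of the original howto; it assumes the dsset file uses the "name IN DS keytag alg digesttype digest" layout and that "dig +short DS example.org" prints "keytag alg digesttype digest", and the key tags and digests in the sample data are made-up placeholders.

```shell
#!/bin/sh
# Added example: compare the DS records in a local dsset-<zone>. file with the
# DS RRset the parent actually serves (e.g. from "dig +short DS example.org").

# Normalise a DS RRset to one "keytag alg dtype DIGEST" line per record.
# $1 = field offset of the key tag: 4 for dsset lines ("name IN DS ..."),
# 1 for dig +short output. dig may split the digest into several tokens,
# so every field after the digest type is concatenated and upper-cased.
normalize_ds() {
    awk -v off="$1" '
        $0 ~ /^;/ || NF < off + 3 { next }          # skip comments, short lines
        {
            digest = ""
            for (i = off + 3; i <= NF; i++) digest = digest $i
            printf "%s %s %s %s\n", $off, $(off + 1), $(off + 2), toupper(digest)
        }' | sort
}

# ds_published LOCAL_DSSET_CONTENT PARENT_DS_CONTENT
# Returns 0 when every local DS record is published by the parent; otherwise
# prints each missing record (what still has to be submitted) and returns 1.
ds_published() {
    ds_local=$(printf '%s\n' "$1" | normalize_ds 4)
    ds_parent=$(printf '%s\n' "$2" | normalize_ds 1)
    ds_missing=$(printf '%s\n' "$ds_local" | while IFS= read -r rec; do
        [ -n "$rec" ] || continue
        printf '%s\n' "$ds_parent" | grep -qxF -e "$rec" \
            || printf 'MISSING at parent: %s\n' "$rec"
    done)
    [ -z "$ds_missing" ] && return 0
    printf '%s\n' "$ds_missing"
    return 1
}

# Real usage (needs network access), hypothetical paths from this howto:
#   ds_published "$(cat /etc/bind/dsset-example.org.)" "$(dig +short DS example.org)"

# Constructed sample data; key tags and digests are placeholders, not real keys.
LOCAL_DSSET='example.org.	IN DS 12345 8 1 0123456789ABCDEF0123456789ABCDEF01234567
example.org.	IN DS 12345 8 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF'
PARENT_DS_OK='12345 8 2 0123456789abcdef0123456789abcdef 0123456789abcdef0123456789abcdef
12345 8 1 0123456789ABCDEF0123456789ABCDEF01234567'
PARENT_DS_STALE='54321 8 2 FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210'
```

The stale case is what you see right after a KSK roll when the registrar still carries the old key tag; the script lists exactly the records that must be resubmitted.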
7 Key Rolling
server1 (master):
By default, keys (KSKs and ZSKs) expire after some time to make it harder for hackers to compromise them. You can set the expiry date with the -endtime switch when you run zonesigner together with the -genkeys switch. If you don't specify the -endtime switch, the value is taken from /etc/dnssec-tools/dnssec-tools.conf.
Because keys expire, we have to change them - this is called "key rolling". Fortunately, this task can be automated by a daemon called rollerd which takes care of creating new keys, signing zones, etc.
Go to /etc/bind:
cd /etc/bind
Create a file called all.rollrec that contains details about your signed zones, their keys, the contact person for the zone, etc.:
rollinit -zonefile /etc/bind/pri.example.org.signed -keyrec /etc/bind/example.org.krf -admin [email protected] example.org >> all.rollrec
Repeat this for every signed zone you have.
Then start the rollerd daemon as follows:
rollerd -rrfile /etc/bind/all.rollrec -directory /etc/bind
The service automatically goes to the background. Unfortunately it has no init script, so we have to add the command to /etc/rc.local (before the exit 0 line) to make it start automatically when the system boots:
vi /etc/rc.local
[...] /usr/sbin/rollerd -rrfile /etc/bind/all.rollrec -directory /etc/bind [...]
8 Automatic Zone File Checks With donutsd
server1 (master):
Finally we can set up automated zone file checks with donutsd (this is optional, but nice to have). donutsd is the daemon belonging to the donuts command we used earlier. It runs in the background, checks your signed zones from time to time and sends an email if there's anything wrong.
First, we create the file /etc/bind/checkzones.txt - it has the format <path to signed zone file> <zone name> <email of contact person>:
vi /etc/bind/checkzones.txt
Add your zones, one zone per line:
/etc/bind/pri.example.org.signed example.org [email protected]
Start the donutsd service afterwards:
donutsd -i /etc/bind/checkzones.txt &
Like rollerd, donutsd has no init script. Therefore we add the following command to /etc/rc.local (before the exit 0 line) to make it start automatically when the system boots:
vi /etc/rc.local
[...] /usr/sbin/donutsd -i /etc/bind/checkzones.txt & [...]
That's it! Have fun with your DNSSEC setup!
9 Links
- DNSSEC HOWTO, a tutorial in disguise: http://www.nlnetlabs.nl/publications/dnssec_howto/
- DNSSEC in 6 minutes: http://www.isc.org/files/DNSSEC_in_6_minutes.pdf
- DNSSEC background: https://dlv.isc.org/about/background
- ISC DLV Registry: https://dlv.isc.org/
- Root and DLV Trust Anchors (bind.keys): https://www.isc.org/bind-keys
- List of signed TLDs: http://stats.research.icann.org/dns/tld_report/ and http://www.tldwithdnssec.se/
- Debian: http://www.debian.org/
- Ubuntu: http://www.ubuntu.com/
About The Author
Falko Timme is the owner of Timme Hosting (ultra-fast nginx web hosting). He is the lead maintainer of HowtoForge (since 2005) and one of the core developers of ISPConfig (since 2000). He has also contributed to the O'Reilly book "Linux System Administration".