Configuring DNSSEC On BIND9 (9.7.3) On Debian Squeeze/Ubuntu 11.10 - Page 4

6 Setting The DS Record At The Registry / Setting A DLV Record

If your parent zone is signed, you should set the DS record at the registry - this is preferred over using DLV records at a DLV provider such as https://dlv.isc.org/.

(You can find a list of signed TLDs on http://stats.research.icann.org/dns/tld_report/ and http://www.tldwithdnssec.se/.)

Unfortunately this task cannot be automated. Some registrars allow you to upload your DS records (the contents of the /etc/bind/dsset-example.org. file) through their web interface; others accept them by email. Contact your registrar and ask whether they support DNSSEC and how they prefer to receive your DS records.

If your parent zone isn't signed or your registrar has no way of submitting your DS records to the registry, you can use DLV. For example, you can go to https://dlv.isc.org/, register and follow their instructions.
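Once the registrar reports the submission as done, it is worth checking that the DS records the parent now publishes really match the ones in your dsset file (a stale or mistyped DS at the parent breaks validation for the whole zone). The script below is an added example, not part of the tutorial or of dnssec-tools; the dsset contents and the parent's answer are constructed samples with placeholder digests, and in practice you would paste in the output of `dig +short DS example.org` from a parent nameserver.

```python
import re

# Constructed sample: what zonesigner wrote to /etc/bind/dsset-example.org.
# (placeholder digests, not real key material).
DSSET_FILE = """\
example.org.\tIN DS 12345 8 1 0123456789ABCDEF0123456789ABCDEF01234567
example.org.\tIN DS 12345 8 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
"""

# Constructed sample of what the parent zone answers, in the bare rdata form
# `dig +short DS example.org` prints. Only the SHA-256 DS was submitted.
PARENT_DS = """\
12345 8 2 0123456789abcdef 0123456789abcdef 0123456789abcdef 0123456789abcdef
"""

def parse_ds(text):
    """Return a set of (key_tag, algorithm, digest_type, digest) tuples from
    full RR lines ('example.org. [TTL] IN DS ...') or bare dig +short rdata.
    Digests are lowercased and joined, so case/whitespace differences vanish."""
    records = set()
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        fields = line.split()
        if "DS" in fields:  # full RR line: keep only the rdata after 'DS'
            fields = fields[fields.index("DS") + 1:]
        if len(fields) < 4:
            raise ValueError("malformed DS line: %r" % line)
        tag, alg, dtype = (int(f) for f in fields[:3])
        digest = "".join(fields[3:]).lower()
        if not re.fullmatch(r"[0-9a-f]+", digest):
            raise ValueError("non-hex digest in DS line: %r" % line)
        records.add((tag, alg, dtype, digest))
    return records

def compare_ds(local_text, parent_text):
    """Split local DS records into published / missing at the parent, plus
    parent records with no local counterpart (e.g. a DS for a rolled-away key)."""
    local, parent = parse_ds(local_text), parse_ds(parent_text)
    return {"published": sorted(local & parent),
            "missing_at_parent": sorted(local - parent),
            "stale_at_parent": sorted(parent - local)}

if __name__ == "__main__":
    for state, records in compare_ds(DSSET_FILE, PARENT_DS).items():
        for tag, alg, dtype, _ in records:
            print("%-18s key tag %d, algorithm %d, digest type %d" % (state, tag, alg, dtype))
```

A non-empty missing_at_parent list after the registrar's change has propagated means the submission was incomplete; a non-empty stale_at_parent list means an old DS should be withdrawn.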


7 Key Rolling

server1 (master):

By default, keys (KSKs and ZSKs) expire after some time to make it harder for attackers to compromise them. You can set the expiry date with the -endtime switch when you run zonesigner together with the -genkeys switch. If you don't specify -endtime, the value is taken from /etc/dnssec-tools/dnssec-tools.conf.

Because keys expire, we have to change them - this is called "key rolling". Fortunately, this task can be automated by a daemon called rollerd which takes care of creating new keys, signing zones, etc.

Go to /etc/bind:

cd /etc/bind

Create a file called all.rollrec that contains details about your signed zones, their keys, the contact person for the zone, etc.:

rollinit -zonefile /etc/bind/pri.example.org.signed -keyrec /etc/bind/example.org.krf -admin zonemaster@example.com example.org >> all.rollrec

Repeat this for every signed zone you have.

Then start the rollerd daemon as follows:

rollerd -rrfile /etc/bind/all.rollrec -directory /etc/bind

The service automatically goes to the background. Unfortunately it has no init script, so we have to add the command to /etc/rc.local (before the exit 0 line) to make it start automatically when the system boots:

vi /etc/rc.local

[...]
/usr/sbin/rollerd -rrfile /etc/bind/all.rollrec -directory /etc/bind
[...]


8 Automatic Zone File Checks With donutsd

server1 (master):

Finally, we can set up automated zone file checks with donutsd (this is optional, but nice to have). donutsd is the daemon belonging to the donuts command we used earlier. It runs in the background, checks your signed zones periodically and sends an email if anything is wrong.

First, we create the file /etc/bind/checkzones.txt. Each line has the format <path to signed zone file> <zone name> <email of contact person>:

vi /etc/bind/checkzones.txt

Add your zones, one zone per line:

/etc/bind/pri.example.org.signed       example.org      zonemaster@example.com

Start the donutsd service afterwards:

donutsd -i /etc/bind/checkzones.txt &

Like rollerd, donutsd has no init script. Therefore we add the following command to /etc/rc.local (before the exit 0 line) to make it start automatically when the system boots:

vi /etc/rc.local

[...]
/usr/sbin/donutsd -i /etc/bind/checkzones.txt &
[...]

That's it! Have fun with your DNSSEC setup!


9 Links


About The Author

Falko Timme is the owner of nginx-WebhostingTimme Hosting (ultra-fast nginx web hosting). He is the lead maintainer of HowtoForge (since 2005) and one of the core developers of ISPConfig (since 2000). He has also contributed to the O'Reilly book "Linux System Administration".


Comments

From: Norbert Seibert at: 2012-09-11 05:02:16

Seems to me as if the IP addresses for NS1 and NS2 are backwards.

In the example NS1 has 192.168.0.100 as master.

NS2 has 192.168.0.101 as slave.

Later on the master shows as 192.168.0.101 and the slave is 192.168.0.100.

Actually no big deal, however someone that strictly follows the howto will possibly wind up in the dark.

Cheers

From: Raman at: 2013-02-15 15:30:35

Setting up DNSSEC on my Nameservers was actually a breeze with this excellent tutorial. Thanks a million.

From: coldje at: 2013-09-29 15:49:10

The example file:  pri.example.org  sometimes shows example.com and other times example.org.  Which is it?  This is so confusing.  Where's the example sec.example.org file?

From: Asterix at: 2013-06-23 15:58:56

The section that explains how to modify a zone doesn't work. The .signed file is not updated.

From: Popi at: 2013-10-29 08:59:23

Very good tutorial which makes DNSSEC surprisingly easy to implement!

From: tom at: 2015-01-20 16:54:36

Nice howto. I tried it on a server with ispconfig3. Unfortunately ISPConfig deletes some same manual configs whenever a DNS zone file is changed. Any ideas to solve that?