BIND – preparing for DNSSEC

“The Domain Name System Security Extensions (DNSSEC) is a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. It is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.” (Wikipedia)

Preparing your domain for DNSSEC and signing it is a fairly straightforward task. In this post I will be signing one of my domains, and publishing the new signed domain. I am working on an install based on the following -:

BIND home – /chroot/named
BIND config – /chroot/named/etc
Zone files – /chroot/named/etc/pri

Preparing and generating DNSSEC keys

Firstly, create a folder to keep all of your key files in; in my case I chose /chroot/named/etc/keys

mkdir /chroot/named/etc/keys
chown bind.bind /chroot/named/etc/keys
cd /chroot/named/etc/keys

Next you need to tell BIND where your keys are stored, so add the following to named.conf (BIND runs chrooted here, so the path is relative to /chroot/named and /etc/keys is /chroot/named/etc/keys on disk)

key-directory "/etc/keys";

Now generate key files for the domain you are signing. The first command generates the zone-signing key (ZSK); the second, with -k, generates the key-signing key (KSK) -:

dnssec-keygen -a rsasha1 -b 1024 -n zone netwizards.co.uk
dnssec-keygen -k -a rsasha1 -b 1024 -n zone netwizards.co.uk

Add keys to zone file

Now you need to add the key information to your zone file, this is simply achieved with one command (replacing the paths to suit your install) -:

cat Knetwizards.co.uk.*.key >> /chroot/named/etc/pri/netwizards.co.uk

Sign your zone

Now you can sign your zone; again this is a fairly painless process -:

cd /chroot/named/etc/pri
dnssec-signzone -t -g -o netwizards.co.uk netwizards.co.uk \
   /chroot/named/etc/keys/Knetwizards.co.uk.+005+21018.private

If you get an error at this point you are using the wrong key file; you will have two to choose from, so just try the other.

Publish the zone file

Now that you have signed your zone, you need to publish the signed zone: simply add .signed to the end of the zone filename in your zone definition. I have also added an update-policy to enable secure updates via nsupdate -:

zone "netwizards.co.uk" IN {
   type master;
   file "pri/netwizards.co.uk.signed";
   update-policy {
      grant netwizards.co.uk subdomain netwizards.co.uk. any;
   };
};

That’s it. Restart BIND, and if you have any slave servers they don’t need any work; they will just publish what the master tells them.
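To take the guesswork out of which of the two key files to hand to dnssec-signzone, the following added example (my own helper, not part of the original post or of BIND) reads the DNSKEY records appended to the zone file, computes each key's tag as defined in RFC 4034 Appendix B, and reports the matching K<zone>.+<alg>+<tag>.private file name together with whether the key is the KSK (flags 257) or the ZSK (flags 256). The two DNSKEY lines and their tiny public keys are constructed for the example and are not real RSA keys.

```python
import base64

# Constructed sample: two DNSKEY records in the form dnssec-keygen writes to
# K<zone>.+<alg>+<tag>.key files (fake 3-byte public keys, not real RSA keys).
SAMPLE_KEYS = """\
netwizards.co.uk. IN DNSKEY 257 3 5 AQID
netwizards.co.uk. IN DNSKEY 256 3 5 AQID
"""

KSK_FLAGS = 257  # zone key + SEP bit: key-signing key
ZSK_FLAGS = 256  # zone key only: zone-signing key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1/RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskeys(text: str):
    """Return [(owner, flags, algorithm, tag)] for every DNSKEY line in text."""
    keys = []
    for line in text.splitlines():
        fields = line.split(";")[0].split()   # drop comments, tolerate TTL/class
        if "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")
        flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
        pubkey = base64.b64decode("".join(fields[i + 4:]))
        # RDATA wire format: flags(2) | protocol(1) | algorithm(1) | public key
        rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
        keys.append((fields[0], flags, alg, key_tag(rdata)))
    return keys


def private_key_file(owner: str, alg: int, tag: int) -> str:
    """File name dnssec-keygen uses: K<owner>+<alg, 3 digits>+<tag, 5 digits>.private"""
    return f"K{owner}+{alg:03d}+{tag:05d}.private"


def describe_keys(text: str):
    """Map each key file name to its role so the right one goes to dnssec-signzone."""
    roles = {KSK_FLAGS: "KSK", ZSK_FLAGS: "ZSK"}
    return {private_key_file(o, a, t): roles.get(f, f"flags={f}")
            for o, f, a, t in parse_dnskeys(text)}


if __name__ == "__main__":
    for name, role in describe_keys(SAMPLE_KEYS).items():
        print(f"{role}: {name}")
```

Run it against the real zone file instead of SAMPLE_KEYS and the KSK line names the .private file to pass to dnssec-signzone, while the printed tags should match the numbers in your K*.key file names.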
