1) A working BIND nameserver
2) A DNSSEC-friendly registrar like dyndns.com
3) A domain; I'll use example.org for documentation purposes.
Once you have the zone for example.org stored in a file db.example.org, run these commands:
1. Create your key-signing key (KSK). "DNSKEY 257" inside the resulting key file indicates it's a KSK. Note the name of the produced KSK file for the later commands:
$ dnssec-keygen -r /dev/random -f KSK -a RSASHA1 -b 2048 -n ZONE example.org
2. Create your zone-signing key (ZSK). "DNSKEY 256" inside the resulting key file indicates it's a ZSK. Note the name of the produced ZSK file for the later commands:
$ dnssec-keygen -r /dev/random -a RSASHA1 -b 1024 -n ZONE example.org
3. Create a DS record for uploading to your registrar (dyndns.com):
$ dnssec-dsfromkey -a sha-256 Kexample.org.+<rest of KSK filename> > dskey.key
4. Include the keys in your zone by appending these two lines to db.example.org:
$INCLUDE Kexample.org.+<rest of KSK filename>
$INCLUDE Kexample.org.+<rest of ZSK filename>
5. Sign the zone. Note that this has to be redone at least monthly:
$ dnssec-signzone -r /dev/random -o example.org -k Kexample.org.+<rest of KSK filename> db.example.org Kexample.org.+<rest of ZSK filename>
6. Turn on DNSSEC in BIND: in /etc/bind/named.conf.options (usually), add or uncomment "dnssec-enable yes;" and "dnssec-validation yes;".
7. Copy the resulting db.example.org.signed to wherever BIND previously read the zone from, and run:
$ rndc reload
8. To check, run this from a DNSSEC-aware client (the "ad" flag in the reply means the answer was validated):
$ dig @<ip of your nameserver> example.org +dnssec | grep flags | head -1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 5
9. Update your registrar with the DS record.
Log in to your registrar (dyndns.com for this example).
Go to "My Zones/Domains".
Click on the domain to manage.
Click on "Create New DS Record".
Fill out the form with:
New Key Tag = the 5-digit number from the filename of your KSK.
DNSKEY Alg = RSA/SHA-1
Digest Type = SHA-256
Digest Value = cut/paste the 56 hex digits from the 7th column of dskey.key
10. This may take a while to propagate. Once propagated, you can check again from any DNSSEC-aware client (see other posts tagged DNSSEC) with:
$ dig @localhost example.org +dnssec | grep flags | head -1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 5
11. Implement a plan to update the serial number and re-sign the zone before the key expires (somewhere around 28 days). Your DNS will disappear for all DNSSEC-aware clients if your key expires. I believe OS X clients are DNSSEC-aware by default.
Now the rest of the world will be able to securely look up your DNS records. Besides the obvious benefits, this makes secondary uses of DNS such as SPF, DKIM, and SSH host keys more secure. SSH will not accept host keys without user intervention unless they are DNSSEC-protected.