
DNSSEC

Implementing DNSSEC using Bind

Modifying a Signed Zone

All signed zones are located in /var/named/dnssec_zones. To modify a signed zone, edit the unsigned zone file in the same directory (e.g. /var/named/db.domain.gov), increment its time-stamp (the SOA serial), then sign the zone again with the existing keys using the following commands:

cd /var/dnssec
dnssec-signzone -a -k <KSK filename, without extension> -o domain.gov -e +7776000 /var/named/dnssec_zones/db.domain.gov <ZSK filename, without extension>

Note that you can find which key is the key signing key (KSK) and which one is the zone signing key (ZSK) by looking at the includes in the unsigned zone (e.g. /var/named/db.domain.gov).

After signing the new zone, you can simply reload the signed zone by running:

cd /var/named/dnssec_zones
reloadzones db.domain.gov.signed    <--- notice the .signed; it won't reload if you only give the .gov name
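To take the guesswork out of the "which include is the KSK" step, here is an added shell helper (not part of the original runbook) that reads the "; KSK" and "; ZSK" tags from the unsigned zone's $include lines, builds the same dnssec-signzone command used above, and refuses to sign if either tag is missing. The directories, the +7776000 expiry and the reloadzones helper are the page's; the function names and the sample zone are mine.

```shell
#!/bin/sh
# Added helper, not part of the original runbook: derive the KSK and ZSK from the
# "$include ... ; KSK" / "; ZSK" comment tags in an unsigned zone (the page says to
# do this by eye), then build and run the same dnssec-signzone command the page uses.
# Directory names and the default 90-day expiry (+7776000) are taken from the page.
WORK_DIR=/var/dnssec
ZONE_DIR=/var/named/dnssec_zones

# key_for_role <unsigned zone file> <KSK|ZSK>
# Prints the key name without its .key extension, the form dnssec-signzone expects.
# Only the exact role tag matches, so "pre-published ZSK" and "Standby ZSK" are skipped.
key_for_role() {
    awk -v role="$2" 'tolower($1) == "$include" {
        tag = $0; sub(/^[^;]*;[[:space:]]*/, "", tag); sub(/[[:space:]]+$/, "", tag)
        if (tag == role) { key = $2; sub(/.*\//, "", key); sub(/\.key$/, "", key); print key; exit }
    }' "$1"
}

# signzone_cmd <zone name> <unsigned zone file> [expiry, default +7776000]
# Prints the exact command line; fails if either role is missing rather than
# signing with a wrong or absent key.
signzone_cmd() {
    ksk=$(key_for_role "$2" KSK)
    zsk=$(key_for_role "$2" ZSK)
    if [ -z "$ksk" ] || [ -z "$zsk" ]; then
        echo "error: no '; KSK' and '; ZSK' \$include pair found in $2" >&2
        return 1
    fi
    printf 'dnssec-signzone -a -k %s -o %s -e %s %s %s\n' \
        "$ksk" "$1" "${3:-+7776000}" "$2" "$zsk"
}

# resign_zone <zone name> <unsigned zone file>
# Runs the command from the signing work directory, then reloads the .signed file
# with the page's reloadzones helper (the .signed suffix matters, see above).
resign_zone() {
    cmd=$(signzone_cmd "$1" "$2") || return 1
    (cd "$WORK_DIR" && $cmd) || return 1     # unquoted on purpose: split into arguments
    (cd "$ZONE_DIR" && reloadzones "$(basename "$2").signed")
}

# Constructed sample zone, only to show the resulting command; nothing is signed here.
sample=$(mktemp)
printf '$include /var/named/dnssec_keys/Kdomain.gov.+005+01729.key ; KSK\n' >  "$sample"
printf '$include /var/named/dnssec_keys/Kdomain.gov.+005+15032.key ; ZSK\n' >> "$sample"
printf '$include /var/named/dnssec_keys/Kdomain.gov.+005+20027.key ; pre-published ZSK\n' >> "$sample"
signzone_cmd domain.gov "$sample"
rm -f "$sample"
```

Call resign_zone domain.gov /var/named/dnssec_zones/db.domain.gov after bumping the serial; it exits non-zero before touching anything if the includes are not tagged.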

Signing a Zone

Here in this example, I sign domain.gov. You can use the same method to sign any zone for DNSSEC implementation.


cd /var/dnssec
dnssec-keygen -r /dev/urandom -f KSK -a RSASHA1 -b 2048 -n ZONE domain.gov
dnssec-keygen -r /dev/urandom -a RSASHA1 -b 1024 -e -n ZONE domain.gov
dnssec-keygen -r /dev/urandom -a RSASHA1 -b 1024 -e -n ZONE domain.gov

(yes, run it twice)

*Here is what's returned*

Kdomain.gov.+005+01729
Kdomain.gov.+005+15032
Kdomain.gov.+005+20027

Copy the *domain.gov*.key files to /var/named/dnssec_keys/

*Sign the zone*
vim /var/named/db.domain.gov

Add the following at the end of the zone and increment the timestamp of the zone:

$include /var/named/dnssec_keys/Kdomain.gov.+005+01729.key ; KSK
$include /var/named/dnssec_keys/Kdomain.gov.+005+15032.key ; ZSK
$include /var/named/dnssec_keys/Kdomain.gov.+005+20027.key ; pre-published ZSK

cd /var/dnssec
dnssec-signzone -a -k Kdomain.gov.+005+01729 -o domain.gov -e +7776000 /var/named/db.domain.gov Kdomain.gov.+005+15032

*Here is what's returned*

/var/named/db.domain.gov.signed

*Move both Zones (original and signed) to /var/named/dnssec_zones*

mv /var/named/db.domain.gov* /var/named/dnssec_zones

*Load the signed Zone*

vim /var/named/zones.dnssec

Add the zone section for domain.gov with the following:

zone "domain.gov" {
    type master;
    file "dnssec_zones/db.domain.gov.signed";
};

Remove the zone section for domain.gov from /var/named/zones.main

Move the regular zone to the dnssec_zones folder:

cd /var/named
svn move db.domain.gov dnssec_zones/

The customer needs /var/dnssec/keyset-domain.gov. to enable DNSSEC with the zone root servers:

$ORIGIN .
domain.gov 600 IN DNSKEY 257 3 5 (
        AwEAAcacKLXhmESZgCL7OlqNhH7W/FMdVndm
        zzxjJ3nzbvZyhasdfsdfsdfsdfdfdCMPtERd
        i6hi2bn5wasdfasdfasdfasdfasdfoh6M5fE
        nOGQkotJ976U8XpABg6SVlAPn+avTtG8zaJQ
        I63aJEx6O1/dhZ7ATTgzUxvuWmJQipcgApxZ
        158Cy175QsAjJtR2QBg+QYLCRfPWpXEYnFhI
        7DtAasdfasdfasdfasVxLQASgv4T0dmeyMFf
        7VC9dc9kXDasdfsdfsadfsadfasdfaDKMaFb
        ZiaasdfasdfasdfasdfasdfasdfasdfasL0m
        FfoOI1uYUM9cs16wRys6qXU=
        ) ; key id = 1729

*If the bind9 server is not set up for DNSSEC yet, do the following*

vim /etc/bind/named.conf.options

In the 'options' section add:

dnssec-enable yes;

Then restart bind:

/etc/init.d/bind9 restart

Now you are ready to upload the keyset you generated to the parent DNS delegate.

Rollover ZSK

Phase1

Rolling over ZSK for db.domain2.gov

Change the following lines in /var/named/dnssec_zones/db.domain2.gov

$include /var/named/dnssec_keys/Kdomain2.gov.+005+11011.key ; KSK
$include /var/named/dnssec_keys/Kdomain2.gov.+005+37064.key ; ZSK
$include /var/named/dnssec_keys/Kdomain2.gov.+005+03968.key ; pre-published ZSK

to:

$include /var/named/dnssec_keys/Kdomain2.gov.+005+11011.key ; KSK
$include /var/named/dnssec_keys/Kdomain2.gov.+005+37064.key ; Standby ZSK
$include /var/named/dnssec_keys/Kdomain2.gov.+005+03968.key ; ZSK

Update the timestamp then sign the zone with the Standby ZSK (which would make it the active ZSK) using this command:

# cd /var/dnssec
# dnssec-signzone -a -k Kdomain2.gov.+005+11011 -o domain2.gov -e +15552000 /var/named/dnssec_zones/db.domain2.gov Kdomain2.gov.+005+03968

*Here is what's returned*

/var/named/dnssec_zones/db.domain2.gov.signed

Regenerating Keys

  1. Generate new keys for the domain in question
     cd /var/dnssec
     dnssec-keygen -r /dev/urandom -f KSK -a RSASHA1 -b 2048 -n ZONE [domain.tld]
     dnssec-keygen -r /dev/urandom -a RSASHA1 -b 1024 -e -n ZONE [domain.tld]
     dnssec-keygen -r /dev/urandom -a RSASHA1 -b 1024 -e -n ZONE [domain.tld]
     cp K[domain.tld]*.key /var/named/dnssec_keys/
  2. Generate a new zone file (do not overwrite the existing zone)
     cp /var/named/db.[domain.tld] /var/named/new.[domain.tld]
  3. Update the new zone file (vim /var/named/new.[domain.tld])
     Replace the existing key include lines, shown below, with the new key names produced in step #1
     $include /var/named/dnssec_keys/K[domain.tld].+005+01729.key ; KSK
     $include /var/named/dnssec_keys/K[domain.tld].+005+15032.key ; ZSK
     $include /var/named/dnssec_keys/K[domain.tld].+005+20027.key ; pre-published ZSK
  4. Sign the new zone file
     cd /var/dnssec
     dnssec-signzone -a -k K[domain.tld].+005+01729 -o [domain.tld] -e +7776000 /var/named/new.[domain.tld] K[domain.tld].+005+15032
     mv /var/named/new.[domain.tld].signed /var/named/dnssec_zones
  5. Provide the customer with the updated public key from /var/dnssec/keyset-domain.tld.signed
  6. Schedule the cut-over from the old zone file to the new one; this should be done in concert with the customer's update of the registrar's TLD copy
     mv /var/named/dnssec_zones/new.[domain.tld].signed /var/named/dnssec_zones/db.[domain.tld].signed
     rndc reload [domain.tld]