Implementing DNSSEC using Bind

Modifying a Signed Zone

All signed zones are located in /var/named/dnssec_zones. To modify a signed zone, simply modify the unsigned zone file in the same directory (e.g. /var/named/db.domain.gov), increment its time-stamp, then sign the zone again with the existing keys using the following commands:

    cd /var/dnssec
    dnssec-signzone -a -k <KSK filename, without extension> -o domain.gov -e +7776000 /var/named/dnssec_zones/db.domain.gov <ZSK filename, without extension>

Note that you can find which key is the key signing key (KSK) and which one is the zone signing key (ZSK) by looking at the includes in the unsigned zone (e.g. /var/named/db.domain.gov).

After signing the new zone, you can simply reload the signed zone by running:

    cd /var/named/dnssec_zones
    reloadzones db.domain.gov.signed     <--- notice the .signed; it won't reload if you just give db.domain.gov

Signing a Zone

In this example I sign domain.gov. You can use the same method to sign any zone for DNSSEC implementation.

    cd /var/dnssec
    dnssec-keygen -r /dev/urandom -f KSK -a RSASHA1 -b 2048 -n ZONE domain.gov
    dnssec-keygen -r /dev/urandom -a RSASHA1 -b 1024 -e -n ZONE domain.gov
    dnssec-keygen -r /dev/urandom -a RSASHA1 -b 1024 -e -n ZONE domain.gov     (yes, run it twice)

*Here is what's returned*

    Kdomain.gov.+005+01729
    Kdomain.gov.+005+15032
    Kdomain.gov.+005+20027

Copy the *domain.gov*.key files to /var/named/dnssec_keys/.

*Sign the zone*

Add the following at the end of the zone and increment the timestamp of the zone:

    $include /var/named/dnssec_keys/Kdomain.gov.+005+01729.key ; KSK
    $include /var/named/dnssec_keys/Kdomain.gov.+005+15032.key ; ZSK
    $include /var/named/dnssec_keys/Kdomain.gov.+005+20027.key ; pre-published ZSK

Then sign it with dnssec-signzone (the same command as under Modifying a Signed Zone, with the KSK and ZSK names from the includes):

    cd /var/dnssec

*Here is what's returned*

    /var/named/db.domain.gov.signed

*Move both Zones (original and signed) to /var/named/dnssec_zones*

    mv /var/named/db.domain.gov* /var/named/dnssec_zones

*Load the signed Zone*

    vim /var/named/zones.dnssec

Add the zone section for domain.gov with the following:

    zone "domain.gov" {
        type master;
        file "dnssec_zones/db.domain.gov.signed";
    };

Remove the zone section for domain.gov from /var/named/zones.main.

Move the regular zone to the dnssec_zones folder:

    cd /var/named
    svn move db.domain.gov dnssec_zones/

The customer needs /var/dnssec/keyset-domain.gov. to enable DNSSEC with the zone root servers.

*If the bind9 server is not set up for dnssec yet, do the following*

    vim /etc/bind/named.conf.options

In the 'options' section add:

    dnssec-enable yes;

then restart bind:

    /etc/init.d/bind9 restart

Now you are ready to upload the keyset you generated to the parent DNS delegate.

Rollover ZSK

Phase 1: Rolling over the ZSK for db.domain2.gov

Change the following lines in /var/named/dnssec_zones/db.domain2.gov:

    $include /var/named/dnssec_keys/Kdomain2.gov.+005+11011.key ; KSK
    $include /var/named/dnssec_keys/Kdomain2.gov.+005+37064.key ; ZSK
    $include /var/named/dnssec_keys/Kdomain2.gov.+005+03968.key ; pre-published ZSK

to:

    $include /var/named/dnssec_keys/Kdomain2.gov.+005+11011.key ; KSK
    $include /var/named/dnssec_keys/Kdomain2.gov.+005+37064.key ; Standby ZSK
    $include /var/named/dnssec_keys/Kdomain2.gov.+005+03968.key ; ZSK

Update the timestamp, then sign the zone with the Standby ZSK (which would make it the active ZSK) using this command (the -e value is one argument, with no space after the +; -f names the signed output file, which is also the default):

    # cd /var/dnssec
    # dnssec-signzone -a -k Kdomain2.gov.+005+11011 -o domain2.gov -e +15552000 \
        -f /var/named/dnssec_zones/db.domain2.gov.signed \
        /var/named/dnssec_zones/db.domain2.gov Kdomain2.gov.+005+03968
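As an added example (not from the original page), a small Python helper that does the Phase 1 bookkeeping on a zone file laid out like the one above: it reads the key roles from the $include comments (the way the page says to tell KSK from ZSK), promotes the pre-published ZSK to ZSK and demotes the old ZSK to Standby ZSK, bumps the SOA serial (assumed here to be the "timestamp", on a line carrying a "; serial" comment), and builds the dnssec-signzone command line as run from /var/dnssec. ZONE is a constructed sample using the key names from the Phase 1 section; a second rollover is refused because no pre-published key is left to roll to.

```python
import os
import re

# Constructed sample zone: an SOA whose serial line carries a "; serial"
# comment (assumption), followed by the three $include lines from the
# Phase 1 section (KSK, active ZSK, pre-published ZSK).
ZONE = """\
$TTL 3600
@ IN SOA ns1.domain2.gov. hostmaster.domain2.gov. (
        2024010101 ; serial
        3600 900 1209600 300 )
$include /var/named/dnssec_keys/Kdomain2.gov.+005+11011.key ; KSK
$include /var/named/dnssec_keys/Kdomain2.gov.+005+37064.key ; ZSK
$include /var/named/dnssec_keys/Kdomain2.gov.+005+03968.key ; pre-published ZSK
"""

INCLUDE_RE = re.compile(r"^\$include\s+(\S+)\s*;\s*(\S.*?)\s*$", re.I | re.M)
SERIAL_RE = re.compile(r"^(\s*)(\d+)(\s*;\s*serial)", re.I | re.M)
# Phase 1 role changes: the pre-published key becomes active, the active key stands by.
ROLLOVER = {"pre-published ZSK": "ZSK", "ZSK": "Standby ZSK"}


def key_roles(zone_text):
    """Map each role comment to its key name without path or .key suffix."""
    return {role: re.sub(r"\.key$", "", os.path.basename(path))
            for path, role in INCLUDE_RE.findall(zone_text)}


def bump_serial(zone_text):
    """Increment the SOA serial so secondaries and resolvers pick up the re-signed zone."""
    m = SERIAL_RE.search(zone_text)
    if not m:
        raise ValueError("no SOA serial line with a '; serial' comment")
    return zone_text[: m.start(2)] + str(int(m.group(2)) + 1) + zone_text[m.end(2):]


def rollover_zsk(zone_text):
    """Rewrite the $include comments for Phase 1 of the ZSK rollover and bump the serial."""
    if "pre-published ZSK" not in key_roles(zone_text):
        raise ValueError("no pre-published ZSK: nothing to roll to")
    swapped = INCLUDE_RE.sub(
        lambda m: f"$include {m.group(1)} ; {ROLLOVER.get(m.group(2), m.group(2))}", zone_text)
    return bump_serial(swapped)


def signzone_argv(zone, roles, zone_path, expiry="+7776000"):
    """Build the dnssec-signzone command the page runs from /var/dnssec (keys by bare name)."""
    return ["dnssec-signzone", "-a", "-k", roles["KSK"], "-o", zone,
            "-e", expiry, zone_path, roles["ZSK"]]
```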
Regenerating Keys