How to run NSD with DNSSEC on Ubuntu 11.10

Domain Name System Security Extensions (DNSSEC) is a set of extensions to DNS, specified in 2005 by RFCs 4033, 4034 and 4035 and amended by several later RFCs.
DNSSEC adds end-to-end security: it gives DNS clients origin authentication of DNS data, so a validating resolver can check that the records it received were signed by the zone owner.

To install and configure NSD please refer to my article How to configure master and slave NSD on Ubuntu 11.10.
Here I’m going to show you the basic steps to make your zones signed.

[Jan Piet Mens @digdns suggests:

Tired of issuing sudo?
With the command sudo -i you open a bash shell as root, so…]

Prepare the new tree just to keep things clear:
sudo mkdir /etc/nsd3/SIGNED /etc/nsd3/KSK /etc/nsd3/ZSK

Time to install ldns, an NLnet Labs project:
sudo apt-get install ldnsutils

and, using the zone myzone.demo created in my previous article, issue the following commands to create two keys, a zone signing key (ZSK) and a key signing key (KSK):

cd /etc/nsd3/ZSK
sudo ldns-keygen -a RSASHA1_NSEC3 -b 1024 myzone.demo
cd /etc/nsd3/KSK
sudo ldns-keygen -a RSASHA1_NSEC3 -b 2048 -k myzone.demo

Key creation is a time-consuming task (how long depends on your CPU), so be patient.

ldns-keygen creates three files: a .key file with the public DNSKEY record, a .private file with the private key data, and a .ds file with the DS record derived from that DNSKEY record.

Let’s check:
sudo ls /etc/nsd3/KSK
Kmyzone.demo.+007+22050.ds
Kmyzone.demo.+007+22050.key
Kmyzone.demo.+007+22050.private

sudo ls /etc/nsd3/ZSK
Kmyzone.demo.+007+22049.ds
Kmyzone.demo.+007+22049.key
Kmyzone.demo.+007+22049.private

Edit /etc/nsd3/nsd.conf to change the path for the signed zones:
zonesdir: "/etc/nsd3/SIGNED"

More changes:
zone:
name: "myzone.demo"
zonefile: "myzone.demo.zone.signed"

Now use the ldns-signzone command to sign myzone.demo and produce a new zone file ready for DNSSEC queries.

sudo ldns-signzone /etc/nsd3/UNSIGNED/myzone.demo.zone /etc/nsd3/KSK/Kmyzone.demo.+007+22050 /etc/nsd3/ZSK/Kmyzone.demo.+007+22049 -f /etc/nsd3/SIGNED/myzone.demo.zone.signed

I just created an easy shell script to automate the process of zone signing:

#!/bin/bash
# Usage: ./signzone myzone.demo
# Run as root (for example after sudo -i): it writes into /etc/nsd3/SIGNED.
set -e

DOMAIN=$1
[ -n "$DOMAIN" ] || { echo "Usage: $0 <domain>" >&2; exit 1; }
ZONE=/etc/nsd3/UNSIGNED/$DOMAIN.zone

# Look for each key in its own directory rather than in the current one, so
# the script works wherever it is started from. Should a directory hold more
# than one key for the zone, the largest key file wins.
pick_key() {
    find "$1" -name "K$DOMAIN.+007+*.key" -printf '%s %f\n' | sort -nr | head -1 | sed 's/^[0-9]\+ //;s/\.key$//'
}
echo "Finding a proper Key signing key for $DOMAIN"
KSK=$(pick_key /etc/nsd3/KSK)
echo "Finding a proper Zone signing key for $DOMAIN"
ZSK=$(pick_key /etc/nsd3/ZSK)
[ -n "$KSK" ] && [ -n "$ZSK" ] || { echo "No keys found for $DOMAIN" >&2; exit 1; }

echo "Signing zone $ZONE with KSK $KSK and ZSK $ZSK"
ldns-signzone "$ZONE" "/etc/nsd3/KSK/$KSK" "/etc/nsd3/ZSK/$ZSK" -f "/etc/nsd3/SIGNED/$DOMAIN.zone.signed"

Try a query to check that the DNSSEC records (DNSKEY and NSEC) are now served:
dig +norec @localhost -t ANY myzone.demo

; <<>> DiG 9.7.3 <<>> +norec @localhost -t ANY myzone.demo
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<-
;; flags: qr aa; QUERY: 1, ANSWER: 12, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;myzone.demo. IN ANY

;; ANSWER SECTION:
myzone.demo. 600 IN SOA ns1.myzone.demo. hostmaster.myzone.demo. 2012041402 86400 7200 604800 86400
myzone.demo. 3600 IN A 192.0.2.10
myzone.demo. 3600 IN NS ns1.myzone.demo.
myzone.demo. 3600 IN NS ns2.myzone.demo.
myzone.demo. 3600 IN MX 0 aspmx.l.google.com.
myzone.demo. 3600 IN MX 5 alt1.aspmx.l.google.com.
myzone.demo. 3600 IN MX 5 alt2.aspmx.l.google.com.
myzone.demo. 3600 IN MX 10 aspmx2.googlemail.com.
myzone.demo. 3600 IN MX 10 aspmx3.googlemail.com.
myzone.demo. 600 IN DNSKEY 256 3 7 AwEAAeUOnBNBlI/U4Awgm4M/cas5U8OD
myzone.demo. 600 IN DNSKEY 257 3 7 AwEAAQFk7s2/BykQQi9ptOiDz9W5xErG6Q==
myzone.demo. 86400 IN NSEC ftp.myzone.demo. A NS SOA MX RRSIG NSEC DNSKEY

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Apr 16 18:13:42 2012
;; MSG SIZE rcvd: 380
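
The signed file written by ldns-signzone also contains RRSIG records, which dig only returns when asked with +dnssec (none appear in the output above). Every RRSIG carries an inception and an expiration time, so the signing script has to be re-run before the signatures expire. The following checker is an added example, not code from the original post or from ldns; the zone fragment it parses is constructed, with dummy signature data, in the one-record-per-line layout that ldns-signzone produces.

```python
from datetime import datetime, timedelta, timezone

# Constructed fragment of a signed zone (signature data shortened to a dummy
# value); RRSIG RDATA is: type-covered alg labels orig-ttl expiration
# inception key-tag signer signature.
SAMPLE_SIGNED_ZONE = """\
myzone.demo.\t3600\tIN\tA\t192.0.2.10
myzone.demo.\t3600\tIN\tRRSIG\tA 7 2 3600 20120514161342 20120416161342 22049 myzone.demo. c29tZXNpZw==
myzone.demo.\t600\tIN\tDNSKEY\t257 3 7 AwEAAQ==
myzone.demo.\t600\tIN\tRRSIG\tDNSKEY 7 2 600 20120514161342 20120416161342 22050 myzone.demo. c29tZXNpZw==
"""

def parse_time(stamp):
    """RRSIG timestamps are YYYYMMDDHHMMSS in UTC (RFC 4034 section 3.2)."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsigs(zone_text):
    """Yield (owner, type covered, key tag, inception, expiration) for each
    RRSIG line; assumes owner, TTL and class are present on every line."""
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 13 or fields[3] != "RRSIG":
            continue
        yield (fields[0], fields[4], int(fields[10]),
               parse_time(fields[9]), parse_time(fields[8]))

def check_signatures(zone_text, now=None, warn_days=7):
    """Classify each RRSIG as not-yet-valid, expired, expiring (fewer than
    warn_days left) or ok. 'now' is an RRSIG-style timestamp, defaulting to
    the current UTC time. Returns a list of (owner, type, key tag, status)."""
    now = parse_time(now) if now else datetime.now(timezone.utc)
    results = []
    for owner, covered, tag, inception, expiration in parse_rrsigs(zone_text):
        if now < inception:
            status = "not-yet-valid"
        elif now >= expiration:
            status = "expired"
        elif expiration - now < timedelta(days=warn_days):
            status = "expiring"
        else:
            status = "ok"
        results.append((owner, covered, tag, status))
    return results

if __name__ == "__main__":
    # Against the real clock the constructed 2012 signatures are long expired.
    for owner, covered, tag, status in check_signatures(SAMPLE_SIGNED_ZONE):
        print("%s RRSIG(%s) key %d: %s" % (owner, covered, tag, status))
```

Run it from cron against /etc/nsd3/SIGNED/myzone.demo.zone.signed and re-sign whenever a status other than ok comes back.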

Now move to your NSD slave.

Create a directory to contain the zones:
sudo mkdir /etc/nsd3/SIGNED

then edit nsd.conf to tell NSD where to find the zones:
zonesdir: "/etc/nsd3/SIGNED"

More changes:
zone:
name: "myzone.demo"
zonefile: "myzone.demo.zone.signed"

Now rebuild the NSD database and reload:

sudo nsdc rebuild
sudo nsdc reload

You'll see the following message:
warning: slave zone myzone.demo with no zonefile 'myzone.demo.zone.signed' (No such file or directory) will force zone transfer.

Once the zone has been transferred from master to slave, you can check by making a query on your slave:
dig +norec @localhost -t ANY myzone.demo

; <<>> DiG 9.7.3 <<>> +norec @localhost -t ANY myzone.demo
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<-
;; flags: qr aa; QUERY: 1, ANSWER: 12, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;myzone.demo. IN ANY

;; ANSWER SECTION:
myzone.demo. 3600 IN A 192.0.2.10
myzone.demo. 3600 IN NS ns1.myzone.demo.
myzone.demo. 3600 IN NS ns2.myzone.demo.
myzone.demo. 3600 IN MX 0 aspmx.l.google.com.
myzone.demo. 3600 IN MX 5 alt1.aspmx.l.google.com.
myzone.demo. 3600 IN MX 5 alt2.aspmx.l.google.com.
myzone.demo. 3600 IN MX 10 aspmx2.googlemail.com.
myzone.demo. 3600 IN MX 10 aspmx3.googlemail.com.
myzone.demo. 600 IN DNSKEY 256 3 7 AwEAAeUOnBNBlI/U4Awgm4M/cas5U8OD
myzone.demo. 600 IN DNSKEY 257 3 7 AwEAAQFk7s2/BykQQi9ptOiDz9W5xErG6Q==
myzone.demo. 86400 IN NSEC ftp.myzone.demo. A NS SOA MX RRSIG NSEC DNSKEY
myzone.demo. 600 IN SOA ns1.myzone.demo. hostmaster.myzone.demo. 2012041402 86400 7200 604800 86400

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Apr 16 18:27:56 2012
;; MSG SIZE rcvd: 380

Everything is fine so far.

DNSSEC is only useful when there is a trusted chain, so what you have to do now is inform your parent zone about your key.
The chain is:
. (rootserver)
TLD. (top level domain, in our example demo.)
yourzone.TLD. (in our example myzone.demo.)

TLDs are operated by registrars, who should allow you to submit your KSK for a given zone. Check the ICANN website for registrars that support end-user DNSSEC management.
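
What the parent actually publishes for your KSK is the DS record, the same record ldns-keygen wrote to the .ds file above. It is derived from the DNSKEY record: the key tag (the +22050 and +22049 in the file names) follows RFC 4034 Appendix B, and the digest is a hash over the owner name and the DNSKEY RDATA. The following Python is an added example, not code from the original post or from ldns; it works on a constructed DNSKEY line with a dummy key, because the DNSKEY records in the dig output above are truncated on this page and would not reproduce the real key tags.

```python
import base64
import hashlib
import struct

# Constructed DNSKEY line in the presentation format dig prints; the key
# material is a four-byte dummy value, not a real RSA key.
SAMPLE_DNSKEY_LINE = "myzone.demo. 600 IN DNSKEY 257 3 7 AQIDBA=="

def parse_dnskey_line(line):
    """Split 'owner ttl class DNSKEY flags protocol algorithm key...' fields."""
    f = line.split()
    if len(f) < 8 or f[3] != "DNSKEY":
        raise ValueError("not a DNSKEY record: %r" % line)
    return f[0], int(f[4]), int(f[5]), int(f[6]), "".join(f[7:])

def is_ksk(flags):
    """Flags 257 (SEP bit set) mark the key signing key; 256 is the ZSK."""
    return flags & 1 == 1

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Wire-format DNSKEY RDATA (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """RFC 4034 Appendix B key tag: the +NNNNN in the Kmyzone.demo.+007+NNNNN.*
    file names written by ldns-keygen (valid for every algorithm but RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def owner_wire(name):
    """Owner name as uncompressed, lower-case wire labels (RFC 4034 5.1.4)."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_from_dnskey(line, digest_type=2):
    """Return the DS RDATA (key tag, algorithm, digest type, hex digest) the
    parent zone publishes for this DNSKEY; digest type 1 = SHA-1, 2 = SHA-256."""
    owner, flags, protocol, algorithm, key_b64 = parse_dnskey_line(line)
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(owner_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest

if __name__ == "__main__":
    tag, alg, dtype, digest = ds_from_dnskey(SAMPLE_DNSKEY_LINE)
    print("myzone.demo. IN DS %d %d %d %s" % (tag, alg, dtype, digest))
```

Feed it the DNSKEY line of your KSK from the .key file and compare the result with the .ds file before submitting it to the registrar.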

When your registrar doesn't support end-user DNSSEC management you can use DLV (DNSSEC Look-aside Validation), which provides an additional entry point, besides the root zone, from which validators can obtain DNSSEC validation information. It is a service provided by ISC (Internet Systems Consortium).

Use DNSViz to analyze your zone.

This is just a quick guide; you are encouraged to read the background documentation carefully, and the manuals as well:

man 1 ldns-keygen
man 1 ldns-signzone

How to run NSD with DNSSEC on Ubuntu 11.10 by Antonio Prado is licensed under a Creative Commons Attribution-ShareAlike 4.0 International