Domain Name System Security Extensions (DNSSEC) is a set of extensions to DNS specified in 2005 by RFCs 4033, 4034 and 4035; several later RFCs have extended them since.
DNSSEC adds end-to-end security: it provides DNS clients with origin authentication of DNS data.
To install and configure NSD please refer to my article How to configure master and slave NSD on Ubuntu 11.10.
Here I’m going to show you the basic steps to sign your zones.
[Jan Piet Mens @digdns suggests:
Tired of issuing sudo?
By the command sudo -i
you open a bash shell as root so…]
Prepare the new tree just to keep things clear:
sudo mkdir /etc/nsd3/SIGNED /etc/nsd3/KSK /etc/nsd3/ZSK
Time to install ldns, an NLnet Labs project:
sudo apt-get install ldnsutils
and, using the zone myzone.demo created in my previous article, issue the following commands to create two keys, a Zone Signing Key (ZSK) and a Key Signing Key (KSK):
cd /etc/nsd3/ZSK
sudo ldns-keygen -a RSASHA1_NSEC3 -b 1024 myzone.demo
cd /etc/nsd3/KSK
sudo ldns-keygen -a RSASHA1_NSEC3 -b 2048 -k myzone.demo
Key creation is a time-consuming task, depending on your CPU, so be patient.
ldns-keygen creates three files: a .key file with the public DNSKEY record, a .private file with the private key data and a .ds file with the DS record derived from the DNSKEY record.
Let’s check:
sudo ls /etc/nsd3/KSK
Kmyzone.demo.+007+22050.ds
Kmyzone.demo.+007+22050.key
Kmyzone.demo.+007+22050.private
sudo ls /etc/nsd3/ZSK
Kmyzone.demo.+007+22049.ds
Kmyzone.demo.+007+22049.key
Kmyzone.demo.+007+22049.private
Edit /etc/nsd3/nsd.conf to change the path for the signed zones:
zonesdir: "/etc/nsd3/SIGNED"
more changes:
zone:
name: "myzone.demo"
zonefile: "myzone.demo.zone.signed"
Now use the ldns-signzone command to sign myzone.demo and produce a new zone file ready to serve DNSSEC queries.
sudo ldns-signzone /etc/nsd3/UNSIGNED/myzone.demo.zone /etc/nsd3/KSK/Kmyzone.demo.+007+22050 /etc/nsd3/ZSK/Kmyzone.demo.+007+22049 -f /etc/nsd3/SIGNED/myzone.demo.zone.signed
I just created an easy shell script to automate the process of zone signing:
#!/bin/bash
# Usage: ./signzone myzone.demo
DOMAIN=$1
ZONE=/etc/nsd3/UNSIGNED/$DOMAIN.zone
echo "Finding a proper Key signing key for $DOMAIN"
# The KSK is the larger key (2048 bit), so take the biggest .key file in the KSK directory
KSK=$(find /etc/nsd3/KSK -name "K$DOMAIN.+007+*.key" -printf '%s %f\n' | sort -nr | head -1 | sed 's/[0-9]\+ //;s/\.key$//')
echo "Finding a proper Zone signing key for $DOMAIN"
# The ZSK is the smaller key (1024 bit), so take the smallest .key file in the ZSK directory
ZSK=$(find /etc/nsd3/ZSK -name "K$DOMAIN.+007+*.key" -printf '%s %f\n' | sort -n | head -1 | sed 's/[0-9]\+ //;s/\.key$//')
# Refuse to sign with a missing key instead of handing ldns-signzone a bad path
[ -n "$KSK" ] && [ -n "$ZSK" ] || { echo "Missing KSK or ZSK for $DOMAIN" >&2; exit 1; }
echo "Signing zone $ZONE with KSK $KSK and ZSK $ZSK"
ldns-signzone "$ZONE" "/etc/nsd3/KSK/$KSK" "/etc/nsd3/ZSK/$ZSK" -f "/etc/nsd3/SIGNED/$DOMAIN.zone.signed"
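The script above tells the KSK from the ZSK by file size, which only works while the two keys differ in length. The following is an added example, not the post's own script: it reads the flags field of the DNSKEY record that ldns-keygen writes into each .key file (257 for a KSK, 256 for a ZSK) and refuses to sign when either key is missing. It assumes the directory layout of the post (/etc/nsd3/KSK, /etc/nsd3/ZSK, /etc/nsd3/UNSIGNED, /etc/nsd3/SIGNED); NSD_DIR, select_key and sign_zone are names chosen here.

```shell
#!/bin/bash
# Added example (not the post's script): choose the KSK and ZSK by the flags
# field of the DNSKEY RR in each .key file (257 = KSK, 256 = ZSK) instead of
# by file size. NSD_DIR follows the post's layout and can be overridden.
NSD_DIR=${NSD_DIR:-/etc/nsd3}

# select_key DIR DOMAIN FLAGS: print the basename (without .key) of the first
# key in DIR whose DNSKEY RR carries FLAGS; return 1 when there is none.
select_key() {
    local dir=$1 domain=$2 flags=$3 f
    for f in "$dir"/K"$domain".+*+*.key; do
        [ -f "$f" ] || continue
        # A .key file holds one RR: owner [TTL] IN DNSKEY flags proto alg key ...
        if awk -v want="$flags" '{ for (i = 1; i < NF; i++)
                if ($i == "DNSKEY" && $(i+1) == want) ok = 1 } END { exit !ok }' "$f"
        then
            basename "$f" .key
            return 0
        fi
    done
    return 1
}

# sign_zone DOMAIN: sign UNSIGNED/DOMAIN.zone into SIGNED/DOMAIN.zone.signed
sign_zone() {
    local domain=$1 ksk zsk
    ksk=$(select_key "$NSD_DIR/KSK" "$domain" 257) \
        || { echo "no KSK (flags 257) for $domain" >&2; return 1; }
    zsk=$(select_key "$NSD_DIR/ZSK" "$domain" 256) \
        || { echo "no ZSK (flags 256) for $domain" >&2; return 1; }
    echo "Signing $domain with KSK $ksk and ZSK $zsk"
    ldns-signzone -f "$NSD_DIR/SIGNED/$domain.zone.signed" \
        "$NSD_DIR/UNSIGNED/$domain.zone" "$NSD_DIR/KSK/$ksk" "$NSD_DIR/ZSK/$zsk"
}

# Usage: ./signzone myzone.demo
if [ $# -eq 1 ]; then sign_zone "$1"; fi
```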
Try a query to check the presence of DNSSEC extensions:
dig +norec @localhost -t ANY myzone.demo
; <<>> DiG 9.7.3 <<>> +norec @localhost -t ANY myzone.demo
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<-
;; flags: qr aa; QUERY: 1, ANSWER: 12, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;myzone.demo. IN ANY
;; ANSWER SECTION:
myzone.demo. 600 IN SOA ns1.myzone.demo. hostmaster.myzone.demo. 2012041402 86400 7200 604800 86400
myzone.demo. 3600 IN A 192.0.2.10
myzone.demo. 3600 IN NS ns1.myzone.demo.
myzone.demo. 3600 IN NS ns2.myzone.demo.
myzone.demo. 3600 IN MX 0 aspmx.l.google.com.
myzone.demo. 3600 IN MX 5 alt1.aspmx.l.google.com.
myzone.demo. 3600 IN MX 5 alt2.aspmx.l.google.com.
myzone.demo. 3600 IN MX 10 aspmx2.googlemail.com.
myzone.demo. 3600 IN MX 10 aspmx3.googlemail.com.
myzone.demo. 600 IN DNSKEY 256 3 7 AwEAAeUOnBNBlI/U4Awgm4M/cas5U8OD
myzone.demo. 600 IN DNSKEY 257 3 7 AwEAAQFk7s2/BykQQi9ptOiDz9W5xErG6Q==
myzone.demo. 86400 IN NSEC ftp.myzone.demo. A NS SOA MX RRSIG NSEC DNSKEY
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Apr 16 18:13:42 2012
;; MSG SIZE rcvd: 380
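Without +dnssec, dig never returns the RRSIG records, so the answer above only shows that DNSKEY and NSEC records exist; it does not show that every RRset is actually signed. The following is an added example, not from the post: it reads the answer section of a dig +dnssec query from stdin and lists RR types that have no covering RRSIG, plus the DNSKEY flags seen (256 and 257 expected). The sample answer is constructed, with abridged key material and made-up signature timestamps.

```shell
#!/bin/bash
# Added example (not from the post): check a "dig +dnssec" answer section for
# RRsets that lack a covering RRSIG and for the two key roles.

# unsigned_rrsets: read RRs on stdin, print every type with no RRSIG covering it
unsigned_rrsets() {
    awk '
        /^;/ || NF < 5 { next }                      # skip dig comments and blanks
        $4 == "RRSIG" { covered[$5] = 1; next }      # field 5 is the type covered
        { present[$4] = 1 }
        END { for (t in present) if (!(t in covered)) print t }
    ' | sort
}

# key_roles: print the distinct DNSKEY flags values seen, e.g. "256 257"
key_roles() {
    awk '!/^;/ && $4 == "DNSKEY" { print $5 }' | sort -u | xargs
}

# Constructed sample answer; the MX RRset deliberately has no RRSIG
SAMPLE='myzone.demo. 3600 IN A 192.0.2.10
myzone.demo. 3600 IN RRSIG A 7 2 3600 20120516000000 20120416000000 22049 myzone.demo. abcd==
myzone.demo. 600 IN DNSKEY 256 3 7 AwEAAeUOnBNBlI/U4Awgm4M/cas5U8OD
myzone.demo. 600 IN DNSKEY 257 3 7 AwEAAQFk7s2/BykQQi9ptOiDz9W5xErG6Q==
myzone.demo. 600 IN RRSIG DNSKEY 7 2 600 20120516000000 20120416000000 22050 myzone.demo. efgh==
myzone.demo. 3600 IN MX 0 aspmx.l.google.com.'

check_sample() { printf '%s\n' "$SAMPLE" | unsigned_rrsets; }
sample_roles() { printf '%s\n' "$SAMPLE" | key_roles; }
```

Against a live server, pipe the output of dig +norec +dnssec @localhost -t ANY myzone.demo into unsigned_rrsets; an empty result means every RRset in the answer carries a signature.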
Now on your NSD slave.
Create a directory to contain the zones:
sudo mkdir /etc/nsd3/SIGNED
then edit nsd.conf to instruct NSD where to find the zones:
zonesdir: "/etc/nsd3/SIGNED"
more changes:
zone:
name: "myzone.demo"
zonefile: "myzone.demo.zone.signed"
Now rebuild the NSD database and reload:
sudo nsdc rebuild
sudo nsdc reload
You’ll see the following message:
warning: slave zone myzone.demo with no zonefile 'myzone.demo.zone.signed' (No such file or directory) will force zone transfer.
Once the zone has been transferred from master to slave, check it by making a query on your slave:
dig +norec @localhost -t ANY myzone.demo
; <<>> DiG 9.7.3 <<>> +norec @localhost -t ANY myzone.demo
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<-
;; flags: qr aa; QUERY: 1, ANSWER: 12, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;myzone.demo. IN ANY
;; ANSWER SECTION:
myzone.demo. 3600 IN A 192.0.2.10
myzone.demo. 3600 IN NS ns1.myzone.demo.
myzone.demo. 3600 IN NS ns2.myzone.demo.
myzone.demo. 3600 IN MX 0 aspmx.l.google.com.
myzone.demo. 3600 IN MX 5 alt1.aspmx.l.google.com.
myzone.demo. 3600 IN MX 5 alt2.aspmx.l.google.com.
myzone.demo. 3600 IN MX 10 aspmx2.googlemail.com.
myzone.demo. 3600 IN MX 10 aspmx3.googlemail.com.
myzone.demo. 600 IN DNSKEY 256 3 7 AwEAAeUOnBNBlI/U4Awgm4M/cas5U8OD
myzone.demo. 600 IN DNSKEY 257 3 7 AwEAAQFk7s2/BykQQi9ptOiDz9W5xErG6Q==
myzone.demo. 86400 IN NSEC ftp.myzone.demo. A NS SOA MX RRSIG NSEC DNSKEY
myzone.demo. 600 IN SOA ns1.myzone.demo. hostmaster.myzone.demo. 2012041402 86400 7200 604800 86400
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Apr 16 18:27:56 2012
;; MSG SIZE rcvd: 380
Everything is fine so far.
DNSSEC is only useful when there is a chain of trust, so what you are supposed to do now is inform your parent zone about your key.
The chain is:
. (rootserver)
TLD. (top level domain, in our example demo.)
yourzone.TLD. (in our example myzone.demo.)
TLDs are operated by registrars who should allow you to submit your KSK for a given zone. Look at ICANN website for registrars that support end user DNSSEC management.
When your registrar doesn’t support end user DNSSEC management you can use DLV (DNSSEC Look-aside Validation), which provides an additional entry point (besides the root zone) from which to obtain DNSSEC validation information. It’s a service provided by ISC, the Internet Systems Consortium.
Use DNSviz to analyze your zone.
This is just a quick guide; you are encouraged to read the background documentation carefully, and the manuals as well:
man 1 ldns-keygen
man 1 ldns-signzone