How to run OpenDNSSEC with NSD on FreeBSD 9.0

Domain Name System Security Extensions (DNSSEC) is a set of extensions to DNS documented since 2005 by RFCs 4033, 4034 and 4035; several additions to those extensions have been published since.
DNSSEC adds end-to-end security: it provides DNS clients with origin authentication of DNS data. OpenDNSSEC is open-source software created as a DNSSEC solution: it signs zone data just before it is published in an authoritative name server.

To install and configure NSD please refer to my article How to configure master and slave NSD on FreeBSD 9.0.

Here I'm going to show you the basic steps to get your zones signed with OpenDNSSEC and SoftHSM.

First, make sure that NSD can find the zones:
vi /usr/local/etc/nsd/nsd.conf

# The directory for zonefile: files.
zonesdir: "/usr/local/var/opendnssec/signed"

and reflect the changes in your directory tree:

cd /usr/local/etc/nsd
ln -s /usr/local/var/opendnssec/unsigned .
ln -s /usr/local/var/opendnssec/signed .
cp /usr/local/etc/nsd/myzone.demo.zone /usr/local/etc/nsd/unsigned/myzone.demo
nsdc rebuild
nsdc reload

Now start with OpenDNSSEC.

The first step is to initialize the SoftHSM token database with the label "OpenDNSSEC", using the demo PIN 1234:
softhsm --init-token --slot 0 --label "OpenDNSSEC"

Then prepare the configuration files from the samples:

cp conf.xml.sample conf.xml
cp kasp.xml.sample kasp.xml
cp zonelist.xml.sample zonelist.xml

Initialize the OpenDNSSEC database, start the daemons and add the zone:

ods-ksmutil setup
chmod 755 /usr/local/var/softhsm
ods-control start
ods-ksmutil zone add --zone myzone.demo
ods-ksmutil update zonelist

Check that everything is ok by listing your keys:
ods-ksmutil key list --verbose
SQLite database set to: /usr/local/var/opendnssec/kasp.db
Keys:
Zone: Keytype: State: Date of next transition: CKA_ID: Repository: Keytag:
myzone.demo KSK publish 2012-04-20 05:02:26 dcfdc20378081bf71f1f665d19db3a76 SoftHSM 24190
myzone.demo ZSK active 2012-05-19 15:02:26 e9c5ddce37dda5365723206fb0353f47 SoftHSM 52825

Here is a brief explanation of each key state:

Generate
Keys in the generate state have been created and stored but not used yet.
Publish
Keys in the publish state have been published in the zone, but are not yet considered safe to use (i.e. they have not been in the zone long enough to have propagated through the system).
Ready
Keys in the ready state have been published long enough that we could safely start to use them.
Active
Keys in the active state are those that are in use.
Retired
Keys in the retired state have been in use but have been replaced by a successor; they remain published while signatures generated with them might still be in the system.
Dead
Keys in the dead state have been retired long enough for them to be safely removed from the zone.

Try a query to check that the DNSSEC records are being served:
dig +norec @localhost -t ANY myzone.demo
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.8.1-P1 <<>> +norec @localhost -t ANY myzone.demo
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER< ;; flags: qr aa; QUERY: 1, ANSWER: 18, AUTHORITY: 0, ADDITIONAL: 2

;; QUESTION SECTION:
;myzone.demo. IN ANY

;; ANSWER SECTION:
myzone.demo. 3600 IN SOA ns1.myzone.demo. hostmaster.myzone.demo. 2012041405 86400 7200 604800 3600
myzone.demo. 3600 IN RRSIG SOA 8 2 3600 20120426065520 20120419134623 52825 myzone.demo. vTDGXkbYSvUI/SYcs/g6IOyaR5UilrUk2kU/pU+xpaHzgR1FSeYgFmFw 4U/2EjvQ1zrUJq6YLd1BKbHk7eYXW1QyxWTnIPGILmZBqWWbPdf87vig gXw26b+vMYjNIsz1j0dTuojiT6Bzr1R6RAu/I3q/xwdlx7UBB3AILSJo T+w=
myzone.demo. 3600 IN RRSIG A 8 2 3600 20120426092649 20120419134422 52825 myzone.demo. nK/BmvwR73cEbOu1UjOy3D4cDYbYsrHt9Rv2+El9PUQfLgxCJjVskd8D DS53tQUmYuEfyBs81KJ8319skOMk2OUZ6iuQLPhUgbGWQmB5Tw7aY5mT /oQE3KefUGTR+KrnXtLjnmiP0kEP1q8jmiwzusGkOttf8NhSbbukI40n sN0=
myzone.demo. 3600 IN RRSIG NS 8 2 3600 20120426070946 20120419134422 52825 myzone.demo. AgNXTRMVZCsHqlAtJbc8D+Io+1Bl66SXK1k10HYHCqg04wi7/lLcreUl J6dgtUCLFuKHBP4SLvsjUHZSu9FqdRJv6po7hECFqIFxmChJyMfp0LSn sXpnFZfcRtJ35+RmKOiw9rEUuCbI4uZVMqg5yRTlbYPBU/uNIln4dEV5 P8Y=
myzone.demo. 3600 IN RRSIG MX 8 2 3600 20120426173831 20120419134422 52825 myzone.demo. Ny4n80HKCTn7ocOAjP3VegBHv2VryDnpr8qHVYBWZnt5qkC4NHadezOZ fAQxkINEJ/HY1ovGcq5o9Hw/qYZxxB4fnJbdbvheJUuZCUNgvvXjOoy1 uYzR9YLt1VdD04ScFmo5GyOi6M94lki4T4TcSUpB+8XO65gh/Y5KyvWe 0oU=
myzone.demo. 3600 IN RRSIG DNSKEY 8 2 3600 20120426203739 20120419134422 24190 myzone.demo. Z2KjyTaR0FiALKfOKpJvTocb8Go/TJdVWBfQHiB7h8/H+srYlo3udmuC 4j5Ji46pL/q775aAq2jB9jlozG5JHSIBch9Lm0OdRQzaPtpF5VpREjJc kDYqlM0iB7pl1p9GdAkgnS/8OmoSHbw69sA1IW4DAvohuyTW5TFQjqsH OtcDb/bKAx2PpedThyZONbtg4D6P5pB3Lz5aVfN/x6GfbxVNT/y6qGGq i237zwombyfEHdd8Sx1eQ9qj6djFcO3RDTJTO/g21M4HiRXsG2QbdcOd 4BU17am+k1qo6eoSwQ4gFLEmKCH/kppbKVKZI3tKcP42E3BRY3HGwF8r RNA+5Q==
myzone.demo. 3600 IN RRSIG NSEC3PARAM 8 2 3600 20120427021607 20120419134422 52825 myzone.demo. H3gd+uKf8fggbkMklMbtRsQBQwBzd/4evalFZktj+NfGZ84j6yqm5qhh Bgx1kV+TROjJPb0ms17McmuoTexsMGCwLAnmc9UOiVknr3Oimy5X9edc haTNqTiNagIZQh8slsg9JWNm2o1X3aPW8QIKSN4AknKLHaD74nVFcasQ a9o=
myzone.demo. 3600 IN A 192.0.2.10
myzone.demo. 3600 IN NS ns1.myzone.demo.
myzone.demo. 3600 IN NS ns2.myzone.demo.
myzone.demo. 3600 IN MX 0 aspmx.l.google.com.
myzone.demo. 3600 IN MX 5 alt1.aspmx.l.google.com.
myzone.demo. 3600 IN MX 5 alt2.aspmx.l.google.com.
myzone.demo. 3600 IN MX 10 aspmx2.googlemail.com.
myzone.demo. 3600 IN MX 10 aspmx3.googlemail.com.
myzone.demo. 3600 IN DNSKEY 256 3 8 AwEAAenNfzy6VmPGi7+fo5Ewf7AMkRgI/CFRoeRo6oLiSMoODTfQr35N LyfNsla0CIQThg+0KWxx5ipvE6anpsUUkRuqV8bkiC0rc3dM9EGawXs+ kg/AGl53o3mNKU0iSBHoTPixZAMbFp/ys+mKKsiXjWwubCbbvbMaa+Kn /9SC/B+d
myzone.demo. 3600 IN DNSKEY 257 3 8 AwEAAb659fEdufEVsdcq+cYDhJST3uTDgKA+Do90Ewa1WbNz/cQbfdNx GN3Y0IYex+/LmJ3CqGiVmuEGWTjC632ELkunl+N/ouuOzFwJAvRXxgDo YHs4SC7xHxcM/0SPFcBeS/jLmRc/HrhVY9Y+SkYX7Aohjtt8EM3vPSDM JTGyHMO45G0+3vQVn+ZPnnmCm4Vk6K9+rEPo/8WcFUYoEeQwjvr/NbH+ 5/9FkM5D+4PYK4TlfE3oPr8VDU2FxwHittdHsdhBudCSo/6aszTyZO9c oCyQCdIMCJ449ni/9XU4NUGdQQ5SJMc7pkl/3OIeCKN3QE2I/l8/xeSA 4QNP0hIgA20=
myzone.demo. 3600 IN NSEC3PARAM 1 0 5 79FAF1DC2C64311D

;; ADDITIONAL SECTION:
ns1.myzone.demo. 3600 IN A 192.0.2.1
ns2.myzone.demo. 3600 IN A 192.0.2.2

;; Query time: 168 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Apr 19 16:48:23 2012
;; MSG SIZE rcvd: 1907

Our KSK is in the Publish state, which means we cannot export the key yet. It will move to the Ready state on 2012-04-20 at 05:02:26.

Anyway, just for this how-to's sake, let's move the system clock forward:
date 1204200503

Let's check:
date
Fri Apr 20 05:03:01 CEST 2012

Now restart the enforcer and the signer:

ods-control stop
ods-control start

and ask for the key state again:
ods-ksmutil key list --verbose
SQLite database set to: /usr/local/var/opendnssec/kasp.db
Keys:
Zone: Keytype: State: Date of next transition: CKA_ID: Repository: Keytag:
myzone.demo KSK ready waiting for ds-seen dcfdc20378081bf71f1f665d19db3a76 SoftHSM 24190
myzone.demo ZSK active 2012-05-19 15:02:26 e9c5ddce37dda5365723206fb0353f47 SoftHSM 52825

Here is the KSK in the Ready state. Now we can export it:

ods-ksmutil key export --zone myzone.demo --keystate READY
SQLite database set to: /usr/local/var/opendnssec/kasp.db

;ready KSK DNSKEY record:
myzone.demo. 3600 IN DNSKEY 257 3 8 AwEAAb659fEdufEVsdcq+cYDhJST3uTDgKA+Do90Ewa1WbNz/cQbfdNxGN3Y0IYex+/LmJ3CqGiVmuEGWTjC632ELkunl+N/ouuOzFwJAvRXxgDoYHs4SC7xHxcM/0SPFcBeS/jLmRc/HrhVY9Y+SkYX7Aohjtt8EM3vPSDMJTGyHMO45G0+3vQVn+ZPnnmCm4Vk6K9+rEPo/8WcFUYoEeQwjvr/NbH+5/9FkM5D+4PYK4TlfE3oPr8VDU2FxwHittdHsdhBudCSo/6aszTyZO9coCyQCdIMCJ449ni/9XU4NUGdQQ5SJMc7pkl/3OIeCKN3QE2I/l8/xeSA4QNP0hIgA20= ;{id = 24190 (ksk), size = 2048b}

ods-ksmutil key export --zone myzone.demo --ds --keystate READY
SQLite database set to: /usr/local/var/opendnssec/kasp.db

;ready KSK DS record (SHA1):
myzone.demo. 3600 IN DS 24190 8 1 5720f7f7eac4de8b0f5a59d1772674c751c5c37a

;ready KSK DS record (SHA256):
myzone.demo. 3600 IN DS 24190 8 2 d3d1eb07c34d5f1d0a71abc1317d2ec78a6d320a781f4600aba01bffebeeccb2
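Before handing the DS records to the parent it is worth confirming that they really belong to the exported DNSKEY. The following Python is an added example, not part of the original post or of OpenDNSSEC: it recomputes the key tag (RFC 4034 Appendix B) and the SHA-1 and SHA-256 DS digests (RFC 4034 section 5.1.4) from the DNSKEY printed by ods-ksmutil above and compares them with the exported DS records. The record values are copied from the output above; the function names are my own.

```python
import base64, hashlib, struct

# DNSKEY and DS records exactly as printed by ods-ksmutil above.
ZONE = "myzone.demo."
DNSKEY_LINE = ("myzone.demo. 3600 IN DNSKEY 257 3 8 "
               "AwEAAb659fEdufEVsdcq+cYDhJST3uTDgKA+Do90Ewa1WbNz/cQbfdNx"
               "GN3Y0IYex+/LmJ3CqGiVmuEGWTjC632ELkunl+N/ouuOzFwJAvRXxgDo"
               "YHs4SC7xHxcM/0SPFcBeS/jLmRc/HrhVY9Y+SkYX7Aohjtt8EM3vPSDM"
               "JTGyHMO45G0+3vQVn+ZPnnmCm4Vk6K9+rEPo/8WcFUYoEeQwjvr/NbH+"
               "5/9FkM5D+4PYK4TlfE3oPr8VDU2FxwHittdHsdhBudCSo/6aszTyZO9c"
               "oCyQCdIMCJ449ni/9XU4NUGdQQ5SJMc7pkl/3OIeCKN3QE2I/l8/xeSA"
               "4QNP0hIgA20= ;{id = 24190 (ksk), size = 2048b}")
EXPECTED_DS = {1: "5720f7f7eac4de8b0f5a59d1772674c751c5c37a",
               2: "d3d1eb07c34d5f1d0a71abc1317d2ec78a6d320a781f4600aba01bffebeeccb2"}

def name_to_wire(name: str) -> bytes:
    """Owner name in canonical (lower-case) DNS wire format."""
    wire = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.lower().rstrip(".").split("."))
    return wire + b"\x00"

def dnskey_rdata(line: str) -> bytes:
    """RDATA (flags, protocol, algorithm, key) of a presentation-format DNSKEY."""
    fields = line.split(";")[0].split()      # drop the trailing ';{...}' comment
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    return struct.pack("!HBB", flags, proto, alg) + base64.b64decode("".join(fields[i + 4:]))

def key_tag(rdata: bytes) -> int:
    """Key tag as defined in RFC 4034 Appendix B (not valid for RSA/MD5 keys)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest per RFC 4034 5.1.4: hash(owner name in wire format | DNSKEY RDATA)."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return h(name_to_wire(owner) + rdata).hexdigest()

def check_exported_ds(owner: str, dnskey_line: str, expected: dict) -> bool:
    """True only if every exported DS digest matches one recomputed from the DNSKEY."""
    rdata = dnskey_rdata(dnskey_line)
    return all(ds_digest(owner, rdata, t) == v.lower() for t, v in expected.items())

if __name__ == "__main__":
    rdata = dnskey_rdata(DNSKEY_LINE)
    for t in (1, 2):
        print(f"{ZONE} IN DS {key_tag(rdata)} 8 {t} {ds_digest(ZONE, rdata, t)}")
    print("exported DS records match:", check_exported_ds(ZONE, DNSKEY_LINE, EXPECTED_DS))
```

A mismatch here means you would be publishing a DS that points at a key the zone does not actually serve, which breaks validation for the whole zone.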

DNSSEC is only useful when the chain of trust is complete, so what you are supposed to do now is inform your parent zone about the key you have just exported.

The chain is:
. (rootserver)
TLD. (top level domain, in our example demo.)
yourzone.TLD. (in our example myzone.demo.)

TLDs are operated by registrars who should allow you to submit your KSK for a given zone. Look at the ICANN website for registrars that support end-user DNSSEC management.

When your registrar doesn't support end-user DNSSEC management you can use DLV (DNSSEC Look-aside Validation), which provides an additional entry point (besides the root zone) from which to obtain DNSSEC validation information. It is a service provided by ISC (Internet Systems Consortium).

Use DNSviz to analyze your zone.

This is just a quick guide; you are encouraged to read the background documentation and the manuals carefully as well.

How to run OpenDNSSEC with NSD on FreeBSD 9.0 by Antonio Prado is licensed under a Creative Commons Attribution-ShareAlike 4.0 International