How-To: DNSSEC with DLV (with some notes)

I sometimes wonder how come I’ve never done any DNS-related How-To. I write them mainly to remind myself anyway, not for other people (but it’s a plus if someone gets something from it)… Maybe that’s it, I don’t need a reminder for something I do so often.

At least DNSSEC is something that’s not-so-new – I haven’t implemented it on authoritative nameservers before, just on resolvers and caching nameservers. So here’s a guide, mostly taken from ISC DLV, with some sidenotes I inserted while working on my implementation.

Steps:

1. Enable DNSSEC on authoritative/recursive servers
2. Generate ZSK and KSK
3. Include keys into zonefile
4. Sign the zone
5. Point named.conf at the signed zone.
6. Reload zone.
7. Provide parent zone with DS records -OR-
8. Provide DLV registry with DLV record

****IN DETAIL****

1. Enable DNSSEC on authoritative/recursive servers
++++++++++++++++++++++++++++++++++++++++++++++++
options {
dnssec-enable yes;
dnssec-validation yes; //on recursive servers only
};

++++++++++++++++++++++++++++++++++++++++++++++++

2. Generate ZSK and KSK for EACH ZONE.

a. Zone Signing Key (ZSK)
$> dnssec-keygen -a RSASHA1 -b 1024 -n ZONE myzone

this creates two files:
Kzonename+005+<id_of_zsk>.key
Kzonename+005+<id_of_zsk>.private

b. Key Signing Key (KSK)
$> dnssec-keygen -a RSASHA1 -b 2048 -n ZONE -f KSK myzone

this creates two files:
Kzonename+005+<id_of_ksk>.key
Kzonename+005+<id_of_ksk>.private

3. Include keys into zonefile. (NOTE: .key is the public portion, .private is, well, the private portion – only the .key files go into the zone)

$INCLUDE "Kzonename+005+<id_of_ksk>.key"
-OR-
cat Kzonename+*.key >> zonefile

4. Sign the zone.
dnssec-signzone [-o zonename] [-N INCREMENT] [-k KSKfile] zonefile [ZSKfile]

this creates two files:
dsset-zonename (DS RRs)
keyset-zonename (DNSKEY RRs)

if using DLV:
dnssec-signzone [-o zonename] [-N INCREMENT] -l dlvzone [-k KSKfile] zonefile [ZSKfile]
ex: dnssec-signzone -l dlv.isc.org -r /dev/random -o zonename -k KSKfile zonefile ZSKfile

this creates dlvset-zonename

5. Point named.conf at the signed zone.
++++++++++++++++++++++++++++++++++++++++++++++++
zone "zonename" {
file "master/zonefile.signed";
};

++++++++++++++++++++++++++++++++++++++++++++++++

6. Reload zone.
$> rndc reconfig
$> rndc flush

7. Provide parent zone with DS records -OR-
note: parent will insert DS RR
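The dsset-zonename file written in step 4 (and the dlvset-zonename file when signing with -l) is nothing more than a DS-style record derived from the KSK's DNSKEY: a 16-bit key tag plus a digest over the owner name and the DNSKEY RDATA (RFC 4034; DLV records share the DS format per RFC 4431). The Python below is an added example, not part of the original post or of the ISC tools, that reproduces that derivation from a K*.key line so you can check the DS you hand to the parent against what the zone actually publishes. The DNSKEY line, the zone name "myzone." and the key bytes are constructed for illustration.

```python
import base64
import hashlib

# Constructed DNSKEY line in the presentation format of a K*.key file (not a real key).
SAMPLE_KSK_LINE = "myzone. IN DNSKEY 257 3 8 AQIDBA== ; constructed KSK, key id tested below"


def name_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase, length-prefixed labels, root."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError("bad label: %r" % label)
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def parse_dnskey(line):
    """Parse 'owner [TTL] [IN] DNSKEY flags proto alg base64...' into its parts."""
    fields = line.split(";")[0].split()  # drop the trailing comment dnssec-keygen may write
    idx = fields.index("DNSKEY")
    owner = fields[0]
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    key = base64.b64decode("".join(fields[idx + 4:]))  # base64 may be split across fields
    return owner, flags, proto, alg, key


def dnskey_rdata(flags, proto, alg, key):
    """DNSKEY RDATA in wire order: flags(2) protocol(1) algorithm(1) public key."""
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + key


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types SHA-1 and SHA-256


def ds_record(dnskey_line, digest_type=2):
    """Build the DS RR the parent publishes: digest over owner-name wire form || DNSKEY RDATA."""
    owner, flags, proto, alg, key = parse_dnskey(dnskey_line)
    rdata = dnskey_rdata(flags, proto, alg, key)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return "%s IN DS %d %d %d %s" % (owner, key_tag(rdata), alg, digest_type, digest)


def dlv_record(dnskey_line, dlv_zone, digest_type=2):
    """Same RDATA as the DS, but owned by zone.dlv_zone and typed DLV (RFC 4431)."""
    ds = ds_record(dnskey_line, digest_type).split()
    owner = ds[0].rstrip(".") + "." + dlv_zone.strip(".") + "."
    return " ".join([owner, "IN", "DLV"] + ds[3:])


if __name__ == "__main__":
    print(ds_record(SAMPLE_KSK_LINE, 1))
    print(ds_record(SAMPLE_KSK_LINE, 2))
    print(dlv_record(SAMPLE_KSK_LINE, "dlv.isc.org."))
```

Feed it the KSK line from your real K*.key file and compare the key tag and digest with the dsset-zonename file; a mismatch between what the parent holds and what the zone serves is exactly the failure that turns a signed zone into one that fails validation everywhere.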

8. Provide DLV registry with DLV record
provide the DNSKEY to a third-party registry if the parent zone is not signed yet

Register/login to dlv.isc.org
Manage/upload your zone.

Edit named.conf to enable DLV.
++++++++++++++++++++++++++++++++++++++++++++++++
trusted-keys {
dlv.isc.org. 257 3 5 "BEAAA[...]BNh";
};

++++++++++++++++++++++++++++++++++++++++++++++++
-OR-
include "dlv.isc.org.named.conf"; (Note: download file from dlv.isc.org)

++++++++++++++++++++++++++++++++++++++++++++++++
options {
dnssec-lookaside . trust-anchor dlv.isc.org.;
};

++++++++++++++++++++++++++++++++++++++++++++++++

***MAINTENANCE***

1. Re-signing the zone.
When? Every time you modify the zone, or before the signatures' expiration date (30 days by default)

2. Rotating keys (rollover).
the keys themselves don't expire, but they need to be rolled over regularly:
KSK – yearly
ZSK – every 3 months

For those who want to do some reading on DNSSEC, there’s a section at NSRC.ORG which is a great place to start. It’s from Phil Regnauld and Harvey Allen, our instructors at APRICOT2009.
