6

Could anybody provide a step-by-step procedure to set up DNSSEC under BIND 9.7? I think the version is relevant because it is supposed to make life easier. In fact, there is a document published by ISC called DNSSEC for Humans, which I used as a starting point, though it's not quite a tutorial.

The main reason I'm using 9.7 (say, instead of the brand new 9.9) is that it is the stable version under Debian 6. I should mention that I have a basic BIND configuration up and running.

What I tried:

  1. Included inside the appropriate curly brackets in /etc/bind/named.conf.options the line

    dnssec-enable yes;

    and restarted BIND.

  2. Ran dnssec-keygen example.com

  3. Ran dnssec-keygen -fk example.com

  4. Tried dnssec-signzone –S example.com

However, the last step gives me the error

dnssec-signzone: fatal: No signing keys specified or found.

I can see this is a likely error, as there seem to be missing options indicating where my keys are, but on the hand the referred guide by ISC cites specifically this last example. Indeed, the flag -S stands in fact for "smart signing", so I was hoping having the keys in the same directory from where I execute the last command (/etc/bind) could suffice.

Since this is a toy, non-production project, I don't mind repeating these steps, say, every 30 days, but I'd like to keep them as simple as possible and... get them right!

Any ideas/pointers? Thanks in advance.

sadpluto
  • 183
  • 1
  • 4

1 Answers1

8

The simplest way to enable DNSSEC with BIND is automatic signing, below is a step-by-step tutorial:

Prerequisites: I will assume that your zone file is /var/lib/bind/example.net/db. Zone file and the folder should be writable for bind process ! You may need to adjust permissions, and/or edit your /etc/apparmor.d/usr.sbin.named.

Step 1: Generate DNSSEC keys:

dnssec-keygen -K /var/lib/bind/example.net example.net

-K specifies output folder for the newly generated keys, the second parameter is the zone name. This command may take very long to complete because it will wait until enough entropy is available on your system. If all you want is to try the configuration, and you aren't generating keys for a production system, you may add -r /dev/urandom - it will quickly generate not-so-secure keys. Note also that if you run this command multiple times, each time it will generate a new set of keys, and all the sets will be used to sign your zone.

Step 2: Configure BIND to enable automatic signing for your zone:

zone example.net {
    type master;
    file "/var/lib/bind/example.net/db";        
    auto-dnssec maintain;
//Enable The Magic
    key-directory "/var/lib/bind/example.net";
//Look for DNSSEC keys in "/etc/bind/example.net" folder
    update-policy local;
//Enable dynamic updates (required for auto-dnssec)
};

auto-dnssec maintain tells bind to periodically search the folder, specified in key-directory, for new DNSSEC keys, add those keys to the zone and sign the zone. All automatically, without your interaction. Core DNSSEC support itself is already enabled by default. Your named.conf may well consist of this zone section alone.

Step 3: Reload bind

rndc reload Will load the new configuration and bind will load your DNSSEC keys and sign the zone.

Done. Confirm that it works with dig +dnssec @localhost example.net DNSKEY. You should get DNSKEY and RRSIG records.

Secure Delegation

If you add a DNNSEC to a real domain, to fully enable DNNSEC validation, you need to add DS records to your parent zone - this is done same way as NS records - via your domain registrar.

To verify that it all works, you may use online tools like dnsviz.net and dnssec-debugger.verisignlabs.com

ADDITION:

Some may ask: what about ZSKs and KSKs ? - This process will sign the whole zone with a single ZSK, there's no KSK here. What I tried to do is provide simplest possible "guide" which would result in a good working DNSSEC. I did not try to cover all the possible details. And there's no need for everbody to care about all the possible details. IMHO.

Sandman4
  • 4,045
  • 2
  • 20
  • 27
  • Note that today you may have DNSSEC for your domain without running your own nameserver - some DNS hostings already support DNSSEC, like [Dyn](http://dyn.com/dns/dns-comparison/), (Oh No!)[GoDaddy](http://support.godaddy.com/help/article/6420/enabling-dnssec-in-your-premium-dns-account), and my own [net-me.net](https://www.net-me.net/services) – Sandman4 Jul 07 '12 at 22:35
  • Another note: since it's Bind 9.7.x it will not load DNSSEC look-aside validation (DLV) keys automatically - get most recent keys here: http://ftp.isc.org/isc/bind9/keys/9.7/ and add them to your bind configuration. – c2h5oh Jul 07 '12 at 23:16
  • This question is for __authoritative__ server, not a resolver. Besides, I don't think DLV is of much use today. – Sandman4 Jul 07 '12 at 23:32
  • Thank you for such a thorough answer. I came across in the meantime with [DNSSEC-Tools](https://www.dnssec-tools.org). It's a more manual (cron-able) process that mainly involves `apt-get install dnssec-tools; zonesigner -genkeys -zone example.com db.example.com`. – sadpluto Jul 09 '12 at 16:09
  • 1
    Can you add a few words on how to get the details of the DS records to add? I tried `dnssec-dsfromkey` but my registrar doesn't seem to accept it - am I getting a ZSK or KSK, and which algorithm? – Calimo Jun 28 '16 at 20:24