DNSSEC

DNSSEC (DNS Security Extensions) is a set of extensions to the DNS protocol. Using public-key signatures over DNS records, it lets a validating resolver check that a response was published by the zone's operator and has not been modified in transit. It does not make DNS data secret (queries and answers still travel in the clear), and it does not prevent denial-of-service attacks.

A DNSSEC operator needs signing tools and a DNS server that support it. Fudo.org uses BIND, but different BIND versions offer different levels of automation, so the notes below are split by version.

The rest of this page is collected notes on using DNSSEC. Hopefully they will be useful to some readers.

Sign a domain with BIND 9.9

 * Name the zone file the same as the zone, with no trailing dot (ex: fudo.org, 199.181.198.in-addr.arpa).
 * Create a ZSK and a KSK. The KSK gets more bits because it is the key the parent's DS record points at and it is rolled less often:
 * [reaper@olympus bind]# dnssec-keygen -r /dev/urandom -a RSASHA256 -b 1024 fudo.ca
 * [reaper@olympus bind]# dnssec-keygen -f KSK -r /dev/urandom -a RSASHA256 -b 2048 fudo.ca
 * (A 1024-bit RSA ZSK was common practice when these notes were written but is weak by current standards; for new keys use at least 2048-bit RSA, or ECDSAP256SHA256 where the server supports it.)
 * Modify the nameserver to sign and maintain the zone. With inline-signing, named leaves pri/fudo.ca untouched and writes the signed copy to pri/fudo.ca.signed:
 * zone "fudo.ca" in { type master; file "pri/fudo.ca"; key-directory "/etc/bind/keys"; auto-dnssec maintain; inline-signing yes; };
 * Reload the nameserver and watch the log for the zone being signed:
 * [reaper@olympus bind]# rndc reload; tail -f /var/log/bind/named.log
 * Publish DS records at the registrar. dnssec-dsfromkey reads the KSK's .key file (the suffix may be omitted) and prints one DS record per digest type:
 * [root@srv1 keys]# dnssec-dsfromkey Kfudo.ca.+008+30190
 * fudo.ca. IN DS 30190 8 1 2C9919DE89D2017FB12CC58CF3C042BA728B468D
 * fudo.ca. IN DS 30190 8 2 E9DF5ECD28C3CD875A5B46C868F84D3801B9320D594E373EB9CB372687859D21
 * Give the registrar the digest type 2 (SHA-256) record; SHA-1 (type 1) DS records are deprecated and should not be published for new delegations.

Howto modify Fudo.org
As of 2015-11, fudo is using Bind 9.9, running on olympus.

With inline-signing, Bind 9.9 signs the zone automatically from the plain-text zone file. You only ever edit the unsigned file; named keeps the signed copy (fudo.org.signed) up to date itself.

Edit the zone file, increment the serial, and run rndc reload fudo.org. named re-signs the changed records and publishes the new signed zone to the slaves.

Bind 9.6 method
As of 2012-12-03, we have signed the fudo.org zone. To be clear, DNSSEC is turned on for all of fudo.org. When you modify the fudo.org zone, you have some additional steps to perform. After you modify the zone, you need to sign it.

Here's how you should do it, on Thor:


 * Edit the file as normal, increment the serial:
 * sudo vim fudo.org
 * Sign the zone. dnssec-signzone writes the signed zone to fudo.org.signed, which is the file named.conf should load:
 * sudo dnssec-signzone fudo.org
 * Reload the zone and watch the log to confirm it was loaded. You should see the slaves load the zone after a few seconds as well:
 * sudo rndc reload; tail -f /var/log/bind/named.log

In the future there may be better ways, or things may become more automated. For now we are using pretty raw tools, not automated in any way; since the idea is to learn, this is OK. One thing to keep in mind with manual signing: the RRSIG records expire (30 days after signing by default), so the zone has to be re-signed on a schedule even when nothing in it changes, or validating resolvers will start failing lookups for fudo.org.

MBIX.ca

 * New in 2015-11

Log of actions taken on srv1.mbix.ca, running CentOS 6.5 with BIND 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1.

We will sign as16395.net.

First, create a Zone Signing Key (ZSK):

[root@srv1 zones]# dnssec-keygen -r /dev/urandom -a RSASHA256 -b 1024 -n ZONE as16395.net
Generating key pair................++++++ .........................++++++
Kas16395.net.+008+57213

Create a Key Signing Key (KSK) using more bits:

[root@srv1 zones]# dnssec-keygen -f KSK -r /dev/urandom -a RSASHA256 -b 2048 -n ZONE as16395.net
Generating key pair...........................................................+++ .......+++
Kas16395.net.+008+03289

We now have the 2 keys needed for DNSSEC signing. I moved them to the keys directory:

[root@srv1 zones]# mv K* ../keys/

Set the key permissions so the private halves can be read by named (I created them as root). Only the named group gets read access; the .private files must never be world-readable:

[root@srv1 keys]# chown :named *
[root@srv1 keys]# chmod g+r *.private

We want BIND to auto-sign the zone and to refresh signatures as needed (roughly monthly if the zone is not otherwise changed). With BIND 9.8, auto-dnssec maintain only works on a dynamic zone, so from now on this zone has to be updated with nsupdate rather than by editing the zone file. Bind 9.9 adds inline-signing, which removes that restriction.

We are now adding to the zone statement:
 * update-policy local; to allow nsupdate (run as nsupdate -l, using the local session key) to function
 * key-directory "/etc/named/keys"; to specify where keys are found (named picks the right files by the zone name embedded in the key filename)
 * auto-dnssec maintain; tells BIND to sign the zone, refresh signatures, and publish or retire keys according to the timing metadata in the key files

zone "as16395.net." {
    type master;
    file "/etc/named/zones/as16395.net";
    key-directory "/etc/named/keys";
    update-policy local;
    auto-dnssec maintain;
    allow-transfer { key "mbix-master"; };
    also-notify { 162.219.53.35; 162.219.53.235; }; // D-ZONE MASTERS
};

Now, sign the zone with an rndc command:

[root@srv1 keys]# rndc sign as16395.net; tail -f /var/log/named/named.log
06-Nov-2015 13:28:49.733 general: info: received control channel command 'sign as16395.net'
06-Nov-2015 13:28:49.733 general: info: zone as16395.net/IN: reconfiguring zone keys
06-Nov-2015 13:28:49.784 general: info: zone as16395.net/IN: next key event: 06-Nov-2015 14:28:49.733
06-Nov-2015 13:28:49.784 notify: info: zone as16395.net/IN: sending notifies (serial 2015110404)
06-Nov-2015 13:28:49.920 xfer-out: info: client 162.219.53.35#55674: transfer of 'as16395.net/IN': IXFR started: TSIG mbix-master
06-Nov-2015 13:28:49.921 xfer-out: info: client 162.219.53.35#55674: transfer of 'as16395.net/IN': IXFR ended
06-Nov-2015 13:28:50.388 xfer-out: info: client 162.219.53.235#26127: transfer of 'as16395.net/IN': IXFR started: TSIG mbix-master
06-Nov-2015 13:28:50.389 xfer-out: info: client 162.219.53.235#26127: transfer of 'as16395.net/IN': IXFR ended
06-Nov-2015 13:28:54.733 notify: info: zone as16395.net/IN: sending notifies (serial 2015110406)

Now, [root@srv1 keys]# dig +dnssec @localhost www.as16395.net returns RRSIG records alongside the answer, and the zone apex carries DNSKEY records for both keys.

The zone is now signed. HOWEVER, there is no trust chain from the .net servers to as16395.net: a validating resolver cannot yet tell our DNSKEY from an attacker's. We need to get our DS record installed in the .net zone, which is done through the registrar.

I did this using OpenSRS, but where can I find my DS records?

[root@srv1 zones]# dnssec-dsfromkey -f as16395.net > dsset-as16395.net
[root@srv1 zones]# cat dsset-as16395.net
as16395.net. IN DS 3289 8 1 1DCF1448F6FA3BD38D46218AB120A4CDFDE6E32F
as16395.net. IN DS 3289 8 2 67CC93AA86AD77BDC7E89AAF98E544F7BD3352C259170F87CC9EEE89 FE52763A

This puts the DS records in a file, for later easy reference. In the second line the key tag is 3289 (matching the KSK filename Kas16395.net.+008+03289), the algorithm is 8 (RSASHA256), the digest type is 2 (SHA-256), and the digest is 67CC93AA86AD77BDC7E89AAF98E544F7BD3352C259170F87CC9EEE89FE52763A (dnssec-dsfromkey wraps it across two words; the registrar's form wants it as one string). Give that record to your domain registrar. Skip the type 1 (SHA-1) line, which is deprecated. Once the registrar has published it, dig DS as16395.net should return the same record from the .net servers.
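The "publish DS records" step above (and the same step in the BIND 9.9 section) relies on dnssec-dsfromkey, and a mistake in what you paste into the registrar's form silently breaks the trust chain. As an added example, not part of these notes and not BIND code, the following Python recomputes what dnssec-dsfromkey does (RFC 4034 key tag and DS digest over the canonical owner name plus DNSKEY RDATA), parses dsset-style DS lines (including the wrapped digest), checks a DS line for length, hex and deprecated-digest problems, and confirms that a DS line really was derived from a given DNSKEY. The DNSKEY it uses is a constructed toy key for example.net with 4 bytes of key material (so the key tag can be checked by hand); the two DS lines are the ones from the dsset file above, used only as parser input.

```python
"""Derive and sanity-check DS records from a DNSKEY (RFC 4034 section 5.1.4 and Appendix B).

Added example, not part of the original notes and not BIND code. The DNSKEY
at the bottom is a constructed toy key with 4 bytes of public-key material so
the key-tag arithmetic can be followed by hand; real RSASHA256 public keys are
hundreds of bytes long.
"""
import hashlib
import struct

# DS digest types (RFC 4034, RFC 4509, RFC 6605). RFC 8624 says SHA-1 (type 1)
# must no longer be used to generate DS records, so it is flagged below.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
DEPRECATED_DIGEST_TYPES = {1}


def wire_name(name):
    """Owner name in canonical wire form: lowercase, length-prefixed labels, root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except RSAMD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """Return the DS RR for this DNSKEY in presentation format, as dnssec-dsfromkey prints it."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DIGEST_ALGS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return f"{owner.rstrip('.')}. IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def parse_ds(line):
    """Parse 'owner [ttl] IN DS tag alg dtype digest...'; dsset- files split the digest across words."""
    fields = line.split()
    i = fields.index("DS")
    owner = fields[0].rstrip(".").lower() + "."
    tag, alg, dtype = int(fields[i + 1]), int(fields[i + 2]), int(fields[i + 3])
    digest = "".join(fields[i + 4:]).upper()
    return owner, tag, alg, dtype, digest


def check_ds(line):
    """Return a list of problems with a DS line; an empty list means it looks safe to publish."""
    _, _, _, dtype, digest = parse_ds(line)
    problems = []
    if any(c not in "0123456789ABCDEF" for c in digest):
        problems.append("digest is not hex")
    if dtype not in DIGEST_ALGS:
        problems.append(f"unknown digest type {dtype}")
    elif len(digest) != 2 * DIGEST_ALGS[dtype]().digest_size:
        problems.append(f"digest length {len(digest)} does not match digest type {dtype}")
    if dtype in DEPRECATED_DIGEST_TYPES:
        problems.append("SHA-1 DS digests are deprecated; publish the type 2 (SHA-256) record instead")
    return problems


def ds_matches_dnskey(ds_line, owner, flags, protocol, algorithm, pubkey):
    """True if the DS line was derived from this DNSKEY: the check to run before handing a DS to the registrar."""
    parsed = parse_ds(ds_line)
    if parsed[3] not in DIGEST_ALGS:
        return False
    expected = parse_ds(ds_record(owner, flags, protocol, algorithm, pubkey, parsed[3]))
    return parsed == expected


# Constructed toy KSK: flags 257 (KSK), protocol 3, algorithm 8 (RSASHA256), 4 key bytes.
TOY_KEY = ("example.net.", 257, 3, 8, bytes.fromhex("00010203"))

# DS lines copied from the dsset-as16395.net file on this page, used here as parser input.
PAGE_DS_SHA1 = "as16395.net. IN DS 3289 8 1 1DCF1448F6FA3BD38D46218AB120A4CDFDE6E32F"
PAGE_DS_SHA256 = ("as16395.net. IN DS 3289 8 2 67CC93AA86AD77BDC7E89AAF98E544F7BD3352C259170F87CC9EEE89 "
                  "FE52763A")

if __name__ == "__main__":
    # Toy key tag is (0x0101 + 0x0308 + 0x0001 + 0x0203) & 0xFFFF = 1549
    print(ds_record(*TOY_KEY))
    for line in (PAGE_DS_SHA1, PAGE_DS_SHA256):
        print(line.split()[3:6], check_ds(line) or "ok")
```

To check a real key, read the public-key field of the KSK's .key file, base64-decode it, and pass flags 257, protocol 3 and the algorithm number from that file to ds_matches_dnskey together with the DS line you are about to give the registrar; a False result means the tag, algorithm, owner or digest you copied does not belong to that key.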

When that's complete, you can use DNSViz (http://dnsviz.net) to see the results: it draws the chain from the root through .net to as16395.net and flags any missing or mismatched DS.