Inhaltsverzeichnis

DNSSec
DNSSec for Caching DNS Servers
DNSSec for Servers
DANE
OLD DNSSec for Servers
- Automation on the server
- Further Links

DNSSec

DNSSec for Caching DNS Servers

Add the following into your named.conf:

options {
     dnssec-enable yes;
     dnssec-validation auto;
};

Restart your DNS server now with:

/etc/rc.d/named restart

To test it you should execute the command and the RRSIG should be displayed:

dig +dnssec isc.org soa

You should see in the flags ad that ensures that the everything is fine:

;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

DNSSec for Servers

We use a complete new feature of bind 9.9.5-P1. Bind will handle all the key and signing for us. So it is not necessary to resign your zones after one month, bind will do that automatically for you.

I assume you have your configuration in folder:

/usr/local/etc/namedb

Zonefiles are in:

/usr/local/etc/namedb/master

Keyfiles in:

/usr/local/etc/namedb/keys

To start:

mkdir -p /usr/local/etc/namedb/keys
chown bind:bind /usr/local/etc/namedb/keys
chown bind:bind /usr/local/etc/namedb/master

Edit your named.conf:

options {
...
        // enable dnssec
        dnssec-enable yes;
        dnssec-validation auto;
        managed-keys-directory "working/";
        key-directory "keys/";
        allow-new-zones yes;
}

logging {
        channel log_zone_transfers {
                file "/var/log/named/named-axfr.log";
                print-time yes;
                print-category yes;
                print-severity yes;
                };
        channel named_log {
                file "/var/log/named/named.log" versions 3 size 2m;
                severity info;
                print-severity yes;
                print-time yes;
                print-category yes;
        };
        category xfer-in { log_zone_transfers; };
        category xfer-out { log_zone_transfers; };
        category notify { log_zone_transfers; };
        category default { named_log; };
        category lame-servers { null; };
};

Define your zone like this:

zone "fechner.net" {
        type master;
        file "master/fechner.net/fechner.net";
        allow-transfer { inwx; };
        auto-dnssec maintain;
        inline-signing yes;
};

Now we generate the keys using RSA and SHA512:

cd /usr/local/etc/namedb/keys
dnssec-keygen -3 -a RSASHA512 -b 4096 fechner.net
dnssec-keygen -3 -a RSASHA512 -b 4096 -f KSK fechner.net

We load the keys:

rndc loadkeys fechner.net

you should see in the log file something like (if not check that bind can write to the directory where the zone file is located, as bind generate some additional files there):

28-Jul-2014 16:04:55.746 general: info: zone fechner.net/IN (signed): reconfiguring zone keys
28-Jul-2014 16:04:55.748 general: info: zone fechner.net/IN (signed): next key event: 28-Jul-2014 17:04:55.746

Queue them for automatic signing:

rndc signing -nsec3param 1 0 10 `hexdump -n 8 -v -e '/1 "%02X"' /dev/urandom` fechner.net.

If everything is currect you should see your dnskey with:

dig @localhost dnskey fechner.net.

To display the zone including the dynamically added key and signatures execute:

cd /usr/local/etc/namedb/master/fechner.net
named-checkzone -D -f raw -o - fechner.net fechner.net.signed | less

To get the fingerprint of your signing key we can execute this:

dig @localhost dnskey fechner.net | dnssec-dsfromkey -f - fechner.net

Missing step is now to add anchor of trust.

rndc signing -list fechner.net

To read the content of the fechner.net.signed:

named-checkzone -D -f raw -o - fechner.net fechner.net.signed

DANE

Postfix

cd /usr/local/etc/apache24/ssl_keys
openssl x509 -in newcert.pem -outform DER |openssl sha256

Take the fingerprint and create a new line in your zone file:

_25._tcp.<domain>. 1H IN TLSA 3 0 1 <fingerprint>
_465._tcp.<domain>. 1H IN TLSA 3 0 1 <fingerprint>

or with sha512:

cd /usr/local/etc/apache24/ssl_keys
openssl x509 -in newcert.pem -outform DER |openssl sha512

_25._tcp.<domain>. 1H IN TLSA 3 0 2 <fingerprint>
_465._tcp.<domain>. 1H IN TLSA 3 0 2 <fingerprint>

SSH

cd /usr/ports/dns/sshfp
make install clean
sshfp idefix.fechner.net

Take the line and add it to your zonefile:

idefix.fechner.net IN SSHFP 1 1 26282825A61D967F751BB74E8B7930FCF3A25120
idefix.fechner.net IN SSHFP 2 1 963DDFF48B3FCCC379AC07D5A7759C89EA2B45B7

Make sure to add a dot after the hostname.

Check records

https://de.ssl-tools.net

DNSSEC for clients starting FreeBSD 10

echo 'local_unbound_enable="YES"' >> /etc/rc.conf

Check every nameserver from /etc/resolv.conf:

drill -S fechner.net @213.133.98.98

Start unbound to generate new config files:

service local_unbound onestart

Recheck resolving:

drill -S fechner.net

;; Chasing: fechner.net. A
Warning: No trusted keys specified


DNSSEC Trust tree:
fechner.net. (A)
|---fechner.net. (DNSKEY keytag: 37748 alg: 10 flags: 256)
    |---fechner.net. (DNSKEY keytag: 64539 alg: 10 flags: 257)
    |---fechner.net. (DS keytag: 64539 digest type: 1)
    |   |---net. (DNSKEY keytag: 6647 alg: 8 flags: 256)
    |       |---net. (DNSKEY keytag: 35886 alg: 8 flags: 257)
    |       |---net. (DS keytag: 35886 digest type: 2)
    |           |---. (DNSKEY keytag: 22603 alg: 8 flags: 256)
    |               |---. (DNSKEY keytag: 19036 alg: 8 flags: 257)
    |---fechner.net. (DS keytag: 64539 digest type: 2)
        |---net. (DNSKEY keytag: 6647 alg: 8 flags: 256)
            |---net. (DNSKEY keytag: 35886 alg: 8 flags: 257)
            |---net. (DS keytag: 35886 digest type: 2)
                |---. (DNSKEY keytag: 22603 alg: 8 flags: 256)
                    |---. (DNSKEY keytag: 19036 alg: 8 flags: 257)
You have not provided any trusted keys.
;; Chase successful

OLD DNSSec for Servers

http://alan.clegg.com/files/DNSSEC_in_6_minutes.pdf

Create the ZSK:

dnssec-keygen -a RSASHA1 -b 1024 -n ZONE idefix.lan

Create the KSK:

dnssec-keygen -a RSASHA1 -b 4096 -n ZONE -f KSK idefix.lan

Add the keys to your zone file:

cat K*.key >> idefix.lan

Sign the zone:

dnssec-signzone -N INCREMENT -l dlv.isc.org. idefix.lan

Now change the file loaded to the signed one:

zone "idefix.lan" IN {
    file "/etc/namedb/master/idefix.lan.signed";
};

Reload the zone with:

rndc reconfig
rndc flush

Automation on the server

We start to install a toolset to automate all the resigning and recreation (rolling) of the keys.

cd /usr/ports/security/softhsm
make install
make clean
cd /usr/ports/dns/opendnssec
make install
make clean

Configure some basic settings like pin in /usr/local/etc/opendnssec/conf.xml. Also set in section Signer:

<NotifyCommand>/usr/sbin/rndc reload %zone</NotifyCommand>

Now we create the key holding database:

softhsm --init-token --slot 0 --label "OpenDNSSEC"

Enter the pin used in the config.xml.

Setup the database with:

ods-ksmutil setup

Create a start-up file that start opendnssec everytime you start your server. Create for this the file /usr/local/etc/rc.d/opendnssec:

  - !/bin/sh

  -  PROVIDE: opendnssec
  -  REQUIRE: named

  - 
  -  Add the following line to /etc/rc.conf to enable radvd:
  - 
  -  opendnssec_enable="YES"
  - 

. /etc/rc.subr

name=opendnssec
rcvar=`set_rcvar`

pidfile=/usr/local/var/run/opendnssec/signerd.pid
command="/usr/local/sbin/ods-control"
command_args="start"

load_rc_config $name
> ${opendnssec_enable="no"}

run_rc_command "$1"

And make it executeable with:

chmod +x /usr/local/etc/rc.d/opendnssec

Now enable the startup script in /etc/rc.conf with:

opendnssec="YES"

and start it with

/usr/local/etc/rc.d/opendsnsec start

Check the logfile /var/log/messages that everything is fine.

Now add the zones with:

ods-ksmutil zone add --zone example.com

Further Links

https://sys4.de/de/blog/2014/05/24/einen-tlsa-record-fuer-dane-mit-bind-9-publizieren/

Idefix's Wiki

Benutzer-Werkzeuge

Webseiten-Werkzeuge