Add the following into your named.conf:
options {
    dnssec-enable yes;
    dnssec-validation auto;
};
Restart your DNS server now with:
/etc/rc.d/named restart
To test it, run the following command; the answer should now contain RRSIG records:
dig +dnssec isc.org soa
In the flags of the response header you should see ad (authenticated data), which confirms that validation succeeded:
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
We use a completely new feature of BIND 9.9.5-P1: BIND handles all key management and signing for us, so it is not necessary to re-sign your zones after a month; BIND does that automatically.
I assume you have your configuration in the folder:
/usr/local/etc/namedb
Zone files are in:
/usr/local/etc/namedb/master
Key files are in:
/usr/local/etc/namedb/keys
To start:
mkdir -p /usr/local/etc/namedb/keys
chown bind:bind /usr/local/etc/namedb/keys
chown bind:bind /usr/local/etc/namedb/master
Edit your named.conf:
options {
    ...
    // enable dnssec
    dnssec-enable yes;
    dnssec-validation auto;
    managed-keys-directory "working/";
    key-directory "keys/";
    allow-new-zones yes;
};

logging {
    channel log_zone_transfers {
        file "/var/log/named/named-axfr.log";
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    channel named_log {
        file "/var/log/named/named.log" versions 3 size 2m;
        severity info;
        print-severity yes;
        print-time yes;
        print-category yes;
    };
    category xfer-in { log_zone_transfers; };
    category xfer-out { log_zone_transfers; };
    category notify { log_zone_transfers; };
    category default { named_log; };
    category lame-servers { null; };
};
Define your zone like this:
zone "fechner.net" {
    type master;
    file "master/fechner.net/fechner.net";
    allow-transfer { inwx; };
    auto-dnssec maintain;
    inline-signing yes;
};
Now we generate the keys using RSA and SHA512:
cd /usr/local/etc/namedb/keys
dnssec-keygen -3 -a RSASHA512 -b 4096 fechner.net
dnssec-keygen -3 -a RSASHA512 -b 4096 -f KSK fechner.net
We load the keys:
rndc loadkeys fechner.net
You should see something like this in the log file (if not, check that BIND can write to the directory containing the zone file, because BIND generates some additional files there):
28-Jul-2014 16:04:55.746 general: info: zone fechner.net/IN (signed): reconfiguring zone keys
28-Jul-2014 16:04:55.748 general: info: zone fechner.net/IN (signed): next key event: 28-Jul-2014 17:04:55.746
Queue them for automatic signing:
rndc signing -nsec3param 1 0 10 `hexdump -n 8 -v -e '/1 "%02X"' /dev/urandom` fechner.net.
If everything is correct you should see your DNSKEY with:
dig @localhost dnskey fechner.net.
To display the zone including the dynamically added key and signatures execute:
cd /usr/local/etc/namedb/master/fechner.net
named-checkzone -D -f raw -o - fechner.net fechner.net.signed | less
In the DNSKEY records, the KSK has the flags value 257 and the ZSK 256.
dig +multi fechner.net DNSKEY
...
fechner.net. 3600 IN DNSKEY 256 3 13 (
    yZQLC3g4RnT2knGmQBJABr9PxjnhcIZuY2mpFT+mb2M2
    VVWWP+EY//A/fbqCoqfZMneUmVCz+6rzSRCg7xPNlg==
    ) ; ZSK; alg = ECDSAP256SHA256 ; key id = 31203
fechner.net. 3600 IN DNSKEY 257 3 13 (
    /W0+wjfR0nKcRiyL3tYYjz1QHffK0ynn5/b2N6oYDbE8
    zRzoU11XkeQ8pX8lok66EcRFUQtkyRySw65G8Bbsdg==
    ) ; KSK; alg = ECDSAP256SHA256 ; key id = 15520
...
So the key id of the KSK is 15520. We use this key id in the next command to get the DS record, which the parent zone needs to complete the chain of trust.
To get the DS record (the fingerprint) of your signing key, execute one of the following commands:
dig @localhost dnskey fechner.net | dnssec-dsfromkey -f - fechner.net
# or (13 is the algorithm, 15520 is the key id)
dnssec-dsfromkey Kfechner.net.+013+15520.key
For INWX go in the webinterface to Nameserver→DNSSEC and click on `DNSSEC hinzufügen`. Remove checkbox for `automatischer Modus`.
Fill in your domain: fmdata.net.
To get the keyid for the KSK you can use:
dig dnskey fmdata.net. +multi
;; ANSWER SECTION:
fmdata.net. 3411 IN DNSKEY 256 3 13 (
    WcoWkUyFAX+51FQGPI70nyTHPWagCJZZq/GmhKg8sxK2
    ZPQh6Cu+dpfLrAWxr8udthyJeFCscaPsv1+3mMVT2A==
    ) ; ZSK; alg = ECDSAP256SHA256 ; key id = 38157
fmdata.net. 3411 IN DNSKEY 257 3 13 (
    sd2MViZMwa7hpKUMCKlZWFMwUJVYO31q+Fzte9IFUHVe
    wQwvbdb9Ah9Si9mV6lSLqJOPvews+ytYoICE/7MmbQ==
    ) ; KSK; alg = ECDSAP256SHA256 ; key id = 7947
So the key id we need here for the KSK is 7947. You now have two ways to get the record (I suggest doing both and making sure they match). From your keys directory:
cat Kfmdata.net.+013+07947.key
...
fmdata.net. 3600 IN DNSKEY 257 3 13 sd2MViZMwa7hpKUMCKlZWFMwUJVYO31q+Fzte9IFUHVewQwvbdb9Ah9S i9mV6lSLqJOPvews+ytYoICE/7MmbQ==
Using dig (make sure you take the 257!):
dig dnskey fmdata.net. +dnssec
...
fmdata.net. 3201 IN DNSKEY 257 3 13 sd2MViZMwa7hpKUMCKlZWFMwUJVYO31q+Fzte9IFUHVewQwvbdb9Ah9S i9mV6lSLqJOPvews+ytYoICE/7MmbQ==
...
Make sure you remove the TTL, so use the following line:
fmdata.net. IN DNSKEY 257 3 13 sd2MViZMwa7hpKUMCKlZWFMwUJVYO31q+Fzte9IFUHVewQwvbdb9Ah9S i9mV6lSLqJOPvews+ytYoICE/7MmbQ==
Put this line into the first field (DNSKEY RR:).
To get the DS:
dnssec-dsfromkey Kfmdata.net.+013+07947.key
fmdata.net. IN DS 7947 13 2 05F14B98499079F564FA8DFAAAC06051F9929B8AB3921F2FA354E17C39F9CBA6
Compare this with:
dig dnskey fmdata.net. +dnssec | dnssec-dsfromkey -f - fmdata.net.
fmdata.net. IN DS 7947 13 2 05F14B98499079F564FA8DFAAAC06051F9929B8AB3921F2FA354E17C39F9CBA6
If they match, insert this line into the second field in the web interface (DS Record:).
The step still missing is adding the trust anchor. To list the signing status of the zone:
rndc signing -list fechner.net
To read the content of fechner.net.signed:
named-checkzone -D -f raw -o - fechner.net fechner.net.signed
For TLSA (DANE) records, compute the SHA-256 fingerprint of your certificate in DER form:
cd /usr/local/etc/apache24/ssl_keys
openssl x509 -in newcert.pem -outform DER | openssl sha256
Take the fingerprint and create a new line in your zone file:
_25._tcp.<domain>. 1H IN TLSA 3 0 1 <fingerprint>
_465._tcp.<domain>. 1H IN TLSA 3 0 1 <fingerprint>
or with sha512:
cd /usr/local/etc/apache24/ssl_keys
openssl x509 -in newcert.pem -outform DER | openssl sha512
_25._tcp.<domain>. 1H IN TLSA 3 0 2 <fingerprint>
_465._tcp.<domain>. 1H IN TLSA 3 0 2 <fingerprint>
For SSHFP records, install the sshfp tool from ports and let it generate the records for your host:
cd /usr/ports/dns/sshfp
make install clean
sshfp idefix.fechner.net
Take the lines and add them to your zone file:
idefix.fechner.net IN SSHFP 1 1 26282825A61D967F751BB74E8B7930FCF3A25120
idefix.fechner.net IN SSHFP 2 1 963DDFF48B3FCCC379AC07D5A7759C89EA2B45B7
Make sure to add a dot after the hostname.
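Both the TLSA and the SSHFP records above are hashes over local material plus a fixed record layout, and the two most common mistakes are hashing the wrong bytes (PEM instead of DER, the base64 text instead of the decoded key blob) and forgetting the trailing dot. The following is an added example, not code from the page or from the sshfp tool: it builds the TLSA records for ports 25 and 465 with either matching type, checks an existing TLSA record against a certificate, and builds SSHFP records from an OpenSSH public-key line with the trailing dot already in place. The certificate bytes and the host key are constructed placeholders, not real keys.

```python
# Added example (not from the page): build TLSA (DANE) and SSHFP records with
# hashlib only, and check an existing TLSA record against a certificate.
import base64
import hashlib

# Constructed stand-ins. In practice read the certificate with
# `openssl x509 -in newcert.pem -outform DER` and the host key from
# /etc/ssh/ssh_host_ed25519_key.pub; the bytes below are placeholders, not real keys.
CERT_DER = b"\x30\x82\x01\x00" + bytes(range(256))


def _ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return len(data).to_bytes(4, "big") + data


HOST_KEY_LINE = "ssh-ed25519 " + base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(b"\x11" * 32)).decode("ascii") + " root@idefix"

# TLSA matching types (RFC 6698): 0 = exact data, 1 = SHA-256, 2 = SHA-512
TLSA_MATCHING = {1: hashlib.sha256, 2: hashlib.sha512}
# SSHFP algorithm and fingerprint-type numbers (RFC 4255, RFC 6594, RFC 7479)
SSHFP_ALG = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
             "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def _tlsa_data(der, selector, mtype):
    """Certificate association data for selector 0 (whole certificate)."""
    if selector != 0:
        raise NotImplementedError("selector 1 (SubjectPublicKeyInfo) needs an ASN.1 parser")
    return TLSA_MATCHING[mtype](der).hexdigest() if mtype else der.hex()


def tlsa_records(domain, der, ports=(25, 465), usage=3, selector=0, mtype=1, ttl="1H"):
    """DANE-EE (usage 3) records over the whole certificate (selector 0), one per TCP port."""
    data = _tlsa_data(der, selector, mtype)
    owner = domain.rstrip(".")
    return [f"_{port}._tcp.{owner}. {ttl} IN TLSA {usage} {selector} {mtype} {data}"
            for port in ports]


def tlsa_matches(record, der):
    """True if a presentation-format TLSA record describes this DER certificate."""
    fields = record.split()
    i = fields.index("TLSA")
    selector, mtype = (int(x) for x in fields[i + 2:i + 4])
    published = "".join(fields[i + 4:]).lower()
    return published == _tlsa_data(der, selector, mtype)


def sshfp_records(hostname, pubkey_line, fptypes=(1, 2)):
    """SSHFP records for one host key; the fingerprint is a hash of the decoded key blob."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    owner = hostname.rstrip(".") + "."   # trailing dot, so the zone origin is not appended
    return [f"{owner} IN SSHFP {SSHFP_ALG[keytype]} {t} {SSHFP_HASH[t](blob).hexdigest().upper()}"
            for t in fptypes]


if __name__ == "__main__":
    for rr in tlsa_records("fechner.net", CERT_DER) + tlsa_records("fechner.net", CERT_DER, mtype=2):
        print(rr)
    for rr in sshfp_records("idefix.fechner.net", HOST_KEY_LINE):
        print(rr)
```

`tlsa_matches` is the check to run after a certificate renewal: with usage 3 and selector 0 the record is tied to the exact certificate, so a renewed certificate makes the old record fail and mail peers doing DANE will refuse the connection until the record is updated. Selector 1 (public key only) survives renewals that keep the key, but needs an ASN.1 parser to extract the SubjectPublicKeyInfo, which this example leaves out.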
To run a validating resolver on the host itself, enable local_unbound in /etc/rc.conf:
echo 'local_unbound_enable="YES"' >> /etc/rc.conf
Check every nameserver from /etc/resolv.conf:
drill -S fechner.net @213.133.98.98
Start unbound to generate new config files:
service local_unbound onestart
Recheck resolving:
drill -S fechner.net
;; Chasing: fechner.net. A
Warning: No trusted keys specified
DNSSEC Trust tree:
fechner.net. (A)
|---fechner.net. (DNSKEY keytag: 37748 alg: 10 flags: 256)
    |---fechner.net. (DNSKEY keytag: 64539 alg: 10 flags: 257)
        |---fechner.net. (DS keytag: 64539 digest type: 1)
        |   |---net. (DNSKEY keytag: 6647 alg: 8 flags: 256)
        |       |---net. (DNSKEY keytag: 35886 alg: 8 flags: 257)
        |           |---net. (DS keytag: 35886 digest type: 2)
        |               |---. (DNSKEY keytag: 22603 alg: 8 flags: 256)
        |                   |---. (DNSKEY keytag: 19036 alg: 8 flags: 257)
        |---fechner.net. (DS keytag: 64539 digest type: 2)
            |---net. (DNSKEY keytag: 6647 alg: 8 flags: 256)
                |---net. (DNSKEY keytag: 35886 alg: 8 flags: 257)
                    |---net. (DS keytag: 35886 digest type: 2)
                        |---. (DNSKEY keytag: 22603 alg: 8 flags: 256)
                            |---. (DNSKEY keytag: 19036 alg: 8 flags: 257)
You have not provided any trusted keys.
;; Chase successful
Reference for the manual signing method that follows: http://alan.clegg.com/files/DNSSEC_in_6_minutes.pdf
Create the ZSK:
dnssec-keygen -a RSASHA1 -b 1024 -n ZONE idefix.lan
Create the KSK:
dnssec-keygen -a RSASHA1 -b 4096 -n ZONE -f KSK idefix.lan
Add the keys to your zone file:
cat K*.key >> idefix.lan
Sign the zone:
dnssec-signzone -N INCREMENT -l dlv.isc.org. idefix.lan
Now change the file loaded to the signed one:
zone "idefix.lan" IN { file "/etc/namedb/master/idefix.lan.signed"; };
Reload the zone with:
rndc reconfig
rndc flush
Next we install a toolset that automates the re-signing and the re-creation (rolling) of the keys.
cd /usr/ports/security/softhsm
make install
make clean
cd /usr/ports/dns/opendnssec
make install
make clean
Configure some basic settings like the PIN in /usr/local/etc/opendnssec/conf.xml. Also set this in the Signer section:
<NotifyCommand>/usr/sbin/rndc reload %zone</NotifyCommand>
Now we create the database that holds the keys:
softhsm --init-token --slot 0 --label "OpenDNSSEC"
Enter the PIN you set in conf.xml.
Set up the database with:
ods-ksmutil setup
Create a start-up script that starts OpenDNSSEC every time you boot your server. For this, create the file /usr/local/etc/rc.d/opendnssec:
#!/bin/sh
#
# PROVIDE: opendnssec
# REQUIRE: named
#
# Add the following line to /etc/rc.conf to enable opendnssec:
#
# opendnssec_enable="YES"
#

. /etc/rc.subr

name=opendnssec
rcvar=`set_rcvar`
pidfile=/usr/local/var/run/opendnssec/signerd.pid
command="/usr/local/sbin/ods-control"
command_args="start"

load_rc_config $name
: ${opendnssec_enable="no"}
run_rc_command "$1"
And make it executable with:
chmod +x /usr/local/etc/rc.d/opendnssec
Now enable the startup script in /etc/rc.conf with:
opendnssec_enable="YES"
and start it with:
/usr/local/etc/rc.d/opendnssec start
Check in the log file /var/log/messages that everything is fine.
Now add the zones with:
ods-ksmutil zone add --zone example.com