Bind

DNSSec

DNSSec for Caching DNS Servers

Add the following into your named.conf:

options {
     dnssec-enable yes;
     dnssec-validation auto;
};

Restart your DNS server now with:

/etc/rc.d/named restart

To test it you should execute the command and the RRSIG should be displayed:

dig +dnssec isc.org soa

You should see in the flags ad that ensures that everything is fine:

;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

DNSSec for Servers

We use a complete new feature of bind 9.9.5-P1. Bind will handle all the key and signing for us. So it is not necessary to resign your zones after one month, bind will do that automatically for you.

I assume you have your configuration in folder:

/usr/local/etc/namedb

Zonefiles are in:

/usr/local/etc/namedb/master

Keyfiles in:

/usr/local/etc/namedb/keys

To start:

mkdir -p /usr/local/etc/namedb/keys
chown bind:bind /usr/local/etc/namedb/keys
chown bind:bind /usr/local/etc/namedb/master

Edit your named.conf:

options {
...
        // enable dnssec
        dnssec-enable yes;
        dnssec-validation auto;
        managed-keys-directory "/usr/local/etc/namedb/working/";
        key-directory "/usr/local/etc/namedb/keys/";
        allow-new-zones yes;
}

logging {
        channel log_zone_transfers {
                file "/var/log/named/named-axfr.log";
                print-time yes;
                print-category yes;
                print-severity yes;
                };
        channel named_log {
                file "/var/log/named/named.log" versions 3 size 2m;
                severity info;
                print-severity yes;
                print-time yes;
                print-category yes;
        };
        category xfer-in { log_zone_transfers; };
        category xfer-out { log_zone_transfers; };
        category notify { log_zone_transfers; };
        category default { named_log; };
        category lame-servers { null; };
};

// define DNSSEC KASP
dnssec-policy one-year-zsk {
        keys {
                zsk lifetime 365d algorithm ecdsa256;
                ksk lifetime unlimited algorithm ecdsa256;
        };
};

Define your zone like this:

zone "fechner.net" {
        type master;
        file "/usr/local/etc/namedb/master/fechner.net/fechner.net";
        allow-transfer { inwx; };
        dnssec-policy "one-year-zsk";
        inline-signing yes;
};

Bind will now automatically create DNS keys for you and take care of renewal.

If everything is correct you should see your dnskey with:

dig @localhost dnskey fechner.net.

To display the zone including the dynamically added key and signatures execute:

cd /usr/local/etc/namedb/master/fechner.net
named-checkzone -D -f raw -o - fechner.net fechner.net.signed | less

The KSK has ID 257 and ZSK has 256.

dig +multi fechner.net DNSKEY
...
fechner.net.            3600 IN DNSKEY 256 3 13 (
                                yZQLC3g4RnT2knGmQBJABr9PxjnhcIZuY2mpFT+mb2M2
                                VVWWP+EY//A/fbqCoqfZMneUmVCz+6rzSRCg7xPNlg==
                                ) ; ZSK; alg = ECDSAP256SHA256 ; key id = 31203
fechner.net.            3600 IN DNSKEY 257 3 13 (
                                /W0+wjfR0nKcRiyL3tYYjz1QHffK0ynn5/b2N6oYDbE8
                                zRzoU11XkeQ8pX8lok66EcRFUQtkyRySw65G8Bbsdg==
                                ) ; KSK; alg = ECDSAP256SHA256 ; key id = 15520
...

So the keyid for the KSK 15520. We use this keyid in the next command to get the DS which is required for the parent for the chain of trust.

To get the fingerprint of your signing key we can execute one of the following command this:

dig @localhost dnskey fechner.net | dnssec-dsfromkey -f - fechner.net
# or (13 is the algo, 15520 is the keyid)
dnssec-dsfromkey Kfechner.net.+013+15520.key 

Register DNSKEY at Registrar

Example for INWX

For INWX go in the webinterface to Nameserver->DNSSEC and click on DNSSEC hinzufügen. Remove checkbox for automatischer Modus.

Fill your domain: fmdata.net.

To get the keyid for the KSK you can use:

dig dnskey fmdata.net. +multi
;; ANSWER SECTION:
fmdata.net.             3411 IN DNSKEY 256 3 13 (
                                WcoWkUyFAX+51FQGPI70nyTHPWagCJZZq/GmhKg8sxK2
                                ZPQh6Cu+dpfLrAWxr8udthyJeFCscaPsv1+3mMVT2A==
                                ) ; ZSK; alg = ECDSAP256SHA256 ; key id = 38157
fmdata.net.             3411 IN DNSKEY 257 3 13 (
                                sd2MViZMwa7hpKUMCKlZWFMwUJVYO31q+Fzte9IFUHVe
                                wQwvbdb9Ah9Si9mV6lSLqJOPvews+ytYoICE/7MmbQ==
                                ) ; KSK; alg = ECDSAP256SHA256 ; key id = 7947

So the keyid we need here for the KSK is 7947. You have now two possibilities to get the record (I suggest both and make sure they match): From your keys directory

cat Kfmdata.net.+013+07947.key
...
fmdata.net. 3600 IN DNSKEY 257 3 13 sd2MViZMwa7hpKUMCKlZWFMwUJVYO31q+Fzte9IFUHVewQwvbdb9Ah9S i9mV6lSLqJOPvews+ytYoICE/7MmbQ==

Using dig (make sure you take the 257!):

dig dnskey fmdata.net. +dnssec
...
fmdata.net.             3201    IN      DNSKEY  257 3 13 sd2MViZMwa7hpKUMCKlZWFMwUJVYO31q+Fzte9IFUHVewQwvbdb9Ah9S i9mV6lSLqJOPvews+ytYoICE/7MmbQ==
...

Make sure you remove the TTL so use the following line:

fmdata.net. IN DNSKEY 257 3 13 sd2MViZMwa7hpKUMCKlZWFMwUJVYO31q+Fzte9IFUHVewQwvbdb9Ah9S i9mV6lSLqJOPvews+ytYoICE/7MmbQ==

Put this line into the first field (DNSKEY RR:).

To get the DS:

dnssec-dsfromkey Kfmdata.net.+013+07947.key
fmdata.net. IN DS 7947 13 2 05F14B98499079F564FA8DFAAAC06051F9929B8AB3921F2FA354E17C39F9CBA6

Compare this with:

dig dnskey fmdata.net. +dnssec | dnssec-dsfromkey -f - fmdata.net.
fmdata.net. IN DS 7947 13 2 05F14B98499079F564FA8DFAAAC06051F9929B8AB3921F2FA354E17C39F9CBA6

If the match, insert this line into the second field in the webinterface (DS Record:).

Check

To read the content of the fechner.net.signed:

named-checkzone -D -f raw -o - fechner.net fechner.net.signed

DANE

Postfix

cd /usr/local/etc/apache24/ssl_keys
openssl x509 -in newcert.pem -outform DER |openssl sha256

Take the fingerprint and create a new line in your zone file:

_25._tcp.<domain>. 1H IN TLSA 3 0 1 <fingerprint>
_465._tcp.<domain>. 1H IN TLSA 3 0 1 <fingerprint>

or with sha512:

cd /usr/local/etc/apache24/ssl_keys
openssl x509 -in newcert.pem -outform DER |openssl sha512
_25._tcp.<domain>. 1H IN TLSA 3 0 2 <fingerprint>
_465._tcp.<domain>. 1H IN TLSA 3 0 2 <fingerprint>

SSH

cd /usr/ports/dns/sshfp
make install clean
sshfp idefix.fechner.net

Take the line and add it to your zonefile:

idefix.fechner.net IN SSHFP 1 1 26282825A61D967F751BB74E8B7930FCF3A25120
idefix.fechner.net IN SSHFP 2 1 963DDFF48B3FCCC379AC07D5A7759C89EA2B45B7

Make sure to add a dot after the hostname.

Check records

https://de.ssl-tools.net

DNSSEC for clients starting FreeBSD 10

echo 'local_unbound_enable="YES"' >> /etc/rc.conf

Check every nameserver from /etc/resolv.conf:

drill -S fechner.net @213.133.98.98

Start unbound to generate new config files:

service local_unbound onestart

Recheck resolving:

drill -S fechner.net
;; Chasing: fechner.net. A
Warning: No trusted keys specified


DNSSEC Trust tree:
fechner.net. (A)
|---fechner.net. (DNSKEY keytag: 37748 alg: 10 flags: 256)
    |---fechner.net. (DNSKEY keytag: 64539 alg: 10 flags: 257)
    |---fechner.net. (DS keytag: 64539 digest type: 1)
    |   |---net. (DNSKEY keytag: 6647 alg: 8 flags: 256)
    |       |---net. (DNSKEY keytag: 35886 alg: 8 flags: 257)
    |       |---net. (DS keytag: 35886 digest type: 2)
    |           |---. (DNSKEY keytag: 22603 alg: 8 flags: 256)
    |               |---. (DNSKEY keytag: 19036 alg: 8 flags: 257)
    |---fechner.net. (DS keytag: 64539 digest type: 2)
        |---net. (DNSKEY keytag: 6647 alg: 8 flags: 256)
            |---net. (DNSKEY keytag: 35886 alg: 8 flags: 257)
            |---net. (DS keytag: 35886 digest type: 2)
                |---. (DNSKEY keytag: 22603 alg: 8 flags: 256)
                    |---. (DNSKEY keytag: 19036 alg: 8 flags: 257)
You have not provided any trusted keys.
;; Chase successful

Manage your Zones with git and nsdiff / nsupdate (WIP)

The idea here is that you have all your zone data on another server in a directory that is managed via git. Changes can be applied directly via scripts to a server or can be pushed to gitlab and are automatically deployed via a pipeline.

It is only necessary to create a basic zonefile on the server and create a key that allows the remote update of the zone.

The DNSSEC keys, signing the zones, taking care of keys is all transparently done be the server.

So you can focus on the real work and get rid of all the administrative overhead.

Also using DNS based verification for wildcard certificates is possible

Configure the server

Create a key that is used to authenticate against the DNS server.

We use for the key name the FQDN of client and server and separate them with a -. Execute on the DNS Server:

cd /usr/local/etc/namedb
tsig-keygen clientFQDN-serverFQDN. >> keys.conf
chown bind:bind keys.conf
chmod 640 keys.conf

Now we edit named.conf and include the key just generated. I manage my master zone in an extra file, we include here too:

/usr/local/etc/namedb/named.conf
...
include "/usr/local/etc/namedb/keys.conf";
include "/usr/local/etc/namedb/named.zones.master";
...

Define the zone:

/usr/local/etc/namedb/named.zones.master
zone "fechner.net" {
        type master;
        file "/usr/local/etc/namedb/master/fechner.net/fechner.net";
        dnssec-policy "one-year-zsk";
        inline-signing yes;
        allow-transfer { key clientFQDN-serverFQDN.; };
        allow-update { key clientFQDN-serverFQDN.; };
};

Create the zone file and add a very basic definition:

mkdir -p /usr/local/etc/namedb/master/fechner.net

Edit the zone file:

/usr/local/etc/namedb/master/fechner.net
$TTL 1d ; 1 day
@                       IN SOA  ns.fechner.net. hostmaster.fechner.net. (
                                2023070201 ; serial
                                12h        ; refresh (12 hours)
                                2h         ; retry (2 hours)
                                3w         ; expire (3 weeks)
                                1d         ; minimum (1 day)
                                )

                        NS      ns.fechner.net.
                        NS      ns.catacombs.de.
ns                      A       89.58.45.13
ns                      AAAA    2a03:4000:67:cc1::2

Restart bind with:

service named restart

Configure the Client

The Client can be on the server and/or on another host. You should just ensure that you keep this directory or repository in sync, for this we use git.

I will not explain git here, I expect you know, if not, there are nice manuals existing. With normal user on your local computer the zonefiles are stored, I name the folder now zonefiles-fqdn-nameserver

At first, we need to install the tools required:

pkg install p5-DNS-nsdiff git
cd git/gitlab.fechner.net/zonefiles-fqdn-nameserver
mkdir fechner.net
touch fechner.net/fechner.net

Now edit you zone file that it matches your requirements.

You can diff your zone now to the zone on the server with:

#usage: nsdiff [options] <zone> [old] [new]
nsdiff  -k ../.key -S date -d fechner.net fechner.net

You can verify now if the changes are making sense.

If it makes sense you can apply it with:

nsdiff  -k ../.key -S date -d fechner.net fechner.net |nsupdate -k ../.key -d

OLD DNSSec for Servers

You do NOT want to do it this way anymore.

http://alan.clegg.com/files/DNSSEC_in_6_minutes.pdf

Create the ZSK:

dnssec-keygen -a RSASHA1 -b 1024 -n ZONE idefix.lan

Create the KSK:

dnssec-keygen -a RSASHA1 -b 4096 -n ZONE -f KSK idefix.lan

Add the keys to your zone file:

cat K*.key >> idefix.lan

Sign the zone:

dnssec-signzone -N INCREMENT -l dlv.isc.org. idefix.lan

Now change the file loaded to the signed one:

zone "idefix.lan" IN {
    file "/etc/namedb/master/idefix.lan.signed";
};

Reload the zone with:

rndc reconfig
rndc flush

Automation on the server

We start to install a toolset to automate all the resigning and recreation (rolling) of the keys.

cd /usr/ports/security/softhsm
make install
make clean
cd /usr/ports/dns/opendnssec
make install
make clean

Configure some basic settings like pin in /usr/local/etc/opendnssec/conf.xml. Also set in section Signer:

<NotifyCommand>/usr/sbin/rndc reload %zone</NotifyCommand>

Now we create the key holding database:

softhsm --init-token --slot 0 --label "OpenDNSSEC"

Enter the pin used in the config.xml.

Setup the database with:

ods-ksmutil setup

Create a start-up file that start opendnssec everytime you start your server. Create for this the file /usr/local/etc/rc.d/opendnssec:

  - !/bin/sh

  -  PROVIDE: opendnssec
  -  REQUIRE: named

  - 
  -  Add the following line to /etc/rc.conf to enable radvd:
  - 
  -  opendnssec_enable="YES"
  - 

. /etc/rc.subr

name=opendnssec
rcvar=`set_rcvar`

pidfile=/usr/local/var/run/opendnssec/signerd.pid
command="/usr/local/sbin/ods-control"
command_args="start"

load_rc_config $name
> ${opendnssec_enable="no"}

run_rc_command "$1"

And make it executeable with:

chmod +x /usr/local/etc/rc.d/opendnssec

Now enable the startup script in /etc/rc.conf with:

opendnssec="YES"

and start it with

/usr/local/etc/rc.d/opendsnsec start

Check the logfile /var/log/messages that everything is fine.

Now add the zones with:

ods-ksmutil zone add --zone example.com

https://sys4.de/de/blog/2014/05/24/einen-tlsa-record-fuer-dane-mit-bind-9-publizieren/