OzLabs Users Info - DNSSEC signing of zones

This is a summary of DNSSEC Guide Chapter 4, with appropriate changes for our setup.

Introduction

We are now using AppArmor to limit file access, so the directory structure used below is required or BIND will not be able to access the files it needs. In particular, BIND needs read and write access to the keys and signed directories.

Preparation

	cd ${ETC}

BIND needs runtime access to the KSK and ZSK but they should not be accessible by anyone else so squirrel them away in a protected directory:

	mkdir -m 0750 keys
	chgrp bind keys

BIND needs to write the signed version of the zone and a journal file into the same directory as the text zone file. So make a subdirectory to limit where things can be written:

	mkdir -m 0775 signed
	chgrp bind signed
	cd signed
	ln -s ../${ZONEFILE} .

For those using etckeeper, keep the signed zone file, but not the journal or temporary files:

	echo '*.jbk' >.gitignore
	echo '*.jnl' >>.gitignore

Edit named.conf (or named.conf.local) and change the file for the zone to reference the symlink created above, i.e. change

	file "${ETC}/${ZONEFILE}";

to

	file "${ETC}/signed/${ZONEFILE}";

At this point nothing should have changed. You may want to run "/usr/sbin/rndc reconfig" and check for any errors in /var/log/syslog .

Create keys

	cd ${ETC}/keys
	mkdir -m 750 ${ZONE}
	chgrp bind ${ZONE}
	cd ${ZONE}
	/usr/bin/dnssec-keygen -a RSASHA256 -b 1024 ${ZONE}
	/usr/bin/dnssec-keygen -a RSASHA256 -b 2048 -f KSK ${ZONE}
	chgrp bind *.private
	chmod 640 *.private
	# the *.key files should be 0644 already

Sign the zone

Edit the named.conf (or named.conf.local) file and in the zone section, add:

	key-directory "${ETC}/keys/${ZONE}";
	inline-signing yes;
	auto-dnssec maintain;

Then let BIND know using

	/usr/sbin/rndc reconfig

and check /var/log/syslog for errors :-)

This will also produce a few new files in ${ETC}/signed ...

At this point, you have a signed zone, but no one will use it since your parent zone does not reference it.

Testing

Fetch your 2 DNSKEY records (your KSK and ZSK):

	dig @ns.ozlabs.org ${ZONE} dnskey +multiline

Adding +dnssec should also return the RRSIG record over the DNSKEY RRset:

	dig @ns.ozlabs.org ${ZONE} dnskey +dnssec +multiline

Fetch your SOA record and its RRSIG record (there may be other records as well):

	dig @ns.ozlabs.org ${ZONE} soa +dnssec +multiline

Fetching a non-existent name should get an NXDOMAIN status, no answer, but the AUTHORITY section will contain the SOA record and an NSEC record:

	dig @ns.ozlabs.org does-not-exist.${ZONE} a +dnssec +multiline

Dealing with your parent zone

	cd ${ETC}/keys/${ZONE}
	KSK=$(grep -l key-signing K*.key)
	/usr/bin/dnssec-dsfromkey ${KSK}

This will print a DS record like:

	${ZONE}. IN DS key-id algorithm digest-type digest

with digest-type being 2 (for SHA-256).

Your registrar will most likely have a place to upload these values for your zone and will forward them to the parent zone to be inserted as DS records. It is at this point that bad things may happen if something has gone wrong before now. See testing above. :-)
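As an added example (not part of the original guide and not BIND's own code), the following Python reproduces what dnssec-dsfromkey computes from a K*.key file: the key tag, and the digest over the owner name in wire form followed by the DNSKEY RDATA (RFC 4034). It can be used to cross-check the DS values before uploading them to the registrar. The key file contents are constructed for illustration, and "AQI=" is a 2-byte placeholder, not a real RSA public key.

```python
import base64
import hashlib
import struct

# Constructed K*.key contents for illustration: "AQI=" is a 2-byte stand-in, not a real RSA key.
SAMPLE_KEY_FILE = """; This is a key-signing key, keyid 1291, for example.org.
example.org. IN DNSKEY 257 3 8 AQI=
"""

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels, root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA in wire form (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag, the 'keyid' in the K*.key comment and the first DS field (RFC 4034 appendix B)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(zone: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS RR for a DNSKEY; digest is hash(owner name wire form || DNSKEY RDATA), type 2 = SHA-256."""
    hash_fn = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hash_fn(name_to_wire(zone) + rdata).hexdigest().upper()
    algorithm = rdata[3]  # fourth RDATA byte is the DNSKEY algorithm number
    return f"{zone.lower().rstrip('.')}. IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"

def ds_from_key_file(text: str, digest_type: int = 2) -> str:
    """Find the KSK (SEP flag bit set, flags 257) in K*.key file text and return its DS record."""
    for line in text.splitlines():
        fields = line.split(";")[0].split()  # drop trailing comments
        if "DNSKEY" not in fields:
            continue
        idx = fields.index("DNSKEY")
        flags, protocol, algorithm = (int(f) for f in fields[idx + 1:idx + 4])
        if not flags & 1:  # SEP bit clear: a ZSK, not what the parent wants
            continue
        pubkey = base64.b64decode("".join(fields[idx + 4:]))
        return ds_record(fields[0], dnskey_rdata(flags, protocol, algorithm, pubkey), digest_type)
    raise ValueError("no key-signing key found")

if __name__ == "__main__":
    print(ds_from_key_file(SAMPLE_KEY_FILE))
```

Run it against the real K*.key of your KSK and the output should match dnssec-dsfromkey field for field; a mismatch on the key tag usually means the wrong key file was picked.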