Configuring DNSSEC on Linux/Unix box devices.
Here we go with securing most of the common Linux devices; I mean it will
suit most of the Unix/Linux flavours. I'm posting some examples based on my
system's DNSSEC configuration R & D results.
a) Need to enable dnssec in the /etc/named.conf configuration file. This will
enable the DNSSEC feature set in the bind named daemon. Check that you have the
following, or add it if it doesn't exist:
    options {
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
    }
You have to restart bind after this via service named restart or
/etc/init.d/named restart, whichever matches your system.
b) Next, we have to find out where your DNS zone files are. I've used our
domain in this example. We now want to create the Zone Key (ZSK). The
directories below will probably be different for your system. It will also take
quite a while.
    # cd /var/named/chroot/var/named/master
    # dnssec-keygen -a RSASHA1 -b 1024 -n ZONE londontelecom.net
This will create two files:
    • Klondontelecom.net.*.key (public key)
    • Klondontelecom.net.*.private (private key)
c) Now we need to create the Secure Entry Key (KSK) for the domain. It also
takes quite a while.
    # dnssec-keygen -a RSASHA1 -b 4096 -n ZONE -f KSK londontelecom.net
d) To make the zones use DNSSEC, we now need to add ONLY the public portions of
the generated keys to the zone file.
    # cat Klondontelecom.net.*.key >> londontelecom.net
Note: For the love of DEITY, make sure you use >> here so you don't wipe out
your zone file!
e) Next step, signing the zone file and adding the fields required:
    # dnssec-signzone -e +3024000 -N INCREMENT londontelecom.net
This signs the zone file with an end time 35 days after the start time. This
allows automation of re-signing the domain using a script in /etc/cron.monthly
without the domain expiring after 30 days (the default). This will also
increment the serial number on the zone file automatically.
The result will be the output file londontelecom.net.signed.
f) We now have to tell the bind daemon to use the new signed zone file in
/etc/named.conf. We want to replace the entry that currently refers to the
unsigned zone file (londontelecom.net) with the signed zone file
(londontelecom.net.signed).
    zone "londontelecom.net" {
        file "/var/named/master/londontelecom.net.signed";
    };
g) We are now ready to restart bind to activate the new signed config.
    # service named reload
or
    # /etc/init.d/named restart
Things to be careful of:
1) By default, zone signatures (dnssec-signzone) expire 30 days after the last
time they are generated. This example extends this to 35 days to allow you to
use a cron to re-sign the zone file in the monthly cron. I use a script as
follows:
    #!/bin/bash
    SIGNZONE="/usr/sbin/dnssec-signzone"
    # stop if the zone directory is missing instead of signing in the wrong place
    cd /var/named/chroot/var/named/master || exit 1
    # same 35-day end time as step e, so a monthly run never lets the signatures lapse
    $SIGNZONE -e +3024000 -N INCREMENT londontelecom.net || exit 1
    service named reload
If we put this script in /etc/cron.monthly/, zones will be automatically
re-signed every month.
2) Every time we change a zone file, we have to re-sign it.
3) The current best practice is to generate a new KSK every year, and a new ZSK
every 3 months. This is pretty much repeating this example from step 1. It can
probably be scripted – as long as you don’t double up on the public keys being
placed in the zone file (step d).
Thanks
Sent via RIPE Forum -- https://www.ripe.net/participate/mail/forum
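The post's step d appends every *.key file to the zone with cat, and caveat 3 warns that repeating this during the quarterly ZSK / yearly KSK rollover must not double up the public keys. The script below is an added example (it is not from the post above and not BIND's own tooling) that makes that step idempotent: it appends a DNSKEY record only if the zone does not already carry that exact line. It assumes the *.key files have the layout dnssec-keygen writes (';' comment lines followed by one single-line DNSKEY RR); the zone name, key ids and key material in the demo are constructed, not real keys.

```shell
#!/bin/sh
# Added example, not from the original post: an idempotent version of step d.
# Instead of "cat K*.key >> zone", append each DNSKEY record only if the zone
# file does not already contain it, so a quarterly ZSK / yearly KSK rollover
# (caveat 3) cannot double up public keys in the zone.
# Assumes: *.key files in the format dnssec-keygen writes (comment lines
# starting with ';' followed by one single-line DNSKEY RR). All file names
# and key data in demo() are constructed for the demo.

# add_keys_to_zone ZONEFILE KEYFILE...  (appends missing DNSKEY RRs in place)
add_keys_to_zone() {
    zone="$1"; shift
    for keyfile in "$@"; do
        # Keep only resource-record lines; drop the ';' comment header.
        grep -v '^;' "$keyfile" | grep ' DNSKEY ' | while IFS= read -r rr; do
            # -F: fixed string, -x: whole line, -q: quiet; "--" protects
            # against a record that happens to start with a dash.
            if ! grep -F -x -q -- "$rr" "$zone"; then
                printf '%s\n' "$rr" >> "$zone"   # >> : never truncate the zone
            fi
        done
    done
}

# count_dnskeys ZONEFILE  (prints how many DNSKEY RRs the zone carries)
count_dnskeys() {
    grep -c ' DNSKEY ' "$1"
}

# demo: builds a throwaway zone and two constructed key files, runs the add
# step twice, and prints the DNSKEY count (2 if the second run was a no-op).
demo() {
    dir=$(mktemp -d) || return 1
    printf '$TTL 3600\n@ IN SOA ns1.example.net. hostmaster.example.net. ( 2024010101 3600 900 1209600 300 )\n' \
        > "$dir/example.net"
    # Constructed key material (not real keys): flags 256 = ZSK, 257 = KSK.
    printf '; This is a zone-signing key, keyid 12345, for example.net.\nexample.net. IN DNSKEY 256 3 5 AwEAAconstructedZSK\n' \
        > "$dir/Kexample.net.+005+12345.key"
    printf '; This is a key-signing key, keyid 54321, for example.net.\nexample.net. IN DNSKEY 257 3 5 AwEAAconstructedKSK\n' \
        > "$dir/Kexample.net.+005+54321.key"
    add_keys_to_zone "$dir/example.net" "$dir"/Kexample.net.*.key
    add_keys_to_zone "$dir/example.net" "$dir"/Kexample.net.*.key   # second run adds nothing
    count_dnskeys "$dir/example.net"
    rm -rf "$dir"
}

demo
```

On a real system you would call add_keys_to_zone with the zone file and the K*.key files in the zone directory before running dnssec-signzone; because the check is a whole-line match, a freshly generated key (different key id and key data) is still appended, while re-running the step after an unchanged cron cycle leaves the zone untouched.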