Configuring DNSSEC on Linux /Unix box  devices. 

Here we go the securing the most of the common Linux devices, I mean it will 
suit most of the Unix/ Linux flavor . I’m posting some example base on my 
system’s DNSSEC configuration R & D result. 

a)  Need to enable dnssec in /etc/named.conf    configuration file. This will 
enable the DNSSEC feature set in bind named demon. Need to check you have the 
following, or add it if it doesn’t exist:
options { dnssec-enable yes; dnssec-validation yes; dnssec-lookaside auto; }

You have to restart bind after this via service named restart or 
/etc/init.d/named  restart which one do match with your system.

b) Next, we  have to find out where your DNS zone files are. I’ve used our 
domain in this example. We now want to create the Zone Key (ZSK). The 
directories below will probably be different for your system. It will also take 
quite a while.
# cd /var/named/chroot/var/named/master # dnssec-keygen -a RSASHA1 -b 1024 -n 
This will create two files:
•*.key (public key)
•*.private (private key)

c) Now we need to create the Secure Entry Key (KSK) for the domain. It also 
takes quite a while. 
# dnssec-keygen -a RSASHA1 -b 4096 -n ZONE -f KSK

d) To make the zones use DNSSEC, we need to now add ONLY the public portions of 
the generated keys to the zone file.
# cat*.key >>

Note: For the love of IDEITY, make sure you use >> here so you don’t wipe out 
your zone file!

e) Next step, signing the zone files and adding the fields required:
# dnssec-signzone -e +3024000 -¬N INCREMENT

This signs to zone file with an end time 35 days after the start time. This 
allows automations of resign the domain using a script in /etc/cron.monthly 
without the domain expiring after 30 days (the default). This will also 
increment the serial no on the zone files automatically.
The result will be the output file

f) We now have to tell bind demon to use the new signed zone file in 
/etc/named.conf. We want to replace the entry that currently refers to the 
non-signed zone file ( for the signed zone file 
zone " " { file "/var/named/master/"; };

g) We are now ready to restart bind to activate the new signed config.
# service named reload or /etc/init.d/named  restart

Things to be care of:

1) By default, zone signatures (dnssec-signzone) expire 30 days after the last 
time they are generated. This example extends this to 35 days to allow you to 
use a cron to resign the zonefile in the monthly cron. I use a script as 

#!/bin/bash SIGNZONE="/usr/sbin/dnssec-signzone" cd 
/var/named/chroot/var/named/master $SIGNZONE -n INCREMENT 
service named reload
If we put this script in /etc/cron.monthly/,  zones will be automatically 
resigned every month.

2) Every time we change a zone file, we have to re-sign it. 

3) The current best practice is to generate a new KSK every year, and a new ZSK 
every 3 months. This is pretty much repeating this example from step 1. It can 
probably be scripted – as long as you don’t double up on the public keys being 
placed in the zone file (step d).


Sent via RIPE Forum --

Reply via email to