Sunday 6 December 2009

Deploy DNSSEC at Authoritative DNS Servers

This document walks through deploying DNSSEC on authoritative DNS servers running BIND.

Summary of steps:
  1. Install or update tools (OpenSSL and BIND)
  2. DNSSEC enable each zone
  3. Periodic zone maintenance

Install or update tools

To install the latest stable version of OpenSSL without shared libraries, follow these steps:

#wget http://www.openssl.org/source/openssl-0.9.8l.tar.gz
#tar -zxvf openssl-0.9.8l.tar.gz
#cd openssl-0.9.8l
#./config --prefix=/usr/local no-shared
#make
#make test
#make install


To install the latest stable version of BIND with OpenSSL support (built against the OpenSSL just installed under /usr/local), follow these steps:

#wget ftp://ftp.isc.org/isc/bind9/9.6.1-P2/bind-9.6.1-P2.tar.gz
#tar -zxvf bind-9.6.1-P2.tar.gz
#cd bind-9.6.1-P2
#./configure --with-openssl=/usr/local --prefix=/usr/local --sysconfdir=/etc/bind --localstatedir=/var
#make
#make test
#make install


After installing BIND, check that it was built with the expected options and that the newly installed binary is the one found first on the PATH (an older distribution-packaged named may still be present):

#named -V

BIND 9.6.1-P2 built with '--with-openssl=/usr/local' '--prefix=/usr/local/' '--sysconfdir=/etc/bind' '--localstatedir=/var/'


DNSSEC enable each zone

Edit your named.conf and add the DNSSEC option inside the options block (note the semicolon after the closing brace):

...
options {
    dnssec-enable yes;
};
...


Then restart the named process.

Now we generate the keys for each zone.
In this example the zone is foo.net, that is, the zone foo whose parent zone is .net.
To generate the Zone Signing Key (ZSK) for a zone:

#dnssec-keygen -a NSEC3RSASHA1 -b 1024 -n ZONE foo.net

The NSEC3RSASHA1 algorithm is only available in BIND 9.6 and later. For more information:

#man dnssec-keygen

The ZSK generation prints a key name like the following, where 007 is the algorithm number (NSEC3RSASHA1) and 45698 is the key tag; two files are created from it, Kfoo.net.+007+45698.key (the public DNSKEY record) and Kfoo.net.+007+45698.private:

Kfoo.net.+007+45698

To generate the Key Signing Key (KSK) for the zone (the -f KSK flag sets the SEP bit, and a longer key is used because the KSK is what the parent's DS record refers to):

#dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 2048 -n ZONE foo.net

As above, NSEC3RSASHA1 requires BIND 9.6 or later. For more information:

#man dnssec-keygen

The KSK generation prints a key name of the same form, again followed by the .key and .private files:

Kfoo.net.+007+54789

Note: if key generation is too slow (dnssec-keygen reads the blocking /dev/random by default, which can starve on a server with little entropy), add the option -r /dev/urandom.

After generating the keys, include the public key files (the DNSKEY records) in the zone file:

#echo -e "\$INCLUDE Kfoo.net.+007+45698.key\n\$INCLUDE Kfoo.net.+007+54789.key" >> db.foo.net

Sign the zone with the KSK (-k) and the ZSK, giving the key file names without their .key/.private extensions. Here -o sets the zone origin, -t prints statistics, -3 - selects an NSEC3 chain with an empty salt, and -A sets the NSEC3 opt-out flag (opt-out only makes sense for large zones with many unsigned delegations; a small zone can omit -A):

#dnssec-signzone -k Kfoo.net.+007+54789 -o foo.net -t -3 - -A db.foo.net Kfoo.net.+007+45698

For more information:

#man dnssec-signzone

Example output from signing:

foo.net.signed
Signatures generated: 4
Signatures retained: 0
Signatures dropped: 0
Signatures successfully verified: 0
Signatures unsuccessfully verified: 0
Runtime in seconds: 0.011
Signatures per second: 574.122


Signing the zone creates a file named db.foo.net.signed (the original db.foo.net is left unchanged).

To verify that the zone was properly signed and still loads:

#named-checkzone foo.net db.foo.net.signed

Example output:

zone foo.net/IN: loaded serial 2009051202 (signed)

Now edit the zone section of named.conf so that it loads the signed file instead of the unsigned one (note the semicolon after the file name):

zone "foo.net" {
    type master;
    file "db.foo.net.signed";
};


Then restart the named process.

The last step is to send the DS record to the parent zone (for foo.net that is the .net registry, normally through your registrar). This record can be found in the file dsset-foo.net, which dnssec-signzone writes next to the signed zone. Until the parent publishes the DS, validating resolvers treat foo.net as unsigned.

Periodic zone maintenance

Any time you modify the zone, and in any case before 30 days have passed since the last signing (the default RRSIG validity period used by dnssec-signzone), you must re-run dnssec-signzone and reload named. If you don't, the signatures expire and validating resolvers will reject the zone as stale, which is worse than serving it unsigned.
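A small check that makes the 30-day rule above operational, written as an added example for this post (it is not part of the original text or of BIND): it reads the RRSIG expiration times out of a signed zone file and reports which signatures expire before a chosen deadline, so a cron job can re-sign before anything goes stale. It assumes the zone is in the master-file text form that dnssec-signzone writes, with expiration times as 14-digit UTC timestamps; the sample zone and the "today" date are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): find RRSIGs in a signed zone that
# expire before a deadline, so dnssec-signzone is re-run before the zone goes
# stale. Assumes BIND master-file text as written by dnssec-signzone, with
# expiration times in YYYYMMDDHHMMSS (UTC) form.

# Print "<expiration> <type covered> <key tag>" for every RRSIG in the zone,
# joining records that dnssec-signzone wraps across lines with "( ... )".
rrsig_expirations() {
    awk '
    {
        line = $0; sub(/;.*/, "", line)                 # drop comments
        depth += gsub(/\(/, " ", line) - gsub(/\)/, " ", line)
        buf = buf " " line
        if (depth > 0) next                             # record continues
        nf = split(buf, t, /[ \t]+/); buf = ""
        for (i = 1; i <= nf; i++)
            if (t[i] == "RRSIG" && length(t[i+5]) == 14 && t[i+5] ~ /^[0-9]+$/)
                print t[i+5], t[i+1], t[i+7]            # expiry, type, keytag
    }' "$1"
}

# Print the RRSIGs expiring before $2 (YYYYMMDDHHMMSS, UTC); exit 0 if any.
# Fixed-width UTC timestamps compare correctly as plain numbers, so no date
# arithmetic is needed.
rrsigs_expiring_before() {
    rrsig_expirations "$1" |
        awk -v deadline="$2" '$1 < deadline { print; found = 1 } END { exit !found }'
}

# Constructed sample signed zone (not real dnssec-signzone output) for the demo.
write_sample_zone() {
    cat > "$1" <<'EOF'
foo.net. 3600 IN SOA ns1.foo.net. hostmaster.foo.net. 2009051202 7200 3600 1209600 3600
foo.net. 3600 RRSIG SOA 7 2 3600 20100105120000 20091206120000 45698 foo.net. AbCd==
foo.net. 3600 RRSIG DNSKEY 7 2 3600 20100110120000 (
                 20091211120000 54789 foo.net.
                 EfGh== )
EOF
}

# Demo: with a constructed "today" of 2009-12-30 and a 7-day margin (deadline
# 2010-01-06), the SOA signature is due for re-signing, the DNSKEY one is not.
zone=$(mktemp); write_sample_zone "$zone"
if rrsigs_expiring_before "$zone" 20100106000000; then
    echo "re-sign foo.net now: run dnssec-signzone and reload named"
fi
rm -f "$zone"
```

In production, replace the constructed deadline with the current UTC time plus your margin and run the check from cron against db.foo.net.signed.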


Some resources

www.isc.org - information about BIND and DNSSEC
www.openssl - information about OpenSSL