Configuring DNSSEC On BIND9 (9.7.3) On Debian Squeeze/Ubuntu 11.10
Version 1.0
Author: Falko Timme
Follow me on Twitter
This guide explains how you can configure DNSSEC on BIND9 (version 9.7.3 that comes with Debian Squeeze/Ubuntu 11.10) on Debian Squeeze and Ubuntu 11.10. It covers how to enable DNSSEC on authoritative nameservers (master and slave) and on resolving nameservers, creation of keys (KSKs and ZSKs), signing of zones, key rolling with rollerd, zone file checking with donuts, creation of trust anchors, using DLV (DNSSEC look-aside validation), and getting your DS records into the parent's zone.
I do not issue any guarantee that this will work for you!
1 Preliminary Note
I'm using three Debian Squeeze servers here:
- server1.example.com (Master DNS server, authoritative): IP address 192.168.0.100
- server2.example.com (Slave DNS server, authoritative): IP address 192.168.0.101
- server3.example.com (resolving DNS server, not authoritative): IP address 192.168.0.102
I'm assuming that BIND is already installed and working on all three servers.
I'm using the zone example.org throughout this tutorial to demonstrate the DNSSEC setup. That zone is already set up and working (through "normal" DNS) on the master (server1) and slave (server2).
server1 (master):
The BIND configuration directory is /etc/bind on Debian Squeeze/Ubuntu 11.10. That directory looks as follows:
cd /etc/bind/
ls -l
root@server1:/etc/bind# ls -l
total 60
-rw-r--r-- 1 root root 665 Jan 15 2011 bind.keys
-rw-r--r-- 1 root root 237 Jan 15 2011 db.0
-rw-r--r-- 1 root root 271 Jan 15 2011 db.127
-rw-r--r-- 1 root root 237 Jan 15 2011 db.255
-rw-r--r-- 1 root root 353 Jan 15 2011 db.empty
-rw-r--r-- 1 root root 270 Jan 15 2011 db.local
-rw-r--r-- 1 root root 2994 Jan 15 2011 db.root
-rw-r--r-- 1 root bind 463 Jan 15 2011 named.conf
-rw-r--r-- 1 root bind 490 Jan 15 2011 named.conf.default-zones
-rw-r--r-- 1 root bind 167 Apr 13 10:06 named.conf.local
-rw-r--r-- 1 root bind 572 Jan 15 2011 named.conf.options
-rw-r--r-- 1 root bind 722 Apr 13 10:06 pri.example.org
-rw-r----- 1 bind bind 77 Feb 7 2011 rndc.key
drwxr-s--- 2 root bind 4096 Feb 7 2011 slave
-rw-r--r-- 1 root root 1317 Jan 15 2011 zones.rfc1918
root@server1:/etc/bind#
As you see, my example.org zone file is named pri.example.org. Yours might be named differently, so you have to adjust the zone name in the commands from this tutorial.
My example.org zone looks as follows (nothing special, a normal BIND zone):
cat pri.example.org
$TTL 3600
@ IN SOA server1.example.com. zonemaster.example.com. (
2012041305 ; serial, todays date + todays serial #
7200 ; refresh, seconds
540 ; retry, seconds
604800 ; expire, seconds
86400 ) ; minimum, seconds
;
example.org. 3600 A 1.2.3.4
example.org. 3600 MX 10 mail.example.org.
example.org. 86400 NS server1.example.com.
example.org. 86400 NS server2.example.com.
example.org. 3600 TXT "v=spf1 a mx ptr -all"
mail 3600 A 1.2.3.4
www 3600 A 1.2.3.4
|
My named.conf.local looks as follows:
cat named.conf.local
zone "example.org" {
type master;
allow-transfer {192.168.0.101;};
also-notify {192.168.0.101;};
file "/etc/bind/pri.example.org";
};
|
server2 (slave):
I've configured the slave to store its slave zone file (called sec.example.org) in the /etc/bind/slave directory, as you can see in the /etc/bind/named.conf.local file:
cat /etc/bind/named.conf.local
zone "example.org" {
type slave;
masters {192.168.0.100;};
allow-notify {192.168.0.100;};
allow-transfer {none;};
file "/etc/bind/slave/sec.example.org";
};
|
The slave is notified of zone file changes on the master so that it can retrieve a new zone file.
As you see, nothing special here - a normal BIND setup.
2 Enabling DNSSEC On The Master (server1)
server1 (master):
I will use the dnssec-tools package in this tutorial as it comes with some handy tools such as zonesigner and rollerd that make DNSSEC management a lot easier.
We can install it (and some other recommended packages) as follows:
apt-get install dnssec-tools libnet-dns-sec-perl libmailtools-perl libcrypt-openssl-random-perl
Now go to the /etc/bind directory:
cd /etc/bind
Open named.conf.options...
vi named.conf.options
... and add dnssec-enable yes;, dnssec-validation yes;, and dnssec-lookaside auto; to the options section:
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
//bindkeys-file "/etc/bind/bind.keys";
};
|
The bindkeys-file line is needed only if your bind.keys file is in a location other than /etc/bind/bind.keys - if it's /etc/bind/bind.keys, it's loaded by default.
dnssec-lookaside auto; makes that named reads the DLV key from bind.keys the first time it executes. This is the dlv.isc.org key.
Normally, there should be a fully signed path from the root zone (.) down to your own zone, which means that your parent zones (e.g. .org for example.org) must be signed as well. Unfortunately, not all TLDs have been signed yet. If any of your parents aren't signed, the chain is broken, and you cannot use the root zone's key as a trusted anchor in your BIND configuration.
That's why DNSSEC look-aside validation (DLV) was invented. In short, DLV serves as an alternative repository for trusted keys where you can submit your zone keys if there's no fully signed path to your zone. The most prominent DLV repository is dlv.isc.org (ISC is the company that makes BIND). Both the root zone key and the dlv.isc.org key are included in /etc/bind/bind.keys (if not, please update BIND...
apt-get install bind9
... and check again).
You can find out more about DNSSEC look-aside validation (DLV) on https://www.isc.org/solutions/dlv and https://dlv.isc.org/about/background. If you want to submit your keys to the dlv.isc.org repository, you can register on https://dlv.isc.org/.
You can find a list of signed TLDs on http://stats.research.icann.org/dns/tld_report/ and http://www.tldwithdnssec.se/. If your TLD is signed, the preferred method is to submit your keys to your registry so that they can create a DS record for your zone. You don't need a DLV record then.
In BIND 9.8 and 9.9, the root zone key from bind.keys can be loaded with dnssec-validation auto; - unfortunately, in BIND 9.7 (which we use) there's no auto option for dnssec-validation (that's why we use dnssec-validation yes;) which means the root zone key isn't loaded (see https://www.isc.org/bind-keys). To overcome this issue, we can either add the root zone key from bind.keys...
cat bind.keys
[...]
managed-keys {
# ISC DLV: See https://www.isc.org/solutions/dlv for details.
# NOTE: This key is activated by setting "dnssec-lookaside auto;"
# in named.conf.
dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
TDN0YUuWrBNh";
# ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml
# for current trust anchor information.
# NOTE: This key is activated by setting "dnssec-validation auto;"
# in named.conf.
. initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
QxA+Uk1ihz0=";
};
|
to named.conf.options, or we simply include bind.keys in named.conf.options (I prefer the latter method):
vi named.conf.options
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
//bindkeys-file "/etc/bind/bind.keys";
};
//managed-keys {
// # ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml
// # for current trust anchor information.
// . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
// FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
// bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
// X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
// W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
// Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
// QxA+Uk1ihz0=";
//};
include "/etc/bind/bind.keys";
|
Restart BIND afterwards:
/etc/init.d/bind9 restart
