Mar 16, 2012

Setting up BIND to secure DNS with DNSSEC (II)

Let's continue with the second part of the article titled Setting up BIND to secure DNS with DNSSEC. First, note that the default configuration of BIND on CentOS 6 already enables DNSSEC, so it can be used directly:

[root@dns ~]# cat /etc/named.conf
...
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;

To begin with, we are going to generate the ZSK (Zone Signing Key, which signs the records of the zone file) and the KSK (Key Signing Key, which signs the ZSK). Each command produces a key pair as two files: the public key (.key) and the private key (.private). Pay attention to the permissions of the private keys: as you can see, only root has access to those files.

[root@dns ~]# cd /var/named/test.local/

[root@dns test.local]# dnssec-keygen test.local

[root@dns test.local]# dnssec-keygen -f KSK test.local

[root@dns test.local]# ls -l
total 20
-rw-r--r--. 1 root root  428 Mar 11 20:33 Ktest.local.+005+05775.key
-rw-------. 1 root root 1010 Mar 11 20:33 Ktest.local.+005+05775.private
-rw-r--r--. 1 root root  602 Mar 11 20:36 Ktest.local.+005+06859.key
-rw-------. 1 root root 1774 Mar 11 20:36 Ktest.local.+005+06859.private
-rw-r--r--. 1 root root  163 Mar 11 19:15 test.local.zone

The next step is to add the public key files to the zone file, which leaves a couple of extra DNSKEY records inside it.

[root@dns test.local]# cat *.key >> test.local.zone

[root@dns test.local]# cat test.local.zone
...
test.local. IN DNSKEY 256 3 5 AwEAAc1...
test.local. IN DNSKEY 257 3 5 AwEAAda...

Now we are able to sign the zone. The last argument of the command is the zone file, and the "-o" option indicates the zone origin. This command creates a new version of the zone file, adding NSEC and RRSIG records.

[root@dns test.local]# dnssec-signzone -o test.local test.local.zone

[root@dns test.local]# ls -l *.signed
-rw-r--r--. 1 root root 3429 Mar 11 20:50 test.local.zone.signed

Now we only need to update the named.conf file so that it points at the new signed file. Remember to restart the service for the changes to take effect.

[root@dns test.local]# cat /etc/named.conf
...
zone "test.local" IN {
    type master;
    file "test.local/test.local.zone.signed";
};

[root@dns ~]# /etc/init.d/named restart
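Before trusting the result of the steps above, it is worth checking the artifacts they leave behind: that the .private files are still readable only by their owner, that the zone really carries one ZSK (flags 256) and one KSK (flags 257), that the key tag in each Kname.+005+NNNNN filename matches the DNSKEY record inside it, and that the .signed file actually contains RRSIG and NSEC records. The script below is an added example, not code from the original post or from BIND; it runs without the BIND tools installed. The file names, the tiny fake public key AAEAAQ== and the signed-zone excerpt are constructed for illustration and are not real RSA material.

```python
"""Sanity checks for a dnssec-keygen / dnssec-signzone workflow (added example)."""
import base64
import os
import re
import stat
import struct
import tempfile
from collections import namedtuple

DnsKey = namedtuple("DnsKey", "owner flags proto alg key")

# Kowner.+AAA+TTTTT.key / .private, as written by dnssec-keygen
KEYFILE_RE = re.compile(r"^K(?P<owner>.+)\+(?P<alg>\d{3})\+(?P<tag>\d{5})\.(?P<ext>key|private)$")


def rr_type(line):
    """RR type of one zone-file line; tolerates omitted owner/TTL/class as dnssec-signzone writes them."""
    body = line.split(";", 1)[0]            # drop comments
    fields = body.split()
    if not fields:
        return None
    if not body[0].isspace():
        fields = fields[1:]                 # first token is the owner name
    while fields and (fields[0].isdigit() or fields[0] == "IN"):
        fields = fields[1:]                 # skip TTL and class
    return fields[0] if fields else None


def parse_dnskeys(text):
    """Return the DNSKEY records found in zone text (owner is None when inherited from a previous line)."""
    records = []
    for line in text.splitlines():
        if rr_type(line) != "DNSKEY":
            continue
        body = line.split(";", 1)[0]
        fields = body.split()
        i = fields.index("DNSKEY")
        flags, proto, alg = (int(f) for f in fields[i + 1:i + 4])
        key = base64.b64decode("".join(fields[i + 4:]))
        owner = None if body[0].isspace() else fields[0]
        records.append(DnsKey(owner, flags, proto, alg, key))
    return records


def key_tag(flags, proto, alg, key):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (valid for algorithms other than 1/RSAMD5)."""
    rdata = struct.pack("!HBB", flags, proto, alg) + key
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def key_role(flags):
    """256 = ZSK, 257 = KSK (SEP bit set); anything else is not a signing key we expect here."""
    return {256: "ZSK", 257: "KSK"}.get(flags, "unknown")


def keyfile_parts(name):
    """(owner, algorithm, key tag, extension) from a dnssec-keygen file name, or None."""
    m = KEYFILE_RE.match(os.path.basename(name))
    return (m.group("owner"), int(m.group("alg")), int(m.group("tag")), m.group("ext")) if m else None


def private_key_is_protected(path):
    """True when the .private file has no group/other permission bits (dnssec-keygen creates it 0600)."""
    return stat.S_IMODE(os.stat(path).st_mode) & (stat.S_IRWXG | stat.S_IRWXO) == 0


def check_key_directory(path):
    """Run the pre-signing checks over a key directory; return a list of problems (empty = all good)."""
    problems, zone_keys = [], []
    for name in sorted(os.listdir(path)):
        parts = keyfile_parts(name)
        if not parts:
            continue
        owner, alg, tag, ext = parts
        full = os.path.join(path, name)
        if ext == "private":
            if not private_key_is_protected(full):
                problems.append(f"{name}: private key readable by group/other")
            continue
        with open(full) as fh:
            for rec in parse_dnskeys(fh.read()):
                if rec.alg != alg or key_tag(rec.flags, rec.proto, rec.alg, rec.key) != tag:
                    problems.append(f"{name}: algorithm/key tag do not match DNSKEY content")
                zone_keys.append(rec)
    roles = sorted(key_role(k.flags) for k in zone_keys)
    if "ZSK" not in roles or "KSK" not in roles:
        problems.append(f"need both a ZSK and a KSK, found {roles or 'none'}")
    return problems


def signed_zone_summary(text):
    """Count the record types a signed zone must carry."""
    counts = {"RRSIG": 0, "NSEC": 0, "DNSKEY": 0}
    for line in text.splitlines():
        t = rr_type(line)
        if t in counts:
            counts[t] += 1
    return counts


def looks_signed(text):
    """A signed zone has signatures, NSEC chain entries and (at least) the ZSK and KSK DNSKEYs."""
    c = signed_zone_summary(text)
    return c["RRSIG"] > 0 and c["NSEC"] > 0 and c["DNSKEY"] >= 2


def build_sample_dir(break_perms=False):
    """Write constructed key files (fake 4-byte key AAEAAQ==, tags 1031/1032) into a temp dir."""
    d = tempfile.mkdtemp(prefix="dnssec-demo-")
    for flags, tag in ((256, 1031), (257, 1032)):
        stem = os.path.join(d, f"Ktest.local.+005+{tag:05d}")
        with open(stem + ".key", "w") as fh:
            fh.write(f"test.local. IN DNSKEY {flags} 3 5 AAEAAQ==\n")
        with open(stem + ".private", "w") as fh:
            fh.write("Private-key-format: v1.3\n")   # contents are irrelevant to the checks
        os.chmod(stem + ".private", 0o644 if break_perms else 0o600)
    return d


# Constructed excerpt in the layout dnssec-signzone writes (owner/class omitted on continuation lines).
SAMPLE_SIGNED_ZONE = """\
test.local.\t\t86400\tIN SOA\tdns.test.local. root.test.local. (
\t\t\t\t2012031101 ; serial
\t\t\t\t86400 )
\t\t\t86400\tRRSIG\tSOA 5 2 86400 20120410000000 20120311000000 1031 test.local. b64...
\t\t\t86400\tNS\tdns.test.local.
\t\t\t86400\tRRSIG\tNS 5 2 86400 20120410000000 20120311000000 1031 test.local. b64...
\t\t\t86400\tNSEC\tdns.test.local. NS SOA RRSIG NSEC DNSKEY
\t\t\t86400\tRRSIG\tNSEC 5 2 86400 20120410000000 20120311000000 1031 test.local. b64...
\t\t\t86400\tDNSKEY\t256 3 5 AAEAAQ==
\t\t\t86400\tDNSKEY\t257 3 5 AAEAAQ==
\t\t\t86400\tRRSIG\tDNSKEY 5 2 86400 20120410000000 20120311000000 1032 test.local. b64...
"""

if __name__ == "__main__":
    print("key directory problems:", check_key_directory(build_sample_dir()) or "none")
    print("signed zone:", signed_zone_summary(SAMPLE_SIGNED_ZONE), "ok" if looks_signed(SAMPLE_SIGNED_ZONE) else "NOT signed")
```

On a real server, point check_key_directory at /var/named/test.local/ and looks_signed at the .signed file; the key-tag check is the same arithmetic named uses, so a mismatch means a key file was edited or renamed by hand.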

Finally, I will write a third article to carry out some tests on this setup.
