Quick and dirty DNSSEC recipe:
1) named.conf global options
options {
dnssec-enable yes;
dnssec-validation yes;
};
1.5) "root" zone trusted key
get the root zone DNSKEY RR set:
dig +multi +noall +answer DNSKEY . >root.dnskey
convert it to a DS RR set:
dnssec-dsfromkey -f root.dnskey . >root.ds
include the root KSK (the key with flags 257) in named.conf as a managed trust anchor; the quoted string is the base64 public key copied from root.dnskey, not the DS digest:
managed-keys {
"." initial-key 257 3 8 "<base64 public key from root.dnskey>";
};
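As an added example (not part of the original recipe), here is what dnssec-dsfromkey computes for one DNSKEY record: the RFC 4034 key tag and the RFC 4509 SHA-256 DS digest over the owner name in wire form followed by the DNSKEY RDATA. The sample record below is constructed with a tiny fake public key, so the DS it yields is not the real root DS.

```python
# Added example: rebuild the DNSKEY -> DS conversion that dnssec-dsfromkey
# performs, for a record in dig's presentation format:
#   "<owner> [TTL] IN DNSKEY <flags> <proto> <alg> <base64 key>"
import base64
import hashlib
import re


def owner_to_wire(name: str) -> bytes:
    """Owner name in DNS wire format, lowercased as RFC 4034 requires."""
    name = name.rstrip(".").lower()
    if not name:  # the root "." is just the zero-length terminating label
        return b"\x00"
    labels = name.split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(record: str):
    """Parse a (possibly multi-line, +multi style) DNSKEY record."""
    text = re.sub(r";.*", "", record)  # drop dig's trailing comments
    fields = text.replace("(", " ").replace(")", " ").split()
    idx = fields.index("DNSKEY")
    owner = fields[0]
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    return owner, flags, alg, rdata


def dnskey_to_ds(record: str) -> str:
    """DS RR with digest type 2 (SHA-256) for the given DNSKEY record."""
    owner, flags, alg, rdata = parse_dnskey(record)
    digest = hashlib.sha256(owner_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {alg} 2 {digest}"


# Constructed sample (not a real key): root KSK, RSASHA256, public key bytes 01 02 03.
SAMPLE = ". 172800 IN DNSKEY 257 3 8 ( AQID ) ; KSK; alg = RSASHA256 ; key id = 2059"

if __name__ == "__main__":
    print(dnskey_to_ds(SAMPLE))
```

Run the same function over each record in root.dnskey and compare the DS line for the flags-257 key with root.ds to confirm the two agree.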
2) Generating the key signing key (KSK) and zone signing key (ZSK)
ZSK: dnssec-keygen -r /dev/random -a RSASHA1 -b 1024 -n ZONE myzone.name
KSK: dnssec-keygen -r /dev/random -f KSK -a RSASHA1 -b 1280 -n ZONE myzone.name
Note: RSASHA1 is algorithm 5, which is why the generated file names below carry +005+; it is now deprecated for signing new zones (RFC 8624), and choosing -a RSASHA256 (algorithm 8) instead gives file names with +008+.
3) Inside your zone file, include the public keys
$INCLUDE Kmyzone.name.+005+1234.key ;ZSK
$INCLUDE Kmyzone.name.+005+4567.key ;KSK
4) Sign the DNS zone (-k names the KSK, the trailing argument names the ZSK; output goes to myzone.name.signed)
dnssec-signzone -r /dev/random -o myzone.name -k Kmyzone.name.+005+4567 myzone.name Kmyzone.name.+005+1234
5) Verify the signed zone records:
cat myzone.name.signed
6) Check a query (the answer should now carry an RRSIG record; when asked through a validating resolver, the ad flag in the header shows the answer validated):
dig +dnssec www.myzone.name A
Note: data for which the local name server is authoritative, and which it loads from disk, does not trigger trust chain traversal. i.e. it is assumed that if a server can read the zone off disk, then the zone is secure anyway.