Wednesday, November 10, 2010

DNSSEC Notes

Quick and dirty DNSSEC recipe:

1) named.conf global options

options {
    dnssec-enable yes;
    dnssec-validation yes;
};

1.5) "root" zone trusted key

get root key:
dig +multi +noall +answer DNSKEY . >root.dnskey

convert to DS RR set:
dnssec-dsfromkey -f root.dnskey . >root.ds

include in named.conf:

managed-keys {
    "." initial-key 257 3 8 "
    blah blah blah ";
};

2) Generating key signing key (KSK) and zone signing key (ZSK)

ZSK: dnssec-keygen -r /dev/random -a RSASHA1 -b 1024 -n ZONE myzone.name
KSK: dnssec-keygen -r /dev/random -f KSK -a RSASHA1 -b 1280 -n ZONE myzone.name

3) Inside your zone file, include the public keys

$INCLUDE Kmyzone.name.+005+1234.key ; ZSK
$INCLUDE Kmyzone.name.+005+4567.key ; KSK

4) Sign the DNS zone

dnssec-signzone -r /dev/random -o myzone.name -k Kmyzone.name.+005+4567 myzone.name Kmyzone.name.+005+1234.key

(-k names the KSK, Kmyzone.name.+005+4567 from step 3; the trailing key argument is the ZSK, Kmyzone.name.+005+1234.)

5) Verify the signed zone records:

cat myzone.name.signed

6) Check a query...

dig +dnssec www.myzone.name A

Note: data for which the local name server is authoritative, i.e. loaded from disk, does not trigger a trust-chain traversal (validation), so such answers will not carry the AD flag. The assumption is that if a server can read the zone off disk, the data is secure anyway.
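As an added example (not from the original post), the DNSKEY-to-DS conversion of step 1.5 and the key tag that appears in the K<zone>.+<alg>+<tag> file names of steps 2 to 4, implemented per RFC 4034 so you can check that a DS line published in the parent zone actually matches your KSK. The DNSKEY material used below is constructed for illustration, not a real key.

```python
import base64
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Encode an owner name in canonical (lowercase) DNS wire format; "." -> b"\\x00"."""
    name = name.lower().rstrip(".")
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA = flags(2) | protocol(1) | algorithm(1) | public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for RSASHA1/RSASHA256 etc., not for RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2) -> str:
    """Build the DS RR for a DNSKEY: digest over owner-name wire form + DNSKEY RDATA."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = h(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"

def ds_matches(published_ds: str, owner, flags, protocol, algorithm, pubkey_b64) -> bool:
    """True if a DS line (as seen in the parent zone) matches this DNSKEY's tag, alg and digest."""
    f = published_ds.split()
    tag, alg, dtype, digest = int(f[-4]), int(f[-3]), int(f[-2]), f[-1].upper()
    e = ds_record(owner, flags, protocol, algorithm, pubkey_b64, dtype).split()
    return (tag, alg, digest) == (int(e[-4]), int(e[-3]), e[-1])

def parse_dnskey(line: str):
    """Parse a single-line DNSKEY RR as printed by `dig +noall +answer` (no +multi)."""
    f = line.split()
    i = f.index("DNSKEY")
    return f[0], int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), "".join(f[i + 4:])

if __name__ == "__main__":
    # Constructed sample KSK (flags 257 = KSK, protocol 3, algorithm 8); not a real RSA key.
    owner, flags, proto, alg, pub = parse_dnskey("myzone.name. 3600 IN DNSKEY 257 3 8 AQIDBA==")
    ds = ds_record(owner, flags, proto, alg, pub)
    print(ds)
    print("matches:", ds_matches(ds, owner, flags, proto, alg, pub))
```

Run `dig +noall +answer DNSKEY myzone.name` and feed the KSK line (flags 257) to parse_dnskey; the resulting DS line should equal what dnssec-dsfromkey prints and what the parent publishes.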