Configuring DNSSEC On BIND9 (9.7.3) On Debian Squeeze/Ubuntu 11.10

This guide explains how you can configure DNSSEC on BIND9 (version 9.7.3 that comes with Debian Squeeze/Ubuntu 11.10) on Debian Squeeze and Ubuntu 11.10. It covers how to enable DNSSEC on authoritative nameservers (master and slave) and on resolving nameservers, creation of keys (KSKs and ZSKs), signing of zones, key rolling with rollerd, zone file checking with donuts, creation of trust anchors, using DLV (DNSSEC look-aside validation), and getting your DS records into the parent's zone.
I do not issue any guarantee that this will work for you!

1 Preliminary Note

I'm using three Debian Squeeze servers here:

• server1.example.com (Master DNS server, authoritative): IP address 192.168.0.100
• server2.example.com (Slave DNS server, authoritative): IP address 192.168.0.101
• server3.example.com (resolving DNS server, not authoritative): IP address 192.168.0.102

I'm assuming that BIND is already installed and working on all three servers.
I'm using the zone example.org throughout this tutorial to demonstrate the DNSSEC setup. That zone is already set up and working (through "normal" DNS) on the master (server1) and slave (server2).

server1 (master):

The BIND configuration directory is /etc/bind on Debian Squeeze/Ubuntu 11.10. That directory looks as follows:

cd /etc/bind/
ls -l

root@server1:/etc/bind# ls -l
total 60
-rw-r--r-- 1 root root  665 Jan 15  2011 bind.keys
-rw-r--r-- 1 root root  237 Jan 15  2011 db.0
-rw-r--r-- 1 root root  271 Jan 15  2011 db.127
-rw-r--r-- 1 root root  237 Jan 15  2011 db.255
-rw-r--r-- 1 root root  353 Jan 15  2011 db.empty
-rw-r--r-- 1 root root  270 Jan 15  2011 db.local
-rw-r--r-- 1 root root 2994 Jan 15  2011 db.root
-rw-r--r-- 1 root bind  463 Jan 15  2011 named.conf
-rw-r--r-- 1 root bind  490 Jan 15  2011 named.conf.default-zones
-rw-r--r-- 1 root bind  167 Apr 13 10:06 named.conf.local
-rw-r--r-- 1 root bind  572 Jan 15  2011 named.conf.options
-rw-r--r-- 1 root bind  722 Apr 13 10:06 pri.example.org
-rw-r----- 1 bind bind   77 Feb  7  2011 rndc.key
drwxr-s--- 2 root bind 4096 Feb  7  2011 slave
-rw-r--r-- 1 root root 1317 Jan 15  2011 zones.rfc1918
root@server1:/etc/bind#

As you see, my example.org zone file is named pri.example.org. Yours might be named differently, so you have to adjust the zone name in the commands from this tutorial.
My example.org zone looks as follows (nothing special, a normal BIND zone):

cat pri.example.org

$TTL 3600 @ IN SOA server1.example.com. zonemaster.example.com. ( 2012041305 ; serial, todays date + todays serial # 7200 ; refresh, seconds 540 ; retry, seconds 604800 ; expire, seconds 86400 ) ; minimum, seconds ; example.org. 3600 A 1.2.3.4 example.org. 3600 MX 10 mail.example.org. example.org. 86400 NS server1.example.com. example.org. 86400 NS server2.example.com. example.org. 3600 TXT "v=spf1 a mx ptr -all" mail 3600 A 1.2.3.4 www 3600 A 1.2.3.4

My named.conf.local looks as follows:

cat named.conf.local

zone "example.org" { type master; allow-transfer {192.168.0.101;}; also-notify {192.168.0.101;}; file "/etc/bind/pri.example.org"; };

server2 (slave):

I've configured the slave to store its slave zone file (called sec.example.org) in the /etc/bind/slave directory, as you can see in the /etc/bind/named.conf.local file:

cat /etc/bind/named.conf.local

zone "example.org" { type slave; masters {192.168.0.100;}; allow-notify {192.168.0.100;}; allow-transfer {none;}; file "/etc/bind/slave/sec.example.org"; };

The slave is notified of zone file changes on the master so that it can retrieve a new zone file.
As you see, nothing special here - a normal BIND setup.

2 Enabling DNSSEC On The Master (server1)

server1 (master):

I will use the dnssec-tools package in this tutorial as it comes with some handy tools such as zonesigner and rollerd that make DNSSEC management a lot easier.
We can install it (and some other recommended packages) as follows:

apt-get install dnssec-tools libnet-dns-sec-perl libmailtools-perl libcrypt-openssl-random-perl

Now go to the /etc/bind directory:

cd /etc/bind

Open named.conf.options...

vi named.conf.options

... and add dnssec-enable yes;, dnssec-validation yes;, and dnssec-lookaside auto; to the options section:

options { directory "/var/cache/bind"; // If there is a firewall between you and nameservers you want // to talk to, you may need to fix the firewall to allow multiple // ports to talk. See http://www.kb.cert.org/vuls/id/800113 // If your ISP provided one or more IP addresses for stable // nameservers, you probably want to use them as forwarders. // Uncomment the following block, and insert the addresses replacing // the all-0's placeholder. // forwarders { // 0.0.0.0; // }; auth-nxdomain no; # conform to RFC1035 listen-on-v6 { any; }; dnssec-enable yes; dnssec-validation yes; dnssec-lookaside auto; //bindkeys-file "/etc/bind/bind.keys"; };

The bindkeys-file line is needed only if your bind.keys file is in a location other than /etc/bind/bind.keys - if it's /etc/bind/bind.keys, it's loaded by default.
dnssec-lookaside auto; makes that named reads the DLV key from bind.keys the first time it executes. This is the dlv.isc.org key.
Normally, there should be a fully signed path from the root zone (.) down to your own zone, which means that your parent zones (e.g. .org for example.org) must be signed as well. Unfortunately, not all TLDs have been signed yet. If any of your parents aren't signed, the chain is broken, and you cannot use the root zone's key as a trusted anchor in your BIND configuration.
That's why DNSSEC look-aside validation (DLV) was invented. In short, DLV serves as an alternative repository for trusted keys where you can submit your zone keys if there's no fully signed path to your zone. The most prominent DLV repository is dlv.isc.org (ISC is the company that makes BIND). Both the root zone key and the dlv.isc.org key are included in /etc/bind/bind.keys (if not, please update BIND...

apt-get install bind9

... and check again).
You can find out more about DNSSEC look-aside validation (DLV) on https://www.isc.org/solutions/dlv and https://dlv.isc.org/about/background. If you want to submit your keys to the dlv.isc.org repository, you can register on https://dlv.isc.org/.
You can find a list of signed TLDs on http://stats.research.icann.org/dns/tld_report/ and http://www.tldwithdnssec.se/. If your TLD is signed, the preferred method is to submit your keys to your registry so that they can create a DS record for your zone. You don't need a DLV record then.
In BIND 9.8 and 9.9, the root zone key from bind.keys can be loaded with dnssec-validation auto; - unfortunately, in BIND 9.7 (which we use) there's no auto option for dnssec-validation (that's why we use dnssec-validation yes;) which means the root zone key isn't loaded (see https://www.isc.org/bind-keys). To overcome this issue, we can either add the root zone key from bind.keys...

cat bind.keys

[...] managed-keys { # ISC DLV: See https://www.isc.org/solutions/dlv for details. # NOTE: This key is activated by setting "dnssec-lookaside auto;" # in named.conf. dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh"; # ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml # for current trust anchor information. # NOTE: This key is activated by setting "dnssec-validation auto;" # in named.conf. . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0="; };

to named.conf.options, or we simply include bind.keys in named.conf.options (I prefer the latter method):

vi named.conf.options

options { directory "/var/cache/bind"; // If there is a firewall between you and nameservers you want // to talk to, you may need to fix the firewall to allow multiple // ports to talk. See http://www.kb.cert.org/vuls/id/800113 // If your ISP provided one or more IP addresses for stable // nameservers, you probably want to use them as forwarders. // Uncomment the following block, and insert the addresses replacing // the all-0's placeholder. // forwarders { // 0.0.0.0; // }; auth-nxdomain no; # conform to RFC1035 listen-on-v6 { any; }; dnssec-enable yes; dnssec-validation yes; dnssec-lookaside auto; //bindkeys-file "/etc/bind/bind.keys"; }; //managed-keys { // # ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml // # for current trust anchor information. // . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF // FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX // bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD // X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz // W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS // Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq // QxA+Uk1ihz0="; //}; include "/etc/bind/bind.keys";

Restart BIND afterwards:

/etc/init.d/bind9 restart

Now let's sign our example.org zone. We do this with the handy zonesigner tool which is a wrapper around dnssec-keygen and dnssec-signzone. Take a look at

man zonesigner

to learn more about its options. (You can specify default values for zonesigner and rollerd in /etc/dnssec-tools/dnssec-tools.conf so that you don't have to specify so many options on the command line - normally the default values in /etc/dnssec-tools/dnssec-tools.conf should be ok.)
We can sign our zone as follows:

zonesigner -genkeys -usensec3 -zone example.org pri.example.org

We use NSEC3 here to avoid zone walking.

root@server1:/etc/bind# zonesigner -genkeys -usensec3 -zone example.org pri.example.org

        if zonesigner appears hung, strike keys until the program completes
        (see the "Entropy" section in the man page for details)

Generating key pair...++++++ .................................................++++++
Generating key pair..............++++++ .........++++++
Generating key pair............................................
.........................................................................
..........................................+++ ......................
.........................................................................
.................................+++
Verifying the zone using the following algorithms: RSASHA256.
Zone signing complete:
Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
                      ZSKs: 1 active, 1 stand-by, 0 revoked

zone signed successfully

example.org:
        KSK (cur) 27916  -b 2048  04/13/12      (example.org-signset-00003)
        ZSK (cur) 31560  -b 1024  04/13/12      (example.org-signset-00001)
        ZSK (pub) 29958  -b 1024  04/13/12      (example.org-signset-00002)

zone will expire in 4 weeks, 3 days, 0 seconds
DO NOT delete the keys until this time has passed.
root@server1:/etc/bind#

As you see, zonesigner has created three key pairs (private/public key pair), a key-signing key (KSK) with the ID 27916 and two zone-signing keys (ZSKs) with the IDs 31560 (active) and 29958 (passive), one active and one passive. We need two ZSKs for key rollovers later on. You can learn more about KSKs and ZSKs on https://dlv.isc.org/about/background; http://www.nlnetlabs.nl/publications/dnssec_howto/#x1-400005 has some good infos about key rollovers and why two ZSKs are needed.
Let's take a look at the /etc/bind directory now:

ls -l

root@server1:/etc/bind# ls -l
total 100
-rw-r--r-- 1 root root  665 Jan 15  2011 bind.keys
-rw-r--r-- 1 root root  237 Jan 15  2011 db.0
-rw-r--r-- 1 root root  271 Jan 15  2011 db.127
-rw-r--r-- 1 root root  237 Jan 15  2011 db.255
-rw-r--r-- 1 root root  353 Jan 15  2011 db.empty
-rw-r--r-- 1 root root  270 Jan 15  2011 db.local
-rw-r--r-- 1 root root 2994 Jan 15  2011 db.root
-rw-r--r-- 1 root bind  167 Apr 13 10:19 dsset-example.org.
-rw-r--r-- 1 root bind 1910 Apr 13 10:19 example.org.krf
-rw-r--r-- 1 root bind  605 Apr 13 10:19 Kexample.org.+008+27916.key
-rw------- 1 root bind 1776 Apr 13 10:19 Kexample.org.+008+27916.private
-rw-r--r-- 1 root bind  431 Apr 13 10:19 Kexample.org.+008+29958.key
-rw------- 1 root bind 1012 Apr 13 10:19 Kexample.org.+008+29958.private
-rw-r--r-- 1 root bind  431 Apr 13 10:19 Kexample.org.+008+31560.key
-rw------- 1 root bind 1012 Apr 13 10:19 Kexample.org.+008+31560.private
-rw-r--r-- 1 root bind  463 Jan 15  2011 named.conf
-rw-r--r-- 1 root bind  490 Jan 15  2011 named.conf.default-zones
-rw-r--r-- 1 root bind  167 Apr 13 10:18 named.conf.local
-rw-r--r-- 1 root bind 1389 Apr 13 10:17 named.conf.options
-rw-r--r-- 1 root bind  723 Apr 13 10:19 pri.example.org
-rw-r--r-- 1 root bind 5912 Apr 13 10:19 pri.example.org.signed
-rw-r----- 1 bind bind   77 Feb  7  2011 rndc.key
drwxr-s--- 2 root bind 4096 Feb  7  2011 slave
-rw-r--r-- 1 root root 1317 Jan 15  2011 zones.rfc1918
root@server1:/etc/bind#

You should see your three key pairs Kexample.org.+008+.(key|private) where Kexample.org.+008+27916.key is the public KSK and Kexample.org.+008+31560.key the active public ZSK and Kexample.org.+008+29958.key the passive public ZSK.
There's also the file dsset-example.org. which contains the DS records that have to be set up at your registry for your zone:

cat dsset-example.org.

example.org. IN DS 27916 8 1 20390B300F17E32838B309254E572FCC7CB139B3 example.org. IN DS 27916 8 2 45A003E0A9FB0EE773F487A7C8FE81A8219EB14741485A925C0D418E 3E45A209

The example.org.krf file contains key management details (like zone name, zone file name, key IDs, expiry, etc.) that are used by zonesigner and rollerd for key management.

cat example.org.krf

zone "example.org" serial "2012041306" kskcur "example.org-signset-00003" zskpub "example.org-signset-00002" zskcur "example.org-signset-00001" zskcount "1" signedzone "pri.example.org.signed" kskcount "1" archivedir "/var/lib/dnssec-tools/archive" kskdirectory "/etc/bind" zskdirectory "/etc/bind" endtime "+2678400" lastset "example.org-signset-00003" zonefile "pri.example.org" keyrec_type "zone" keyrec_signsecs "1334305175" keyrec_signdate "Fri Apr 13 08:19:35 2012" set "example.org-signset-00001" keys "Kexample.org.+008+31560" set_type "zskcur" zonename "example.org" keyrec_setsecs "1334305173" keyrec_setdate "Fri Apr 13 08:19:33 2012" set "example.org-signset-00002" keys "Kexample.org.+008+29958" set_type "zskpub" zonename "example.org" keyrec_setsecs "1334305173" keyrec_setdate "Fri Apr 13 08:19:33 2012" key "Kexample.org.+008+31560" zonename "example.org" keyrec_type "zskcur" algorithm "rsasha256" random "/dev/urandom" keypath "/etc/bind/Kexample.org.+008+31560.key" zsklength "1024" zsklife "604800" keyrec_gensecs "1334305173" keyrec_gendate "Fri Apr 13 08:19:33 2012" key "Kexample.org.+008+29958" zonename "example.org" keyrec_type "zskpub" algorithm "rsasha256" random "/dev/urandom" keypath "/etc/bind/Kexample.org.+008+29958.key" zsklength "1024" zsklife "604800" keyrec_gensecs "1334305173" keyrec_gendate "Fri Apr 13 08:19:33 2012" set "example.org-signset-00003" keys "Kexample.org.+008+27916" set_type "kskcur" zonename "example.org" keyrec_setsecs "1334305173" keyrec_setdate "Fri Apr 13 08:19:33 2012" key "Kexample.org.+008+27916" zonename "example.org" keyrec_type "kskcur" algorithm "rsasha256" random "/dev/urandom" keypath "/etc/bind/Kexample.org.+008+27916.key" ksklength "2048" ksklife "15552000" revperiod "3888000" keyrec_gensecs "1334305174" keyrec_gendate "Fri Apr 13 08:19:34 2012"

The most important thing is, there's now a new zone file, pri.example.org.signed - it's the signed version of pri.example.org. This is how it looks:

cat pri.example.org.signed

; File written on Fri Apr 13 10:19:34 2012 ; dnssec_signzone version 9.7.2-P3 example.org. 3600 IN SOA server1.example.com. zonemaster.example.com. ( 2012041306 ; serial 7200 ; refresh (2 hours) 540 ; retry (9 minutes) 604800 ; expire (1 week) 86400 ; minimum (1 day) ) 3600 RRSIG SOA 8 2 3600 20120514071934 ( 20120413071934 31560 example.org. PBITMuBEZzMHSw53keFzfAxWzhj/iqgUZsA+ XSD5eahnXSla+J6nSzeU0j0Zw+6z4TBkQeBm OzKMNjO6Zq1vK18nQH8Gg7uJgROjYU7XtPAw laCsFWcOhna9RCUayZf8Ft3Emu7BG1Bp16rz SdQhte0UPk/1k0nO1d6JpyXmCUY= ) 86400 NS server1.example.com. 86400 NS server2.example.com. 86400 RRSIG NS 8 2 86400 20120514071934 ( 20120413071934 31560 example.org. OYzDYsxaKvzEmI+DCtgbjycy1I1l+O+42Uwy R/YAKzEEwRTswIbj/cjbmBb7HmWJVHkqLHw/ xWPt9MwjSPyJZyGQtVgrHhmxZSf1vNByqHFU evUhg1qsRBwFQfoayDKQWC77MkCn6qzYa5W4 VxChDYP2rCkgaCuYnWLPm3o82RY= ) 3600 A 1.2.3.4 3600 RRSIG A 8 2 3600 20120514071934 ( 20120413071934 31560 example.org. oGCbVz6tro67wrwDKeG5UOugTjGxXaC1BODd LZtNHo4NAk9iuTQIOdWbITsNotXqx8qpwhVp xSXEqcjqdyAKH3530A/lxntEDJzAfzLP7sFI QfpYn2WedeFox6J9U1uNmkg45ddIsWE67AGC 8emmsxj2+WieGJ4BpiIvaZguOuI= ) 3600 MX 10 mail.example.org. 3600 RRSIG MX 8 2 3600 20120514071934 ( 20120413071934 31560 example.org. DUAKpO9aRDfHKSxeqIkNT6NwmZNY22U3i9M2 0y13FQ+fexUp+VAeAuOr2Yzl/jipTKFYkFbL vh5pcOGb3nW/uPnFsGWUKX8g9E8sW22uPPO4 Xa7riEXylHAPqL7BU+/6AxAZqsAS4/ZE2MUL qY/kq5ZiY1+GptMnINjh7THNfDs= ) 3600 TXT "v=spf1 a mx ptr -all" 3600 RRSIG TXT 8 2 3600 20120514071934 ( 20120413071934 31560 example.org. cWzBNj/79/HRXyHFY2Qrtwygw8lviiSS90Na qEbFIbpnMIjkjQHW1xL8CjJTg3xawWrdCi1T dyAZu4PGLZiEfRRjyWzKyvjjdOaaUBlaPkVY VWGuYAUX4e6IqRe7CRNDIdELMPxRk+AqVn36 T6HPOaOnd5tXM1APW2f8OOI4hmA= ) 3600 DNSKEY 256 3 8 ( AwEAAbiLwZNsdmDJDqpRppqAxMkKMZF6F4wi /QulmN1LUi2uA9zzz8O6V+NAhYDh8GBP3dNm Zl+2DAJRm9ckL1PLc7ndTbvZYU4fIHYaCwJ+ 5pDztrWA4mz960RQKCVaV6g25Gr1dWF2vQtt QlXGTlnWijbPkjtBxVuTgN2HUzC1+RLj ) ; key id = 31560 3600 DNSKEY 256 3 8 ( AwEAAcoCzDx4onsEaFuMYN7GbID8jcM7Ct5F dBKcU8FCx7wIDpsfDi0OTDsoZk9TaWBdCOh4 KbL7TbI7aue30irpCb/XLTG3B1JQEWRSWoGS ZxnAA3FzI9QvpJJhNBrr1nwbNq8QDmZnA7dF 00LxLtQy/G7cJew4yNxb/hM1imhHk8bx ) ; key id = 29958 3600 DNSKEY 257 3 8 ( AwEAAbjthg82WErIMm+gcsOeNlI6j7/9Vuih QtYVnt9dOFWeddfZxlbvVIFKklxBLMmBt4Z5 GULTDKg+2BA6hGq3UGTHJMg1cpYTZtUBF4R1 LnxL2KB15rBFtU8b3C8OtrpGsEI/VUWeii5I PopFU04QMDCQkXBiulwHbG6ZcynlvYeaUC94 CVabjTPpO95BysAZqBrxQsWyokMWwMtX6V0+ uYlzGIU2OJazpYkWsIrAfpY2dRL15pugx4gC WMZwdsrfiHZSS7nlDCaDbAgsTS5tQiU4zy2Y Q7vst7U4Zmh0+WbfHefeyVByCdiQaF2UmVsm nTxuEtu1Y3SSClmDzq2/wW8= ) ; key id = 27916 3600 RRSIG DNSKEY 8 2 3600 20120514071934 ( 20120413071934 27916 example.org. hi4iklMgcGJPeBa+vOHfXdKzC0/UcizxPO7x QCWohh9/5TMABgWyhtjjxPFeMpayqTLdS2QP LARIIMrCNERHweZ9ucq3iwUXUCywzX/opxuu UpHKiPy0+efWIOEa+oje20bnDHOApqf/iwjs 5N5GKY5KYdDb7ESy/TVthc7hiWJHcEwjkp9u w98CQ6AubygmuHweR0ZGhtDRSBjssllgf7+w v7vIPfcR0M/iQVdWlZif5kfSeJwc0XwycyPr vRljcNW5rXxi76663WrFg3CgtuwF5KpNzK6+ u4ai8J5nmIy9HCFDhVb2heyLqIdGXfr4A3PY whwQbSISeLukYzPcJg== ) 3600 RRSIG DNSKEY 8 2 3600 20120514071934 ( 20120413071934 31560 example.org. kvzkVv3+mf+hTQOaDnV0Da6wQp7f8j7STRnP QfbOX7L4BSgCZAC1nX3gvwUJ4++bn0qZufZk buqL+x2FP/DynKpgZBXXu72zRx9yrScHZXHT HxicYCEoFfuz0SS+OAeVFs96NpTCg1Qe7xQl +dg0nnmmq3BBSkggxble2Drz9hQ= ) 0 NSEC3PARAM 1 0 100 BAC4DE566D0E4403 0 RRSIG NSEC3PARAM 8 2 0 20120514071934 ( 20120413071934 31560 example.org. JgpKxiJmynRC6sI2dqSweHSCk6LYdARhP67M 7N/tlBKn3LmwWUAzxFy+TUxlmz1TKYJra9AT zskc/QP0fdKubFZPgXY0AGAKWLjBUftE71jY R5+uYgUOHCrlFaSK4i7iPbeEkHRYkj2MVWkj oPQlDCZEFe0b6XtOB+c3VAkmibk= ) www.example.org. 3600 IN A 1.2.3.4 3600 RRSIG A 8 3 3600 20120514071934 ( 20120413071934 31560 example.org. lm64+7cGoS1DmHqm73aIAB3HGh74Asih9HB/ D6YUpONoVKax78aDnHCrypbTs33GKgUp2sW/ ZI1AVrDAclCIO8zs6Cr3Efl6OjU2NlaMnNKk xFZk+UgD7Qna/0qfcBdpZzdfXcez3m+/ItOE mSAknyO2K+h7jqNZBsJAgUgVtmo= ) 06C7U6DINN1SA2C7HK9GFBTSOU0KADR8.example.org. 86400 IN NSEC3 1 0 100 BAC4DE566D0E4403 HBSF972BMNBCF9J9LCP9453EAM3A5J96 A NS SOA MX TXT RRSIG DNSKEY NSEC3PARAM 86400 RRSIG NSEC3 8 3 86400 20120514071934 ( 20120413071934 31560 example.org. Sj0BJA2jWC+Lcifn6F2Iavelv81hdW/UxnN9 8MYikEjCAw80NJBRq7N6YMEkw0Qoh0zT06Qe zGysgca8b6+njkc3YGl5NhtwV0cnL0EC9xUj MdyoaRbgKlNIiWzwABd0YbFBSThVtBgeAqan TqZXwRMQR+BZ4IVIpEWZ891ijYI= ) HBSF972BMNBCF9J9LCP9453EAM3A5J96.example.org. 86400 IN NSEC3 1 0 100 BAC4DE566D0E4403 TNBUBU0J4E7QEMO9NNCGMJ7BK5A03GLN A RRSIG 86400 RRSIG NSEC3 8 3 86400 20120514071934 ( 20120413071934 31560 example.org. WhobKFIWJd5g3TNckzp9ilORttoBLpXa/Ng3 8RI1Hb367i7+S8gZDQD81Jm6RA0PYxDR7MgA UShRIb3UK8EjSFj+B+Dnbrs/UiwYQ/PjOYRM TzXuK8uYJ1Q8UTMdyDC9uFQ7Ju8+G0vQQBMC lkTo9MWR4a8bDsDqRytg+0WeBCs= ) TNBUBU0J4E7QEMO9NNCGMJ7BK5A03GLN.example.org. 86400 IN NSEC3 1 0 100 BAC4DE566D0E4403 06C7U6DINN1SA2C7HK9GFBTSOU0KADR8 A RRSIG 86400 RRSIG NSEC3 8 3 86400 20120514071934 ( 20120413071934 31560 example.org. SueRnWwggy3PCVk3Z3emXVMoMIDwVi8XhDf/ o0gpmnqm/1ZKXsHRKI3KvfUa3EUAqGH27ZyP GNsSbmgabAwpw8bXbc2y5hQLK9BVFTczolgh 5tws4Ok/rhec5CmoPzACt/lKkP4s9b8VmltY bh7FPA9mYarlNF4OGRNDCCp97r8= ) mail.example.org. 3600 IN A 1.2.3.4 3600 RRSIG A 8 3 3600 20120514071934 ( 20120413071934 31560 example.org. totQYEtfcNAjyUuvgaJcXeY0Bc5a5DYnmFDG 1u+7wyUrpMkSGRNlcZAuqrdy8ZNx1roacrAa iaHVz3ZsuTdYS7jyLmEZe1WdQZy7DN4POoBe YWH4AXu8ixH2PIheOC+7b6v/T+1FTi92NeXY FSNSqyvKSV6zzROM/qEcUwh1Sr8=

You see, it's much larger than the intial zone file.
We can use donuts to check if there are any problems with the signed zone file:

donuts --level 8 -v pri.example.org.signed example.org

If everything is ok, you shouldn't see any warnings or errors:

root@server1:/etc/bind# donuts --level 8 -v pri.example.org.signed example.org
--- loading rule file /usr/share/dnssec-tools/donuts/rules/check_nameservers.txt
    rules: MEMORIZE_NS_ADDRS DNS_SERVERS_MATCH_DATA
--- loading rule file /usr/share/dnssec-tools/donuts/rules/dns.errors.txt
    rules: DNS_SOA_REQUIRED MEMORIZE_NS_CNAME_RECORDS DNS_NS_NO_CNAME
--- loading rule file /usr/share/dnssec-tools/donuts/rules/dnssec.rules.txt
    rules: DNSSEC_RRSIG_TTL_MATCH_ORGTTL DNSSEC_MEMORIZE_NS_RECORDS DNSSEC_CHECK_IF_NSEC3
 DNSSEC_MISSING_NSEC_RECORD DNSSEC_MISSING_RRSIG_RECORD DNSSEC_RRSIG_NOT_SIGNING_RRSIG DNSSEC_RRSIG_FOR_NS_GLUE_RECORD
 DNSSEC_NSEC_FOR_NS_GLUE_RECORD DNSSEC_RRSIG_SIGEXP DNSSEC_NSEC_TTL DNSSEC_NSEC3_TTL DNSSEC_DNSKEY_MUST_HAVE_SAME_NAME
 DNSSEC_DNSKEY_PROTOCOL_MUST_BE_3 DNSSEC_BOGUS_NS_MEMORIZE DNSSEC_MISSING_RRSIG_RECORD DNSSEC_RRSIG_TTL_MUST_MATCH_RECORD
 DNSSEC_MISSING_NSEC_RECORD DNSSEC_RRSIG_SIGNER_NAME_MATCHES DNSSEC_NSEC_RRSEC_MUST_NOT_BE_ALONE DNSSEC_MEMORIZE_KEYS
 DNSSEC_RRSIGS_VERIFY DNSSEC_TWO_ZSKS DNSSEC_OPENSSL_KEY_ISSUES
--- loading rule file /usr/share/dnssec-tools/donuts/rules/nsec_check.rules.txt
    rules: DNSSEC_NSEC_MEMORIZE DNSSEC_NSEC3_MEMORIZE DNSSEC_NSEC3_CHECK DNSSEC_NSEC_CHECK
--- loading rule file /usr/share/dnssec-tools/donuts/rules/parent_child.rules.txt
    rules: DNS_MULTIPLE_NS DNSSEC_SUB_NOT_SECURE DNSSEC_DNSKEY_PARENT_HAS_VALID_DS DNSSEC_DS_CHILD_HAS_MATCHING_DNSKEY
--- loading rule file /usr/share/dnssec-tools/donuts/rules/recommendations.rules.txt
    rules: DNS_REASONABLE_TTLS DNS_NO_DOMAIN_MX_RECORDS
--- Analyzing individual records in pri.example.org.signed
--- Analyzing records for each name in pri.example.org.signed
results on testing example.org:
  rules considered:     38
  rules tested:         30
  records analyzed:     28
  names analyzed:       6
  errors found:         0
root@server1:/etc/bind#

Let's check the contents of our KSK (we will need this later on to create a trust anchor on our resolver server3 to do some testing before we submit the DS records to the registry):

cat Kexample.org.+008+27916.key

; This is a key-signing key, keyid 27916, for example.org. ; Created: 20120413081933 (Fri Apr 13 10:19:33 2012) ; Publish: 20120413081933 (Fri Apr 13 10:19:33 2012) ; Activate: 20120413081933 (Fri Apr 13 10:19:33 2012) example.org. IN DNSKEY 257 3 8 AwEAAbjthg82WErIMm+gcsOeNlI6j7/9VuihQtYVnt9dOFWeddfZxlbv VIFKklxBLMmBt4Z5GULTDKg+2BA6hGq3UGTHJMg1cpYTZtUBF4R1LnxL 2KB15rBFtU8b3C8OtrpGsEI/VUWeii5IPopFU04QMDCQkXBiulwHbG6Z cynlvYeaUC94CVabjTPpO95BysAZqBrxQsWyokMWwMtX6V0+uYlzGIU2 OJazpYkWsIrAfpY2dRL15pugx4gCWMZwdsrfiHZSS7nlDCaDbAgsTS5t QiU4zy2YQ7vst7U4Zmh0+WbfHefeyVByCdiQaF2UmVsmnTxuEtu1Y3SS ClmDzq2/wW8=

Now we must update named.conf.local...

vi named.conf.local

... and replace pri.example.org with pri.example.org.signed:

zone "example.org" { type master; allow-transfer {192.168.0.101;}; also-notify {192.168.0.101;}; file "/etc/bind/pri.example.org.signed"; };

Restart BIND afterwards:

/etc/init.d/bind9 restart

3 Modifying A Signed Zone (server1)

 

server1 (master):

If you want to modify the example.org zone (e.g. add/update/delete records), you don't modify pri.example.org.signed, but the unsigned version pri.example.org. After you are finished with your modifications, run

zonesigner -zone example.org pri.example.org

This will increase the serial number of the zone file (so you don't have to increase it manually) and create a new pri.example.org.signed file.

4 Enabling DNSSEC On The Slave (server2)

server2 (slave):

Go to the /etc/bind directory:

cd /etc/bind

Do the same changes to named.conf.options that you did on the master (set dnssec-enable yes;, dnssec-validation yes; and dnssec-lookaside auto; in the options area and include /etc/bind/bind.keys):

vi named.conf.options

options { directory "/var/cache/bind"; // If there is a firewall between you and nameservers you want // to talk to, you may need to fix the firewall to allow multiple // ports to talk. See http://www.kb.cert.org/vuls/id/800113 // If your ISP provided one or more IP addresses for stable // nameservers, you probably want to use them as forwarders. // Uncomment the following block, and insert the addresses replacing // the all-0's placeholder. // forwarders { // 0.0.0.0; // }; auth-nxdomain no; # conform to RFC1035 listen-on-v6 { any; }; dnssec-enable yes; dnssec-validation yes; dnssec-lookaside auto; //bindkeys-file "/etc/bind/bind.keys"; }; include "/etc/bind/bind.keys";

That would be sufficient to configure DNSSEC on the slave, but I want the signed zone file to be named sec.example.org.signed instead of sec.example.org (this is just a personal preference and therefore optional), therefore I edit named.conf.local...

vi named.conf.local

... and change sec.example.org to sec.example.org.signed:

zone "example.org" { type slave; masters {192.168.0.100;}; allow-notify {192.168.0.100;}; allow-transfer {none;}; file "/etc/bind/slave/sec.example.org.signed"; };

Restart BIND:

/etc/init.d/bind9 restart

If you have modified the zone file name in named.conf.local, there should now be two zone files for example.org in the slave/ directory, one with the old name and one with the new name:

ls -l slave/

root@server2:/etc/bind# ls -l slave/
total 16
-rw-r--r-- 1 bind bind 5578 Apr 13 10:24 sec.example.org
-rw-r--r-- 1 bind bind 5578 Apr 13 10:30 sec.example.org.signed
root@server2:/etc/bind#

Delete the one with the old name (it's unused now):

rm -f slave/sec.example.org

That's all for the slave - as you see, no keys have to be created or transferred (well, they are transferred as part of the signed zone).

5 Enabling DNSSEC On The Resolving DNS (server3)

server3 (resolver):

To make resolving, non-authoritative name servers speak and understand DNSSEC, you essentially just have to do the same changes to named.conf.options as on the master and slave, i.e. set dnssec-enable yes;, dnssec-validation yes; and dnssec-lookaside auto; in the options area and include /etc/bind/bind.keys:

cd /etc/bind
vi named.conf.options

options { directory "/var/cache/bind"; // If there is a firewall between you and nameservers you want // to talk to, you may need to fix the firewall to allow multiple // ports to talk. See http://www.kb.cert.org/vuls/id/800113 // If your ISP provided one or more IP addresses for stable // nameservers, you probably want to use them as forwarders. // Uncomment the following block, and insert the addresses replacing // the all-0's placeholder. // forwarders { // 0.0.0.0; // }; auth-nxdomain no; # conform to RFC1035 listen-on-v6 { any; }; dnssec-enable yes; dnssec-validation yes; dnssec-lookaside auto; //bindkeys-file "/etc/bind/bind.keys"; }; include "/etc/bind/bind.keys";

Restart BIND:

/etc/init.d/bind9 restart

That would normally be sufficient for a resolver.
Now I want to test DNSSEC on the master and slave (test means I haven't submitted the DS records to the registry yet) with the dig command from this resolver, therefore I have to change the configuration a bit.
First I modify /etc/resolv.conf so that this box is the resolver's own client:

vi /etc/resolv.conf

Remove or comment out all other nameservers so that the only nameserver is 127.0.0.1:

nameserver 127.0.0.1

Next open named.conf.options again...

vi named.conf.options

... and add the IP addresses of the master and the slave DNS server to the forwarders section AND add a managed-keys section that includes the KSK from the example.org zone (see chapter 2) (this is our trust anchor right now so that we can test; after the DS records have been set up at your registry, this trust anchor isn't needed anymore because we have the root zone key in our configuration - in the bind.keys file):

options { directory "/var/cache/bind"; // If there is a firewall between you and nameservers you want // to talk to, you may need to fix the firewall to allow multiple // ports to talk. See http://www.kb.cert.org/vuls/id/800113 // If your ISP provided one or more IP addresses for stable // nameservers, you probably want to use them as forwarders. // Uncomment the following block, and insert the addresses replacing // the all-0's placeholder. forwarders { 192.168.0.100; 192.168.0.101; }; auth-nxdomain no; # conform to RFC1035 listen-on-v6 { any; }; dnssec-enable yes; dnssec-validation yes; dnssec-lookaside auto; }; include "/etc/bind/bind.keys"; managed-keys { example.org. initial-key 257 3 8 "AwEAAbjthg82WErIMm+gcsOeNlI6j7/9VuihQtYVnt9dOFWeddfZxlbv VIFKklxBLMmBt4Z5GULTDKg+2BA6hGq3UGTHJMg1cpYTZtUBF4R1LnxL 2KB15rBFtU8b3C8OtrpGsEI/VUWeii5IPopFU04QMDCQkXBiulwHbG6Z cynlvYeaUC94CVabjTPpO95BysAZqBrxQsWyokMWwMtX6V0+uYlzGIU2 OJazpYkWsIrAfpY2dRL15pugx4gCWMZwdsrfiHZSS7nlDCaDbAgsTS5t QiU4zy2YQ7vst7U4Zmh0+WbfHefeyVByCdiQaF2UmVsmnTxuEtu1Y3SS ClmDzq2/wW8="; };

Restart BIND:

/etc/init.d/bind9 restart

Now we can test the example.org zone with DNSSEC:

dig +dnssec example.org

If everything goes well, you should get an answer to the ad flag set (ad = authenticated data):

root@server3:/etc/bind# dig +dnssec example.org

; <<>> DiG 9.7.3 <<>> +dnssec example.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 756
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;example.org.                   IN      A

;; ANSWER SECTION:
example.org.            3600    IN      A       1.2.3.4
example.org.            3600    IN      RRSIG   A 8 2 3600 20120514071934 20120413071934 31560 example.org.
oGCbVz6tro67wrwDKeG5UOugTjGxXaC1BODdLZtNHo4NAk9iuTQIOdWb ITsNotXqx8qpwhVpxSXEqcjqdyAKH3530A/lxntEDJzAfzLP7s
FIQfpY n2WedeFox6J9U1uNmkg45ddIsWE67AGC8emmsxj2+WieGJ4BpiIvaZgu OuI=

;; AUTHORITY SECTION:
example.org.            86400   IN      NS      server1.example.com.
example.org.            86400   IN      NS      server2.example.com.
example.org.            86400   IN      RRSIG   NS 8 2 86400 20120514071934 20120413071934 31560 example.org.
OYzDYsxaKvzEmI+DCtgbjycy1I1l+O+42UwyR/YAKzEEwRTswIbj/cjb mBb7HmWJVHkqLHw/xWPt9MwjSPyJZyGQtVgrHhmxZSf1vNByqHFU
evUh g1qsRBwFQfoayDKQWC77MkCn6qzYa5W4VxChDYP2rCkgaCuYnWLPm3o8 2RY=

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Apr 13 10:37:42 2012
;; MSG SIZE  rcvd: 453

root@server3:/etc/bind#

Congratulations! Everything is fine with your DNSSEC setup. Now you can make your registrar create DS records in the parent zone or - if your parent zone isn't signed yet - upload your keys to a DLV repository such as https://dlv.isc.org/. After you have done that, you can remove the managed-keys section for example.org from the named.conf.options file and restart BIND.

6 Setting The DS Record At The Registry / Setting A DLV Record

 

If your parent zone is signed, you should set the DS record at the registry - this is preferred over using DLV records at a DLV provider such as https://dlv.isc.org/.
(You can find a list of signed TLDs on http://stats.research.icann.org/dns/tld_report/ and http://www.tldwithdnssec.se/.)
Unfortunately this task cannot be automated. Some registrar's allow you to upload your DS records (the contents of the /etc/bind/dsset-example.org. file) through their web interface, while you can email it to others. Contact your registrar and ask if they support DNSSEC and what the preferred way is to submit your DS records.
If your parent zone isn't signed or your registrar has no way of submitting your DS records to the registry, you can use DLV. For example, you can go to https://dlv.isc.org/, register and follow their instructions.

7 Key Rolling

server1 (master):

By default, keys (KSKs and ZSKs) expire after some time to make it harder for hackers to compromise them. You can set the expiry date with the -endtime switch when you run zonesigner together with the -genkeys switch. If you don't specify the -endtime switch, the value is taken from /etc/dnssec-tools/dnssec-tools.conf.
Because keys expire, we have to change them - this is called "key rolling". Fortunately, this task can be automated by a daemon called rollerd which takes care of creating new keys, signing zones, etc.
Go to /etc/bind:

cd /etc/bind

Create a file called all.rollrec that contains details about your signed zones, their keys, the contact person for the zone, etc.:

rollinit -zonefile /etc/bind/pri.example.org.signed -keyrec /etc/bind/example.org.krf -admin zonemaster@example.com example.org >> all.rollrec

Repeat this for every signed zone you have.
Then start the rollerd daemon as follows:

rollerd -rrfile /etc/bind/all.rollrec -directory /etc/bind

The service automatically goes to the background. Unfortunately it has no init script, so we have to add the command to /etc/rc.local (before the exit 0 line) to make it start automatically when the system boots:

vi /etc/rc.local

[...] /usr/sbin/rollerd -rrfile /etc/bind/all.rollrec -directory /etc/bind [...]

 

8 Automatic Zone File Checks With donutsd

server1 (master):
Finally we can set up automated zone file checks with donutsd (this is optional, but nice to have). donutsd is the damon belonging to the donuts command we used earlier. It runs in the background, checks your signed zones from time to time and sends an email if there's anything wrong.
First, we create the file /etc/bind/checkzones.txt - it has the format :

vi /etc/bind/checkzones.txt

Add your zones, one zone per line:

/etc/bind/pri.example.org.signed example.org zonemaster@example.com

Start the donutsd service afterwards:

donutsd -i /etc/bind/checkzones.txt &

Like rollerd, donutsd has no init script. Therefore we add the following command to /etc/rc.local (before the exit 0 line) to make it start automatically when the system boots:

vi /etc/rc.local

[...] /usr/sbin/donutsd -i /etc/bind/checkzones.txt & [...]

That's it! Have fun with your DNSSEC setup!

9 Links

• DNSSEC HOWTO, a tutorial in disguise: http://www.nlnetlabs.nl/publications/dnssec_howto/
• DNSSEC in 6 minutes: http://www.isc.org/files/DNSSEC_in_6_minutes.pdf
• DNSSEC background: https://dlv.isc.org/about/background
• ISC DLV Registry: https://dlv.isc.org/
• Root and DLV Trust Anchors (bind.keys): https://www.isc.org/bind-keys
• List of signed TLDs: http://stats.research.icann.org/dns/tld_report/ and http://www.tldwithdnssec.se/
• Debian: http://www.debian.org/
• Ubuntu: http://www.ubuntu.com/