Differences between revisions 2 and 3
Revision 2 as of 2016-08-02 17:39:20
Size: 1369
Editor: WilliMann
Comment: Complete steps
Revision 3 as of 2016-08-02 17:50:31
Size: 2066
Editor: WilliMann
Comment: Some more wording

DNSSEC Howto

This is a minimal howto to get DNSSEC running with bind 9 on jessie. We assume a "clean", freshly installed bind9 here. I wrote this HOWTO to document how I got my first signed zone.

Initial setup

Make separate directories for keys and zones, and let group bind write to zones (with inline signing enabled, bind writes the signed copy of the zone and its journal into that directory):

cd /etc/bind
mkdir zones keys
chmod g+w zones
cd zones

Now create the file example.mytld.zone:

$TTL    6400
@       IN      SOA     ns1.example.mytld. dnsmaster.example.mytld. (
                        2016080201 ; serial
                        8H         ; refresh
                        2H         ; retry
                        1W         ; expire
                        2H         ; negative caching TTL (minimum)
                        )
        IN      NS      ns1.example.mytld.
ns1     IN      A       127.0.0.1
www     IN      A       192.168.0.1

Add the following section to named.conf.local:

zone "example.mytld" {
        type master;
        file "/etc/bind/zones/example.mytld.zone";
        allow-query { any; };
        allow-transfer { 127.0.0.1; };
};

Reload bind and check whether querying the zone works:

dig @127.0.0.1 example.mytld NS

The signing part

Execute

cd keys
# zone-signing key (ZSK); -3 selects an NSEC3-capable algorithm
dnssec-keygen -a RSASHA256 -b 2048 -3 example.mytld
# key-signing key (KSK); -fk sets the KSK flag (257) on the DNSKEY record
dnssec-keygen -a RSASHA256 -b 2048 -3 -fk example.mytld
cd ..

to generate the keys.

Add

        auto-dnssec maintain;
        inline-signing yes;

to the zone "example.mytld" section in named.conf.local.

Add

         key-directory "/etc/bind/keys/";

to the options section in named.conf.options.

Execute

# load the keys from key-directory into the zone
rndc loadkeys example.mytld
# random 8-hex-digit salt ($RANDOM is a bash feature)
NSECSEED=$(printf "%04x%04x" $RANDOM $RANDOM)
# NSEC3PARAM: hash algorithm 1 (SHA-1), flags 0 (no opt-out), 10 iterations, salt
rndc signing -nsec3param 1 0 10 $NSECSEED example.mytld.

to let bind sign the zone.
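To see what the arguments of rndc signing -nsec3param actually do, it helps to compute an NSEC3 hashed owner name by hand. The following is an added example, not part of this howto and not BIND's own code: it implements the RFC 5155 section 5 hash in Python for the parameters used above (SHA-1, 10 iterations, an 8-hex-digit salt). The salt value, the zone name and all function names are assumptions for illustration; the salt in your zone is whatever $NSECSEED expanded to.

```python
import base64
import hashlib

# Hypothetical parameters matching the rndc signing line above: hash algorithm 1
# (SHA-1), 10 iterations, 8-hex-digit salt. The salt value here is constructed.
SALT_HEX = "1a2b3c4d"
ITERATIONS = 10
ZONE = "example.mytld"

# NSEC3 owner names are base32hex (RFC 4648 "Extended Hex"), not plain base32.
_B32_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                 b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def name_to_wire(name):
    """Canonical wire form of a name: lowercase, length-prefixed labels, root label last."""
    labels = [label for label in name.lower().split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def hash_round(data, salt):
    """One H(x) = SHA-1(x || salt) step from RFC 5155 section 5."""
    return hashlib.sha1(data + salt).digest()


def nsec3_digest(name, salt_hex, iterations):
    """IH(salt, name, iterations): the SHA-1 chain applied iterations+1 times in total."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hash_round(name_to_wire(name), salt)
    for _ in range(iterations):
        digest = hash_round(digest, salt)
    return digest


def nsec3_owner(name, salt_hex, iterations):
    """Hashed owner label as bind shows it in NSEC3 records: base32hex, lowercase, unpadded."""
    b32 = base64.b32encode(nsec3_digest(name, salt_hex, iterations))  # 20 bytes -> 32 chars
    return b32.translate(_B32_TO_B32HEX).decode("ascii").lower()


def expected_nsec3_owners(zone, names, salt_hex, iterations):
    """Map each name in the zone to the NSEC3 owner name bind should have created for it."""
    apex = zone.rstrip(".").lower()
    return {n: f"{nsec3_owner(n, salt_hex, iterations)}.{apex}." for n in names}


if __name__ == "__main__":
    names = [ZONE, "ns1." + ZONE, "www." + ZONE]
    for name, owner in expected_nsec3_owners(ZONE, names, SALT_HEX, ITERATIONS).items():
        print(f"{name:<22} -> {owner}")
```

The owner names this prints should be exactly the NSEC3 owner names that appear in the AXFR output of the verification step below, once SALT_HEX is replaced by the salt you passed to rndc. The hash is checked against the RFC 5155 Appendix A vector (name example., salt aabbccdd, 12 iterations). Note that the iteration count only makes the hash more expensive for validators, not harder to reverse for an attacker who already knows the zone's names; RFC 9276 therefore recommends 0 iterations and an empty salt for new deployments.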

Verify that the zone works by executing

dig @127.0.0.1 +dnssec example.mytld AXFR

You should see lines containing "RRSIG" and "NSEC3", and long hex strings.
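Looking for RRSIG and NSEC3 lines by eye is easy to get wrong on a larger zone. The following is an added example, not part of this howto and not a BIND tool: a small Python checker that parses the output of the dig AXFR command above and reports every RRset without a covering RRSIG, a missing KSK or ZSK, a missing NSEC3PARAM, and NSEC3 records whose parameters disagree with NSEC3PARAM. The sample transfer is constructed to look like dig's output for the zone in this howto; the signatures, key material and hashed owner names in it are placeholders, and the function names are assumptions.

```python
# Constructed sample of `dig @127.0.0.1 +dnssec example.mytld AXFR` output for the
# zone above. Signatures, keys and hashed owner names are placeholders, not real
# values. dig separates fields with tabs; the parser treats tabs and spaces alike.
SAMPLE_AXFR = """\
; <<>> DiG 9.9.5 <<>> @127.0.0.1 +dnssec example.mytld AXFR
example.mytld. 6400 IN SOA ns1.example.mytld. dnsmaster.example.mytld. 2016080203 28800 7200 604800 7200
example.mytld. 6400 IN RRSIG SOA 8 2 6400 20160901120000 20160802120000 11111 example.mytld. UExBQ0VIT0xERVI=
example.mytld. 6400 IN NS ns1.example.mytld.
example.mytld. 6400 IN RRSIG NS 8 2 6400 20160901120000 20160802120000 11111 example.mytld. UExBQ0VIT0xERVI=
example.mytld. 6400 IN DNSKEY 256 3 8 AwEAAZSKPLACEHOLDER
example.mytld. 6400 IN DNSKEY 257 3 8 AwEAAKSKPLACEHOLDER
example.mytld. 6400 IN RRSIG DNSKEY 8 2 6400 20160901120000 20160802120000 22222 example.mytld. UExBQ0VIT0xERVI=
example.mytld. 0 IN NSEC3PARAM 1 0 10 1A2B3C4D
example.mytld. 0 IN RRSIG NSEC3PARAM 8 2 0 20160901120000 20160802120000 11111 example.mytld. UExBQ0VIT0xERVI=
ns1.example.mytld. 6400 IN A 127.0.0.1
ns1.example.mytld. 6400 IN RRSIG A 8 3 6400 20160901120000 20160802120000 11111 example.mytld. UExBQ0VIT0xERVI=
www.example.mytld. 6400 IN A 192.168.0.1
www.example.mytld. 6400 IN RRSIG A 8 3 6400 20160901120000 20160802120000 11111 example.mytld. UExBQ0VIT0xERVI=
h0000000000000000000000000000000.example.mytld. 7200 IN NSEC3 1 0 10 1A2B3C4D H1111111111111111111111111111111 NS SOA RRSIG DNSKEY NSEC3PARAM
h0000000000000000000000000000000.example.mytld. 7200 IN RRSIG NSEC3 8 3 7200 20160901120000 20160802120000 11111 example.mytld. UExBQ0VIT0xERVI=
h1111111111111111111111111111111.example.mytld. 7200 IN NSEC3 1 0 10 1A2B3C4D H2222222222222222222222222222222 A RRSIG
h1111111111111111111111111111111.example.mytld. 7200 IN RRSIG NSEC3 8 3 7200 20160901120000 20160802120000 11111 example.mytld. UExBQ0VIT0xERVI=
h2222222222222222222222222222222.example.mytld. 7200 IN NSEC3 1 0 10 1A2B3C4D H0000000000000000000000000000000 A RRSIG
h2222222222222222222222222222222.example.mytld. 7200 IN RRSIG NSEC3 8 3 7200 20160901120000 20160802120000 11111 example.mytld. UExBQ0VIT0xERVI=
example.mytld. 6400 IN SOA ns1.example.mytld. dnsmaster.example.mytld. 2016080203 28800 7200 604800 7200
;; Query time: 1 msec
"""


def parse_axfr(lines):
    """Return (owner, type, rdata fields) for each record in dig presentation output."""
    records = []
    for line in lines:
        fields = line.split()
        # skip blank lines, dig's ';' comments and anything not shaped "owner ttl IN TYPE ..."
        if not fields or fields[0].startswith(";") or len(fields) < 4 or fields[2] != "IN":
            continue
        records.append((fields[0].lower(), fields[3], fields[4:]))
    return records


def check_signed_zone(lines, zone):
    """Return a list of problems; an empty list means the transfer looks like a signed NSEC3 zone."""
    apex = zone.rstrip(".").lower() + "."
    rrsets, signed, dnskey_flags, nsec3_params = set(), set(), set(), set()
    nsec3param = None
    for owner, rtype, rdata in parse_axfr(lines):
        if rtype == "RRSIG":
            signed.add((owner, rdata[0]))  # first RRSIG field is the type covered
            continue
        rrsets.add((owner, rtype))
        if rtype == "DNSKEY" and owner == apex:
            dnskey_flags.add(int(rdata[0]))  # 256 = ZSK, 257 = KSK
        elif rtype == "NSEC3PARAM" and owner == apex:
            nsec3param = (rdata[0], rdata[2], rdata[3])  # algorithm, iterations, salt
        elif rtype == "NSEC3":
            # flags (rdata[1]) are left out: they carry opt-out per record, NSEC3PARAM's are always 0
            nsec3_params.add((rdata[0], rdata[2], rdata[3]))
    problems = []
    for owner, rtype in sorted(rrsets):
        if (owner, rtype) not in signed:
            problems.append(f"{owner} {rtype}: no RRSIG covers this RRset")
    if 257 not in dnskey_flags:
        problems.append("no KSK (DNSKEY flags 257) at the apex")
    if 256 not in dnskey_flags:
        problems.append("no ZSK (DNSKEY flags 256) at the apex")
    if nsec3param is None:
        problems.append("no NSEC3PARAM at the apex: zone is not NSEC3-signed")
    if not nsec3_params:
        problems.append("no NSEC3 records in the transfer")
    elif nsec3param is not None and nsec3_params != {nsec3param}:
        problems.append("NSEC3 records use different parameters than NSEC3PARAM")
    return problems


if __name__ == "__main__":
    issues = check_signed_zone(SAMPLE_AXFR.splitlines(), "example.mytld")
    print("OK: zone looks signed" if not issues else "\n".join(issues))
```

To run it against your own server, pipe the real dig output into the script instead of SAMPLE_AXFR (for example by reading sys.stdin). The check is a sanity check of the zone's structure only; it does not verify the signatures cryptographically or the chain of trust from the parent, which is what delv or dnssec-verify would do.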

Main author: Willi Mann <willi@debian.org>