This is a minimal howto to get DNSSEC running with bind 9 on jessie (Debian 8, which ships bind9 9.9). We assume a "clean", freshly installed bind9 here. I wrote this HOWTO to document how I got my first signed zone.
Initial setup
Make a separate directory for keys and one for zones, and let group bind write in zones (named will create the signed copy of the zone and its journal there):

  cd /etc/bind
  mkdir zones keys
  chmod g+w zones
  cd zones

On Debian /etc/bind is owned by root:bind with the setgid bit set, so the new directories inherit the bind group; check with "ls -ld /etc/bind/zones /etc/bind/keys" and run "chgrp bind zones keys" if that is not the case.
Now create the file example.mytld.zone:

  $TTL 6400
  @       IN SOA ns1.example.mytld. dnsmaster.example.mytld. (
                  2016080201 ; Serial
                  8H         ; refresh
                  2H         ; retry
                  1W         ; expire
                  2H         ; negative caching TTL
                  )
          IN NS   ns1.example.mytld.
  ns1     IN A    127.0.0.1
  www     IN A    192.168.0.1
Add the following section to named.conf.local:

  zone "example.mytld" {
          type master;
          file "/etc/bind/zones/example.mytld.zone";
          allow-query { any; };
          allow-transfer { 127.0.0.1; };
  };
Check the configuration and the zone file, reload bind, and check whether querying the zone works:

  named-checkconf
  named-checkzone example.mytld /etc/bind/zones/example.mytld.zone
  rndc reload
  dig @127.0.0.1 example.mytld NS
The signing part
Execute

  cd keys
  dnssec-keygen -a RSASHA256 -b 2048 -3 example.mytld
  dnssec-keygen -a RSASHA256 -b 2048 -3 -f KSK example.mytld
  chmod g+r *
  cd ..

to generate the keys and let BIND read them. The first call creates the zone signing key (ZSK), the second, with -f KSK (-fk is accepted as an abbreviation), the key signing key (KSK). -3 only asserts that the algorithm is NSEC3-capable, which RSASHA256 is. dnssec-keygen writes the private key files with mode 0600, hence the chmod g+r so that group bind can read them; nobody else should be able to. If dnssec-keygen hangs on a machine with little entropy (a fresh VM, for example), add -r /dev/urandom.
Add

  auto-dnssec maintain;
  inline-signing yes;

to the zone "example.mytld" section in named.conf.local. With auto-dnssec maintain, named picks up the keys from the key directory itself and re-signs records before their signatures expire; with inline-signing, the unsigned zone file stays untouched and named keeps the signed copy in example.mytld.zone.signed (plus a journal) next to it, which is why the zones directory has to be writable for group bind.

Add

  key-directory "/etc/bind/keys/";

to the options section in named.conf.options (it can also be set per zone).
Execute

  rndc loadkeys example.mytld
  NSECSEED=$(printf "%04x%04x" $RANDOM $RANDOM)
  rndc signing -nsec3param 1 0 10 $NSECSEED example.mytld.

to let bind sign the zone. The nsec3param arguments are the hash algorithm (1 = SHA-1, the only one defined), the flags (0 = no opt-out), the number of iterations (10) and the salt; $RANDOM is a bash feature, so run this in bash. Without the rndc signing call the zone is signed with plain NSEC, which lets anyone enumerate the whole zone. Current guidance (RFC 9276) is 0 iterations and no salt ("-"), which still prevents trivial zone walking but keeps validation cheap for resolvers. Check the signing status with

  rndc signing -list example.mytld
Verify that the zone works by executing

  dig @127.0.0.1 +dnssec +multi example.mytld DNSKEY
  dig @127.0.0.1 +dnssec example.mytld AXFR

You should see the two DNSKEY records (flags 257 for the KSK, 256 for the ZSK) and, in the transfer, lines containing "RRSIG", "NSEC3PARAM" and "NSEC3" with long base64 strings; the owner names of the NSEC3 records are hashed, not the real names. For the zone to actually validate, the parent zone still has to publish a DS record for the KSK. Generate it with

  dig @127.0.0.1 example.mytld DNSKEY | dnssec-dsfromkey -f - example.mytld

and hand it to your registrar or parent zone operator.
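The hashed owner names in that AXFR output are derived from the NSEC3PARAM values set with rndc signing above (algorithm 1, 10 iterations, the random salt). The following Python is an added example, not part of the original howto or of BIND: it computes NSEC3 owner names the way RFC 5155 specifies and shows which NSEC3 record proves that a name does not exist. It is checked against the RFC 5155 Appendix A vectors (zone "example.", salt aabbccdd, 12 iterations); the names under example.mytld and the short chain in the demo are constructed for illustration. Python is used instead of shell because the hashing steps are easier to follow.

```python
"""NSEC3 hashing and denial-of-existence lookup per RFC 5155.

Added example for the DNSSEC howto; standard library only.
"""
import base64
import hashlib
from typing import List, Optional, Tuple

# NSEC3 owner names are base32hex ("Extended Hex", RFC 4648 section 7).
# Python only offers plain base32, so translate the alphabet.
_B32 = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32HEX = b"0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_B32HEX = bytes.maketrans(_B32, _B32HEX)


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed
    labels, terminated by the empty root label."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int, algorithm: int = 1) -> str:
    """Hashed owner name (lowercase base32hex) for `name`, using the same
    fields as NSEC3PARAM: algorithm (1 = SHA-1 is the only one defined),
    iterations, salt ("-" or "" means no salt)."""
    if algorithm != 1:
        raise ValueError("only NSEC3 hash algorithm 1 (SHA-1) is defined")
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):  # "iterations" counts the additional rounds
        digest = hashlib.sha1(digest + salt).digest()
    # 20 SHA-1 bytes encode to exactly 32 base32 characters, no padding.
    return base64.b32encode(digest).translate(_TO_B32HEX).decode("ascii").lower()


def nsec3_owner(name: str, zone: str, salt_hex: str, iterations: int) -> str:
    """Owner name of the NSEC3 record for `name`, as it shows up in the AXFR."""
    return "%s.%s." % (nsec3_hash(name, salt_hex, iterations), zone.rstrip("."))


def covering_nsec3(chain: List[Tuple[str, str]], hashed: str) -> Optional[Tuple[str, str]]:
    """Return the (owner_hash, next_hash) record whose interval covers
    `hashed`, i.e. the record a resolver would use to prove the name does
    not exist.  Returns None if `hashed` is itself an owner (the name exists).
    The chain is circular: the record with the largest owner hash points back
    to the smallest.  String comparison is correct here because base32hex
    preserves the byte order of the underlying hashes."""
    for owner, nxt in chain:
        if owner == hashed:
            return None
        if owner < nxt:
            if owner < hashed < nxt:
                return (owner, nxt)
        elif hashed > owner or hashed < nxt:  # wrap-around record
            return (owner, nxt)
    raise ValueError("no record covers the hash; chain is incomplete")


if __name__ == "__main__":
    import random

    # Salt of the same shape as the howto's printf "%04x%04x" $RANDOM $RANDOM.
    salt = "%04x%04x" % (random.getrandbits(15), random.getrandbits(15))
    for n in ("example.mytld.", "ns1.example.mytld.", "www.example.mytld."):
        print(n, "->", nsec3_owner(n, "example.mytld", salt, 10))
    # Constructed three-record chain built from RFC 5155 vectors.
    chain = [
        ("0p9mhaveqvm6t7vbl5lop2u3t2rp3tom", "2t7b4g4vsa5smi47k61mv5bv1a22bojr"),
        ("2t7b4g4vsa5smi47k61mv5bv1a22bojr", "t644ebqk9bibcna874givr6joj62mlhv"),
        ("t644ebqk9bibcna874givr6joj62mlhv", "0p9mhaveqvm6t7vbl5lop2u3t2rp3tom"),
    ]
    print("covered by", covering_nsec3(chain, "1" * 32))
```

Pipe the owner names the script prints against the NSEC3 records in your own AXFR output (same salt, 10 iterations) to confirm which hashed record belongs to which name; with 0 iterations and salt "-" the same code reproduces the records BIND writes under the RFC 9276 parameters.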
Main author: Willi Mann <willi@debian.org>