Network Startup Resource Center
http://www.nsrc.org/

Automated zone INLINE signing with BIND
---------------------------------------

Remember that if you see '#' before a command, it means you need to run this
command as root, either via:

  a) sudo -s
  b) sudo command

We'll build on the previous labs and enable inline signing on BIND (9.9+).

When doing inline signing, the original zone is never modified: this allows
the operator to make, for example, a dump of a DB containing the zone, and
BIND will just sign it. When the unsigned zone is updated, named detects the
changes and re-signs.

*** ON YOUR MASTER SERVER auth1.grpX.ws.nsrc.org ***

1. We're going to add a couple of statements to the BIND named.conf
   configuration file to enable inline DNSSEC signing.

   First, edit named.conf under /etc/namedb/, and make the following changes:

   zone MYNAME {
       file "/etc/namedb/master/MYNAME";
       type master;
       key-directory "/etc/namedb/keys";
       auto-dnssec maintain;
       inline-signing yes;
       dnssec-dnskey-kskonly yes;
   };

   Save and exit.

2. Preparing the keys

   If you've done the manual signing lab from before, you have already
   generated keys, and we can reuse those. Otherwise, we'll generate a new set
   of keys.
   a) If you already have keys (otherwise go to step b)

      We need to make sure the directory has the right permissions - since
      BIND will be managing this, it needs access to the files and the
      directory:

      # chown -R bind /etc/namedb/keys

      Let's look at the keys:

      # cd /etc/namedb/keys/
      # ls -l KMYNAME*
      -rw-r--r-- 1 bind wheel  591 Feb 18 15:52 KMYNAME.+008+bbbbb.key
      -rw------- 1 bind wheel 1774 Feb 18 15:52 KMYNAME.+008+bbbbb.private
      -rw-r--r-- 1 bind wheel  417 Feb 18 15:52 KMYNAME.+008+nnnnn.key
      -rw------- 1 bind wheel 1010 Feb 18 15:52 KMYNAME.+008+nnnnn.private
      -rw-r--r-- 1 bind wheel  591 Feb 18 15:52 KMYNAME.+008+ccccc.key
      -rw------- 1 bind wheel 1774 Feb 18 15:52 KMYNAME.+008+ccccc.private

      If this is a follow-on exercise from the manual ZSK rollover, delete any
      keys you generated then, e.g.:

      # rm KMYNAME.+008+ccccc.*

   b) If you don't have keys yet:

      # mkdir -p /etc/namedb/keys
      # cd /etc/namedb/keys

      - Generate first key pair (Zone Signing Key)

      # dnssec-keygen -a RSASHA256 -b 1024 MYNAME

      (will output something like:
       Generating key pair......................+++++ + ....
       KMYNAME.+008+nnnnn)

      - Generate second key pair (Key Signing Key)

      # dnssec-keygen -a RSASHA256 -b 2048 -f KSK MYNAME

      (once again, some output will show, resulting in KMYNAME.+008+bbbbb)

      Make sure bind can read them:

      # chown bind *

      Check that the keys are there:

      # ls -l KMYNAME*

3. Now let's take care of the zone file

   If you have made a backup of your zone file, let's copy it back over our
   zone, to start fresh:

   # cd /etc/namedb/master
   # cp MYNAME.backup MYNAME

   If you did the ZSK manual rollover exercise, make sure
   /etc/namedb/master/MYNAME does not have any of the "$include ..."
   statements that referenced particular keys.

   Remove the old .signed zone - BIND will create that automatically!

   # rm MYNAME.signed

   Again, remember to check in named.conf that you are loading MYNAME, and
   *NOT* "MYNAME.signed".

   We also need to make sure BIND can write in the master directory:

   # chown bind /etc/namedb/master

4. Now start the nameserver

   # service named stop
   # /usr/local/sbin/named -g

   (this runs the named server in foreground mode, sending all logging to
   stdout. Yes, this is a newer binary than /usr/sbin/named.)

   If the log output looks OK, ctrl-c and start it in the background:

   # /usr/local/sbin/named

   At this point you should see some new files appear in the master/ dir:

   # cd /etc/namedb/master
   # ls -l
   ...
   -rw-r--r-- 1 root wheel  497 Sep 13 14:56 MYNAME
   -rw-r--r-- 1 root wheel  497 Sep 12 09:49 MYNAME.backup
   -rw-r--r-- 1 bind wheel  512 Sep 13 15:04 MYNAME.jbk
   -rw-r--r-- 1 bind wheel 1331 Sep 13 15:04 MYNAME.signed
   -rw-r--r-- 1 bind wheel 3581 Sep 13 15:04 MYNAME.signed.jnl
   ...

   Check that signing did work:

   # dig +dnssec @10.10.X.1 MYNAME NS

   Note that the signed zone is NOT stored in a human-readable format. To see
   the contents of the signed zone, one can either do a zone transfer (axfr):

   # dig @10.10.X.1 axfr MYNAME | less

   or:

   # named-checkzone -D -f raw -o - MYNAME MYNAME.signed | less

   In particular, look at the DNSKEY RRset and ensure the inception and
   expiration times (on its RRSIG) make sense:

   # dig +multi +dnssec @10.10.X.1 MYNAME dnskey

5. Changes to the zone

   So how do we update the zone and re-sign it? Simple!

   Let's modify the zone and add a "mail" record with the IP address of the
   auth1 server:

   mail    IN    A    10.10.X.1    ; X is your group

   by editing "/etc/namedb/master/MYNAME" and adding the line above.

   **** Remember to change the serial.

   Now, reload the zone. named will automatically re-sign the zone:

   # rndc reload MYNAME

   Wait a few seconds, then:

   # tail /etc/namedb/log/general

   What do you observe?

   # dig @10.10.X.1 mail.MYNAME a
   # dig @10.10.X.1 MYNAME soa

   Notice the serial.

6. If you haven't already uploaded the DS record in a previous lab, it's time
   to communicate it to your parent (the root). Otherwise, you can skip the
   rest of this lab! (DS = digest fingerprint of the Key Signing Key).
   Generate a "DS" from your key:

   Find which key is the key signing key:

   # cd /etc/namedb/keys
   # more KMYNAME*key

   Look at which one has "IN DNSKEY 257". Find the "keyid" and replace the
   string "+008+bbbbb" below with "+008+keyid", where "keyid" is the number
   displayed.

   # dnssec-dsfromkey KMYNAME.+008+bbbbb

7. Submit the dsset for your zone (containing the hash of your KSK) to the
   parent as you did with the name server record, by going to
   https://rzm.dnssek.org.

8. After a few minutes you should be able to verify that the changes were made
   and propagated through the resolver:

   # dig +dnssec DS MYNAME.
   # dig +dnssec A www.MYNAME.

   Notice the "AD" bit in the "flags" section.
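Two small checks for steps 4 and 6, as an added shell helper that is not part of the NSRC handout: ksk_keyids picks the KSK out of a key directory by the DNSKEY flags value 257 (so the right key id is handed to dnssec-dsfromkey), and rrsig_ok tests whether a timestamp falls inside the inception/expiration window of an RRSIG line as dig prints it. The example.test zone, the key ids 11111/22222, the key material and the signature string are constructed sample data; the real lab files live under /etc/namedb/keys.

```shell
#!/bin/sh
# Added helper (not from the NSRC lab). All names/values below are constructed.

# Print the key id of every KSK in DIR: a KSK's .key file carries DNSKEY flags
# 257 (zone key + SEP bit), a ZSK 256. The id is the part after the last '+'
# in KMYNAME.+008+<id>.key, which is what dnssec-dsfromkey is given in step 6.
ksk_keyids() {
    for f in "$1"/K*.key; do
        [ -f "$f" ] || continue
        if grep -Eq 'IN[[:space:]]+DNSKEY[[:space:]]+257[[:space:]]' "$f"; then
            base=$(basename "$f" .key)
            printf '%s\n' "${base##*+}"
        fi
    done
}

# Return 0 if NOW (YYYYMMDDHHMMSS, the format dig prints) lies inside the
# inception..expiration window of one single-line RRSIG record from dig:
#   owner TTL IN RRSIG type alg labels origttl expiration inception keytag ...
rrsig_ok() {
    printf '%s\n' "$1" | awk -v now="$2" '
        $4 == "RRSIG" { exit !($10 <= now && now <= $9) }
        { exit 2 }'
}

# Write two constructed .key files (one ZSK, one KSK) into DIR for the demo.
write_demo_keys() {
    cat > "$1/Kexample.test.+008+11111.key" <<'EOF'
; This is a zone-signing key, keyid 11111, for example.test.
example.test. IN DNSKEY 256 3 8 AwEAAconstructedZSKnotarealkey==
EOF
    cat > "$1/Kexample.test.+008+22222.key" <<'EOF'
; This is a key-signing key, keyid 22222, for example.test.
example.test. IN DNSKEY 257 3 8 AwEAAconstructedKSKnotarealkey==
EOF
}

# Constructed RRSIG over the DNSKEY RRset, valid 2024-09-13 to 2024-09-27.
demo_sig='example.test. 3600 IN RRSIG DNSKEY 8 2 3600 20240927140400 20240913140400 22222 example.test. constructedSignature=='

demo_dir=$(mktemp -d)
write_demo_keys "$demo_dir"
echo "KSK key id(s): $(ksk_keyids "$demo_dir")"   # 22222
echo "Run: dnssec-dsfromkey $demo_dir/Kexample.test.+008+$(ksk_keyids "$demo_dir")"
rrsig_ok "$demo_sig" 20240920120000 && echo "RRSIG valid on 2024-09-20"
rrsig_ok "$demo_sig" 20241001000000 || echo "RRSIG already expired on 2024-10-01"
rm -rf "$demo_dir"
```

Point ksk_keyids at /etc/namedb/keys on the lab server to get the id to substitute for "bbbbb"; feed rrsig_ok the RRSIG line from "dig +dnssec ... dnskey" (without +multi, so it stays on one line) and today's timestamp.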