This document is an update of "Deploying DNSSEC on Linux (resolver only)" dated November 25, 2009.
History:
After the signing of the root in mid 2010 (see http://www.root-dnssec.org/ ), enabling DNSSEC validation in the resolver is much easier, because we only need to configure "." as the trust anchor in our configuration file. Previously we needed a trust anchor for each domain (TLD, ccTLD, zones) that we wanted to validate. That work was unbearable to maintain and did not scale. Now that the root is signed, everything is simpler.
Software:
BIND 9.7.2-P3 on Mandriva Linux 2010.2
Procedure:
1) First you must obtain the trust anchor for the root zone. To get it, query the root DNSKEY RRset:
# dig . DNSKEY
The previous command will return several records:
[root@localhost ~]# dig . DNSKEY
;; Truncated, retrying in TCP mode.
; <<>> DiG 9.7.2-P3 <<>> . dnskey
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60029
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;. IN DNSKEY
;; ANSWER SECTION:
. 136089 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
. 136089 IN DNSKEY 256 3 8 AwEAAb5gVAzK59YHDxf/DnswfO1RmbRZ6W16JfhFecfI + + kwHdVRS rQdl81fUnEspt67IIgaj3SrGyZqgzyixNk/8oT3yEfKDycTeJy4chKPt EUHRXPWlXDi 47t2FHaKyMMEROapL5SZ8HiCzl05lORZGGdN37WY7fkv55rs 0JegWrjL
. 136089 IN DNSKEY 256 3 8 AwEAAcaGQEA OJmOzfzVfoYN249JId7gx + + + He TOpBxxBCkNOL OZMbxy69HfUyuGBbRN0 FEY6ZUVjEg58sRr4ZQ6Iu6b1xTBKgc193 zUARk4mmQ/PPGxn7Cn5VEGJ/1h6dNaiXuRHwR +7 +0 + EJB9qJxt oWh7DnzkIJChcTqlF rXDW3tjt
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Apr 2 10:00:49 2011
;; MSG SIZE rcvd: 586
We are interested in the record whose flags field is 257: this value marks the SEP (Secure Entry Point), also known as the Key Signing Key or KSK. For reference, the flags value 256 corresponds to a Zone Signing Key (ZSK).
2) From the above result, copy the key material (the text after "257 3 8") and create the following managed-keys section in named.conf:
managed-keys {
    "." initial-key 257 3 8 "AwEAAagAIKlVZrp...";
};
3) In the options section of named.conf add the following:
dnssec-enable yes;
dnssec-validation yes;
Restart BIND and validation should be working.
Check that DNSSEC is working correctly:
The best option is to use the well-known dig command and look for the AD (Authenticated Data) flag in the response. For example:
RESPONSE WITHOUT DNSSEC
[root@localhost etc]# dig +dnssec registro.br
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43771
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 5
RESPONSE WITH DNSSEC
[root@localhost etc]# dig +dnssec registro.br
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1063
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 6, ADDITIONAL: 1
Note that the ad flag is not set in the response without DNSSEC.
Another, simpler way to check whether DNSSEC is working is to visit SIDN's "DNSSEC test tool" page and run the test.
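The two checks in this post, turning the 257 record into the managed-keys stanza of step 2 and looking for the ad flag in a dig response, as an added Python example that is not part of the original post. It also computes the RFC 4034 key tag of the copied key so it can be compared with the key tag IANA publishes for the root KSK before the key is trusted; the 256 line in the sample input is a constructed placeholder, and the 257 line is the record from the dig output above.

```python
# Added example: parse `dig . DNSKEY` output, select the SEP (257) key, render the
# managed-keys stanza and compute the RFC 4034 key tag for an out-of-band check.
import base64
import re
# Constructed sample input: the 257 record is the one in the dig output above
# (dig wraps the base64 with spaces); the 256 line is a placeholder ZSK.
DIG_DNSKEY_OUTPUT = """\
.\t136089\tIN\tDNSKEY\t256 3 8 AwEAAc0nStRuCtEd
.\t136089\tIN\tDNSKEY\t257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
"""
DNSKEY_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+DNSKEY\s+(?P<flags>\d+)\s+"
    r"(?P<proto>\d+)\s+(?P<alg>\d+)\s+(?P<key>[A-Za-z0-9+/= ]+)$", re.MULTILINE)

def parse_dnskeys(text):
    """Return one dict per DNSKEY record found in dig output."""
    records = []
    for m in DNSKEY_RE.finditer(text):
        rec = {k: int(v) if k in ("ttl", "flags", "proto", "alg") else v
               for k, v in m.groupdict().items()}
        rec["key"] = rec["key"].replace(" ", "")  # undo dig's line wrapping
        records.append(rec)
    return records

def select_sep(records):
    """Pick the Secure Entry Point: ZONE bit (256) and SEP bit (1) both set."""
    seps = [r for r in records if (r["flags"] & 257) == 257]
    if len(seps) != 1:
        raise ValueError("expected exactly one SEP key, found %d" % len(seps))
    return seps[0]

def key_tag(rec):
    """RFC 4034 Appendix B key tag over flags|proto|alg|key (not for alg 1)."""
    rdata = bytes([rec["flags"] >> 8, rec["flags"] & 0xFF, rec["proto"], rec["alg"]])
    rdata += base64.b64decode(rec["key"])
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def managed_keys_stanza(rec):
    """Render the named.conf managed-keys block from step 2."""
    return ('managed-keys {\n    "%s" initial-key %d %d %d "%s";\n};\n'
            % (rec["name"], rec["flags"], rec["proto"], rec["alg"], rec["key"]))

def has_ad_flag(dig_response):
    """True when the resolver set AD (Authenticated Data) in the flags line."""
    m = re.search(r"^;; flags:([^;]*);", dig_response, re.MULTILINE)
    return bool(m) and "ad" in m.group(1).split()
```

The computed tag is the value to compare against the DS record / trust anchor IANA publishes for the root; a mismatch means the key copied from dig must not be placed in named.conf.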
More information:
- The concept of managed-keys was introduced in BIND 9.7 onwards.
- An excellent article explaining how to turn BIND into a DNSSEC validator.