DNSSEC:OpenNIC Wiki

Revision [2475]

This is an old revision of DnsSec made by BryonEldridge on 2011-03-07 23:29:32.

DNSSEC

This is a workspace set up to discuss DNSSEC as it relates to OpenNIC.

Resources

http://www.dnssec.net/
DNSSEC in 6 Minutes - Set of PDF slides
DNSSEC Howto
Validating DNSSEC
What problem does DNSSEC solve?
DNSSEC flow - Warning, might make your head explode

Test DNSSEC implementation on gopher zone

Used resources listed above
Using BIND 9.3.4-P1, single instance, two "views" (one is authoritative for gopher, the other is a recursive server)
Followed steps in the "DNSSEC in 6 Minutes" like above, except omitted dnssec-validation yes; (not supported in BIND 9.3)
/dev/random for some reason would not provide enough random bits to generate keys, so I exported two 1M files of random data from another machine:

cat /dev/random > /tmp/random
...let run for a few seconds...
dd if=/tmp/random of=/tmp/random_1.1M count=2048
dd if=/tmp/random of=/tmp/random_2.1M count=2048 skip=2048

Works best if each zone file is in its own directory
BIND 9.3 doesn't support the -N INCREMENT option, so don't forget to increment your zone serial number before signing it
Quick synopsis:

mkdir zones/gopher.zone
mv gopher.zone zones/gopher.zone
cd zones/gopher.zone
/usr/sbin/dnssec-keygen -a RSASHA1 -b 1024 -n ZONE -r ~/random_1.1M gopher
/usr/sbin/dnssec-keygen -a RSASHA1 -b 4096 -n ZONE -f KSK -r ~/random_2.1M gopher
cat Kgopher.+005+*.key >> gopher.zone
/usr/sbin/dnssec-signzone -o gopher gopher.zone

Add the following to named.conf (see note below about trusted-keys entry):

options {
	dnssec-enable yes; // use for both authoritative and recursive servers
	dnssec-validation yes; // omit for BIND 9.3 (not needed)
};

// Only needed for Tier2 servers at this time, but once ns0 has a valid key, another ##trusted-keys## section 
// in the T1 servers will be 
// needed to complete the "chain of trust"
trusted-keys {
	"geek." 257 3 5 "AwEAA...Nij";
};

I used the technique in the "Validating DNSSEC" link above to create the trusted-keys section. Basically:

dig geek. dnskey // Considered insecure, as this key might be spoofed in compromised servers

Copy and paste key starting with "257" into the trusted-keys section above
To verify DNSSEC is working correctly, query your recursive (T2) server:

brian@alabaster <03:23 AM>$ dig geek. +dnssec

; <<>> DiG 9.3.4-P1 <<>> geek. +dnssec
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15189
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
...

The ad flag indicates "authenticated data". This flag will only appear on the T2 server, not the T0/T1.

DNSSEC periodic maintenance

To do!

There are no comments on this page.

Valid XHTML :: Valid CSS: :: Powered by WikkaWiki