Friday, September 30, 2016

how to set up DNSSEC with a local root domain

1- follow the link below to set up a working root DNS server that hosts the TLD .test and a domain server that hosts domain1.test
http://www.atechnote.com/2016/09/how-to-setup-root-dns-server-for.html


*** on the server that hosts domain1.test
2- install haveged to speed up the key generation process
$ sudo apt-get install haveged

3- generate the Zone Signing Key (ZSK) using the following command
$ cd /etc/bind
$ dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE domain1.test

4- generate the Key Signing Key (KSK) using the following command
$ dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE domain1.test

5- run the loop below to automatically add $INCLUDE lines for the two keys generated in steps 3 and 4 to the zone file db.domain1.test
$ for key in Kdomain1.test*.key; do
      echo "\$INCLUDE $key" >> db.domain1.test
  done


6- sign the zone with dnssec-signzone
$ dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o domain1.test -t db.domain1.test

7- after step 6, several new files are created; the two that matter are dsset-domain1.test. and db.domain1.test.signed
- so update the zone definition in /etc/bind/named.conf.default-zones to point at the signed file, as below
zone "domain1.test" {
    type master;
    file "/etc/bind/db.domain1.test.signed";
};


8- update the file /etc/bind/named.conf.options to include the following lines
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;



9- restart the bind service; this part is finished
$ sudo /etc/init.d/bind9 restart

10- test DNSSEC using the following command
$ dig +dnssec domain1.test. dnskey @localhost
if DNSSEC is working, this query returns the zone's DNSKEY records

11- read the DS records from the file /etc/bind/dsset-domain1.test.
$ cat /etc/bind/dsset-domain1.test.
domain1.test.        IN DS 24765 7 1 4E14B601CADEBA2BDD330A37DC5737A53A73DD16
domain1.test.        IN DS 24765 7 2 EF75ED0109F7614341ED1943B028F80B8B68DD2632CF06521CA3B465 E04D3FCE



*** on the root DNS server, steps 2-7 are the same; only the zone name changes
2- install haveged to speed up the key generation process
$ sudo apt-get install haveged

3- generate the Zone Signing Key (ZSK) using the following command
$ cd /etc/bind
$ dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE test


4- generate the Key Signing Key (KSK) using the following command
$ dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE test

5- run the loop below to automatically add $INCLUDE lines for the two keys generated in steps 3 and 4 to the zone file db.test
$ for key in Ktest*.key; do
      echo "\$INCLUDE $key" >> db.test
  done


6- sign the zone with dnssec-signzone
$ dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o test -t db.test

7- after step 6, several new files are created; the two that matter are dsset-test. and db.test.signed
- so update the zone definition in /etc/bind/named.conf.default-zones to point at the signed file, as below
zone "test" {
    type master;
    file "/etc/bind/db.test.signed";
};





8- look in /etc/bind/db.test.signed for the line that starts with "604800    DNSKEY    256 3 7", like the one below,
             604800    DNSKEY    256 3 7 (
                    AwEAAbhq6tTI1RRai/VFx37imcw4uQ1FovqO
                    IclBSd8kQDySQle0YWSI803jVdkhV4eRg/3c
                    d4rcSO47V02YTSNFV8121LGLskL1KoRJUrO2
                    m5wgmf9Wfm61Wtxe5JR/05puVOw16pj/VpAh
                    DQYEBH7Rr1D39bsuYX8yQmxijwoZr40u2UmJ
                    7FLiH5PqA0BXqmaBvSdifp2Mb8+O0whtwVBG
                    VgXY9WlF3VTLh9KM+8Rf9WVNGx9Lb+kslMBw
                    H7bvfqiFKjE1sRO1zeXGkOc5d//hMWbosuxj
                    jT4CRNdaVtAO3hbO7LSIa4dPz4EhB86HeG/9
                    uM1KHXICEfEM314de8z5MHc=
                    ) ; ZSK; alg = NSEC3RSASHA1; key id = 21050


- then update the file /etc/bind/named.conf with the key above; it will look like below
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

trusted-keys {
. 256 3 7 "AwEAAbhq6tTI1RRai/VFx37imcw4uQ1FovqO
                    IclBSd8kQDySQle0YWSI803jVdkhV4eRg/3c
                    d4rcSO47V02YTSNFV8121LGLskL1KoRJUrO2
                    m5wgmf9Wfm61Wtxe5JR/05puVOw16pj/VpAh
                    DQYEBH7Rr1D39bsuYX8yQmxijwoZr40u2UmJ
                    7FLiH5PqA0BXqmaBvSdifp2Mb8+O0whtwVBG
                    VgXY9WlF3VTLh9KM+8Rf9WVNGx9Lb+kslMBw
                    H7bvfqiFKjE1sRO1zeXGkOc5d//hMWbosuxj
                    jT4CRNdaVtAO3hbO7LSIa4dPz4EhB86HeG/9
                    uM1KHXICEfEM314de8z5MHc=";
};


9- update the file /etc/bind/named.conf.options to include the following lines
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;

10- update the /etc/bind/db.test zone file to include the DS records from step 11 of the "server that hosts domain1.test" section; the file will then look like below
$TTL    604800
$ORIGIN test.
@    IN    SOA    ns1.test. root.test. (
                  2        ; Serial
             604800        ; Refresh
              86400        ; Retry
            2419200        ; Expire
             604800 )    ; Negative Cache TTL
;
@    IN    NS    ns1.test.
@    IN    A    192.168.202.242
ns1    IN    A    192.168.202.242

$ORIGIN domain1.test.
@             IN      NS     ns1.domain1.test.
ns1          IN      A      192.168.202.241 ; 'glue' record
@        IN DS 24765 7 1 4E14B601CADEBA2BDD330A37DC5737A53A73DD16
@        IN DS 24765 7 2 EF75ED0109F7614341ED1943B028F80B8B68DD2632CF06521CA3B465 E04D3FCE
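The DS lines pasted into db.test above are derived from the child's DNSKEY, and the check below (an added example, not code from the original post) reproduces that derivation the way dnssec-signzone's dsset-<zone>. file is produced: key tag per RFC 4034 Appendix B, digest over the owner name in wire form followed by the DNSKEY RDATA. It uses the DNSKEY of the test zone shown earlier on this page as sample input; the owner names and the constructed test key are assumptions.

```python
# Added example, not from the original post: derive the DS record(s) a parent
# zone publishes for a child from the child's DNSKEY (RFC 4034 section 5.1.4
# and Appendix B), so DS lines in the parent can be checked against the child.
import base64
import hashlib

# Public key of the DNSKEY from db.test.signed shown above (flags 256, proto 3, alg 7).
PAGE_DNSKEY_B64 = (
    "AwEAAbhq6tTI1RRai/VFx37imcw4uQ1FovqO" "IclBSd8kQDySQle0YWSI803jVdkhV4eRg/3c"
    "d4rcSO47V02YTSNFV8121LGLskL1KoRJUrO2" "m5wgmf9Wfm61Wtxe5JR/05puVOw16pj/VpAh"
    "DQYEBH7Rr1D39bsuYX8yQmxijwoZr40u2UmJ" "7FLiH5PqA0BXqmaBvSdifp2Mb8+O0whtwVBG"
    "VgXY9WlF3VTLh9KM+8Rf9WVNGx9Lb+kslMBw" "H7bvfqiFKjE1sRO1zeXGkOc5d//hMWbosuxj"
    "jT4CRNdaVtAO3hbO7LSIa4dPz4EhB86HeG/9" "uM1KHXICEfEM314de8z5MHc="
)

def owner_name_wire(name: str) -> bytes:
    """Owner name in canonical wire form: lower-cased, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA = 2-byte flags | protocol | algorithm | raw public key bytes."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag; BIND prints it as 'key id' after each DNSKEY."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # the two DS digest types in the dsset file

def ds_record(owner: str, flags: int, protocol: int, algorithm: int,
              pubkey_b64: str, digest_type: int) -> str:
    """One DS line: the digest covers owner name (wire form) followed by DNSKEY RDATA."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGESTS[digest_type](owner_name_wire(owner) + rdata).hexdigest().upper()
    return f"{owner.rstrip('.')}. IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"

if __name__ == "__main__":
    # The key tag printed here should match the 'key id' BIND wrote next to the DNSKEY above.
    for digest_type in (1, 2):
        print(ds_record("test.", 256, 3, 7, PAGE_DNSKEY_B64, digest_type))
```

dnssec-signzone builds the dsset file from the KSK (the DNSKEY with flags 257), so to verify the domain1.test DS lines feed in that zone's KSK rather than its ZSK.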


11- sign the zone with dnssec-signzone again, now that it contains the DS records
$ dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o test -t db.test

12- restart the bind service; this part is finished and the server side is now complete
$ sudo /etc/init.d/bind9 restart


*** client that wishes to use DNSSEC to validate the domain
1- update the file /etc/bind/named.conf.options to include the following lines
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;


2- update the file /etc/bind/named.conf with the key above; it will look like below. the trusted-key below is retrieved from
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

trusted-keys {
test. 256 3 7 "AwEAAbhq6tTI1RRai/VFx37imcw4uQ1FovqO
                    IclBSd8kQDySQle0YWSI803jVdkhV4eRg/3c
                    d4rcSO47V02YTSNFV8121LGLskL1KoRJUrO2
                    m5wgmf9Wfm61Wtxe5JR/05puVOw16pj/VpAh
                    DQYEBH7Rr1D39bsuYX8yQmxijwoZr40u2UmJ
                    7FLiH5PqA0BXqmaBvSdifp2Mb8+O0whtwVBG
                    VgXY9WlF3VTLh9KM+8Rf9WVNGx9Lb+kslMBw
                    H7bvfqiFKjE1sRO1zeXGkOc5d//hMWbosuxj
                    jT4CRNdaVtAO3hbO7LSIa4dPz4EhB86HeG/9
                    uM1KHXICEfEM314de8z5MHc=";
};

3- restart the DNS service
$ sudo /etc/init.d/bind9 restart

4- how we use DNSSEC to validate whether the record has been tampered with:
if the response flags include the ad flag, the domain and record are validated.
$ dig +adflag +dnssec domain1.test. dnskey @localhost

below:
- snapshot: validation of the domain against the root DNS (good), there is an ad flag
- snapshot: validation of the domain against the root DNS (bad), there is no ad flag
