[dns-wg] New on RIPE Labs: Securing DNS Across all of my Devices
Masud Akhtar Ahmed
m.ahmed at londontelecom.net
Thu May 17 17:09:06 CEST 2018
Configuring DNSSEC on Linux/Unix box devices. Here we go with securing most of the common Linux devices; I mean it will suit most Unix/Linux flavours. I'm posting some examples based on my system's DNSSEC configuration R&D results.

a) We need to enable DNSSEC in the /etc/named.conf configuration file. This will enable the DNSSEC feature set in the BIND named daemon. Check that you have the following, or add it if it doesn't exist:

    options {
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
    };

You have to restart bind after this via service named restart or /etc/init.d/named restart, whichever matches your system.

b) Next, we have to find out where your DNS zone files are. I've used our domain in this example. We now want to create the Zone Key (ZSK). The directories below will probably be different for your system. It will also take quite a while.

    # cd /var/named/chroot/var/named/master
    # dnssec-keygen -a RSASHA1 -b 1024 -n ZONE londontelecom.net

This will create two files (dnssec-keygen prefixes the file names with K):

    • Klondontelecom.net.*.key (public key)
    • Klondontelecom.net.*.private (private key)

c) Now we need to create the Secure Entry Key (KSK) for the domain. It also takes quite a while.

    # dnssec-keygen -a RSASHA1 -b 4096 -n ZONE -f KSK londontelecom.net

d) To make the zones use DNSSEC, we now need to add ONLY the public portions of the generated keys to the zone file.

    # cat Klondontelecom.net.*.key >> londontelecom.net

Note: For the love of DEITY, make sure you use >> here so you don't wipe out your zone file!

e) Next step, signing the zone file and adding the fields required:

    # dnssec-signzone -e +3024000 -N INCREMENT londontelecom.net

This signs the zone file with an end time 35 days after the start time. This allows automating re-signing of the domain using a script in /etc/cron.monthly without the domain expiring after 30 days (the default). This will also increment the serial number in the zone file automatically. The result will be the output file londontelecom.net.signed.

f) We now have to tell the bind daemon to use the new signed zone file in /etc/named.conf. We want to replace the entry that currently refers to the non-signed zone file (londontelecom.net) with the signed zone file (londontelecom.net.signed).

    zone "londontelecom.net" {
        type master;    // keep the other directives of your existing zone statement
        file "/var/named/master/londontelecom.net.signed";
    };

g) We are now ready to restart bind to activate the new signed config.

    # service named reload

or

    # /etc/init.d/named restart

Things to be careful of:

1) By default, zone signatures (dnssec-signzone) expire 30 days after the last time they are generated. This example extends this to 35 days to allow you to use a cron job to re-sign the zone file in the monthly cron. I use a script as follows:

    #!/bin/bash
    SIGNZONE="/usr/sbin/dnssec-signzone"
    # zone files live inside the chroot; abort if the directory is missing
    cd /var/named/chroot/var/named/master || exit 1
    # -e +3024000 = 35-day signature lifetime, -N INCREMENT bumps the serial
    $SIGNZONE -e +3024000 -N INCREMENT londontelecom.net || exit 1
    service named reload

If we put this script in /etc/cron.monthly/, zones will be automatically re-signed every month.

2) Every time we change a zone file, we have to re-sign it.

3) The current best practice is to generate a new KSK every year, and a new ZSK every 3 months. This is pretty much repeating this example from step 1. It can probably be scripted, as long as you don't double up on the public keys being placed in the zone file (step d).

Thanks

Sent via RIPE Forum -- https://www.ripe.net/participate/mail/forum
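The two failure modes the post warns about, duplicated public keys after a repeated "cat ... >>" in step d, and signatures silently lapsing when the monthly re-sign does not run, can both be checked from the zone files alone. The script below is an added example and is not part of the post above or of the BIND distribution: it parses DNSKEY and RRSIG records with awk, reports duplicates and the earliest signature expiry, and wraps the cron job from point 1 so that named is only reloaded after dnssec-signzone and named-checkzone (both shipped with BIND) succeed. The zone name example.test, the directory and every record in the sample files are constructed for the demonstration; the -e +3024000 and -N INCREMENT options are the ones used in the post.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks and a
# guarded version of the monthly re-sign job described above.
# Zone name, directory and all records below are constructed samples.

# Count DNSKEY records that occur more than once in an unsigned zone file.
# Step (d) appends the public keys with ">>"; doing that a second time
# leaves the same key twice, which is the "double up" hazard in point 3.
dnskey_duplicates() {
  awk '$0 !~ /^;/ && /[[:space:]]DNSKEY[[:space:]]/ {
         gsub(/[[:space:]]+/, " "); sub(/ $/, "")
         seen[$0]++
       }
       END { d = 0; for (k in seen) if (seen[k] > 1) d++; print d }' "$1"
}

# Print the earliest RRSIG expiration (YYYYMMDDHHMMSS, as dnssec-signzone
# writes it) found in a signed zone file. Multi-line RRSIGs written with
# parentheses are joined before the expiration field is read.
rrsig_earliest_expiry() {
  awk '
    function emit(   n, f, i, e) {
      gsub(/[()]/, " ", rec)
      n = split(rec, f, " ")
      for (i = 1; i <= n; i++) if (f[i] == "RRSIG") { e = f[i + 5]; break }
      if (e != "" && (min == "" || e < min)) min = e
    }
    /^;/ { next }
    inrec { rec = rec " " $0; if ($0 ~ /\)/) { inrec = 0; emit() }; next }
    /[[:space:]]RRSIG[[:space:]]/ {
      rec = $0
      if ($0 ~ /\(/ && $0 !~ /\)/) { inrec = 1; next }
      emit()
    }
    END { print min }' "$1"
}

# Succeed (exit 0) when the earliest signature in the signed zone has
# already expired, i.e. the monthly re-sign did not happen in time.
signatures_lapsed() {
  earliest=$(rrsig_earliest_expiry "$1")
  now=$(date -u +%Y%m%d%H%M%S)
  [ -n "$earliest" ] && [ "$earliest" -lt "$now" ]
}

# Guarded re-sign for cron: refuse to sign a zone with duplicated keys,
# check the signed output with named-checkzone (part of BIND) and reload
# named only if both steps succeeded. Uses the -e +3024000 (35 days) and
# -N INCREMENT options from the post. Not exercised by the sample run below.
resign_zone() {
  zone="$1"; dir="$2"
  cd "$dir" || return 1
  if [ "$(dnskey_duplicates "$zone")" -ne 0 ]; then
    echo "refusing to sign $zone: duplicate DNSKEY records" >&2
    return 1
  fi
  dnssec-signzone -e +3024000 -N INCREMENT "$zone" || return 1
  named-checkzone "$zone" "$zone.signed" >/dev/null || return 1
  service named reload
}

# Constructed sample data so the checks can be exercised without BIND.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/example.test" <<'EOF'
$TTL 3600
example.test. IN SOA ns1.example.test. hostmaster.example.test. ( 2018051701 7200 3600 1209600 3600 )
example.test. IN NS  ns1.example.test.
ns1.example.test. IN A 192.0.2.1
; the ZSK public key below was appended twice by a repeated "cat ... >>"
example.test. IN DNSKEY 256 3 5 AwEAAconstructedZSKkey==
example.test. IN DNSKEY 257 3 5 AwEAAconstructedKSKkey==
example.test. IN DNSKEY 256 3 5 AwEAAconstructedZSKkey==
EOF
cat > "$SAMPLE_DIR/example.test.signed" <<'EOF'
example.test.     3600 IN RRSIG SOA 5 2 3600 (
                  20180621150906 20180517150906 12345 example.test.
                  constructedSignature== )
ns1.example.test. 3600 IN RRSIG A 5 3 3600 (
                  20180615120000 20180517120000 12345 example.test.
                  constructedSignature== )
EOF

echo "duplicate DNSKEY records: $(dnskey_duplicates "$SAMPLE_DIR/example.test")"
echo "earliest RRSIG expiry:    $(rrsig_earliest_expiry "$SAMPLE_DIR/example.test.signed")"
if signatures_lapsed "$SAMPLE_DIR/example.test.signed"; then
  echo "signatures have lapsed: re-sign now"
fi
```

In production the sample-data section is dropped and resign_zone is called from the cron script with the zone name and the chroot master directory; signatures_lapsed is useful as a separate monitoring check, because a cron job that fails silently shows up only when resolvers start returning SERVFAIL for the zone.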