How to upgrade DNSSEC for bind9?

 

In a previous post, I wrote how to configure DNS servers (Bind9). In this post, I will set up DNSSEC so that resolvers can verify that the answers for my zone really come from my servers and were not forged or poisoned on the way. In fact, I am not familiar with the DNS internals, so I will follow this instruction.

 

1. Pre-requisite 

 

I need three DNS servers (master, slave and caching). I can build them simply from this instruction.

 

2. Edit Master DNS server configuration

 

At first, I need to update the master DNS server configuration to enable the DNSSEC function. Open "/etc/bind/named.conf.options" and update it like below (the three dnssec-* lines are the new ones). Note that "dnssec-enable" and "dnssec-lookaside" are obsolete in current BIND releases (validation is on by default there and the DLV registry no longer exists); they appear here because this post uses BIND 9.10.

# cat /etc/bind/named.conf.options

options {
        directory "/var/cache/bind";
        recursion no;
        listen-on port 53 { 10.10.0.124; };
        allow-transfer { none; };
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

DNSSEC requires a Zone Signing Key (ZSK) and a Key Signing Key (KSK). Both are published in the zone as DNSKEY records, and I have to generate them. Generating keys needs good entropy; "haveged" is a good solution for this.

# apt-get install haveged

Now, I can generate the keys. Please note that the key files should be located in the same directory as the zone files.

# cd /var/cache/bind/zones

After running the command to generate the key, I can see the 2 files like below. These files are the Zone Signing Key. The last argument must be the zone name (g.crenet.com), not the zone file name: if the file name is given instead, dnssec-keygen writes a key for the percent-encoded file path (for example "K%2Fvar%2Fcache%2Fbind%2Fzones%2Fdb.g.crenet.com.+007+49394"), and that key cannot be used for the zone.

# dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE g.crenet.com

Generating key pair......+++ ...............+++

root@master:/var/cache/bind/zones# ls

Kg.crenet.com.+007+01898.key
Kg.crenet.com.+007+01898.private

Now I will create the Key Signing Key like below. After running it, I can see another 2 files.

# dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE g.crenet.com

Generating key pair............................++ .........................................................................++

root@master:/var/cache/bind/zones# ls

Kg.crenet.com.+007+01898.key  Kg.crenet.com.+007+01898.private  Kg.crenet.com.+007+33324.key  Kg.crenet.com.+007+33324.private

All of these steps are for creating a signed zone file. Therefore, I will update the zone file now. Open the zone file I want to secure and include the key files above. Make sure the $INCLUDE paths point to the directory where the .key files really are, otherwise named will fail to load the zone.

root@master:/var/cache/bind/keys# cat ../zones/db.g.crenet.com

$TTL    30
@       IN      SOA     g.crenet.com. admin.g.crenet.com. (
                              3         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
        IN      NS      ns1.g.crenet.com.
        IN      NS      ns2.g.crenet.com.
ns1.g.crenet.com. IN A 10.10.0.124
ns2.g.crenet.com. IN A 10.10.0.225
;
www.g.crenet.com. IN A 10.10.0.10
$INCLUDE /var/cache/bind/keys/Kg.crenet.com.+007+01898.key
$INCLUDE /var/cache/bind/keys/Kg.crenet.com.+007+33324.key

Now, I am ready to sign the zone file. I will run "dnssec-signzone -3 <salt> -A -N INCREMENT -o <zonename> -t <zonefilename>". "-3 <salt>" selects NSEC3 (instead of NSEC) with the given hex salt, "-A" sets the NSEC3 opt-out flag, "-N INCREMENT" bumps the SOA serial, "-o" gives the zone origin and "-t" prints statistics. The "<salt>" value is a random hex string, which I can generate like below.

# head -c 1000 /dev/random | sha1sum | cut -b 1-16

643f8a18458c3fbd

With this value, I can complete the command above.

# cd ../zones

# dnssec-signzone -3  643f8a18458c3fbd -A -N INCREMENT -o g.crenet.com -t db.g.crenet.com
Verifying the zone using the following algorithms: NSEC3RSASHA1.
Zone fully signed:
Algorithm: NSEC3RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
                         ZSKs: 1 active, 0 stand-by, 0 revoked
db.g.crenet.com.signed
Signatures generated:                       12
Signatures retained:                         0
Signatures dropped:                          0
Signatures successfully verified:            0
Signatures unsuccessfully verified:          0
Signing time in seconds:                 0.017
Signatures per second:                 685.910
Runtime in seconds:                      0.023

 

# ls
db.g.crenet.com         dsset-g.crenet.com.           Kg.crenet.com.+007+01898.private  Kg.crenet.com.+007+33324.private
db.g.crenet.com.signed  Kg.crenet.com.+007+01898.key  Kg.crenet.com.+007+33324.key

"db.g.crenet.com.signed" and "dsset-g.crenet.com." files are created. I will update "named.conf.local" to point at this signed zone file. Note that the signatures made by dnssec-signzone are valid for 30 days by default, so the signing step (followed by a reload) has to be repeated before they expire, or validating resolvers will reject the zone. It also has to be repeated after every edit of db.g.crenet.com, because the .signed file is what named actually serves.

# cat /etc/bind/named.conf.local

zone "g.crenet.com" {
   type master;
   file "/var/cache/bind/zones/db.g.crenet.com.signed";
   allow-transfer { 10.10.0.225; };
};

Restart the service and send a DNS query to this master DNS server with dig.

# service bind9 restart

# dig DNSKEY g.crenet.com @10.10.0.124 +multiline

; <<>> DiG 9.10.3-P4-Ubuntu <<>> DNSKEY g.crenet.com @10.10.0.124 +multiline
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31480
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;g.crenet.com.          IN DNSKEY

;; ANSWER SECTION:
g.crenet.com.           30 IN DNSKEY 257 3 7 (
                                AwEAAZxSkIvePjPUR+SDp7Dyf9NUVdVN2x250Ipqf/Oj
                                JFbq3Wl6b+97lZtSCkQIwa4llL6BHtXMfWWY70qx8hn6
                                q3lBVXR4XQcsloe16YHDucO8x5MW+o+l61yspKeEj4ZH
                                rb9msIW0AY4vGKj6xofTza/RFI2iiBiLzrCelgYWP2IG
                                hemeYMfUP3y0RNnsNB9ozh8O1uA2PocTwDaKWqkI0a41
                                Up/Ea41VKy97ZZgz2duafCkWrrFOAGMbR6M1+P3Glay5
                                Sj1vLHt1jUcCKk7RnjvlMTuZ74jGu/8IcotMZsna8nwe
                                jZB4Scm4Y/gr1xo+5CkJ9lzsdz8oMHAdwNE+CqDag24C
                                7gisB81zl1qtNOuSlVGO1TPdriH+Y3da+kCfNj6Q+vLi
                                rtoNlY6/WfmYtr9KzhnthDkoz3HVCJguv2ThUL62La2Z
                                GHyFtYeiyQ0Oa7y6z0VtrQZ/qn/BwmnWqDOCdQLqu7m4
                                k4zqoknGZ1BbUK77DQ1R08yfOYTbIOJlHHHgGuVWHAIo
                                XrhjbwQYvNXtFgCn+w60zB8uxQcctIX2PiOj0WRtOJkN
                                5mcrL5sYGNVETQ3k73MzE0WAOUTpQQoT+uD8OnTSaw3p
                                dHB12PL+swVQKn/LzBxhXCn9/A39vOUkJ7PyYkfn2Ej/
                                aLNb5+F5LIDB57UqPv5I2T4p0rYr
                                ) ; KSK; alg = NSEC3RSASHA1; key id = 33324
g.crenet.com.           30 IN DNSKEY 256 3 7 (
                                AwEAAcDZ5SCeLN0IhLoRKm/BKVPRJuc/ufMXOJivmXHH
                                O4oRLXFwTq1Xe+TLN+cRmOQiBCO3FTN1rMgNxgts7u6u
                                /RVTZnBNvKdcLVbayzE3fsMQrXxFho3fg5zEsF2xORve
                                K+f5fUWxfNl/cduzz6PplU82xznhMyYvrirGV2SN6v7w
                                IP+eZNqUyrcaUdBWCv3t+jZnTWdd4zOPkkv1EGSG0mMR
                                memYJIL66M2eFl4uQyShAqjzVWOpTyDWeKaaB4R2GB0g
                                LiKNZuiIUr+5V+Lmk/a3qsd26DGu3wU2z/MApwPucrLF
                                0vDdGocpS1Vk6Da7QgcI7ZNQnJWmMa/z7FeBbb8=
                                ) ; ZSK; alg = NSEC3RSASHA1; key id = 1898

Now DNSSEC on the master DNS server works: both DNSKEY records are served (flags 257 is the KSK, 256 is the ZSK). To see the signatures themselves, add +dnssec to the dig query; the answer then carries RRSIG records alongside the data.

 

3. Edit Slave DNS server configuration

 

This is not complicated. Just enable DNSSEC in "named.conf.options" of the slave DNS server.

# cat /etc/bind/named.conf.options

options {
        directory "/var/cache/bind";
        recursion no;
        listen-on port 53 { 10.10.0.225; };
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

Also, change the file value in "named.conf.local" of the slave DNS server.

# cat /etc/bind/named.conf.local

zone "g.crenet.com" {
   type slave;
   file "db.g.crenet.com.signed";
   masters { 10.10.0.124; };
};

Now I restart bind9 and reload the zone. I can see the transferred zone file, which is already signed (the slave does not need the private keys; it only serves what the master signed).

# service bind9 restart

# rndc reload

server reload successful

 

# ls

db.g.crenet.com  db.g.crenet.com.signed  managed-keys.bind  managed-keys.bind.jnl

4. Edit Caching DNS server configuration

 

I have already updated this file for the DNSSEC function. Please check the "/etc/bind/named.conf.options" file. With "dnssec-validation yes", this caching server validates the answers it receives against the chain of trust from the root.

# cat /etc/bind/named.conf.options

acl trusted {
   178.128.21.101;
   10.10.0.204;
   10.10.0.124;
   10.10.0.225;
};

options {
        directory "/var/cache/bind";
        recursion yes;                 # enables recursive queries
        allow-recursion { trusted; };  # allows recursive queries from "trusted" clients
        listen-on port 53 { 10.10.0.204; };   # ns1 private IP address - listen on private network only
        allow-transfer { none; };      # disable zone transfers by default
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        dump-file "/var/cache/bind/dumps/named_dump.db";
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

 

5. Configure DS records with the registrar.

 

When I created the signed zone file, the "dsset-g.crenet.com." file was also generated; it contains the "DS" records for the KSK (key tag 33324), one with digest type 1 (SHA-1) and one with digest type 2 (SHA-256).

# cat dsset-g.crenet.com.

g.crenet.com.           IN DS 33324 7 1 CFE9B08DB55C9EF23AAE19979FB2A48467C1061E

g.crenet.com.           IN DS 33324 7 2 1245F5EB80E7A2F6CE9A64A9C69A94EFBC800D60EA4065B96B7FF501 AB6816D2

To publish this zone with DNSSEC, I have to give these DS records to my DNS registrar. (A DNS registrar is the company that registers domain names on your behalf, such as GoDaddy or Gabia.) Until the DS record is published in the parent zone, validating resolvers have no chain of trust to my KSK and cannot mark answers from g.crenet.com as authenticated.
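The following added Python script (written for this page, not code from the original post or from BIND) rebuilds these DS records from the KSK DNSKEY shown in the dig output above, so the dsset file can be cross-checked before it is handed to the registrar; its only input is the key's base64 text copied from that output.

```python
import base64, hashlib, struct

# Public key of the KSK (flags 257, algorithm 7) exactly as dig printed it in the post.
KSK_PUBKEY_B64 = (
    "AwEAAZxSkIvePjPUR+SDp7Dyf9NUVdVN2x250Ipqf/Oj"
    "JFbq3Wl6b+97lZtSCkQIwa4llL6BHtXMfWWY70qx8hn6"
    "q3lBVXR4XQcsloe16YHDucO8x5MW+o+l61yspKeEj4ZH"
    "rb9msIW0AY4vGKj6xofTza/RFI2iiBiLzrCelgYWP2IG"
    "hemeYMfUP3y0RNnsNB9ozh8O1uA2PocTwDaKWqkI0a41"
    "Up/Ea41VKy97ZZgz2duafCkWrrFOAGMbR6M1+P3Glay5"
    "Sj1vLHt1jUcCKk7RnjvlMTuZ74jGu/8IcotMZsna8nwe"
    "jZB4Scm4Y/gr1xo+5CkJ9lzsdz8oMHAdwNE+CqDag24C"
    "7gisB81zl1qtNOuSlVGO1TPdriH+Y3da+kCfNj6Q+vLi"
    "rtoNlY6/WfmYtr9KzhnthDkoz3HVCJguv2ThUL62La2Z"
    "GHyFtYeiyQ0Oa7y6z0VtrQZ/qn/BwmnWqDOCdQLqu7m4"
    "k4zqoknGZ1BbUK77DQ1R08yfOYTbIOJlHHHgGuVWHAIo"
    "XrhjbwQYvNXtFgCn+w60zB8uxQcctIX2PiOj0WRtOJkN"
    "5mcrL5sYGNVETQ3k73MzE0WAOUTpQQoT+uD8OnTSaw3p"
    "dHB12PL+swVQKn/LzBxhXCn9/A39vOUkJ7PyYkfn2Ej/"
    "aLNb5+F5LIDB57UqPv5I2T4p0rYr"
)

def name_to_wire(name):
    # Canonical wire form of an owner name: length-prefixed lower-case labels ending in the root (0x00).
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def key_tag(rdata):
    # RFC 4034 Appendix B checksum over the DNSKEY RDATA; this is the "key id" dig shows and the first DS field.
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata, digest_type):
    # RFC 4034 section 5.1.4: hash(owner name in wire form || DNSKEY RDATA); type 1 = SHA-1, 2 = SHA-256.
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return h(name_to_wire(owner) + rdata).hexdigest().upper()

def ds_records(owner, flags, algorithm, pubkey_b64):
    rdata = struct.pack("!HBB", flags, 3, algorithm) + base64.b64decode(pubkey_b64)  # protocol is always 3
    tag = key_tag(rdata)
    return [f"{owner} IN DS {tag} {algorithm} {dt} {ds_digest(owner, rdata, dt)}" for dt in (1, 2)]

if __name__ == "__main__":
    print("\n".join(ds_records("g.crenet.com.", 257, 3 + 4, KSK_PUBKEY_B64)))
```

If the printed lines differ from the dsset file, the key in the zone and the key whose DS you are about to publish are not the same, and the registrar submission must not go ahead.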

 

References

[ 1 ] https://createnetech.tistory.com/46

[ 2 ] https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server--2 

 
