How to upgrade DNSSEC for bind9?
In a previous post [1], I wrote how to configure DNS servers (Bind9). In this post, I will set up DNSSEC to protect DNS answers against tampering by an attacker. In fact, I am not very familiar with the DNS internals, so I will follow the instructions in that post.
1. Prerequisites
I need three DNS servers (master, slave and caching). They can be built simply by following the instructions in [1].
2. Edit Master DNS server configuration
At first, I need to update the master DNS server configuration to enable the DNSSEC function. Open "/etc/bind/named.conf.options" and add the three dnssec-* lines shown below (the lines that were highlighted in red). Note that dnssec-lookaside (DLV) is obsolete since ISC shut down the DLV registry, and dnssec-enable and dnssec-lookaside are deprecated or no longer accepted by recent BIND 9 releases; on those versions keep only dnssec-validation.
# cat /etc/bind/named.conf.options
options {
        directory "/var/cache/bind";
        recursion no;
        listen-on port 53 { 10.10.0.124; };
        allow-transfer { none; };
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};
DNSSEC requires a Zone Signing Key (ZSK) and a Key Signing Key (KSK). Both are published in the zone as DNSKEY records, and I have to generate them. Key generation needs entropy, and "haveged" is a good solution for this. (This post uses algorithm NSEC3RSASHA1; on a current BIND, RSASHA256 or ECDSAP256SHA256 is preferable, since RFC 8624 no longer recommends the SHA-1 based algorithms for signing.)
# apt-get install haveged
Now I can generate the keys. Please note that the key files should be located in the same directory as the zone files (or be referenced by absolute path from the zone file, as done below).
# cd /var/cache/bind/zones
After running the command to generate the key, I can see the 2 files shown below. These files are the Zone Signing Key. The last argument is the zone name (g.crenet.com), not the zone file name. (The key name printed by dnssec-keygen here is from a different run; the file listing and the rest of this post use key tag 01898 for the ZSK and 33324 for the KSK.)
# dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE g.crenet.com
Generating key pair......+++ ...............+++
K/var/cache/bind/zones/db.g.crenet.com.+007+49394
root@master:/var/cache/bind/zones# ls
Kg.crenet.com.+007+01898.key  Kg.crenet.com.+007+01898.private
Now I will create the Key Signing Key like below. After running it, I get another 2 files.
# dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE g.crenet.com
Generating key pair............................++ .........................................................................++
K/var/cache/bind/zones/db.g.crenet.com.+007+56676
root@master:/var/cache/bind/zones# ls
Kg.crenet.com.+007+01898.key  Kg.crenet.com.+007+01898.private  Kg.crenet.com.+007+33324.key  Kg.crenet.com.+007+33324.private
All of these steps prepare for creating the signed zone file, so now I will update the zone file. Open the zone file I want to secure and $INCLUDE the two key files generated above.
root@master:/var/cache/bind/keys# cat ../zones/db.g.crenet.com
$TTL 30
@       IN SOA g.crenet.com. admin.g.crenet.com. (
                3           ; Serial
                604800      ; Refresh
                86400       ; Retry
                2419200     ; Expire
                604800 )    ; Negative Cache TTL
;
        IN NS ns1.g.crenet.com.
        IN NS ns2.g.crenet.com.
ns1.g.crenet.com.   IN A 10.10.0.124
ns2.g.crenet.com.   IN A 10.10.0.225
;
www.g.crenet.com.   IN A 10.10.0.10
$INCLUDE /var/cache/bind/keys/Kg.crenet.com.+007+01898.key
$INCLUDE /var/cache/bind/keys/Kg.crenet.com.+007+33324.key
Now I am ready to sign the zone file. I will run "dnssec-signzone -3 <salt> -A -N INCREMENT -o <zonename> -t <zonefilename>". The "<salt>" value is a random hex string (the NSEC3 salt), which I can generate like below.
# head -c 1000 /dev/random | sha1sum | cut -b 1-16
643f8a18458c3fbd
With this value, I can complete the command above:
# cd ../zones
# dnssec-signzone -3 643f8a18458c3fbd -A -N INCREMENT -o g.crenet.com -t db.g.crenet.com
# ls
The files "db.g.crenet.com.signed" and "dsset-g.crenet.com." are created. I will update "named.conf.local" to point at this signed zone file.
# cat /etc/bind/named.conf.local
zone g.crenet.com {
        type master;
        file "/var/cache/bind/zones/db.g.crenet.com.signed";
        allow-transfer { 10.10.0.225; };
};
Restart the service and run a dig query for the DNSKEY records against this master DNS server.
# service bind9 restart
# dig DNSKEY g.crenet.com @10.10.0.124 +multiline
Now DNSSEC on the master DNS server is working.
3. Edit Slave DNS server configuration
This is not complicated. Just enable DNSSEC in "named.conf.options" on the slave DNS server.
# cat /etc/bind/named.conf.options
options {
        directory "/var/cache/bind";
        recursion no;
        listen-on port 53 { 10.10.0.225; };
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};
Also, change the file value in "named.conf.local" on the slave DNS server.
# cat /etc/bind/named.conf.local
zone g.crenet.com {
        type slave;
        file "db.g.crenet.com.signed";
        masters { 10.10.0.124; };
};
Now I restart bind9 and reload the zone. I can see the downloaded zone file, which is the signed one.
# service bind9 restart
# rndc reload
server reload successful
# ls
db.g.crenet.com  db.g.crenet.com.signed  managed-keys.bind  managed-keys.bind.jnl
4. Edit Caching DNS server configuration
I have already updated this file to enable the DNSSEC function. Please check the "/etc/bind/named.conf.options" file.
# cat /etc/bind/named.conf.options
acl trusted {
        178.128.21.101;
        10.10.0.204;
        10.10.0.124;
        10.10.0.225;
};
options {
        directory "/var/cache/bind";
        recursion yes;                        # enables recursive queries
        allow-recursion { trusted; };         # allows recursive queries from "trusted" clients
        listen-on port 53 { 10.10.0.204; };   # ns1 private IP address - listen on private network only
        allow-transfer { none; };             # disable zone transfers by default
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        dump-file "/var/cache/bind/dumps/named_dump.db";
        auth-nxdomain no;                     # conform to RFC1035
        listen-on-v6 { any; };
};
5. Configure DS records with the registrar.
When I created the signed zone file, the "dsset-g.crenet.com." file was also generated; it contains the "DS" records for the KSK (key tag 33324).
# cat dsset-g.crenet.com.
g.crenet.com. IN DS 33324 7 1 CFE9B08DB55C9EF23AAE19979FB2A48467C1061E
g.crenet.com. IN DS 33324 7 2 1245F5EB80E7A2F6CE9A64A9C69A94EFBC800D60EA4065B96B7FF501 AB6816D2
To publish this zone with DNSSEC, I have to submit these DS records to my DNS registrar. (The DNS registrar is the company responsible for registering the domain, such as GoDaddy or Gabia.) Prefer the SHA-256 record (digest type 2); RFC 8624 no longer recommends SHA-1 DS digests for new delegations.
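Before handing a DS record to the registrar it is worth recomputing it from the KSK's DNSKEY record and comparing it with the dsset file, so that a mistyped or stale digest is caught before the delegation breaks. The following is an added example and not code from the original post or from BIND; it implements the RFC 4034 key tag and DS digest, and the DNSKEY it checks is a constructed placeholder (the 4-byte "public key" is not a real RSA key).

```python
# Added example (not from the original post): recompute the DS record for a
# KSK from its DNSKEY record and check it against the dsset-<zone>. file that
# dnssec-signzone wrote. Key tag and digest follow RFC 4034 (App. B, Sec. 5).
import base64
import hashlib

def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (lower-cased, root-terminated)."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def dnskey_rdata(flags: int, proto: int, alg: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 2-byte flags, protocol, algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: 16-bit checksum over the RDATA bytes."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}   # DS digest types 1 and 2

def ds_record(owner: str, flags: int, proto: int, alg: int, pubkey_b64: str,
              digest_type: int = 2) -> str:
    """Return the DS record in the format dnssec-signzone writes to dsset-*."""
    rdata = dnskey_rdata(flags, proto, alg, pubkey_b64)
    digest = DIGESTS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {alg} {digest_type} {digest}"

def ds_matches(dsset_text: str, computed_ds: str) -> bool:
    """True if the computed DS appears in the dsset file. The digest is compared
    with whitespace removed, so a wrapped digest like '...FF501 AB6816D2' matches."""
    want = computed_ds.split()
    want_digest = "".join(want[6:])
    for line in dsset_text.splitlines():
        f = line.split()
        if len(f) >= 7 and f[:6] == want[:6] and "".join(f[6:]) == want_digest:
            return True
    return False

# Constructed sample KSK (flags 257 = KSK, alg 7 = NSEC3RSASHA1). The 4-byte
# public key is a placeholder so the key tag (2062) can be checked by hand.
SAMPLE_KEY = ("g.crenet.com.", 257, 3, 7, "AQIDBA==")

if __name__ == "__main__":
    for dt in (1, 2):
        print(ds_record(*SAMPLE_KEY, digest_type=dt))
```

With a real key, paste the DNSKEY fields from the K*.key file (or from "dig DNSKEY g.crenet.com +multiline") into ds_record and compare the result with the dsset file using ds_matches.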
Reference
[ 1 ] https://createnetech.tistory.com/46