DNSsec Installation on Linux
What’s needed?
- Fully qualified domain name
- Atleast 1 machine but this guide will give instrucktion on Primary and secondary
Configuration information
- Machine 1 will have ip of A.A.A.A
- Machine 2 will have ip of B.B.B.B
- Guides domainname would be for machine 1 ns1.example.com machine 2 will have ns2.example.com
- and the FQDN would be example.com
NS1
First lets update the system on the machine
1
zypper update -y
After the update lets do a reboot
1
reboot
Time to get the bind packages
1
zypper in bind bind-utils -y
We need to open some ports
1
2
firewall-cmd -add-service=dns --premanent
firewall-cmd --reload
Configuration of NS1
Open /etc/named.conf
1
vi /etc/named.conf
in the named.conf we need to put a # in front of
1
#listen-on port 53 {127.0.0.1;};
We should make sure there is no # on listen-on-v6 and we should make sure it listen to any
1
listen-on-v6 port 53{any;};
And then we need to find allow-transfer{} and it should look like this
1
allow-transfer {localhost; B.B.B.B};
Make sure this 3 lines exist in named.conf
1
2
3
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
Last thing to do in the configuration file is adding our zone
1
2
3
4
5
6
zone "example.com" IN {
type master;
file "example.com.zone.signed";
allow-transfer {B.B.B.B;};
allow-update {none;};
}
Now we are done with configuration of bind services. Now we need to create our zone file
1
vi /var/named/example.com.zone
In the file example.com.zone we need to put this
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
$TTL 1800
@ IN SOA ns1.example.com. admin.example.com. (
2017060501 ;Serial
3600 ;Refresh
1800 ;Retry
604800 ;Expire
3600 ;Minimum TTL
)
; Ange våra två namnservrar
IN NS ns1.example.com.
IN NS ns2.example.com.
; Slå upp värdnamn för namnservrar till IP, ersätt med dina två servrar IP-adresser.
ns1 IN A A.A.A.A
ns2 IN A B.B.B.B
; Definiera värdnamn -> IP-par som du vill kunna slå upp
@ IN A C.C.C.C
www IN A C.C.C.C
In this case the admin.example.com is your email-adress admin.example.com is equal to admin@example.com
Generating keys
Now when we have configure the zone file we need to generate keys that we need to sign the zone file
lets do some commands
1
2
3
4
5
6
7
8
9
10
cd /var/named
dnssec-keygen -r /dev/urandom -a ED25519 -b 4096 -n ZONE example.com
dnssec-keygen -r /dev/urandom -f KSK -a ED25519 -b 4096 -n ZONE example.com
for key in `ls Kexample.com*.key`
do
echo "\$INCLUDE $key">> example.com.zone
done
dnssec-signzone -A -3 $(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16) -N INCREMENT -o example.com -t example.com.zone
Last we just need to restart named
1
systemctl restart named
NS2
First lets update the system on the machine
1
zypper update -y
After the update lets do a reboot
1
reboot
Time to get the bind packages
1
zypper in bind bind-utils -y
We need to open some ports
1
2
firewall-cmd -add-service=dns --premanent
firewall-cmd --reload
Configuration of NS2
Open /etc/named.conf
1
vi /etc/named.conf
On NS2 we need to put a # in front of listen-on port 53
1
#listen-on port 53 {127.0.0.1;};
We should make sure there is no # on listen-on-v6 and we should make sure it listen to any
1
listen-on-v6 port 53{any;};
Last thing we need to do is to do the zone configuration
1
2
3
4
5
6
zone "example.com" IN {
type slave;
masters { A.A.A.A; };
file "example.com.zone.signed";
allow-notify { A.A.A.A; };
};
That what we need to do on NS2. Last thing is to restart named
1
systemctl restart named
Both server is done
But last thing we need to do is to publish the keys at the domain provider. Need to check with your domain provider how you do it in there system.
Good to know
Everytime you update your zone-file you need to resign the zone-file with the
1
dnssec-signzone -A -3 $(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16) -N INCREMENT -o example.com -t example.com.zone
Config files
NS2s /etc/named.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
#listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { any; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
allow-transfer {localhost; 37.139.28.133; };
recursion no;
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
zone "example.com" IN {
type master;
file "example.com.zone.signed";
allow-transfer { B.B.B.B; };
allow-update { none; };
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
NS1s /var/named/example.com.zone
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
$TTL 1800
@ IN SOA ns1.example.com. admin.example.com. (
2017060501 ;Serial
3600 ;Refresh
1800 ;Retry
604800 ;Expire
3600 ;Minimum TTL
)
; Ange våra två namnservrar
IN NS ns1.example.com.
IN NS ns2.example.com.
; Slå upp värdnamn för namnservrar till IP, ersätt med dina två servrar IP-adresser.
ns1 IN A A.A.A.A
ns2 IN A B.B.B.B
; Definiera värdnamn -> IP-par som du vill kunna slå upp
@ IN A C.C.C.C
www IN A C.C.C.C
$INCLUDE Kexample.com.+007+27722.key
$INCLUDE Kexample.com.+007+43020.key
NS2s /etc/named.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
#listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { any; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion no;
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
zone "example.com" IN {
type slave;
masters { A.A.A.A; };
file "example.com.zone.signed";
allow-notify { A.A.A.A; };
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";