DNSSEC is basically a way to cryptographically verify the authenticity of DNS data. You can read more about it on the DNSSEC Wikipedia page.
I’m simply going to address how to configure it properly. We start from a working BIND installation and some zone files. The process we are going to follow is:
- create a set of cryptographic keys used to sign (and later validate) the zone
- “sign” the zone file with these keys
- provide a hash of the signing key (a DS record) to the domain name registrar, which confirms the authenticity of the signed zone
The way I like to do this is to create a directory for each domain under the “dynamic” directory found in “/usr/local/etc/namedb/” (I use FreeBSD; on other *nix flavours this might be elsewhere in the system, such as “/etc/namedb/”).
So if I want to sign a zone for marcobat.com I will have “/usr/local/etc/namedb/dynamic/marcobat.com/”. Under this directory I will store the keys (in their own sub-directory, keys), the unsigned zone file and the signed zone file. Right now I only have the unsigned zone file and an empty directory named keys:
host:/usr/local/etc/namedb/dynamic/marcobat.com $ ls -la
total 2
drwxr-xr-x 3 root bind 4 Nov 11 13:05 .
drwxr-xr-x 3 bind bind 3 Nov 12 22:28 ..
-rw-r--r-- 1 root bind 514 Nov 11 13:05 db.marcobat.com
drwxr-xr-x 2 root bind 2 Nov 11 13:05 keys
Let’s say the zone looks like this, just to have something to work on:
$TTL 86400
@       IN SOA ns1.nameserver.ext. dontemailme.marcobat.com. (
                2021111101 ; Serial
                3H         ; Refresh
                15M        ; Retry
                2W         ; Expiry
                1D )       ; Minimum
        86400   NS      ns1.nameserver.ext.
        86400   NS      ns2.nameserver.ext.
        3600    A       1.2.3.4
www     3600    CNAME   @
OK, I will move into the keys directory to generate the keys (I will generate 2 key pairs, a KSK and a ZSK, for a total of 4 files):
$ cd keys
$ dnssec-keygen -f KSK -a ECDSAP256SHA256 -n ZONE marcobat.com
$ dnssec-keygen -a ECDSAP256SHA256 -n ZONE marcobat.com
As a result we get 4 weirdly named files:
$ ls -l
total 8
-rw-r--r-- 1 root bind 343 Nov 12 23:31 Kmarcobat.com.+013+09904.key
-rw------- 1 root bind 187 Nov 12 23:31 Kmarcobat.com.+013+09904.private
-rw-r--r-- 1 root bind 343 Nov 12 23:31 Kmarcobat.com.+013+63946.key
-rw------- 1 root bind 187 Nov 12 23:31 Kmarcobat.com.+013+63946.private
The private and key files shown here are not real, BTW.
Next we are going to edit the unsigned zone file and include the public keys by adding these two lines below the name server records.
[..]
        86400   NS      ns1.nameserver.ext.
        86400   NS      ns2.nameserver.ext.
$INCLUDE /usr/local/etc/namedb/dynamic/marcobat.com/keys/Kmarcobat.com.+013+09904.key
$INCLUDE /usr/local/etc/namedb/dynamic/marcobat.com/keys/Kmarcobat.com.+013+63946.key
[..]
Finally we are going to “sign” the zone. The command is run from the keys directory (hence the ../ in the path), which is where dnssec-signzone looks for the private keys by default:
dnssec-signzone -o marcobat.com ../db.marcobat.com
This will generate a db.marcobat.com.signed file in “/usr/local/etc/namedb/dynamic/marcobat.com/”. Where the main named.conf file previously included the unsigned zone file, we will now include the new one.
zone "marcobat.com" {
    type master;
    file "/usr/local/etc/namedb/dynamic/marcobat.com/db.marcobat.com.signed";
};
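One thing to keep in mind before (and after) pointing named.conf at the signed file: dnssec-signzone gives every RRSIG a limited validity window, 30 days from signing by default, and once the signatures expire validating resolvers treat the zone as bogus, so the signing step has to be repeated before then. The script below is an added example, not code from the original post or from BIND: it parses the RRSIG records out of a db.marcobat.com.signed-style file (the parenthesised multi-line format dnssec-signzone writes), reports the earliest expiration and says whether re-signing is due. The zone excerpt embedded in it is constructed for the example, with dummy signature data; the current UTC time is passed as a YYYYMMDDHHMMSS string, the same format RRSIG uses (`date -u +%Y%m%d%H%M%S` produces it).

```python
"""
Check when the RRSIGs in a dnssec-signzone output file expire.

Added example, not part of the original post. dnssec-signzone signs with a
30-day validity by default; this finds the earliest RRSIG expiration in the
.signed file and reports whether re-signing is due.
"""
import re
import sys
from datetime import datetime, timedelta, timezone

# Constructed excerpt in the style of a dnssec-signzone output file.
# Signature blobs are dummy base64, not real ECDSA signatures.
SIGNED_ZONE = """\
marcobat.com.\t\t86400\tIN\tSOA\tns1.nameserver.ext. dontemailme.marcobat.com. (
\t\t\t\t\t2021111101 ; serial
\t\t\t\t\t10800      ; refresh (3 hours)
\t\t\t\t\t900        ; retry (15 minutes)
\t\t\t\t\t1209600    ; expire (2 weeks)
\t\t\t\t\t86400      ; minimum (1 day)
\t\t\t\t\t)
\t\t\t86400\tRRSIG\tSOA 13 2 86400 (
\t\t\t\t\t20211213223100 20211113213100 9904 marcobat.com.
\t\t\t\t\tZHVtbXlzaWduYXR1cmU= )
\t\t\t3600\tIN\tA\t1.2.3.4
\t\t\t3600\tRRSIG\tA 13 2 3600 (
\t\t\t\t\t20211210120000 20211113213100 9904 marcobat.com.
\t\t\t\t\tZHVtbXlzaWduYXR1cmU= )
www.marcobat.com.\t3600\tIN\tCNAME\tmarcobat.com.
\t\t\t3600\tRRSIG\tCNAME 13 3 3600 (
\t\t\t\t\t20211213223100 20211113213100 9904 marcobat.com.
\t\t\t\t\tZHVtbXlzaWduYXR1cmU= )
"""

# RRSIG RDATA fields (RFC 4034 section 3): type covered, algorithm, labels,
# original TTL, expiration, inception, key tag, signer name, signature.
RRSIG_RE = re.compile(
    r"RRSIG\s+(?P<type>\S+)\s+(?P<alg>\d+)\s+(?P<labels>\d+)\s+(?P<ottl>\d+)\s+"
    r"(?P<expire>\d{14})\s+(?P<incept>\d{14})\s+(?P<keytag>\d+)\s+(?P<signer>\S+)"
)


def logical_records(zone_text):
    """Yield one logical record per item: strip ';' comments and join the
    continuation lines of records wrapped in ( ... ), as in RFC 1035 master files."""
    buf, depth = [], 0
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]           # no quoted strings in our data
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line.strip())
        if depth <= 0:
            yield " ".join(buf).replace("(", " ").replace(")", " ")
            buf, depth = [], 0


def parse_ts(ts):
    """RRSIG timestamps are YYYYMMDDHHMMSS in UTC (RFC 4034 section 3.2)."""
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def rrsig_windows(zone_text):
    """Return (covered type, key tag, inception, expiration) for every RRSIG."""
    windows = []
    for rec in logical_records(zone_text):
        m = RRSIG_RE.search(rec)
        if m:
            windows.append((m["type"], int(m["keytag"]),
                            parse_ts(m["incept"]), parse_ts(m["expire"])))
    return windows


def earliest_expiry(zone_text):
    """Earliest RRSIG expiration as a UTC datetime, or None if the zone has no RRSIGs."""
    windows = rrsig_windows(zone_text)
    return min(w[3] for w in windows) if windows else None


def days_until_expiry(zone_text, now_ts):
    """Whole days from now_ts (YYYYMMDDHHMMSS, UTC) to the earliest expiration; negative once expired."""
    return (earliest_expiry(zone_text) - parse_ts(now_ts)).days


def resign_needed(zone_text, now_ts, margin_days=7):
    """True when the zone is unsigned, already expired, or expires within margin_days."""
    exp = earliest_expiry(zone_text)
    return exp is None or exp - parse_ts(now_ts) <= timedelta(days=margin_days)


if __name__ == "__main__":
    if len(sys.argv) == 3:                    # usage: script.py db.marcobat.com.signed YYYYMMDDHHMMSS
        text, now = open(sys.argv[1], encoding="ascii").read(), sys.argv[2]
    else:                                     # demo on the constructed zone at its signing time
        text, now = SIGNED_ZONE, "20211113213100"
    print(f"earliest RRSIG expiry: {earliest_expiry(text):%Y-%m-%d %H:%M:%S} UTC, "
          f"{days_until_expiry(text, now)} days left, re-sign needed: {resign_needed(text, now)}")
```

The seven-day margin is a deliberately conservative default: re-signing a day before expiry leaves no room for caches that still hold the old RRSIGs for their TTL, and a cron job that calls `resign_needed` (or simply re-runs dnssec-signzone on a fixed schedule well inside the 30-day window) is the usual way to keep a manually signed zone from silently going bogus.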
By reloading the zone our DNS server will now be serving the “signed” zone file. However we still have one more step: we need to provide some information to our domain name registrar so that validation is complete. In order to do this we need one more command:
dnssec-dsfromkey -1 -f /usr/local/etc/namedb/dynamic/marcobat.com/db.marcobat.com.signed marcobat.com
which will return something like this:
marcobat.com. IN DS 63946 13 1 0FE90E49C7CD3E044CF9CDBCFA12F7467075B5DC
We now have the information we need to create the DS record at our registrar. Every registrar has a different interface or method for entering this information, but they will all want a Key Tag (here 63946), an Algorithm (13, which corresponds to the “ECDSAP256SHA256” option we used earlier, the currently recommended one according to the BIND documentation), a Digest Type (1) and a Digest (0FE90E49C7CD3E044CF9CDBCFA12F7467075B5DC).
Once you have provided this information to your registrar the process is complete.
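To make the four DS fields concrete, here is an added example (my own code, not the author's and not BIND's) that recomputes a DS record from a .key file the way dnssec-dsfromkey does: the Key Tag is the RFC 4034 Appendix B checksum over the DNSKEY RDATA, and the Digest is a hash over the owner name in wire format followed by that RDATA. The two .key files embedded in it are constructed with dummy public keys, so their tags and digests are not the ones shown above. One caveat the registrar step deserves: Digest Type 1 is SHA-1, which RFC 8624 says must no longer be used for new DS records, so the code defaults to SHA-256 (Digest Type 2, the output of `dnssec-dsfromkey -2`) and accepts type 1 only for comparison with older output.

```python
"""
Recompute a DS record from a dnssec-keygen .key file (what dnssec-dsfromkey does).

Added example, not part of the original post or of BIND. Implements the key
tag of RFC 4034 Appendix B and the DS digest of RFC 4034 section 5.1.4:
    digest = hash( owner name in canonical wire form || DNSKEY RDATA )
Digest type 1 = SHA-1 (not to be used for new delegations, RFC 8624),
digest type 2 = SHA-256 (RFC 4509).
"""
import base64
import hashlib

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}

# Constructed .key-file contents with dummy public keys (not real ECDSA points);
# a real file carries a long base64 blob after the "257 3 13" / "256 3 13" fields.
KSK_KEY_FILE = """\
; constructed key-signing key for the example
marcobat.com. IN DNSKEY 257 3 13 AQID
"""
ZSK_KEY_FILE = """\
; constructed zone-signing key for the example
marcobat.com. IN DNSKEY 256 3 13 BAUG
"""


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercased, length-prefixed labels ending in the root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    if any(len(lbl) > 63 for lbl in labels):
        raise ValueError("DNS label longer than 63 octets")
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def parse_dnskey(text):
    """Parse the DNSKEY RR in a .key file (comment lines start with ';').
    Returns (owner, flags, protocol, algorithm, rdata) where rdata is the
    binary RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        tokens = line.split()              # owner [TTL] [IN] DNSKEY flags proto alg key...
        idx = tokens.index("DNSKEY")
        flags, proto, alg = (int(t) for t in tokens[idx + 1:idx + 4])
        pubkey = base64.b64decode("".join(tokens[idx + 4:]))
        rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
        return tokens[0], flags, proto, alg, rdata
    raise ValueError("no DNSKEY record found")


def key_tag(rdata):
    """RFC 4034 Appendix B: a 16-bit checksum of the RDATA, not a cryptographic hash."""
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet if i & 1 else octet << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, rdata, digest_type=2):
    """Presentation-format DS RR: '<owner> IN DS <key tag> <algorithm> <digest type> <hex digest>'."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    algorithm = rdata[3]
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def ds_records_for_zone(key_files, digest_type=2):
    """Like `dnssec-dsfromkey -f`: emit DS records only for keys carrying the SEP flag (the KSKs)."""
    records = []
    for text in key_files:
        owner, flags, _, _, rdata = parse_dnskey(text)
        if flags & 0x0001:                 # SEP bit (RFC 4034 section 2.1.1)
            records.append(ds_record(owner, rdata, digest_type))
    return records


if __name__ == "__main__":
    for rec in ds_records_for_zone([KSK_KEY_FILE, ZSK_KEY_FILE]):
        print(rec)
```

Running it on the real Kmarcobat.com.+013+NNNNN.key files (read their contents and pass them in the list) reproduces the dnssec-dsfromkey output, which is a handy cross-check that the Key Tag and Digest you paste into the registrar's form belong to the KSK and not to the ZSK.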