Date: Mon, 23 Sep 2019 23:01:04 -0700
From: "Michael Paoli" <Michael.Paoli@cal.berkeley.edu>
To: Al <aw009@sunnyside.com>
Cc: "Rick Moen" <rick@linuxmafia.com>
Subject: Re: DNSSEC
I use BIND 9's (currently running 1:9.10.3.dfsg.P4-12.3+deb9u5) inline signing for DNSSEC. Here's my "cheat sheet" of notes for setting up and checking DNSSEC with BIND 9, etc. I'm also chrooted, so ...
$ readlink /etc/bind
../var/lib/named/etc/bind
$ mount | fgrep /var/lib
udev on /var/lib/named/dev/null type devtmpfs (rw,nosuid,relatime,size=8173820k,nr_inodes=2043455,mode=755)
udev on /var/lib/named/dev/random type devtmpfs (rw,nosuid,relatime,size=8173820k,nr_inodes=2043455,mode=755)
$ (tab=$(echo -en '\011'); sed -ne '\/var\/lib\/named/!d;s/['"$tab"']\{1,\}/ /gp' /etc/fstab)
fgrep /var/lib /etc/fstab | sed -e 's/[ ][ ]*/ /g'
/dev/null /var/lib/named/dev/null none bind 0 0
/dev/random /var/lib/named/dev/random none bind 0 0
$ grep '^O' /etc/default/bind9
OPTIONS="-u bind -t /var/lib/named"
$ expand < notes/DNSSEC
DNSSEC with BIND >9.9 and inline-signing
guide:
https://ftp.isc.org/isc/dnssec-guide/dnssec-guide.pdf
key directory, e.g.:
named.conf:include "/etc/bind/named.conf.options";
named.conf.options: key-directory "/var/cache/bind/keys";
# cd /var/cache/bind/keys && pwd -P && ls -ld .
/var/lib/named/var/cache/bind/keys
drwxrwx--- 2 root bind 4096 Sep 23 05:55 .
#
generate keys
# (d=balug.org; umask 037 && dnssec-keygen -a RSASHA256 -b 1024 "$d" && dnssec-keygen -a RSASHA256 -b 2048 -f KSK "$d")
SAVE COPIES!!! (if DS is set up in parent and private keys lost, one is screwed)
At least as of 2017-09-24:
Algorithm:
.(root),com,net is using 8 (RSASHA256)
org is using 7 (NSEC3RSASHA1)
bits:
.(root) is using 2048
com,net,org is using 2048 (KSK) / 1024 (ZSK)
enable inline signing for zone:
inline-signing yes;
auto-dnssec maintain;
serial-update-method unixtime;
(or default of: serial-update-method increment;)
Verify before activating:
# ( d=balug.org k=$( dig @127.0.0.1 "$d". DNSKEY | dnssec-dsfromkey -f - "$d" | awk '{print $4;}' | sort -u ) delv @127.0.0.1 -a <( s=' ' s4="$s$s$s$s" sed -e ' /^;/d s/ IN DNSKEY / / s/^[^ ]* [^ ]* [^ ]* [^ ]* /&"/ :s /"[^ ]*$/b t s/\("[^ ]*\) /\1/ b s :t s/.*/trusted-keys {\n'"$s4"'&";\n};/ ' /var/cache/bind/keys/K"$d".+008+"$k".key ) +root="$d" "$d". SOA +multiline )
Above expression includes some bashisms, notably "<()".
From the KSK:
(d=balug.org; dig @127.0.0.1 "$d". DNSKEY | dnssec-dsfromkey -f - "$d")
Or:
(cd /var/cache/bind/keys && dnssec-dsfromkey Kbalug.org.+008+17095)
resources:
guide: https://ftp.isc.org/isc/dnssec-guide/dnssec-guide.pdf
excellent troubleshooting: http://dnsviz.net/
Debian wiki bits (rather out-of-date at last check):
https://wiki.debian.org/DNSSEC
https://wiki.debian.org/DNSSEC%20Howto%20for%20BIND%209.9+
BIND documentation
more lists of resources: https://www.isc.org/downloads/bind/dnssec/
resolver validation checks:
http://dnssec.vs.uni-due.de/
https://rootcanary.org/test.html
https://en.internet.nl/connection/
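As an added example (not part of Michael's notes or of BIND), the following Python reproduces what dnssec-dsfromkey does so a DS record can be cross-checked independently before it is handed to the parent: the key tag from RFC 4034 Appendix B (the "17095" in the K<zone>.+008+17095 file name above) and the DS digest from RFC 4509 (SHA-256 over the canonical owner name followed by the DNSKEY RDATA). The public-key bytes used at the bottom are constructed, not a real RSA key; they are chosen so the key tag (2063) can be verified by hand. Everything else (flags 257 for a KSK, protocol 3, algorithm 8 = RSASHA256, digest type 2) follows the RFCs.

```python
"""Key tag (RFC 4034 App. B) and DS record (RFC 4509) for a DNSKEY.

Added example, independent of BIND's dnssec-dsfromkey; use it to confirm
the DS you are about to publish in the parent matches your DNSKEY.
"""
import base64
import hashlib
import struct


def wire_name(owner: str) -> bytes:
    """Canonical (lowercased) wire form of an owner name, root label included."""
    labels = [x for x in owner.rstrip(".").lower().split(".") if x]
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA on the wire: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the whole DNSKEY RDATA.

    Even-offset bytes count as the high byte, odd-offset bytes as the low
    byte; the carry is folded back in once. (Obsolete algorithm 1 used a
    different rule and is deliberately not handled.)
    """
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(canonical owner name | DNSKEY RDATA), upper-case hex."""
    if digest_type not in DIGEST_TYPES:
        raise ValueError("unsupported DS digest type %d" % digest_type)
    return DIGEST_TYPES[digest_type](wire_name(owner) + rdata).hexdigest().upper()


def ds_record(owner: str, flags: int, protocol: int, algorithm: int,
              pubkey_b64: str, digest_type: int = 2) -> str:
    """Render 'owner. IN DS tag alg dtype digest', as dnssec-dsfromkey prints."""
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64))
    return "%s. IN DS %d %d %d %s" % (owner.rstrip("."), key_tag(rdata), algorithm,
                                       digest_type, ds_digest(owner, rdata, digest_type))


def ds_matches(ds_text: str, owner: str, flags: int, protocol: int,
               algorithm: int, pubkey_b64: str) -> bool:
    """True if a DS line (from the parent, or from dig ... DS) covers this DNSKEY.

    Accepts either a full RR ('owner. [ttl] [IN] DS ...') or bare RDATA, and
    tolerates a digest that dig has split into several whitespace-separated
    chunks. Owner-name case is irrelevant because wire_name() lowercases.
    """
    fields = ds_text.split()
    if "DS" in fields:
        fields = fields[fields.index("DS") + 1:]
    if len(fields) < 4:
        return False
    tag, alg, dtype = (int(x) for x in fields[:3])
    digest = "".join(fields[3:]).upper()
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64))
    return (tag == key_tag(rdata) and alg == algorithm
            and dtype in DIGEST_TYPES and digest == ds_digest(owner, rdata, dtype))


# Constructed sample: these four public-key bytes are NOT a real RSA key; they
# are chosen so the key tag can be checked by hand (RDATA 01 01 03 08 01 02 03 04
# sums to 2063). Flags 257 = KSK, protocol 3, algorithm 8 = RSASHA256.
SAMPLE_OWNER = "balug.org"
SAMPLE_FLAGS, SAMPLE_PROTO, SAMPLE_ALG = 257, 3, 8
SAMPLE_PUBKEY_B64 = base64.b64encode(b"\x01\x02\x03\x04").decode()

if __name__ == "__main__":
    ds = ds_record(SAMPLE_OWNER, SAMPLE_FLAGS, SAMPLE_PROTO, SAMPLE_ALG, SAMPLE_PUBKEY_B64)
    print(ds)
    print("matches:", ds_matches(ds, SAMPLE_OWNER, SAMPLE_FLAGS, SAMPLE_PROTO,
                                 SAMPLE_ALG, SAMPLE_PUBKEY_B64))
```

To use it on a real key, paste the flags/protocol/algorithm and the base64 public key from the K<zone>.+008+<tag>.key file (or from `dig <zone> DNSKEY`) into ds_record(), and compare the result with `dig <zone> DS` at the parent using ds_matches(); a tag or digest mismatch means the parent is pointing at a key you are not serving, which is exactly the state "SAVE COPIES!!!" warns about.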