OpenDnsSec on Debian with Bind

I had posted about DNSSEC a few months ago, but that used a rather cumbersome method to deploy DNS Security on your DNS. I have since looked at OpenDNSSEC, which is a more suitable and easier solution. Here are my steps to make it work on Debian.

Big Fat Warning: Test this at your own risk, do not deploy in live setups unless you know what you are doing, this will eat kittens and increase your carbon tax. Still reading? Carry on then.

I am using Debian Wheezy (testing) for this DNS setup because the OpenDNSSEC packages are more up to date. Start off by installing the required packages: apt-get install opendnssec libhsm-bin softhsm libsofthsm. Then you can start configuring it. All files are under /etc/opendnssec.

Edit the following file: conf.xml (replace the PIN with your own):

<?xml version="1.0" encoding="UTF-8"?>
<!-- $Id: conf.xml.in 3192 2010-04-14 20:51:42Z rb $ -->
<Configuration>
        <RepositoryList>

                <Repository name="SoftHSM">
                        <Module>/usr/lib/libsofthsm.so</Module>
                        <TokenLabel>OpenDNSSEC</TokenLabel>
                        <PIN>6666</PIN>
                </Repository>
        </RepositoryList>
        <Common>
                <Logging>
                        <Syslog><Facility>local0</Facility></Syslog>
                </Logging>
                
                <PolicyFile>/etc/opendnssec/kasp.xml</PolicyFile>
                <ZoneListFile>/etc/opendnssec/zonelist.xml</ZoneListFile>
        </Common>
        <Enforcer>
                <Privileges>
                        <User>opendnssec</User>
                        <Group>opendnssec</Group>
                </Privileges>
                <Datastore><SQLite>/var/lib/opendnssec/db/kasp.db</SQLite></Datastore>
                <Interval>PT3600S</Interval>
        </Enforcer>
        <Signer>
                <Privileges>
                        <User>opendnssec</User>
                        <Group>opendnssec</Group>
                </Privileges>
                <WorkingDirectory>/var/lib/opendnssec/tmp</WorkingDirectory>
                <WorkerThreads>2</WorkerThreads>
                <NotifyCommand>/usr/sbin/rndc reload %zone</NotifyCommand>
        </Signer>
        <Auditor>
                <Privileges>
                        <User>opendnssec</User>
                        <Group>opendnssec</Group>
                </Privileges>

                <WorkingDirectory>/var/lib/opendnssec/tmp</WorkingDirectory>
        </Auditor>
</Configuration>

Then edit kasp.xml as follows:

<?xml version="1.0" encoding="UTF-8"?>
<!-- $Id: kasp.xml.in 3564 2010-07-06 13:39:29Z rb $ -->
<KASP>
        <Policy name="default">
                <Description>A default policy that will amaze you and your friends</Description>
                <Signatures>
                        <Resign>PT2H</Resign>
                        <Refresh>P3D</Refresh>
                        <Validity>
                                <Default>P7D</Default>
                                <Denial>P7D</Denial>
                        </Validity>
                        <Jitter>PT12H</Jitter>
                        <InceptionOffset>PT3600S</InceptionOffset>
                </Signatures>
                <Denial>
                        <NSEC3>
                                <!-- <OptOut/> -->
                                <Resalt>P100D</Resalt>
                                <Hash>
                                        <Algorithm>1</Algorithm>
                                        <Iterations>5</Iterations>
                                        <Salt length="8"/>
                                </Hash>
                        </NSEC3>
                </Denial>
                <Keys>
                        <!-- Parameters for both KSK and ZSK -->
                        <TTL>PT3600S</TTL>
                        <RetireSafety>PT3600S</RetireSafety>
                        <PublishSafety>PT3600S</PublishSafety>
                        <!-- <ShareKeys/> -->
                        <Purge>P14D</Purge>

                        <!-- Parameters for KSK only -->
                        <KSK>
                                <Algorithm length="2048">7</Algorithm>
                                <Lifetime>P1Y</Lifetime>
                                <Repository>SoftHSM</Repository>
                                <Standby>0</Standby>
                        </KSK>

                        <!-- Parameters for ZSK only -->
                        <ZSK>
                                <Algorithm length="1024">7</Algorithm>
                                <Lifetime>P150D</Lifetime>
                                <Repository>SoftHSM</Repository>
                                <Standby>0</Standby>
                                <!-- <ManualRollover/> -->
                        </ZSK>
                </Keys>
                <Zone>
                        <PropagationDelay>PT43200S</PropagationDelay>
                        <SOA>
                                <TTL>PT86400S</TTL>
                                <Minimum>PT1H</Minimum>
                                <Serial>unixtime</Serial>
                        </SOA>
                </Zone>
                <Parent>
                        <PropagationDelay>PT9999S</PropagationDelay>
                        <DS>
                                <TTL>PT3600S</TTL>
                        </DS>
                        <SOA>
                                <TTL>PT172800S</TTL>
                                <Minimum>PT10800S</Minimum>
                        </SOA>
                </Parent>
                <Audit>
                        <!-- <Partial /> -->
                </Audit>
        </Policy>
</KASP>

Edit /etc/softhsm/softhsm.conf and add:

1:/var/lib/opendnssec/db/kasp.db

We can now create the SoftHSM token database; it will ask for your PIN, which is the one declared in conf.xml above. Execute the following: softhsm --init-token --slot 1 --label "OpenDNSSEC"

Edit your groups file (/etc/group) so that the bind, opendnssec and softhsm entries match the following:

bind:x:107:opendnssec
opendnssec:x:114:bind
softhsm:x:999:opendnssec

You can now set up the KASP database with: ods-ksmutil setup

I recommend running the following to set the permissions right and to link the new signed/unsigned directories where BIND can see them:

chown -R opendnssec:opendnssec /var/lib/opendnssec/
chgrp opendnssec /etc/opendnssec/*
ln -s /var/lib/opendnssec/signed /etc/bind/master/
ln -s /var/lib/opendnssec/unsigned /etc/bind/master/

Now the exciting bit: adding our first zone. Copy the zone file under /var/lib/opendnssec/unsigned, then run:

ods-ksmutil zone add -z myzone.net
service opendnssec-enforcer restart
service opendnssec-signer restart

If you have done it right, it will tell you that it found your zone. If this is the case, it is now time to declare it in order to generate keys: ods-ksmutil key generate --policy default --interval 30. At this stage you have to wait for the zone to become valid; this takes around 12h depending on what you set up. Time to make yourself a few coffees and listen to a few metal albums.

You now need to mark your zones as ready (telling the enforcer the DS has been seen at the parent). Rather than doing it manually, here is a script you can use (run it from a directory you can write to, since it creates a file called list):

# collect every zone that has a key in the "ready" state
ods-ksmutil key list | grep ready | awk '{ print $1 }' > list
for i in $(cat list); do
        # on the exported DNSKEY line, field 11 is the key tag in the trailing ";{id = N ...}" comment
        SERIAL=$(ods-ksmutil key export --zone "$i" --keystate ready | awk '$4 == "DNSKEY" { print $11 }')
        # tell the enforcer that the DS for this key tag has been published at the parent
        ods-ksmutil key ds-seen -z "$i" -x "$SERIAL"
done

Now that the zone is ready, you need to get ods to sign it; this is done with service opendnssec-signer restart. If it worked, you should see your new signed zone in /etc/bind/master/signed. All you have to do now is change your BIND config to point to the newly signed file.

We are now at the end of this article. It should be pointed out that keys expire: your Zone Signing Key (ZSK) expires after 6 months and the KSK after a year. You should plan to regenerate keys before expiry if possible, since you are supposed to propagate these (as DS records) to the parent zone to establish the chain of trust from the root servers.
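The script above trusts field 11 of the key export for the key tag that is passed to key ds-seen, and the chain of trust only holds if the DS published at the parent really matches the KSK you are serving. As an added example, not part of this post or of OpenDNSSEC itself, the following Python recomputes the key tag from the key material (RFC 4034 Appendix B), checks it against the id in the export comment, and derives the DS record (SHA-1 or SHA-256 digest over the owner name and DNSKEY RDATA) that you would compare with what the registrar publishes. The sample export text and key bytes are constructed here and are assumed to follow the single-line DNSKEY-plus-";{id = ...}" shape the page's awk relies on; the key is deliberately tiny and not a real RSA key.

```python
import base64
import hashlib
import re

# Constructed sample in the assumed shape of `ods-ksmutil key export` output:
# a comment line, then the DNSKEY RR with an ldns-style ";{id = ...}" trailer.
# The key bytes (01..08) are made up and far too short for a real 2048-bit key.
SAMPLE_EXPORT = """;ready KSK DNSKEY record:
myzone.net. 3600 IN DNSKEY 257 3 7 AQIDBAUGBwg= ;{id = 5148 (ksk), size = 2048b}
"""

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509)
DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}


def parse_dnskey(export_text):
    """Return the first DNSKEY RR in the export as a dict; ';' comment lines are skipped."""
    for line in export_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        rr, _, trailer = line.partition(";")
        fields = rr.split()
        if len(fields) < 8 or fields[3] != "DNSKEY":
            raise ValueError("not a DNSKEY record: %r" % line)
        # the id in the trailer is what the page's awk '{ print $11 }' picks up
        m = re.search(r"id\s*=\s*(\d+)", trailer)
        return {
            "owner": fields[0],
            "ttl": int(fields[1]),
            "flags": int(fields[4]),
            "protocol": int(fields[5]),
            "algorithm": int(fields[6]),
            "pubkey": base64.b64decode("".join(fields[7:])),
            "claimed_id": int(m.group(1)) if m else None,
        }
    raise ValueError("no DNSKEY record found")


def dnskey_rdata(rec):
    """Wire-format RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return (rec["flags"].to_bytes(2, "big")
            + bytes([rec["protocol"], rec["algorithm"]])
            + rec["pubkey"])


def key_tag(rec):
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except obsolete RSA/MD5)."""
    if rec["algorithm"] == 1:
        raise ValueError("algorithm 1 uses a different key tag rule and is obsolete")
    acc = 0
    for i, byte in enumerate(dnskey_rdata(rec)):
        acc += byte if i & 1 else byte << 8   # treat RDATA as big-endian 16-bit words
    acc += (acc >> 16) & 0xFFFF               # fold the carry back in
    return acc & 0xFFFF


def owner_to_wire(owner):
    """Canonical (lower-case) wire form of the owner name, as hashed into the DS digest."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_record(rec, digest_type=2):
    """DS RR for the parent: digest = H(owner wire form || DNSKEY RDATA)."""
    digest = DS_DIGESTS[digest_type](owner_to_wire(rec["owner"]) + dnskey_rdata(rec))
    return "%s %d IN DS %d %d %d %s" % (
        rec["owner"], rec["ttl"], key_tag(rec), rec["algorithm"],
        digest_type, digest.hexdigest().upper())


def check_export(export_text):
    """Verify the export's id before feeding it to `key ds-seen`; returns (tag, DS line)."""
    rec = parse_dnskey(export_text)
    tag = key_tag(rec)
    if rec["claimed_id"] is not None and rec["claimed_id"] != tag:
        raise ValueError("export says id %d but the key tag is %d" % (rec["claimed_id"], tag))
    return tag, ds_record(rec)


if __name__ == "__main__":
    tag, ds = check_export(SAMPLE_EXPORT)
    print("key tag:", tag)
    print("DS to publish at the parent:", ds)
```

Pipe the real output of ods-ksmutil key export --zone myzone.net --keystate ready into check_export in place of the constructed sample; the returned DS line is what the parent should show (a dig DS myzone.net against the parent's servers) before you run key ds-seen, which is the step that lets the enforcer retire the previous KSK.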

When you modify a zone, just trigger ods-signer sign myzone.net to re-sign it. If you need to delete a zone within ods, you can use the following: ods-ksmutil zone delete --zone myzone.net

At the time of writing, please note that only a FEW root zones are signed, so this is more research than production (although all my zones are currently signed).

2 thoughts on "OpenDnsSec on Debian with Bind"

  1. Recent versions of BIND will also do inline zone signing via dynamic updates. You need to handle key rollovers separately though.

  2. Nice, must read about that, although in my case, I am using a stealth master then pushing the signed zones to the official external master.
