DNSSEC in a few easy steps

I meant to write a quick note about this quite some time ago but only got around it today. You will be needing Bind 9.7+ for this as it includes all the cool DNSSEC tools you need. If you are still wondering what DNSSEC is, i suggest your start with this site.

So DNSSEC in short is an effort to develop a safer internet by protecting/validating DNS records and zones. I have chosen to start with a small zone I have which doesn’t actually have high traffic yet, the plan is to move ALL my zones after a while. You also need to know that NOT ALL ROOT ZONES are signed yet. For more information, see this site. As for what we are going to use now, it is all part of RFC 4641.

Let’s get started. Imagine you have your zone frlinux.eu, you first need to create a ZSK pair. This one is responsible for signing records within a zone. This will need to be changed frequently (typical recommendation is every month), this is what i used (this will take a while, make sure you have enough entropy on the server):

dnssec-keygen -a RSASHA1 -b 1024 -n ZONE frlinux.eu

Once you have this, we need to move on to the KSK (Key Signing Key) which can be stronger since you will need to change it less (typically every year). This is the command I used (and again, will take longer to generate):

dnssec-keygen -f KSK -a RSASHA1 -b 2048 -n ZONE frlinux.eu

After these steps, the hardest has been done, you can now include the public keys onto your zone (don’t forget to update the serial):

cat Kfrlinux.eu.+005+*key >> frlinux.eu
rndc reload

It is now time to sign your zone. Remember: every time you update a record or make a change to this zone, you will need to sign it again. This can be done by doing:

dnssec-signzone frlinux.eu

Then replace frlinux.eu for frlinux.eu.signed then reload the zone again.

You are now done. You can confirm the zone is signed and working by doing:

dig +dnssec frlinux.eu a
dig +cd +multi frlinux.eu dnskey

All going well, you should obtain something like this:

; <
> DiG 9.7.1-P2 <
> +dnssec frlinux.eu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30315
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 9

; EDNS: version: 0, flags: do; udp: 4096
;frlinux.eu. IN A

frlinux.eu. 86400 IN A
frlinux.eu. 86400 IN RRSIG A 5 2 86400 20101216183236 20101116183236 21720 frlinux.eu. aGmQsAjLY1uRRCWlGSun0OuOkAkKV3tQoBKZ8wQOX9KzaUyFLA9LcCuH yfX5oKMta1NKXmJ5yqT6u3AgSwCSXaRaESIELhHRFXSPhKSJXfVugOUI 2MdDwm2zltBq7BlpQv9KM23O9Lp3GPJC9RfdCRs4MPSjoDpc5fI21iIg 3S4=