Bind with DNSSEC Installation

DNSSEC Installation on Linux

What's needed?

  1. A fully qualified domain name
  2. At least one machine; this guide gives instructions for a primary and a secondary

Configuration information

  1. Machine 1 will have the IP A.A.A.A
  2. Machine 2 will have the IP B.B.B.B
  3. In this guide machine 1 is ns1.example.com and machine 2 is ns2.example.com
  4. The FQDN of the zone is example.com

NS1

First, let's update the system on the machine

zypper update -y

After the update, let's reboot

reboot

Time to get the bind packages

zypper in bind bind-utils -y

We need to open the DNS port in the firewall

firewall-cmd --add-service=dns --permanent
firewall-cmd --reload

Configuration of NS1

Open /etc/named.conf

vi /etc/named.conf

In named.conf we need to comment out the following line by putting a # in front of it

#listen-on port 53 {127.0.0.1;};

Make sure listen-on-v6 is not commented out and that it listens on any

listen-on-v6 port 53{any;};

Then find allow-transfer {} and make it look like this (note the semicolon after each address)

allow-transfer { localhost; B.B.B.B; };

Make sure these three lines exist in named.conf

dnssec-enable yes;
dnssec-validation yes;
// dnssec-lookaside (DLV) is obsolete: the ISC DLV registry has been shut down and
// BIND 9.16 and later no longer accept this option, so leave it out on current versions.
dnssec-lookaside auto;

The last thing to do in the configuration file is to add our zone

zone "example.com" IN {
    type master;
    file "example.com.zone.signed";
    allow-transfer {B.B.B.B;};
    allow-update {none;};
};

That completes the configuration of the bind service. Now we need to create our zone file

vi /var/named/example.com.zone

In example.com.zone we put the following

$TTL 1800
@   IN  SOA     ns1.example.com. admin.example.com. (
        2017060501  ;Serial
        3600        ;Refresh
        1800        ;Retry
        604800      ;Expire
        3600        ;Minimum TTL
)
; Specify our two name servers
                IN	NS              ns1.example.com.
                IN	NS              ns2.example.com.
; Map the name servers' hostnames to IPs; replace with the IP addresses of your two servers.
ns1             IN	A               A.A.A.A
ns2             IN	A               B.B.B.B

; Define the hostname -> IP pairs you want to be able to look up
@               IN	A               C.C.C.C
www             IN	A               C.C.C.C

In this case admin.example.com is your email address: the SOA record writes the @ as a dot, so admin.example.com is equal to admin@example.com.

Generating keys

Now that the zone file is configured, we need to generate the keys used to sign it.

Let's run some commands

cd /var/named
# Zone-signing key (ZSK). ED25519 keys have a fixed size, so -b is not needed.
dnssec-keygen -r /dev/urandom -a ED25519 -n ZONE example.com
# Key-signing key (KSK); its DS record is what gets published at the domain provider.
dnssec-keygen -r /dev/urandom -f KSK -a ED25519 -n ZONE example.com

# Pull both public keys into the unsigned zone file
for key in Kexample.com.*.key
do
    echo "\$INCLUDE $key" >> example.com.zone
done

# Sign the zone with NSEC3 (random salt) and a bumped serial; writes example.com.zone.signed
# and dsset-example.com., which holds the DS record(s) to publish at the parent.
dnssec-signzone -A -3 $(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16) -N INCREMENT -o example.com -t example.com.zone

Last, we just need to restart named

systemctl restart named

NS2

First, let's update the system on the machine

zypper update -y

After the update, let's reboot

reboot

Time to get the bind packages

zypper in bind bind-utils -y

We need to open the DNS port in the firewall

firewall-cmd --add-service=dns --permanent
firewall-cmd --reload

Configuration of NS2

Open /etc/named.conf

vi /etc/named.conf

On NS2 we also need to put a # in front of the listen-on port 53 line

#listen-on port 53 {127.0.0.1;};

Make sure listen-on-v6 is not commented out and that it listens on any

listen-on-v6 port 53{any;};

The last thing we need to do is the zone configuration

zone "example.com" IN {
        type slave;
        masters { A.A.A.A; };
        file "example.com.zone.signed";
        allow-notify { A.A.A.A; };
};

That is all we need to do on NS2. The last step is to restart named

systemctl restart named

Both servers are done

The last thing to do is to publish the keys at the domain provider, so that the parent zone gets a DS record for your KSK. Check with your domain provider how this is done in their system.
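
Once the DS record is in place, the setup can be checked end to end: both servers must serve the same SOA serial, the answers must carry RRSIGs, and a validating resolver must set the ad flag. The script below is an added example, not part of the original post; it assumes dig from bind-utils is installed, the A.A.A.A/B.B.B.B addresses from this guide, and uses 1.1.1.1 as the validating resolver (an assumption, any validating resolver will do).

```shell
#!/bin/sh
# End-to-end check for the two-server DNSSEC setup in this guide (added example).
# Assumptions: dig is installed, NS1/NS2 are reachable, and RESOLVER validates DNSSEC.

ZONE=${ZONE:-example.com}
NS1=${NS1:-A.A.A.A}
NS2=${NS2:-B.B.B.B}
RESOLVER=${RESOLVER:-1.1.1.1}   # assumed validating resolver

# soa_serial DIG_OUTPUT -> serial of the first SOA in "dig +noall +answer" output.
# Answer line format: name ttl IN SOA mname rname serial refresh retry expire minimum
soa_serial() {
    printf '%s\n' "$1" | awk '$4 == "SOA" { print $7; exit }'
}

# has_ad_flag DIG_OUTPUT -> succeeds when the ";; flags:" header carries "ad",
# i.e. the resolver validated the chain root -> com -> example.com.
has_ad_flag() {
    printf '%s\n' "$1" | awk '
        /^;; flags:/ { sub(/^;; flags:/, ""); sub(/;.*/, ""); for (i = 1; i <= NF; i++) if ($i == "ad") found = 1 }
        END { exit !found }'
}

# has_rrsig DIG_OUTPUT -> succeeds when the answer section contains an RRSIG record.
has_rrsig() {
    printf '%s\n' "$1" | awk '$4 == "RRSIG" { found = 1 } END { exit !found }'
}

# verify_zone -> compares serials on NS1/NS2, then asks the resolver with +dnssec.
verify_zone() {
    s1=$(soa_serial "$(dig @"$NS1" "$ZONE" SOA +noall +answer)")
    s2=$(soa_serial "$(dig @"$NS2" "$ZONE" SOA +noall +answer)")
    [ -n "$s1" ] && [ "$s1" = "$s2" ] || {
        echo "serial mismatch: NS1=$s1 NS2=$s2 (zone transfer or notify not working?)" >&2; return 1; }
    out=$(dig @"$RESOLVER" "$ZONE" A +dnssec)
    has_rrsig "$out" || { echo "no RRSIG in answer: zone is not signed" >&2; return 1; }
    has_ad_flag "$out" || {
        echo "no ad flag: DS record at the parent missing or not matching the KSK" >&2; return 1; }
    echo "ok: both servers at serial $s1 and $RESOLVER validates $ZONE"
}

if [ "${1:-}" = run ]; then verify_zone; fi
```

Run it as `sh check.sh run`; a serial mismatch points at the transfer/notify setup between NS1 and NS2, a missing ad flag at the DS record at the domain provider.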

Good to know

Every time you update your zone file you need to re-sign it with

dnssec-signzone -A -3 $(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16) -N INCREMENT -o example.com -t example.com.zone
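
One catch with this command, both here and in the signing step under "Generating keys": -N INCREMENT only adds one to the serial found in the unsigned file, so re-signing an unchanged example.com.zone produces the same signed serial every time and NS2 never transfers the fresh signatures. The helper below is an added example, not part of the original post: it bumps the unsigned serial first (YYYYMMDDNN scheme, as in the guide's 2017060501), signs with the guide's command, checks the result and reloads the zone. It assumes the guide's paths under /var/named and that rndc is set up for the local named.

```shell
#!/bin/sh
# Re-sign helper for the zone in this guide (added example, not the post's own code).
# Assumes /var/named/example.com.zone with a YYYYMMDDNN serial and keys already in /var/named.

ZONE=${ZONE:-example.com}
ZONEDIR=${ZONEDIR:-/var/named}

# next_serial CURRENT TODAY -> next YYYYMMDDNN serial, always strictly greater than
# CURRENT (also when the clock went backwards or the two-digit counter is used up).
next_serial() {
    cur=$1; today=$2
    case $cur in
        "$today"*) echo $((cur + 1)) ;;
        *) if [ "$cur" -ge "${today}01" ]; then echo $((cur + 1)); else echo "${today}01"; fi ;;
    esac
}

# bump_serial FILE TODAY -> rewrites the value on the ";Serial" line of FILE, prints it.
bump_serial() {
    file=$1; today=$2
    cur=$(awk '/;Serial/ { print $1; exit }' "$file")
    [ -n "$cur" ] || { echo "no ;Serial line in $file" >&2; return 1; }
    new=$(next_serial "$cur" "$today")
    awk -v old="$cur" -v new="$new" '/;Serial/ && $1 == old { sub(old, new) } { print }' \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    echo "$new"
}

# resign_zone -> bump the unsigned serial, sign (guide's command), check, reload.
resign_zone() {
    cd "$ZONEDIR" || return 1
    bump_serial "$ZONE.zone" "$(date +%Y%m%d)" >/dev/null || return 1
    dnssec-signzone -A -3 "$(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16)" \
        -N INCREMENT -o "$ZONE" -t "$ZONE.zone" || return 1
    named-checkzone "$ZONE" "$ZONE.zone.signed" && rndc reload "$ZONE"
}

if [ "${1:-}" = run ]; then resign_zone; fi
```

Run it as `sh resign.sh run` after every zone edit; the signed serial then rises by two per run (your bump plus -N INCREMENT), which is fine as long as it only ever increases.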

Config files

NS1's /etc/named.conf

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
	#listen-on port 53 { 127.0.0.1; };
	listen-on-v6 port 53 { any; };
	directory 	"/var/named";
	dump-file 	"/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	allow-query     { any; };

	/* 
	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
	 - If you are building a RECURSIVE (caching) DNS server, you need to enable 
	   recursion. 
	 - If your recursive DNS server has a public IP address, you MUST enable access 
	   control to limit queries to your legitimate users. Failing to do so will
	   cause your server to become part of large scale DNS amplification 
	   attacks. Implementing BCP38 within your network would greatly
	   reduce such attack surface 
	*/
	allow-transfer	{ localhost; B.B.B.B; };
	recursion no;

	dnssec-enable yes;
	dnssec-validation yes;
	dnssec-lookaside auto;

	/* Path to ISC DLV key */
	bindkeys-file "/etc/named.iscdlv.key";

	managed-keys-directory "/var/named/dynamic";

	pid-file "/run/named/named.pid";
	session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
	type hint;
	file "named.ca";
};
zone "example.com" IN {
	type master;
	file "example.com.zone.signed";
	allow-transfer     { B.B.B.B; };
	allow-update { none; };
};


include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

NS1's /var/named/example.com.zone

$TTL 1800
@   IN  SOA     ns1.example.com. admin.example.com. (
        2017060501  ;Serial
        3600        ;Refresh
        1800        ;Retry
        604800      ;Expire
        3600       ;Minimum TTL
)
; Specify our two name servers
		IN	NS		ns1.example.com.
		IN	NS		ns2.example.com.
; Map the name servers' hostnames to IPs; replace with the IP addresses of your two servers.
ns1		IN	A		A.A.A.A
ns2		IN	A		B.B.B.B

; Define the hostname -> IP pairs you want to be able to look up
@		IN	A		C.C.C.C
www		IN	A		C.C.C.C
$INCLUDE Kexample.com.+007+27722.key
$INCLUDE Kexample.com.+007+43020.key

NS2's /etc/named.conf

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
	#listen-on port 53 { 127.0.0.1; };
	listen-on-v6 port 53 { any; };
	directory 	"/var/named";
	dump-file 	"/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	allow-query     { any; };

	/* 
	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
	 - If you are building a RECURSIVE (caching) DNS server, you need to enable 
	   recursion. 
	 - If your recursive DNS server has a public IP address, you MUST enable access 
	   control to limit queries to your legitimate users. Failing to do so will
	   cause your server to become part of large scale DNS amplification 
	   attacks. Implementing BCP38 within your network would greatly
	   reduce such attack surface 
	*/
	recursion no;

	dnssec-enable yes;
	dnssec-validation yes;
	dnssec-lookaside auto;

	/* Path to ISC DLV key */
	bindkeys-file "/etc/named.iscdlv.key";

	managed-keys-directory "/var/named/dynamic";

	pid-file "/run/named/named.pid";
	session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
	type hint;
	file "named.ca";
};

zone "example.com" IN {
	type slave;
	masters { A.A.A.A; };
	file "example.com.zone.signed";
	allow-notify { A.A.A.A; };
};


include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

This post is licensed under CC BY 4.0 by the author.