Setting up DNSSEC with NIC/CH (SWITCH)


This document is a summary of an internal document that I cannot publish in full for licensing reasons. It is partly in English.

Technical information

Mostly from Samuel Benz <> on

How to sign your zone

First step: creating DNSKEY(s)

For this simple example we will only use two keys and never change them. This works because only the signatures carry an expiry date; the keys themselves do not. It is not what you want in production, though: see the conclusion on key rollovers.

KSK: $ dnssec-keygen -f KSK -n ZONE -a RSASHA1 -b 1024
ZSK: $ dnssec-keygen -n ZONE -a RSASHA1 -b 1024

The KSK is the key signing key, the ZSK the zone signing key; the last argument of dnssec-keygen is the name of the zone. RSASHA1 with 1024-bit keys was the usual choice when this was written (2011); RFC 8624 now lists RSASHA1 as not recommended for signing, so for a new deployment pick RSASHA256 (algorithm 8, 2048-bit keys) or ECDSAP256SHA256 (algorithm 13). If the commands appear to hang, /dev/random does not have enough entropy (check cat /proc/sys/kernel/random/entropy_avail) and you need to create some, e.g. by starting programs, compiling, exchanging network packets etc. Or just generate the keys on a busy workstation, not on a mostly idle DNS server.

Of course, it would be good policy not to create and store the private keys (.private) on a publicly accessible server!

These two commands will create 4 files (a .key and a .private file per key). You only need the .key files on your DNS server (e.g. in /etc/bind/DNSSEC-PUBKEYS).

You can now include the public keys in your zone file by appending one $INCLUDE line per key file to it (ZONEFILE stands for your unsigned zone file):

for i in /etc/bind/DNSSEC-PUBKEYS/*.key; do echo "\$INCLUDE $i"; done >> ZONEFILE

Second step: Sign the zone

Sign your zone with this command (-o takes the zone origin and is followed by the zone file name):

$ dnssec-signzone -o

Verifying the zone using the following algorithms: RSASHA1.
Zone signing complete:
Algorithm: RSASHA1: ZSKs: 1, KSKs: 1 active, 0 revoked, 0 stand-by

This will create a new file called teleinf.signed (the input file name with .signed appended). All keys, including the .private files, have to be on the file system for this step, so obviously you should do it on a trusted system. The DNSKEY RRset is now signed with both keys; the rest of the zone only with the ZSK.

Finally, change your BIND configuration so that the zone's file statement points to teleinf.signed, and you are done.

IMPORTANT: re-sign your zone at least every week to renew the signatures! dnssec-signzone signs for 30 days by default, so a weekly job leaves three weeks of margin if one run fails; once the signatures expire, validating resolvers answer SERVFAIL for your whole zone.

NOTE: you can specify a signature expiry date with -e (and a start date with -s)!

Third step: Enable the secure delegation

Generate the DS records from the KSK (the KSK signs the DNSKEY RRset, which contains the ZSK; the ZSK signs the rest of the zone). dnssec-dsfromkey takes the KSK's .key file as its argument:

$ dnssec-dsfromkey

This will show you something like (the owner name precedes IN):

IN DS 589 5 1 D8BE42B35372A8515396D343081CF37505E15FAB
IN DS 589 5 2 4879EF66A5A101E3CEEF47DB17F10F240AC4F4981CE891C98163CE95 B2E7BE2B

The fields are the key tag (589), the DNSKEY algorithm (5 = RSASHA1) and the digest type (1 = SHA-1, 2 = SHA-256), followed by the digest; whitespace inside the hex digest is allowed in the presentation format.

Upload this information to your parent (at NIC/CH, use the web GUI for the domain: it also lets you pre-test your DNS and shows you the above information, which you should double-check before activating). Prefer the SHA-256 digest. Once the DS is published the delegation is secure, which also means that any mistake in your zone (wrong key, expired signatures) makes it unresolvable for validating resolvers.

Testing manually

The ad flag in the answer tells you that the resolver validated it (if you query a resolver that does not validate, the flag will not be set). Only trust the flag from a resolver on localhost or reached over a protected path: it is just a bit in an unauthenticated UDP answer, so anyone between you and the resolver can set it. In the example below the query asked for an A record at the zone apex; the answer is NOERROR with zero answers (NODATA), and the authority section carries the SOA, the NSEC record whose type bitmap (NS SOA RRSIG NSEC DNSKEY) proves that no A record exists at that name, and the RRSIGs over both.

schaefer@reliant:~$ dig +dnssec

; <<>> DiG 9.4.2-P2.1 <<>> +dnssec
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25125
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

; EDNS: version: 0, flags: do; udp: 4096
;                    IN      A

;; AUTHORITY SECTION:
             10800   IN      SOA     localhost. root.localhost. 2011011202 14400 14400 86400 86400
             10800   IN      RRSIG   SOA 5 2 14400 20110213090358 20110114090358 38883 PpY+M/vDYDd6Dr7alTEp22yHNIqdtC4oZ5Wlme8dRfRLMit+cj2XGsyc uZRPczE5t163Vyu1XuUEE4coapN3ID4P8HNTY/MtX5bZkyuQwvHWoW5a 5C9UPTSAjcXZwOX3VuyLRckemf7Zs4xmFxNeMolbeFSDJnWXj1Ap85MU 18I=
             10800   IN      RRSIG   NSEC 5 2 86400 20110213090358 20110114090358 38883 MdeWUz4rmJGHuZ8eEPl9xohlyiLMWGgUVE5jGL8bO7YIsNl40Y2D2DCD aC19NpUoEcgFhZIzMWHDAaz4F7QTG731z4wyQqQZ0NdSTOFUweDa1ogu u2cLsbaUo4ekodzfy7r1UVbsTpMtRz5Bre8r8PY1wCuBIZC+DB7fwvax qgQ=
             10800   IN      NSEC    NS SOA RRSIG NSEC DNSKEY

;; Query time: 398 msec
;; WHEN: Thu Jan 20 10:30:08 2011
;; MSG SIZE  rcvd: 465
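As an added example (not part of the original page, and not a SWITCH or ISC tool), the following Python script reads the text output of dig +dnssec, as shown above, and answers the two questions a DNSSEC operator keeps asking: did the resolver set the ad flag (and did we even send the do bit), and how long before the RRSIGs expire, which is how you check from the outside that the weekly re-signing job of step 2 is really running. The sample input is the dig output above, with the owner and signer names that are missing from this page replaced by the placeholder name example. and the base64 signature bodies shortened; the function names are this example's own. RRSIG times are UTC in YYYYMMDDHHmmSS form (RFC 4034).

```python
import re
from datetime import datetime, timezone

# Constructed sample: the dig output from this page, with the owner and
# signer names (absent from the page) replaced by the placeholder
# "example." and the base64 signature bodies shortened to "...".
SAMPLE_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25125
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
;example.                    IN      A

;; AUTHORITY SECTION:
example.  10800  IN  SOA    localhost. root.localhost. 2011011202 14400 14400 86400 86400
example.  10800  IN  RRSIG  SOA 5 2 14400 20110213090358 20110114090358 38883 example. PpY+...18I=
example.  10800  IN  RRSIG  NSEC 5 2 86400 20110213090358 20110114090358 38883 example. MdeW...qgQ=
example.  10800  IN  NSEC   example. NS SOA RRSIG NSEC DNSKEY
"""

# RRSIG presentation format (RFC 4034 section 3.2):
#   type-covered alg labels orig-ttl expiration inception key-tag signer signature
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+(?P<alg>\d+)\s+\d+\s+\d+\s+"
    r"(?P<expiration>\d{14})\s+(?P<inception>\d{14})\s+(?P<keytag>\d+)\s+(?P<signer>\S+)",
    re.MULTILINE,
)
HEADER_FLAGS_RE = re.compile(r"^;; flags: ([^;]*);", re.MULTILINE)
EDNS_FLAGS_RE = re.compile(r"^; EDNS: version: \d+, flags: ([^;]*);", re.MULTILINE)


def utc(year, month, day, hour=0, minute=0, second=0):
    """Convenience constructor for an aware UTC timestamp (the reference 'now')."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def sigtime(yyyymmddhhmmss):
    """RRSIG inception/expiration are UTC, written as YYYYMMDDHHmmSS."""
    return datetime.strptime(yyyymmddhhmmss, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def _flags(regex, dig_output):
    m = regex.search(dig_output)
    return set(m.group(1).split()) if m else set()


def analyse(dig_output, now, warn_days=7):
    """Summarise validation status and signature lifetime of a dig +dnssec answer.

    warn_days: re-signing interval you expect (the page recommends weekly);
    if the earliest RRSIG expires sooner than that, the signing job is late.
    """
    header = _flags(HEADER_FLAGS_RE, dig_output)
    edns = _flags(EDNS_FLAGS_RE, dig_output)
    rrsigs = []
    for m in RRSIG_RE.finditer(dig_output):
        inception, expiration = sigtime(m["inception"]), sigtime(m["expiration"])
        rrsigs.append({
            "owner": m["owner"],
            "covered": m["covered"],
            "keytag": int(m["keytag"]),
            "inception": inception,
            "expiration": expiration,
            # Outside this window a validating resolver answers SERVFAIL.
            "valid_now": inception <= now <= expiration,
        })
    earliest = min((s["expiration"] for s in rrsigs), default=None)
    days_left = (earliest - now).days if earliest is not None else None
    return {
        "validated": "ad" in header,   # ad: the resolver validated the answer
        "do_bit": "do" in edns,        # do: we asked for DNSSEC records at all
        "rrsigs": rrsigs,
        "earliest_expiry": earliest,
        "days_left": days_left,        # negative once the signatures have expired
        "resign_now": earliest is not None and days_left < warn_days,
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_DIG, utc(2011, 1, 20, 10, 30, 8))  # the dig's own WHEN line
    print("validated:", report["validated"], "do:", report["do_bit"])
    for sig in report["rrsigs"]:
        print(f"RRSIG {sig['covered']:5} keytag {sig['keytag']} expires {sig['expiration']:%Y-%m-%d %H:%M}")
    print("days left:", report["days_left"], "re-sign now:", report["resign_now"])
```

Run it against real dig output (dig +dnssec @your-resolver your-zone SOA) from cron and alert on resign_now; the valid_now field also catches the opposite failure, a signer whose clock is ahead and produces signatures that are not yet valid.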

Conclusion (and work to do!)

This setup should fit your needs for the first steps with DNSSEC. The complicated part of running DNSSEC in a production environment is the periodic change of your keys (key rollovers). A good overview of the rollover schemes that exist is RFC 4641 (since replaced by RFC 6781).

How to use DNSSEC

Signing your zone and publishing the public key through NIC/CH is not enough: you also need to enforce validation on your company's caching name servers, i.e. the resolvers your clients actually use. This may create problems with badly maintained servers (a broken or expired signature suddenly makes a domain unresolvable). Therefore, at the time of writing (2011), it is not recommended in production!

If you don't, you could use third-party validating DNS servers, with some security risk: the path between your clients and that resolver is unprotected, so the ad bit can be forged on the wire.

To test, you can use that server:
  • (recursive) (e.g. dig +dnssec you should see the "ad" bit)

To configure BIND9, enable:

options {
     dnssec-enable yes;
     dnssec-validation yes;
};

and provide the public key of the DNS root (".") (you can verify its GPG, SSL or other signatures at:

// BIND 9.7 allows automatic updating (RFC-5011)
//managed-keys {
//  "." initial-key 257 3 8
//    "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
//     FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
//     bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
//     X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
//     W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
//     Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
//     QxA+Uk1ihz0=";
//};

// BIND 9.6.2
// manual update required
trusted-keys {
  "." 257 3 8

(the entry continues with the same quoted key string as in the managed-keys block above and is closed with };). Whichever form you use, be aware that the key shown on this page is the root KSK of 2010 (key tag 19036); it was replaced by KSK-2017 (key tag 20326) in October 2018, so a static trusted-keys entry with this key no longer validates anything. managed-keys follows such a roll automatically via RFC 5011, and later BIND versions ship a built-in root trust anchor enabled with dnssec-validation auto;, which is the right choice today.

and possibly more "trusted keys" (from a DNSSEC Lookaside Validation registry, DLV), which will soon be obsolete. Indeed, ISC's DLV registry was emptied in 2017 and dnssec-lookaside has since been deprecated and removed from BIND, so the following is of historical interest only:

trusted-keys {
    // something in the form:
    // 257 3 5 "BEA[...]uDB";
    // get it from dig +dnssec dnskey
    // could be a good idea to verify those, and maybe to add your own keys even if signed already.
};
options {
     dnssec-lookaside . trust-anchor;
};
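The key tag and DS digests that dnssec-dsfromkey prints in step 3 (the "589 5 1" and "589 5 2" records above) are cheap to recompute by hand, and the very same computation lets you check a trust anchor you are about to paste into trusted-keys or managed-keys against the DS record published for it. The following Python is an added example, not part of the original page nor of BIND. It uses the root KSK from the managed-keys block above (KSK-2010, key tag 19036) and the SHA-256 DS digest IANA published for that key, both public record; this key has been replaced by KSK-2017 (key tag 20326) since October 2018 and appears here only because it is the key shown on this page. The function names are this example's own.

```python
import base64
import hashlib
import struct

# Root KSK as pasted in the managed-keys block above (KSK-2010, key tag 19036).
# Replaced by KSK-2017 (key tag 20326) in October 2018; used here only because
# it is the key this page shows.
ROOT_KSK_2010 = (
    "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF"
    "FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX"
    "bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD"
    "X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz"
    "W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS"
    "Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq"
    "QxA+Uk1ihz0="
)
# SHA-256 DS digest IANA published for that key: ". IN DS 19036 8 2 <this>".
ROOT_DS_2010_SHA256 = "49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5"

DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}  # RFC 4034 s5.1.3, RFC 4509


def name_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 s6.2): lower-case labels,
    each length-prefixed, terminated by the empty root label."""
    out = bytearray()
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return bytes(out) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: 16-bit flags, protocol (always 3), algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag of a DNSKEY RDATA, RFC 4034 Appendix B (every algorithm but RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_records(owner, flags, protocol, algorithm, pubkey_b64, digest_types=(1, 2)):
    """DS records for a DNSKEY, in the form dnssec-dsfromkey prints them.

    digest = H(canonical owner name in wire form || DNSKEY RDATA)  (RFC 4034 s5.1.4)
    """
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    tag = key_tag(rdata)
    wire_name = name_to_wire(owner)
    return [
        f"{owner} IN DS {tag} {algorithm} {dt} "
        f"{DIGEST_TYPES[dt](wire_name + rdata).hexdigest().upper()}"
        for dt in digest_types
    ]


def trust_anchor_matches(owner, flags, protocol, algorithm, pubkey_b64, published_sha256):
    """True if the DNSKEY you are about to paste into named.conf reproduces an
    independently published SHA-256 DS digest (whitespace in the hex is ignored)."""
    expected = published_sha256.replace(" ", "").upper()
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper() == expected


if __name__ == "__main__":
    for rr in ds_records(".", 257, 3, 8, ROOT_KSK_2010):
        print(rr)
    print("matches published DS:",
          trust_anchor_matches(".", 257, 3, 8, ROOT_KSK_2010, ROOT_DS_2010_SHA256))
```

For your own zone, pass the zone name and the four fields of the DNSKEY line in the KSK's .key file; the owner name is part of the digest, so a DS computed under the wrong name (or with the flags of a ZSK, 256) will never match what the parent expects, which is exactly the check to make before clicking "activate" in the NIC/CH GUI.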


Standard software

BIND: DNSSEC since 9.3, NSEC3 since 9.6.

Other software (non-BIND)

A version number or year in a cell is the release the author lists as adding that support (status as of 2011).

| Product  | Organisation        | DNSSEC         | NSEC3 |
| Unbound  | NLnetLabs           | yes            | yes   |
| NSD      | NLnetLabs           | yes            | yes   |
| MS DNS   | Microsoft           | Server 2008 R2 | ?     |
| PowerDNS | Bert Hubert         | 2.9.21         | no    |
| Djbdns   | Daniel J. Bernstein | no             | no    |
| ANS      | Nominum             | yes            | 2010  |
| CNS      | Nominum             | yes            | ?     |

Other tools

Most name servers ship with their own tools to sign zones. If you look for more general ways, have a look at:

Negative testing

The zone contains handy test records.

schaefer@reliant:~$ host has address

schaefer@reliant:~$ host
Using domain server:

Host not found: 2(SERVFAIL)

A validating resolver answers SERVFAIL for a record whose signature does not validate (host reports it as "2(SERVFAIL)"), whereas a non-validating resolver happily returns the address, so the two runs above only differ when validation is really on. And don't forget to do positive testing too:

schaefer@reliant:~$ host

In the above, once you have set up your own validating DNS server, you obviously need to replace the server used with localhost or the name / IP address of your validating DNS server.

Firefox plugins

And last but not least, a simple way to show your (hidden) work on DNSSEC to your colleagues:


-- MarcSCHAEFER - 20 Jan 2011
Topic revision: r2 - 24 Jun 2011, MarcSCHAEFER
