January 30, 2009

DNSSEC Howto

Just a memo, already modified.


DNSSEC
https://www.isc.org/solutions/dlv
http://alan.clegg.com/files/DNSSEC_in_6_minutes.pdf
http://www.nlnetlabs.nl/dnssec_howto/#part.dnssec
Domain Name System Security Extensions (DNSSEC): the DNS with digital-signature validation
http://www.ietf.org/rfc/rfc4431.txt?number=4431 (RFC 4431, the DLV resource record used by ISC's lookaside registry below)
http://blog.chinaunix.net/u2/70435/showart_716278.html


# back up all config files (named.conf, zone files) before starting


cd /etc/namedb/DNSSEC
# ZSK (Zone Signing Key): 1024-bit, rolled about every 3 months
dnssec-keygen -r/dev/random -a RSASHA1 -b 1024 -n ZONE _domain_to_config_.com.tw
# KSK (Key Signing Key): 4096-bit, marked SEP by -f KSK, rolled about once a year
dnssec-keygen -r/dev/random -a RSASHA1 -b 4096 -n ZONE -f KSK _domain_to_config_.com.tw
# each run writes K<zone>.+005+<keytag>.key (the public DNSKEY RR) and .private;
# "005" is algorithm 5 = RSASHA1, standard in 2009 but no longer recommended for
# signing; on current BIND use RSASHA256 (8) or ECDSAP256SHA256 (13) instead

# add the public keys to the zone file ($include is zone-file syntax; the
# relative paths work because dnssec-signzone is run from the DNSSEC directory)
vi ../master/_domain_to_config_.com.tw.hosts
#$include ../DNSSEC/K_domain_to_config_.com.tw.+005+32880.key
#$include ../DNSSEC/K_domain_to_config_.com.tw.+005+28678.key
# bump the zone serial (or let -N INCREMENT below do it in the signed copy)

# sign: -o is the origin, -k the KSK, then the zone file and the ZSK key file;
# -N INCREMENT bumps the SOA serial; output is ../master/_domain_to_config_.com.tw.hosts.signed
dnssec-signzone -N INCREMENT -o _domain_to_config_.com.tw -k K_domain_to_config_.com.tw.+005+28678.key ../master/_domain_to_config_.com.tw.hosts K_domain_to_config_.com.tw.+005+32880.key


#sh
# wrap the KSK in a trusted-keys statement so this named can validate the zone locally
{ echo 'trusted-keys {'; cat "K_domain_to_config_.com.tw.+005+28678.key"; echo '};'; } > trusted-keys
#vi trusted-keys
# the .key file holds a DNSKEY RR ("<zone>. IN DNSKEY 257 3 5 <base64>"), but the
# trusted-keys syntax has no "IN DNSKEY" and quotes the key, so edit the line into
# this form ("~" stands for the base64 key material):
#_domain_to_config_.com.tw. 257 3 5 "~";
# only the KSK (flags 257) is pinned; a pinned anchor has to be replaced by hand at every KSK rollover

# DLV (lookaside validation) lets resolvers validate a zone whose parent (.com.tw here)
# is not signed; ISC ran the dlv.isc.org registry in 2009 and retired it in 2017, so
# this part is historical: today the parent publishes a DS record instead
wget http://ftp.isc.org/www/dlv/dlv.isc.org.key http://ftp.isc.org/www/dlv/dlv.isc.org.named.conf


vi ../named.conf
# in the zone statement, serve the signed copy instead of the plain zone file:
# file "master/_domain_to_config_.com.tw.hosts.signed";

# in options: dnssec-enable yes; dnssec-validation yes; dnssec-lookaside "." trust-anchor "dlv.isc.org.";
# (dnssec-lookaside and dnssec-enable have since been removed from BIND 9; on current
# releases only dnssec-validation applies)
# in logging: a channel dnssec_log for category dnssec, to watch validation
# at top level, the DLV trust anchor from ISC and the local one:
#include "DNSSEC/dlv.isc.org.named.conf";
#include "DNSSEC/trusted-keys";

# reload or restart named (rndc reload, or restart the service)


# test: the DNSKEY query should return both the ZSK (256) and the KSK (257);
# with +dnssec the A answer should carry an RRSIG, and +multiline wraps long records
dig _domain_to_config_.com.tw DNSKEY
dig _domain_to_config_.com.tw A +dnssec +multiline +retry=1



# re-sign with -l dlv.isc.org. so dnssec-signzone also writes the file
# dlvset-_domain_to_config_.com.tw., the DLV record set to submit to the registry
dnssec-signzone -N INCREMENT -l dlv.isc.org. -o _domain_to_config_.com.tw -k K_domain_to_config_.com.tw.+005+28678.key ../master/_domain_to_config_.com.tw.hosts K_domain_to_config_.com.tw.+005+32880.key
# reload named

# send "dlvset-_domain_to_config_.com.tw." to dlv-registry@isc.org (registry closed in 2017)

# add the "dlv IN A" record listed in the reply mail to the zone, re-sign, reload

# test and watch the dnssec log channel
# http://www.networksorcery.com/enp/protocol/dns.htm
# https://lists.isc.org/pipermail/bind-users/2009-January/074760.html
# https://www.dns-oarc.net/oarc/services/odvr (DNS-OARC open DNSSEC validating resolvers)
dig +dnssec @149.20.64.20 _domain_to_config_.com.tw
# a validating resolver sets "ad" in the ";; flags:" line of the reply header
# OK. We get the AD bit set.
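The trusted-keys step above edits the DNSKEY line by hand, and the final test reads the AD bit off the dig header by eye. The script below is an added example, not part of the original memo: it converts the .key files that dnssec-keygen writes into a trusted-keys statement (pinning only the 257/KSK, and coping with the optional TTL field newer versions print) and checks a dig reply for the ad flag. The zone name example.com.tw, the key tags and the base64 key material are constructed placeholders.

```shell
#!/bin/sh
# Added example for the DNSSEC memo (not the memo's own code).
# Turns dnssec-keygen .key files into a named.conf trusted-keys statement
# and checks a dig reply header for the AD bit. All key material is constructed.

# Write two constructed key files into directory $1: a KSK (flags 257) and a
# ZSK (flags 256). Zone name, key tags and base64 are placeholders, not real keys.
make_sample_keys() {
    cat > "$1/Kexample.com.tw.+005+28678.key" <<'EOF'
; This is a key-signing key, keyid 28678, for example.com.tw.
example.com.tw. IN DNSKEY 257 3 5 AwEAAcKSKplaceholderKEYmaterial00000000000000000000000000
EOF
    # newer dnssec-keygen versions may also print a TTL before "IN"; handled below
    cat > "$1/Kexample.com.tw.+005+32880.key" <<'EOF'
; This is a zone-signing key, keyid 32880, for example.com.tw.
example.com.tw. 3600 IN DNSKEY 256 3 5 AwEAAcZSKplaceholderKEYmaterial00000000000000000000000000
EOF
}

# Emit a trusted-keys statement from one or more .key files.
# Only SEP keys (flags 257) are pinned: a ZSK is rolled far too often to be an anchor.
# The .key file holds a DNSKEY RR; trusted-keys wants: name flags proto alg "base64";
dnskey_to_trusted_keys() {
    echo 'trusted-keys {'
    cat "$@" | awk '
        /^;/ || /^[[:space:]]*$/ { next }         # skip keygen comments and blank lines
        {
            d = 0
            for (i = 1; i <= NF; i++) if ($i == "DNSKEY") { d = i; break }
            if (d == 0 || $(d + 1) != 257) next   # not a DNSKEY record, or not a KSK
            key = ""
            for (i = d + 4; i <= NF; i++) key = key $i   # base64 may be space-split
            printf("    %s %s %s %s \"%s\";\n", $1, $(d + 1), $(d + 2), $(d + 3), key)
        }'
    echo '};'
}

# Return 0 if the dig output on stdin carries the AD flag, i.e. the resolver
# validated the answer. Matches only the ";; flags:" header line, so the
# letters "ad" inside a name or key cannot produce a false positive.
ad_bit_set() {
    grep -Eq '^;; flags:( [a-z]{2})* ad( [a-z]{2})*;'
}

# Usage from /etc/namedb/DNSSEC (replaces the cat-and-edit step of the memo):
#   dnskey_to_trusted_keys K*.key > trusted-keys
#   dig +dnssec @149.20.64.20 example.com.tw | ad_bit_set && echo validated
```

The converter keys off the literal DNSKEY token rather than a fixed field position, so it accepts both the 2009-era `name IN DNSKEY ...` line and the `name TTL IN DNSKEY ...` form, and it silently drops the ZSK so that a trust anchor is never tied to a key that rolls every few months.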



# next step: key rollover (ZSK and KSK), http://www.nlnetlabs.nl/dnssec_howto/#x1-340004