24 February 2010

DNSSEC HOWTO implementation (actual configuration)

DNSSEC keys tester & roller

DNSSEC key rolling tool



location:

http://lyrics.meicho.com.tw/program/DNSSEC/rolling_keys.zip

HISTORY:

2009/10/24 11:3:18-28 0:0:26 main program by kanashimi

2010/2/24 11:00:29 released

Description:

DNSSEC has been getting more and more attention lately, and I was surprised to find that my earlier article listing the implementation steps ranks in the top three Google results for Chinese pages on "DNSSEC Howto". To make things more convenient for everyone, I wrote this small tool.

This tool automatically detects and rolls the ZSK key. Its preconditions: you have already set up DNSSEC yourself and are familiar with how it works, you use bind9, and the zone has only a single ZSK key.



** Please note carefully:

1. Because it is only suited to my own machine, be very careful when using it! Although this program is called a tool, the more appropriate use is to study how the code does the configuration and then carry out the steps by hand yourself. Of course, if you are willing to test it and offer some suggestions, that will help more people...

2. Before use, initialize the settings in the user config section.



Please post any suggestions in the following forum:

https://meicho.com.tw/phpBB3/viewforum.php?f=9



main site:

http://lyrics.meicho.com.tw/

TODO:

initial DNSSEC

roll KSK

get zone file from named config file

old DNSSEC notes:



https://www.isc.org/solutions/dlv

http://alan.clegg.com/files/DNSSEC_in_6_minutes.pdf

http://www.nlnetlabs.nl/dnssec_howto/#part.dnssec

The DNS security protocol with digital-signature verification (Domain Name System SECurity, DNSSEC)

http://www.ietf.org/rfc/rfc4431.txt?number=4431

http://blog.chinaunix.net/u2/70435/showart_716278.html

# backup all config

cd /etc/namedb/DNSSEC



# KSK (Key Signing Key) should be rolled once a year

dnssec-keygen -r/dev/random -a RSASHA1 -b 4096 -n ZONE -f KSK _domain_name_

K_domain_name_.+005+22222



# ZSK (Zone Signing Key) should be rolled every 3 months

dnssec-keygen -r/dev/random -a RSASHA1 -b 1024 -n ZONE _domain_name_

K_domain_name_.+005+11111

# add key

vi ../master/_domain_name_.hosts

#$include ../DNSSEC/K_domain_name_.+005+11111.key

#$include ../DNSSEC/K_domain_name_.+005+22222.key

#.. and others

# change zone serial



dnssec-signzone -N INCREMENT -o _domain_name_ -k K_domain_name_.+005+22222.key ../master/_domain_name_.hosts K_domain_name_.+005+11111.key

wget --no-check-certificate https://www.dns-oarc.net/files/odvr/configs/bind/trusted-keys.conf

mv -f trusted-keys.conf trusted-keys

## another way:

#sh

{ echo 'trusted-keys {'; cat "K_domain_name_.+005+22222.key"; echo '};'; } > trusted-keys



#vi trusted-keys

#_domain_name_. 257 3 5 "~";



wget http://ftp.isc.org/www/dlv/dlv.isc.org.key http://ftp.isc.org/www/dlv/dlv.isc.org.named.conf

vi ../named.conf

# modify file at zone section

# file "master/_domain_name_.hosts.signed";



# dnssec-enable yes; dnssec-validation yes; dnssec-lookaside "." trust-anchor "dlv.isc.org.";

# channel dnssec_log

#include "DNSSEC/dlv.isc.org.named.conf";

#include "DNSSEC/trusted-keys";



# restart bind

# /usr/sbin/named -u bind -t /var/named -c /etc/namedb/named.conf



# copy config files

#/bin/cp -prif /var/named/var/log/named/* /var/log/named/bak/

/bin/cp -prif /etc/namedb /var/named/etc/ && /usr/sbin/named-checkconf && /usr/sbin/rndc reload



#tail /var/named/var/log/named/bind.log



# test

dig _domain_name_ DNSKEY

dig _domain_name_ A +dnssec +multiline +retry=1



# for error: the working directory is not writable

#chmod g+w /var/named/etc/namedb

#..useless

dnssec-signzone -N INCREMENT -l dlv.isc.org. -o _domain_name_ -k K_domain_name_.+005+22222.key ../master/_domain_name_.hosts K_domain_name_.+005+11111.key

# restart bind



# send "dlvset-_domain_name_." to dlv-registry@isc.org



# add the "dlv IN A" record listed in the mail



# test & see log

# http://www.networksorcery.com/enp/protocol/dns.htm

tail -f /var/named/var/log/named/bind_dnssec.log

# https://lists.isc.org/pipermail/bind-users/2009-January/074760.html

# Authoritative servers will never set the AD bit for their own zones.

# https://www.dns-oarc.net/oarc/services/odvr

dig +dnssec @149.20.64.20 _domain_name_

# OK. We get the AD bit set.



dig +dnssec @149.20.64.20 www._domain_name_

# wait 3 min.

dig +dnssec @149.20.64.20 www._domain_name_

# OK. We get the AD bit set.

# after: Rolling keys

# http://www.nlnetlabs.nl/publications/dnssec_howto/index.html#x1-490005.5



# backup all config

# ZSK (Zone Signing Key) should be rolled every 3 months

dnssec-keygen -a RSASHA1 -b 1024 -n ZONE _domain_name_

K_domain_name_.+005+33333



# add key

vi ../master/_domain_name_.hosts

#$include ../DNSSEC/K_domain_name_.+005+33333.key

#.. and others

# comment old ZSK

# change zone serial



# -N INCREMENT automatically increments the serial number during signing. Removes “human error factor”

dnssec-signzone -N INCREMENT -o _domain_name_ -k K_domain_name_.+005+22222.key ../master/_domain_name_.hosts K_domain_name_.+005+33333.key

# copy config files

/bin/cp -prif /etc/namedb /var/named/etc/ && /usr/sbin/named-checkconf && /usr/sbin/rndc reload

# login https://dlv.isc.org/ and check it
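The ZSK roll described in these notes, as an added Python example that is not the rolling_keys tool's own code: it classifies K*.key files by their DNSKEY flags (257 = KSK, 256 = ZSK), finds which keys the zone file currently $includes, comments out the old ZSK include and adds the new one, and builds the dnssec-signzone command used above. The key contents and zone text are constructed samples; the stems, zone name and paths mirror the placeholders in the notes, and running dnssec-signzone, named-checkconf and rndc reload is left to the operator.

```python
import re
from pathlib import Path
# Key file stem as written by dnssec-keygen: K<zone>.+<alg>+<keytag>, e.g. K_domain_name_.+005+11111
STEM_RE = re.compile(r"^K(?P<zone>.+)\.\+(?P<alg>\d{3})\+(?P<tag>\d{5})$")
INCLUDE_RE = re.compile(r"^\s*\$include\s+(?P<path>\S+)", re.IGNORECASE)
# Constructed sample data standing in for ../DNSSEC/K*.key and ../master/_domain_name_.hosts;
# a real run would build the dict as {p.stem: p.read_text() for p in Path(keydir).glob("K*.key")}
SAMPLE_KEYS = {
    "K_domain_name_.+005+22222": "_domain_name_. IN DNSKEY 257 3 5 AwEAAcOnStRuCtEdKsK==\n",
    "K_domain_name_.+005+11111": "; old ZSK\n_domain_name_. IN DNSKEY 256 3 5 AwEAAcOnStRuCtEdZsK==\n",
    "K_domain_name_.+005+33333": "; new ZSK\n_domain_name_. IN DNSKEY 256 3 5 AwEAAnEwZsK==\n",
}
SAMPLE_ZONE = ("$TTL 3600\n@ IN SOA ns1 hostmaster 2010022401 3600 900 604800 3600\n"
               "$include ../DNSSEC/K_domain_name_.+005+11111.key\n$include ../DNSSEC/K_domain_name_.+005+22222.key\n")
def key_role(key_text):
    """Classify a .key file by its DNSKEY flags: 257 (SEP bit set) is the KSK, 256 is the ZSK."""
    for line in key_text.splitlines():
        fields = line.split()
        if fields and not line.startswith(";") and "DNSKEY" in fields:
            flags = int(fields[fields.index("DNSKEY") + 1])
            return "KSK" if flags & 1 else "ZSK"
    raise ValueError("no DNSKEY record in key file")
def active_keys(zone_text, keys):
    """Role -> stem for each uncommented $include of a known key file; the notes assume one key per role."""
    roles = {}
    for line in zone_text.splitlines():
        m = INCLUDE_RE.match(line)
        stem = Path(m["path"]).stem if m else ""
        if STEM_RE.match(stem) and stem in keys:
            role = key_role(keys[stem])
            if role in roles:
                raise ValueError(f"more than one active {role}: this roll only handles a single ZSK")
            roles[role] = stem
    return roles

def roll_zsk(zone_text, old_stem, new_stem, include_dir="../DNSSEC"):
    """Comment out the old ZSK's $include (zone-file comments start with ';') and add the new ZSK's."""
    out = []
    for line in zone_text.splitlines():
        m = INCLUDE_RE.match(line)
        if m and Path(m["path"]).stem == old_stem:
            out.append(";" + line)
            out.append(f"$include {include_dir}/{new_stem}.key")
        else:
            out.append(line)
    return "\n".join(out) + "\n"
def signzone_argv(zone, zonefile, ksk_stem, zsk_stem):
    """The dnssec-signzone call from the notes: -N INCREMENT bumps the serial, -k names the KSK, ZSK last."""
    return ["dnssec-signzone", "-N", "INCREMENT", "-o", zone, "-k", f"{ksk_stem}.key", zonefile, f"{zsk_stem}.key"]
```

After writing the rolled zone text back to the .hosts file, run the returned dnssec-signzone argv, then named-checkconf and rndc reload as in the notes.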