DNSSEC Complete Howto – Name Server Setup

Since we are moving to new name servers, this part walks through setting up a master (ns1.1metric.com) and a slave (ns2.1metric.com). If you are implementing DNSSEC on name servers you already have, most of these steps can be skipped; just skim through to make sure your existing name servers are set up to support DNSSEC.

We are setting up our domain 1metric.com as a test; it is only used to redirect to our main website onemetric.com.au. I strongly recommend you use a test domain, or a domain that is not used for anything else, before you go live. We are implementing this on CentOS 6 servers; if you are using a different distribution you may need to use apt-get instead of yum, and some of the config files may be in different places.

Install Bind

  1. On both servers, install bind and the other required packages
    [root@ns1 ~]# yum install bind bind-utils
    
  2. Next start Bind.
    [root@web1 ~]# /etc/init.d/named start
    Generating /etc/rndc.key:                                  [  OK  ]
    Starting named:                                            [  OK  ]
    
  3. Finally, enable named to start on boot
    [root@web1 ~]# chkconfig named on
    

Setting up the master

Now we need to set up the master name server (ns1.1metric.com, 119.63.201.6).

  1. Create a zone file for 1metric.com
    [root@ns1 ~]# vim /var/named/1metric.com
    
  2. Our zone file is pretty simple: the SOA, a couple of NS records, A records for the web server and A records for the name servers
    $TTL 86400
    ; SOA: the primary master, the contact address (the first dot stands for @),
    ; then serial (YYYYMMDDnn, bump it on every change), refresh, retry, expire
    ; and negative-cache TTL, all in seconds
    @ IN SOA ns1.1metric.com. peter.onemetric.com.au. (
            2013050801      ; serial
            21600           ; refresh
            3600            ; retry
            604800          ; expire
            86400           ; negative-cache TTL
    )
    
            IN     NS     ns1.1metric.com.
            IN     NS     ns2.1metric.com.
    
    ; the apex and anything under it point at the web server
            IN      A       119.63.201.6
    *       IN      A       119.63.201.6
    
    ; the name servers themselves (the registrar glue records must match these)
    ns1     IN      A       119.63.201.6
    ns2     IN      A       119.63.201.2
    
  3. Next we need to edit our named.conf file
    [root@ns1 ~]# vim /etc/named.conf
    
  4. Next we add the configuration for our zone (replace 119.63.201.2 with the IP address of your secondary name server). allow-transfer is the only access control on the zone contents, so list just the secondary; the CentOS default is to allow transfers to anyone.
    zone "1metric.com" {
            type master;
            allow-transfer { 119.63.201.2; };   // only the secondary may pull the zone
            also-notify { 119.63.201.2; };      // tell it straight away when the serial changes
            file "/var/named/1metric.com";
    };
    
  5. Next, configure bind to answer queries from everyone and disable recursive lookups.
    Remove the following lines

    listen-on port 53 { 127.0.0.1; };
    listen-on-v6 port 53 { ::1; };
    

    Ensure the following is set in the options section

    allow-query     { any; };
    recursion no;
    
    dnssec-enable yes;
    

    listen-on port 53 – This specifies which IPv4 addresses bind listens on. In most cases you want to remove the line so it listens on all interfaces (or set it to the server's public address if you prefer to be explicit).
    listen-on-v6 port 53 – This is the same as listen-on port 53 but for the IPv6 addresses to listen on.
    allow-query – This specifies the IP addresses/networks the server will answer. As these servers are authoritative we want to allow lookups from everywhere.
    recursion no – These servers are authoritative only, so we turn off recursion so they cannot be abused as open resolvers in a DNS amplification attack. An authoritative server can still be made to amplify with large answers, and signing the zone makes those answers larger; if your BIND build has it, the rate-limit (Response Rate Limiting) option caps how many identical responses go to one address per second. If you are mixing recursive and authoritative service on the same servers, look at using views to separate the two roles.
    dnssec-enable yes – This lets named serve the DNSSEC records (RRSIG, NSEC, DNSKEY) once we sign the zone in a later part. It is already the default on BIND 9.5 and later, so this line is belt and braces.
    dnssec-lookaside auto – The stock CentOS 6 named.conf also carries this line. It does not manage the root keys: it turns on DNSSEC Lookaside Validation (DLV) against ISC's dlv.isc.org registry, which only matters on a validating recursive resolver, so with recursion no it does nothing here. ISC has since shut the DLV registry down and later BIND releases dropped the option, so leave it out. Read more about how BIND finds and trusts keys at http://www.isc.org/bind-keys

  6. Once done, check that the files parse with named-checkconf and named-checkzone, then reload named for the change to take effect (on a reload a zone file with a syntax error is logged and skipped while the previously loaded zone stays in service, which is easy to miss)
    [root@ns1 ~]# /etc/init.d/named reload
    Reloading named:                                           [  OK  ]
    
  7. Now test that the master responds to requests for 1metric.com from another server (replace 119.63.201.6 with the IP address of your master). We set up the glue records in the next section, so for now we must query the IP directly. Dropping +short shows the full response; the aa flag in the flags line confirms the answer is authoritative.
    [root@fs1 ~]# dig +short @119.63.201.6 1metric.com
    119.63.201.6
    

Setting up the secondary

Now the master name server is set up, we need to set up the secondary server.

  1. There is nothing to type into a zone file on the secondary: named pulls the zone from the master and writes its own copy to disk after the first transfer. Keep that copy under /var/named/slaves, which the CentOS bind package creates owned by named and labelled so that SELinux lets named write there.
    
  2. If you keep the copy somewhere else, the directory, not just the file, must be writable by named, because named writes a temporary file and renames it into place. A chown named:named on an empty file in /var/named is not enough, and with SELinux enforcing writes to /var/named itself are blocked anyway.
    
  3. Next we need to edit our named.conf file
    [root@ns2 ~]# vim /etc/named.conf
    
  4. Next we add the configuration for our zone (replace 119.63.201.6 with the IP address of your master). Nothing needs to pull the zone from the secondary, so transfers from it are switched off.
    zone "1metric.com" {
            type slave;
            allow-transfer { none; };           // nobody needs to AXFR from the secondary
            masters { 119.63.201.6; };          // where to pull the zone from
            file "/var/named/slaves/1metric.com";
    };
    
  5. Now modify the options section the same as on the master, so that named listens on all addresses, answers queries from everyone, refuses recursion and serves DNSSEC records
    Remove the following lines

    listen-on port 53 { 127.0.0.1; };
    listen-on-v6 port 53 { ::1; };
    

    Ensure the following is set in the options section

    allow-query     { any; };
    recursion no;
    
    dnssec-enable yes;
    
  6. Once done reload named for it to take effect
    [root@ns2 ~]# /etc/init.d/named reload
    Reloading named:                                           [  OK  ]
    
  7. Now test that the secondary responds to requests for 1metric.com from another server (replace 119.63.201.2 with the IP address of your secondary). As before, the glue records are not set up yet, so we must query the IP directly. The answer should match what the master gave, which shows the zone transfer worked.
    [root@fs1 ~]# dig +short @119.63.201.2 1metric.com
    119.63.201.6
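
The dig checks against ns1 and ns2 only show that an answer comes back. The script below is an added example, not part of the original howto, that probes each server from a third host for the three things this section configures: it is authoritative for the zone (aa set, and ns1 and ns2 report the same SOA serial once the transfer has happened), it refuses to recurse for a name outside the zone (recursion no), and it refuses an AXFR from a host not listed in allow-transfer, which dig on the page does not test. It uses only the Python standard library; the foreign name example.com., the sample replies at the bottom and the file name nscheck.py are my own constructions for illustration.

```python
"""Probe an authoritative-only BIND server from the outside (added example, not from the howto).
Per server: our zone's SOA must come back with AA set (ns1 and ns2 should agree on the serial),
a recursive query for a foreign name must be refused with RA clear, and an AXFR must be refused."""
import socket
import struct

TYPE_A, TYPE_SOA, TYPE_AXFR, CLASS_IN = 1, 6, 252, 1
RCODE_NOERROR, RCODE_REFUSED = 0, 5

def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(x)]) + x.encode("ascii") for x in labels) + b"\x00"

def decode_name(pkt, off):
    """Read a possibly compressed name at off; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:                 # compression pointer (RFC 1035 4.1.4)
            end = off + 2 if end is None else end
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if end is not None else off)

def build_query(name, qtype, txid=0x1234, rd=False):
    """Single-question query; rd=True asks the server to recurse for us."""
    header = struct.pack("!HHHHHH", txid, 0x0100 if rd else 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)

def parse_response(pkt):
    """Header flags plus the serial of the first SOA in the answer section (None if absent)."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    info = {"aa": bool(flags & 0x0400), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "ancount": an, "serial": None}
    off = 12
    for _ in range(qd):
        off = decode_name(pkt, off)[1] + 4    # skip QNAME, QTYPE, QCLASS
    for _ in range(an):
        _, off = decode_name(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == TYPE_SOA and info["serial"] is None:
            p = decode_name(pkt, off)[1]      # skip MNAME
            p = decode_name(pkt, p)[1]        # skip RNAME
            info["serial"] = struct.unpack("!I", pkt[p:p + 4])[0]
        off += rdlen
    return info

def audit(soa_reply, outside_reply, axfr_reply):
    """Judge a server from its three replies; pure, so it can be exercised offline."""
    soa, out, axfr = (parse_response(p) for p in (soa_reply, outside_reply, axfr_reply))
    return {
        "serial": soa["serial"],
        "authoritative": soa["aa"] and soa["rcode"] == RCODE_NOERROR and soa["serial"] is not None,
        # Advertising RA, or answering for a zone it does not hold, makes it an open resolver.
        "open_resolver": out["ra"] or (out["rcode"] == RCODE_NOERROR and out["ancount"] > 0),
        # A transfer that starts (NOERROR with the leading SOA) lets anyone enumerate the zone.
        "open_axfr": axfr["rcode"] == RCODE_NOERROR and axfr["ancount"] > 0,
    }

def audit_server(server, zone, timeout=3.0):
    """Network version: SOA and foreign-name probes over UDP, AXFR over TCP (port 53)."""
    def udp(q):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(q, (server, 53))
            return s.recv(4096)
    def tcp(q):                               # DNS over TCP: 2-byte length before each message
        with socket.create_connection((server, 53), timeout) as s:
            s.sendall(struct.pack("!H", len(q)) + q)
            (n,) = struct.unpack("!H", s.recv(2))
            return s.recv(n)                  # first message is enough: REFUSED or the leading SOA
    return audit(udp(build_query(zone, TYPE_SOA)),
                 udp(build_query("example.com.", TYPE_A, rd=True)),
                 tcp(build_query(zone, TYPE_AXFR)))

# Constructed sample replies (not captured traffic) so the judging logic can run without a server.
def sample_reply(name, qtype, rcode=RCODE_NOERROR, aa=False, ra=False, rd=False, answer=b""):
    q = build_query(name, qtype, rd=rd)
    flags = 0x8000 | (0x0400 if aa else 0) | (0x0100 if rd else 0) | (0x0080 if ra else 0) | rcode
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 1 if answer else 0, 0, 0)
    return header + q[12:] + answer

def sample_soa_rr(serial):
    # SOA RR matching the zone file above; 0xC00C is a pointer back to the question name.
    rdata = (b"\x03ns1\xc0\x0c" + encode_name("peter.onemetric.com.au.")
             + struct.pack("!IIIII", serial, 21600, 3600, 604800, 86400))
    return b"\xc0\x0c" + struct.pack("!HHIH", TYPE_SOA, CLASS_IN, 86400, len(rdata)) + rdata

if __name__ == "__main__":                    # e.g. python3 nscheck.py 119.63.201.6 119.63.201.2
    import sys
    for ns in sys.argv[1:]:
        print(ns, audit_server(ns, "1metric.com."))
```

Run it from a host that is not the secondary (otherwise the AXFR probe is allowed by design) and read the two lines side by side: authoritative should be True and the other two False on both servers, and the serial values should match. If the secondary still reports the old serial after a reload on the master, look at the transfer messages named logs to /var/log/messages on ns2 before suspecting the network. Once the zone is signed, the same probe will also show whether the larger signed responses come back intact over UDP.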
    

Steps

Introduction
How DNSSEC Works
Name Server Setup
Registrar Setup
Sign the Zone