DNSSEC Complete Howto – Sign the Zone

The domain is now completely functional, so it is time to sign the zone and start using DNSSEC.

  1. The first thing to do is install the dnssec-tools package. This provides a number of the commands required to generate the keys.
    [root@ns1 ~]# yum install dnssec-tools -y
    
  2. Create a directory to store the keys, change its ownership and change into it.
    [root@web1 ~]# mkdir /etc/pki/dnssec-keys
    [root@web1 ~]# chown named:named /etc/pki/dnssec-keys/
    [root@web1 ~]# cd /etc/pki/dnssec-keys/
    
  3. Next you need to create the zone signing key (ZSK). This may take a while.
    [root@ns1 dnssec-keys]# dnssec-keygen -a RSASHA1 -b 1024 -n ZONE 1metric.com
    Generating key pair....++++++ ..............................................++++++
    K1metric.com.+005+45888
    

    This creates a private and a public key:

    [root@ns1 dnssec-keys]# ls
    K1metric.com.+005+45888.key  K1metric.com.+005+45888.private
    
  4. Next we need to create the KSK (Key Signing Key). This will definitely take a while!
    [root@ns1 dnssec-keys]# dnssec-keygen -r /dev/urandom -a RSASHA1 -b 4096 -n ZONE -f KSK 1metric.com
    Generating key pair.........................................................................++ .........................................................................................................................................................................................................................................................................................................................................................................++
    K1metric.com.+005+02836
    

    This also creates a private and a public key:

    [root@ns1 dnssec-keys]# ls
    K1metric.com.+005+02836.key      K1metric.com.+005+45888.key
    K1metric.com.+005+02836.private  K1metric.com.+005+45888.private
    
  5. Now we need to include the public keys in the zone file. First open the zone file in a text editor:
    [root@ns1 dnssec-keys]# vim /var/named/1metric.com
    

    Use the $INCLUDE statement to pull the public keys into the zone file. Append the following, changing the paths to point to the .key files generated in the previous steps:

    $INCLUDE /etc/pki/dnssec-keys/K1metric.com.+005+02836.key
    $INCLUDE /etc/pki/dnssec-keys/K1metric.com.+005+45888.key
    
  6. Now we sign the zone. The -e value sets how far into the future from now the signatures are valid, in seconds. In this case we set it to 3024000 seconds (35 days) so we can use cron.monthly to re-sign the zone before the signatures expire.
    [root@ns1 dnssec-keys]# cd /var/named/
    [root@ns1 named]# dnssec-signzone -S -K /etc/pki/dnssec-keys -e +3024000 -N INCREMENT 1metric.com
    Verifying the zone using the following algorithms: RSASHA1.
    Zone signing complete:
    Algorithm: RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
    ZSKs: 1 active, 0 stand-by, 0 revoked
    1metric.com.signed
    
  7. dnssec-signzone creates a new zone file named after the old one with .signed appended. If you have a look at the new zone file you will see that every existing record now has an RRSIG record to go along with it. Part of our zone file now looks like the following:
    [root@ns1 named]# tail -n 8 1metric.com.signed
    86400   NSEC    1metric.com. A RRSIG NSEC
    86400   RRSIG   NSEC 5 3 86400 20130620011431 (
    20130516011431 45888 1metric.com.
    cDTrfQLtQ9qyXW+w/lCzDlwgZ1SNSHJnxuvE
    PYozahQI3q3fqwcIj9oE+X0Yf3iTYBj2y1zS
    z468nwXCkNg2sytPo/KbBiXnbCTqg04+pf9Y
    x00/M7DLeMvrNyqt5X7Kb+PcGREqD9FFrkhQ
    QgC4YveMDxvxJ5MNA9LRK/KSbcg= )
    
  8. Next we need to update named.conf so named starts using the .signed zone file:
    [root@ns1 named]# vim /etc/named.conf
    
  9. Modify your zone statement so it uses the zone file that ends in .signed:
    zone "1metric.com" {
    type master;
    allow-transfer { 119.63.201.2; };
    also-notify { 119.63.201.2;};
    file "/var/named/1metric.com.signed";
    };
    
  10. Then reload named for the changes to take effect:
    [root@ns1 named]# /etc/init.d/named reload
    Reloading named:                                      [  OK  ]
    
  11. The final step to get DNSSEC working is to create the DS records with your domain registrar so the chain of trust is established.
  12. dnssec-signzone will also have created a file named dsset- followed by the zone name (dsset-1metric.com. here) in the same directory as your zone file. If you have a look at this file it contains two DS records:
    [root@ns1 named]# cat dsset-1metric.com.
    1metric.com.            IN DS 2836 5 1 5A6B31BEEFE106EEBBA4337F9451A3D3AEF199C5
    1metric.com.            IN DS 2836 5 2 5B9FF3598D53112D52FE1D4F33BBD73DC262946DED2D1BA2C5120085 B45BF2E5
    

    In our case we are using GoDaddy. From the domain management page, click Name Servers in the top navigation, select Name Servers, and from the drop-down select Manage DS Records.
    A new window will open. Click the link "Add New DS Record".

  13. We have to create both DS records listed in the dsset file. The form asks for the following values, each taken from the dsset file:
    • Key Tag: the 4th column, 2836 in our case
    • Algorithm: the 5th column, 5 in our case
    • Digest Type: the 6th column, either 1 for SHA-1 or 2 for SHA-256; the first record is 1 and the second is 2
    • Digest: the final string of hex characters. Note that for GoDaddy to accept the second record you must remove the space between its last two fields (the SHA-256 digest is printed as two space-separated chunks)
  14. When you click Next it will verify that everything is OK. If it is, you can save the changes. It may take a couple of hours for the DS records to take effect.
  15. Use dig to check that the DS records have taken effect:
    [root@fs1 ~]# dig +short DS 1metric.com
    2836 5 2 5B9FF3598D53112D52FE1D4F33BBD73DC262946DED2D1BA2C5120085 B45BF2E5
    2836 5 1 5A6B31BEEFE106EEBBA4337F9451A3D3AEF199C5
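    The registrar form in steps 12 to 15 wants the four DS fields typed in by hand, and the only trap is the split SHA-256 digest. The script below is an added example, not code from the original howto or from BIND: it extracts Key Tag, Algorithm, Digest Type and Digest from either the dsset file or the dig +short output, joins the digest chunks, and checks that each digest has the length its type implies. The sample inputs are constructed copies of the records shown above; the form field names follow the GoDaddy form described in step 13.

```shell
#!/bin/sh
# Added example, not part of the original howto: extract the four values a
# registrar's DS form asks for from either the dsset file or dig +short output,
# joining the SHA-256 digest that is printed as two space-separated chunks.
# Sample inputs are constructed copies of the records shown in the howto.

DSSET_SAMPLE='1metric.com.            IN DS 2836 5 1 5A6B31BEEFE106EEBBA4337F9451A3D3AEF199C5
1metric.com.            IN DS 2836 5 2 5B9FF3598D53112D52FE1D4F33BBD73DC262946DED2D1BA2C5120085 B45BF2E5'

DIG_SHORT_SAMPLE='2836 5 2 5B9FF3598D53112D52FE1D4F33BBD73DC262946DED2D1BA2C5120085 B45BF2E5
2836 5 1 5A6B31BEEFE106EEBBA4337F9451A3D3AEF199C5'

# ds_fields: read DS records on stdin and print one line per record:
#   keytag algorithm digesttype digest
# Accepts the "<name> IN DS ..." form from the dsset file and the bare
# "<keytag> <alg> <type> <digest>" form from dig +short. Everything after the
# digest-type column is concatenated, which removes the space registrars reject.
ds_fields() {
    awk '{
        if ($2 == "IN" && $3 == "DS") start = 4
        else if ($1 ~ /^[0-9]+$/ && NF >= 4) start = 1
        else next
        digest = ""
        for (i = start + 3; i <= NF; i++) digest = digest $i
        print $start, $(start + 1), $(start + 2), digest
    }'
}

# ds_digest_ok TYPE DIGEST: return 0 when DIGEST is hex and has the length
# expected for the digest type (1 = SHA-1, 40 hex chars; 2 = SHA-256, 64).
# A wrong length usually means a chunk was dropped when copying into the form.
ds_digest_ok() {
    case "$2" in
        "" | *[!0-9A-Fa-f]*) return 1 ;;
    esac
    case "$1" in
        1) [ ${#2} -eq 40 ] ;;
        2) [ ${#2} -eq 64 ] ;;
        *) return 1 ;;
    esac
}

# print_ds_form: read DS records on stdin and print the values to type into
# the registrar form (field names as on the GoDaddy form described above).
# Fails if any digest does not match its declared type.
print_ds_form() {
    ds_fields | while read -r tag alg dtype digest; do
        if ds_digest_ok "$dtype" "$digest"; then
            printf 'Key Tag: %s  Algorithm: %s  Digest Type: %s  Digest: %s\n' \
                "$tag" "$alg" "$dtype" "$digest"
        else
            printf 'bad digest for key tag %s (type %s): %s\n' \
                "$tag" "$dtype" "$digest" >&2
            exit 1
        fi
    done
}

printf '%s\n' "$DSSET_SAMPLE" | print_ds_form
printf '%s\n' "$DIG_SHORT_SAMPLE" | print_ds_form
```

    Run it against the real file with `print_ds_form < dsset-1metric.com.`, or pipe in `dig +short DS 1metric.com` after the registrar has published the records to confirm that what is published matches what was signed.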
    
  16. Once that is done, query a DNSSEC-aware recursive server with +dnssec to make sure the ad flag is being returned and everything works:
    [root@fs1 ~]# dig +dnssec 1metric.com
    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.4 <<>> +dnssec 1metric.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60247
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 5
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 4096
    ;; QUESTION SECTION:
    ;1metric.com.                   IN      A
    
    ;; ANSWER SECTION:
    1metric.com.            82425   IN      A       119.63.201.6
    1metric.com.            82425   IN      RRSIG   A 5 2 86400 20130620011431 20130516011431 45888 1metric.com. Zf6MqTwivaVl2KYnBOZU0VHKA8u3UyeODv26TpTT9VfGMSNYJe2xw1sY GkpN/Z0CBnP14bj0+RvmnAm9H6r08adiHwRCrkm9dZZnbQCrkExvTIDk sCxX5YXPF8oTyP4veHEHO8zRVx7RleaWmbaXJU/1td1GzhNcbrfIg53I zsM=
    
    ;; AUTHORITY SECTION:
    1metric.com.            82425   IN      NS      ns1.1metric.com.
    1metric.com.            82425   IN      NS      ns2.1metric.com.
    1metric.com.            82425   IN      RRSIG   NS 5 2 86400 20130620011431 20130516011431 45888 1metric.com. GdpYtx0kvr4i4B576B1bF7Mwhzc2efu5INDKKkdxss/yVkWv+XuZGjxk BzsmAewwmbEGSa62iZens+Br8aHcNN3CO4MoR6u2RbVSzGmZB9mNOKhd IWLWdL+nc9nkWIMufLwo8XrmG40jnrWx5Y6g1DnA0DzblRGrN3ry3HRr dbk=
    
    ;; ADDITIONAL SECTION:
    ns1.1metric.com.        168825  IN      A       119.63.201.6
    ns2.1metric.com.        168825  IN      A       119.63.201.2
    ns1.1metric.com.        82425   IN      RRSIG   A 5 3 86400 20130620011431 20130516011431 45888 1metric.com. nk/r0/jgssjhQ2EgKIhvzrezdqZq0b+ciHbP3ErsagDQCspf4c2OdbH3 yXCXeIBe1JuTvssmOdER6GEh86fTtGvg1CxMUSLgwg+GagX9AGjll4Tm dspKt3OOF03KowV9ca0YhNGCfHpvop3MOM3Sq7uhXgvLBQ17aD6A0wVL ShI=
    ns2.1metric.com.        82425   IN      RRSIG   A 5 3 86400 20130620011431 20130516011431 45888 1metric.com. uD1VtA7XS9ZdthqnjKOdVMQrZ29xG4NHyaP0xtI6hzGI+B1fMhVIb9Kw EjRW3R7F+9uBAS4A42GJmsAvgUkTzS4p2qdFV5iko+O2v9srypgWqJZt VtbS+ve9DOUACvgohR0Nbf/H3/T7Phr6i/x3d6Mxb7YMYe8+rq05X/x3 JlE=
    

    The main thing to check is that the flags field includes ad, for example:

    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 5
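    Reading the flags line by eye works once, but the zone in step 6 was signed with a 35-day validity and relies on a monthly cron job to re-sign it, so the same check is worth automating. The script below is an added example, not code from the original howto or from BIND: it parses the output of `dig +dnssec`, fails if the ad flag is missing, and fails if any RRSIG expires within a threshold. DIG_SAMPLE is a constructed excerpt of the dig output shown above, the "now" timestamp is passed in explicitly so the run is reproducible, and MIN_DAYS is an assumed threshold rather than a value from the page.

```shell
#!/bin/sh
# Added example, not part of the original howto: read the output of
# "dig +dnssec <zone>" and check two things a monthly re-sign depends on:
# the resolver set the ad flag, and the RRSIGs are not about to expire.
# DIG_SAMPLE is a constructed excerpt of the dig output shown in the howto;
# MIN_DAYS is an assumed warning threshold, not a value from the page.

DIG_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60247
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 5

;; QUESTION SECTION:
;1metric.com.                   IN      A

;; ANSWER SECTION:
1metric.com.            82425   IN      A       119.63.201.6
1metric.com.            82425   IN      RRSIG   A 5 2 86400 20130620011431 20130516011431 45888 1metric.com. Zf6MqTwivaVl2KYnBOZU0VHKA8u3UyeODv26TpTT9VfGMSNYJe2xw1sY GkpN/Z0CBnP14bj0+RvmnAm9H6r08adiHwRCrkm9dZZnbQCrkExvTIDk sCxX5YXPF8oTyP4veHEHO8zRVx7RleaWmbaXJU/1td1GzhNcbrfIg53I zsM=

;; AUTHORITY SECTION:
1metric.com.            82425   IN      RRSIG   NS 5 2 86400 20130620011431 20130516011431 45888 1metric.com. GdpYtx0kvr4i4B576B1bF7Mwhzc2efu5INDKKkdxss/yVkWv+XuZGjxk BzsmAewwmbEGSa62iZens+Br8aHcNN3CO4MoR6u2RbVSzGmZB9mNOKhd IWLWdL+nc9nkWIMufLwo8XrmG40jnrWx5Y6g1DnA0DzblRGrN3ry3HRr dbk='
MIN_DAYS=7

# has_ad_flag: succeed only if the ";; flags:" line lists ad, which means the
# recursive server validated the answer (not merely that it carries RRSIGs).
has_ad_flag() {
    awk '/^;; flags:/ {
        line = $0
        sub(/^;; flags: */, "", line)
        sub(/;.*$/, "", line)
        n = split(line, f, " ")
        for (i = 1; i <= n; i++) if (f[i] == "ad") found = 1
    }
    END { exit found ? 0 : 1 }'
}

# days_from_civil Y M D: days since 1970-01-01 (Howard Hinnant's algorithm),
# written in shell arithmetic so no GNU date is needed.
days_from_civil() {
    _y=$1; _m=$2; _d=$3
    if [ "$_m" -le 2 ]; then _y=$((_y - 1)); fi
    _era=$((_y / 400))
    _yoe=$((_y - _era * 400))
    _doy=$(((153 * ((_m + 9) % 12) + 2) / 5 + _d - 1))
    _doe=$((_yoe * 365 + _yoe / 4 - _yoe / 100 + _doy))
    echo $((_era * 146097 + _doe - 719468))
}

# days_from_ts YYYYMMDDHHMMSS: the RRSIG timestamp format, at day granularity.
days_from_ts() {
    _ts=$1
    _yy=${_ts%??????????}
    _mm=${_ts#????}; _mm=${_mm%????????}
    _dd=${_ts#??????}; _dd=${_dd%??????}
    days_from_civil "$_yy" "${_mm#0}" "${_dd#0}"   # strip leading zero (octal trap)
}

# rrsig_days_left NOW: for each RRSIG on stdin print the days until its
# expiration (field 9) as of NOW, given in the same YYYYMMDDHHMMSS form.
rrsig_days_left() {
    _now=$(days_from_ts "$1")
    awk '$4 == "RRSIG" { print $9 }' | while read -r _exp; do
        echo $(( $(days_from_ts "$_exp") - _now ))
    done
}

# dnssec_ok NOW: 0 only if the dig output on stdin has the ad flag and every
# RRSIG is valid for at least MIN_DAYS more days; otherwise say why and return 1.
dnssec_ok() {
    _out=$(cat)
    if ! printf '%s\n' "$_out" | has_ad_flag; then
        echo "no ad flag: the resolver did not validate this answer" >&2
        return 1
    fi
    _min=$(printf '%s\n' "$_out" | rrsig_days_left "$1" | sort -n | head -n 1)
    if [ -z "$_min" ]; then
        echo "no RRSIG records in the answer" >&2
        return 1
    fi
    if [ "$_min" -lt "$MIN_DAYS" ]; then
        echo "earliest RRSIG expires in $_min day(s): re-sign the zone now" >&2
        return 1
    fi
    echo "validated (ad flag set), earliest RRSIG expiry in $_min day(s)"
}

# Check the sample as of 2013-06-01 (constructed date): 19 days of signature left.
printf '%s\n' "$DIG_SAMPLE" | dnssec_ok 20130601000000
```

    For a live check, replace the sample with `dig +dnssec 1metric.com | dnssec_ok "$(date -u +%Y%m%d%H%M%S)"` and run it from cron a few days after the monthly re-sign; a non-zero exit then means either validation failed at the resolver or the re-sign did not happen and the signatures are running out.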
    
  17. You don't need to make any changes to your secondary. It will transfer the signed zone, which includes the public ZSK and KSK.
  18. If you have any issues, Verisign Labs have a great tool to check your domain at dnssec-debugger.verisignlabs.com/
