Automated zone INLINE signing with BIND
---------------------------------------

Remember that if you see '#' before a command, it means you need to run
this command as root, either via:

  a) sudo -s
  b) sudo command

We'll build on the previous labs and enable inline signing on BIND (9.9+).

When doing inline signing, the original zone is never modified: this allows
the operator to, for example, dump a DB to create the zone, and BIND will
just sign it. When the unsigned zone is updated, named detects the changes
and re-signs.

*** ON YOUR MASTER (auth1) SERVER ***

1. We're going to add a couple of statements to the BIND named.conf
   configuration file to enable inline DNSSEC signing.

   First, edit named.conf under /etc/bind/, and make the following changes:

   zone "MYTLD" {
       file "/etc/bind/master/MYTLD";      // <--- remove ".signed", if there
       type master;
       allow-transfer { key MYTLD-key; };  // <--- leave it if there
       key-directory "/etc/bind/keys";     // <--- Add this if not done
       auto-dnssec maintain;               // <--- Add this if not yet done
       inline-signing yes;                 // <--- Add this
       // update-policy local;             // <--- Remove if it's there
   };

   Save and exit.

2. Preparing the keys

   If you've done the manual signing lab from before, you have already
   generated keys, and we can reuse those. Otherwise, we'll generate a new
   set of keys.

   a) If you already have keys (otherwise go to step b)

      We need to make sure the directory has the right permissions - since
      BIND will be managing this, it needs access to the files and the
      directory:

      # chown -R bind /etc/bind/keys

      Let's look at the keys:

      # cd /etc/bind/keys/
      # ls -lt KMYTLD*
      -rw-r--r--  1 bind  wheel   591 Feb 18 15:52 KMYTLD.+008+52159.key
      -rw-------  1 bind  wheel  1774 Feb 18 15:52 KMYTLD.+008+52159.private
      -rw-r--r--  1 bind  wheel   417 Feb 18 15:52 KMYTLD.+008+51333.key
      -rw-------  1 bind  wheel  1010 Feb 18 15:52 KMYTLD.+008+51333.private

      If you have extra ZSKs and KSKs from the manual key rollover exercises,
      delete the oldest ZSK and KSK.
      Make sure to leave just one KSK and one ZSK. If you delete the wrong
      ones, reconfig with RZM.

   b) If you don't have keys yet:

      # mkdir -p /etc/bind/keys
      # chown -R bind /etc/bind/keys
      # cd /etc/bind/keys

      - Generate the first key pair (Zone Signing Key):

        # dnssec-keygen -r /dev/urandom -a RSASHA256 MYTLD

        (will output something like:
         Generating key pair......................+++++ + ....
         KMYTLD.+008+51333)

      - Generate the second key pair (Key Signing Key):

        # dnssec-keygen -r /dev/urandom -f KSK -a RSASHA256 MYTLD
        KMYTLD.+008+52159

        (once again, some output will show)

      Check that the keys are there:

      # ls -l KMYTLD*

      Notice that apart from the algorithm we don't specify any options such
      as key size, etc. We're using the defaults for now.

3. Now let's take care of the zone file

   If you have made a backup of your zone file, let's copy it back over our
   zone, to start fresh:

   # cd /etc/bind/master

   Note the serial number in "MYTLD".

   # cp MYTLD.backup MYTLD

   Increment the serial number in MYTLD to be higher than what we noted
   above. It must be higher than anything the 'Net has seen.

   Remove the old .signed zone - BIND will create that automatically!

   # rm MYTLD.signed

   Again, remember to check in named.conf that you are loading "MYTLD", and
   *NOT* "MYTLD.signed".

   We also need to make sure BIND can write in the master directory:

   # chown bind /etc/bind/master

4. Now reconfig the nameserver

   # rndc reconfig

   At this point you should see some new files appear in the master/ dir:

   # cd /etc/bind/master
   # ls -l
   ...
   -rw-r--r--  1 root  wheel   497 Sep 13 14:56 MYTLD
   -rw-r--r--  1 root  wheel   497 Sep 12 09:49 MYTLD.backup
   -rw-r--r--  1 bind  wheel   512 Sep 13 15:04 MYTLD.jbk
   -rw-r--r--  1 bind  wheel  1331 Sep 13 15:04 MYTLD.signed
   -rw-r--r--  1 bind  wheel  3581 Sep 13 15:04 MYTLD.signed.jnl
   ...
   Check that signing did work:

   # rndc signing -list MYTLD
   Done signing with key 52159/RSASHA256
   Done signing with key 51333/RSASHA256

   Also look in the logs:

   # less /etc/bind/log/general
   13-Sep-2012 15:04:27.444 reloading configuration succeeded
   13-Sep-2012 15:04:27.450 zone MYTLD/IN (unsigned): loaded serial 2012022301
   13-Sep-2012 15:04:27.451 any newly configured zones are now loaded
   13-Sep-2012 15:04:27.471 zone MYTLD/IN (signed): loaded serial 2012022301
   13-Sep-2012 15:04:27.493 zone MYTLD/IN (signed): receive_secure_serial: unchanged
   13-Sep-2012 15:04:27.501 zone MYTLD/IN (signed): reconfiguring zone keys
   13-Sep-2012 15:04:27.544 zone MYTLD/IN (signed): next key event: 13-Sep-2012 16:04:27.501

   # dig @10.192.X.1 MYTLD NS
   # dig @10.192.X.1 MYTLD SOA

   Note that the signed zone is not stored in a human-readable format. To
   see the contents of the signed zone, one can either do a zone transfer
   (axfr) or:

   # named-checkzone -D -f raw -o - MYTLD /etc/bind/master/MYTLD.signed | less

5. Changes to the zone

   So how do we update the zone and re-sign it? Simple! Let's modify the
   zone and add a "mail" record with the IP address of the auth1 server:

   mail    A    10.192.X.3    ; X is your group

   So edit the zone file "MYTLD" and add the line above. Remember to
   increment the serial.

   Now, reload the zone. named will automatically re-sign the zone:

   # rndc reload MYTLD

   Wait a few seconds, then:

   # tail /etc/bind/log/general

   What do you observe?

   # dig @10.192.X.1 mail.MYTLD a
   # dig @10.192.X.1 MYTLD soa

   Notice the serial.

6. After 2 x TTL the changes you observed locally should be visible
   globally. Test this with:

   # dig @10.192.0.230 mail.MYTLD a +dnssec +multi
   # dig @10.192.0.230 MYTLD soa +dnssec +multi
   # dig @10.192.0.230 MYTLD dnskey +dnssec +multi

   You should see the AD bit set in all cases. Do you notice anything about
   the size of the DNSKEY response?
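The "leave just one KSK and one ZSK" check from step 2a, as a script added here (not part of the lab handout or of BIND): it reads the DNSKEY flags out of the .key files in a key directory and only passes when exactly one key with flags 257 (KSK) and one with flags 256 (ZSK) remain, so a leftover rollover key is caught before rndc reconfig hands the directory to named. The directory, file names and key material it builds are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the lab handout: audit a BIND key directory
# before enabling inline-signing, so that exactly one KSK (DNSKEY flags 257)
# and one ZSK (flags 256) remain, as step 2a requires. The key files built
# below are constructed with placeholder key material, not real keys.
set -eu

# Print "<keytag> <flags>" for every K*.key file in directory $1. The key tag
# comes from the file name (K<zone>.+<alg>+<tag>.key); the flags are the field
# following "DNSKEY" in the RR inside the file, skipping ';' comment lines.
list_keys() {
    for f in "$1"/K*.key; do
        [ -f "$f" ] || continue
        tag=$(basename "$f" .key | awk -F'+' '{ print $3 }')
        flags=$(awk '!/^;/ { for (i = 1; i <= NF; i++)
                 if ($i == "DNSKEY") { print $(i + 1); exit } }' "$f")
        printf '%s %s\n' "$tag" "$flags"
    done
}

# Count keys in directory $1 whose flags equal $2 (257 = KSK, 256 = ZSK).
count_keys() {
    list_keys "$1" | awk -v want="$2" '$2 == want' | wc -l | tr -d ' '
}

# Succeed only when directory $1 holds exactly one KSK and one ZSK.
check_one_ksk_one_zsk() {
    [ "$(count_keys "$1" 257)" -eq 1 ] && [ "$(count_keys "$1" 256)" -eq 1 ]
}

# Build a constructed key directory mirroring the lab's two MYTLD keys, plus
# one leftover ZSK from a rollover exercise; print its path.
make_sample_keys() {
    d=$(mktemp -d)
    printf '; This is a key-signing key, keyid 52159, for MYTLD.\nMYTLD. IN DNSKEY 257 3 8 PLACEHOLDERKSK==\n' \
        > "$d/KMYTLD.+008+52159.key"
    printf '; This is a zone-signing key, keyid 51333, for MYTLD.\nMYTLD. IN DNSKEY 256 3 8 PLACEHOLDERZSK==\n' \
        > "$d/KMYTLD.+008+51333.key"
    printf 'MYTLD. IN DNSKEY 256 3 8 PLACEHOLDEROLD==\n' > "$d/KMYTLD.+008+12345.key"
    echo "$d"
}

# Stand-alone run: show the inventory, then the verdict for the sample dir.
d=$(make_sample_keys)
list_keys "$d"
if check_one_ksk_one_zsk "$d"; then echo "OK: one KSK, one ZSK"; else echo "FIX: remove the extra key(s)"; fi
rm -rf "$d"
```

Point `check_one_ksk_one_zsk` at /etc/bind/keys on auth1 to run it against the real directory.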