www.thorko.de Thorsten Kohlhepp - Systems administrator | DNSSEC with bind9

 

DNSSEC with bind9

DNSSEC is an extension to the DNS that lets a resolver detect manipulated DNS answers: the records are digitally signed, so the protocol provides authenticity and integrity of answers, not confidentiality (signed answers are still sent in clear text). DNS (Domain Name System) is one of the most critical services on the internet; without it the internet would not work the way we use it every day.
DNS translates domain names such as www.google.com into IP addresses, and it is those addresses that traffic is actually sent to.
Now imagine we could manipulate the translation of www.google.com and hand out the IP address of a computer under our control: anybody who wants to visit www.google.com would be sent to our machine, and every search they do would pass through it. For a search engine that might not be all that harmful for the user, but consider the same trick against a bank's domain.

DNSSEC was developed to make such manipulation detectable, and the root zone has been signed since 2010: all root servers started serving a signed root zone on 5 May 2010, and the production root key (the trust anchor validators need) was published on 15 July 2010.

How does DNSSEC work
DNSSEC uses asymmetric cryptography: a key pair consisting of a public and a private key. The private key must of course be kept confidential; a signature made with it is verified with the public key. On its own that would not solve the DNS problem, because anybody can create a key pair and sign a wrong DNS answer with their own private key. What is needed is a hierarchy you can trust, and DNSSEC follows the DNS tree itself: your zone's public key is vouched for by the next higher zone (the parent), whose key is in turn vouched for by its parent, up to the root zone, whose key a validating resolver knows as a configured trust anchor.

Each signed zone (not each server) maintains two key pairs: the zone signing key (ZSK) and the key signing key (KSK). The ZSK signs the zone's data records; the KSK signs the DNSKEY RRset, i.e. it vouches for the ZSK. The KSK is linked to the parent zone through a DS (Delegation Signer) record, which does not contain the KSK public key itself but its key tag, its algorithm and a hash of it; the DS record is published in the parent zone and signed with the parent's keys. Splitting the keys lets the ZSK be rolled frequently without involving the parent, while the KSK, whose rollover needs a DS change at the registrar, is rolled rarely.
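As an added example (not code from the original page), the following Python script shows exactly what the parent gets to see: it takes a DNSKEY record in the format dnssec-keygen writes to the .key file, computes its key tag, and derives the DS record from a hash over the owner name and the DNSKEY RDATA. The record thorko.de. IN DNSKEY 257 3 8 AQIDBA== is a constructed sample with a four-byte dummy public key, not thorko.de's real key; the computations follow RFC 4034 (Appendix B for the key tag, section 5.1.4 for the digest) and RFC 4509 (SHA-256 digest type) directly rather than calling BIND, so they work on any real DNSKEY line as well.

```python
"""Key tag and DS record for a zone's KSK, i.e. what the parent zone publishes.

Added example (not code from the original page). SAMPLE_KSK is a constructed
DNSKEY record with a four-byte dummy public key, not thorko.de's real key; the
functions implement the general computation (RFC 4034 Appendix B for the key
tag, RFC 4034 section 5.1.4 and RFC 4509 for the digest), so a line from a real
Kthorko.de.+NNN+NNNNN.key file works the same way.
"""
import base64
import hashlib
import struct

SHA1, SHA256 = 1, 2   # DS digest type numbers
SEP_FLAG = 0x0001     # Secure Entry Point bit: set on KSKs (flags 257), clear on ZSKs (256)

# Constructed record in the presentation format dnssec-keygen writes to the .key file.
SAMPLE_KSK = "thorko.de. IN DNSKEY 257 3 8 AQIDBA=="


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercased, length-prefixed labels, root label."""
    labels = [label for label in name.lower().split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def parse_dnskey(rr):
    """Parse 'owner [ttl] [IN] DNSKEY flags protocol algorithm base64...' into (owner, rdata)."""
    fields = rr.split()
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
    public_key = base64.b64decode("".join(fields[i + 4:]))
    return fields[0], struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """RFC 4034 Appendix B: a 16-bit checksum over the DNSKEY RDATA (an identifier, not a hash)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def is_ksk(rdata):
    """A KSK carries the SEP flag; only KSKs are referenced by DS records."""
    return struct.unpack("!H", rdata[:2])[0] & SEP_FLAG == SEP_FLAG


def ds_record(owner, rdata, digest_type=SHA256):
    """DS RDATA: key tag, algorithm, digest type, digest(canonical owner name || DNSKEY RDATA)."""
    hasher = {SHA1: hashlib.sha1, SHA256: hashlib.sha256}[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    algorithm = rdata[3]
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


if __name__ == "__main__":
    owner, rdata = parse_dnskey(SAMPLE_KSK)
    print(SAMPLE_KSK, "; key id =", key_tag(rdata), "(KSK)" if is_ksk(rdata) else "(ZSK)")
    print(ds_record(owner, rdata, SHA1))
    print(ds_record(owner, rdata, SHA256))
```

Run on the real DNSKEY line from the KSK's .key file, the key tag reproduces the number in the file name and the DS line matches what dnssec-signzone writes to dsset-thorko.de. (BIND's dnssec-dsfromkey prints the same); comparing the two is a cheap check before the DS record goes to the registrar. Note that the digest covers the owner name, so the same key under a different name yields a different DS.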


Configure bind to use dnssec
First generate the key pairs for the zone. Run this in the directory that holds the zone file, because dnssec-signzone later looks for the private keys in the current directory; dnssec-keygen prints the key name (Kthorko.de.+aaa+iiiii, with aaa the algorithm number and iiiii the key tag) and writes a .key file with the public DNSKEY record and a .private file with the private key.
For the ZSK

# dnssec-keygen -a NSEC3DSA -b 1024 -n zone thorko.de

For the KSK

# dnssec-keygen -f KSK -a NSEC3DSA -b 1024 -n zone thorko.de

NSEC3DSA (algorithm number 6) was the NSEC3-capable choice BIND offered at the time; DSA is deprecated for DNSSEC today (RFC 8624), so on a current BIND use -a RSASHA256 -b 2048 or -a ECDSAP256SHA256 instead. Use the same algorithm for both keys, and note that the algorithm number appears in the key file names, which matters for the signing step below.


Append both public keys (the .key files) to the zone file so that they form the zone's DNSKEY RRset, and increase the SOA serial as for any other zone change

# cat Kthorko.*.key >> db.thorko.de 


Sign the zone. Both private keys must be available to dnssec-signzone: with no key arguments, as below, it looks at the DNSKEY records now at the zone apex and uses the matching .private files from the current directory, so the ZSK signs all zone data and the KSK signs the DNSKEY RRset. (Passing only the ZSK's .private file, as many older examples do, leaves the DNSKEY RRset without a KSK signature; a validator following the DS record from the parent then finds nothing signed by the KSK and validation fails.) The options: -t prints statistics, -3 614f builds an NSEC3 chain with that hex salt and -H 8 sets the number of extra hash iterations, -r names the random device, -g generates DS records for child zones from dsset-/keyset- files, and -o is the zone origin. Leave out -P, which would disable the post-signing verification of the result.

# dnssec-signzone -t -3 "614f" -r /dev/urandom -H 8 -g -o thorko.de db.thorko.de

This writes db.thorko.de.signed, which is the file to serve, and also a dsset-thorko.de. file containing the DS record(s) derived from the KSK. That DS record has to be published in the parent zone, i.e. handed to your registrar; until it is, validators treat thorko.de as an unsigned (insecure) zone. Point named.conf at the signed file (and make sure options { dnssec-enable yes; } is set, which is the default in BIND 9.5 and later)

zone "thorko.de" {
        type master;
        //file "/etc/bind/db.thorko.de";
        file "/etc/bind/db.thorko.de.signed";
};


Afterwards reload the zone (rndc reload thorko.de) and query the authoritative server with the DO bit set

# dig @thorko.de ebook.thorko.de A +dnssec +multiline +retry=1

The answer must show flags: do in the OPT pseudosection and an RRSIG record next to the A record, with thorko.de. as signer and the ZSK's key tag. Do not expect the ad flag from this query: an authoritative server never sets it; ad only appears when a validating resolver has verified the chain of trust, which requires the DS record in the parent. Finally, remember that RRSIGs expire (dnssec-signzone signs for 30 days by default), so the zone must be re-signed well before that, for example from cron, or validators will reject it as bogus once the signatures lapse, which is worse than leaving it unsigned.
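As an added example (not the page's code), here is a small Python checker for what that dig answer should look like. It parses the text dig prints with +multiline; the answer embedded in the script is a constructed sample with dummy signature bytes, written as if the zone had been signed with NSEC3DSA by a ZSK with key tag 12345, not real output from thorko.de. It reports DO, AD, every RRSIG with signer, key tag and whether it is inside its validity window at a given time, and any RRset in the answer that has no signature at all. It checks structure and timing only; it does not verify the signatures cryptographically.

```python
"""Sanity-check a `dig ... +dnssec +multiline` answer before trusting a freshly signed zone.

Added example, not code from the original page. SAMPLE_DIG_OUTPUT is a constructed
answer with dummy signature bytes. The checker reports whether EDNS DO was negotiated,
the RRSIGs in the answer (signer, key tag, validity window at a given instant) and any
RRset without a signature. It does not verify signatures cryptographically.
"""
import re
from datetime import datetime, timezone

# Constructed: what dig would print for the query in the text if the zone were signed
# with NSEC3DSA (algorithm 6) by a ZSK with key tag 12345. Not real output.
SAMPLE_DIG_OUTPUT = """\
; <<>> DiG 9.7.1 <<>> @thorko.de ebook.thorko.de A +dnssec +multiline +retry=1
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ebook.thorko.de.\tIN A

;; ANSWER SECTION:
ebook.thorko.de.\t3600 IN A 192.0.2.10
ebook.thorko.de.\t3600 IN RRSIG A 6 3 3600 20100909120000 (
\t\t\t\t20100810120000 12345 thorko.de.
\t\t\t\tZHVtbXkgc2lnbmF0dXJlIGJ5dGVzLCBub3QgYSByZWFsIG9uZQ== )

;; WHEN: Tue Aug 10 22:17:00 2010
"""

def _join_multiline(text):
    """Collapse the '( ... )' continuation lines of +multiline output into one line per record."""
    out, buf = [], None
    for line in text.splitlines():
        if buf is not None:                       # inside a parenthesised record
            buf += " " + line.strip()
            if ")" in line:
                out.append(buf.replace("(", " ").replace(")", " "))
                buf = None
        elif "(" in line and ")" not in line:
            buf = line.strip()
        else:
            out.append(line)
    return out

def parse_answer(text):
    """Return (status, header flags, edns_do, answer RRs); an RR is (owner, ttl, type, rdata fields)."""
    status, flags, edns_do, answers, in_answer = None, set(), False, [], False
    for line in _join_multiline(text):
        if line.startswith(";; ->>HEADER<<-"):
            status = re.search(r"status: (\w+)", line).group(1)
        elif line.startswith(";; flags:"):
            flags = set(re.match(r";; flags: ([^;]*);", line).group(1).split())
        elif line.startswith("; EDNS:"):
            m = re.search(r"flags: ([^;]*);", line)
            edns_do = bool(m) and "do" in m.group(1).split()
        elif line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif in_answer:
            if not line.strip():
                in_answer = False
                continue
            f = line.split()                      # owner ttl class type rdata...
            answers.append((f[0], int(f[1]), f[3], f[4:]))
    return status, flags, edns_do, answers

def _ts(stamp):
    """RRSIG inception/expiration are YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def check_answer(text, now):
    """Summarise the DNSSEC state of one dig answer as of `now` (aware datetime or RRSIG-style stamp)."""
    now = _ts(now) if isinstance(now, str) else now
    status, flags, edns_do, answers = parse_answer(text)
    rrsets = {(owner, rtype) for owner, _, rtype, _ in answers if rtype != "RRSIG"}
    rrsigs = []
    for owner, _, rtype, rd in answers:
        if rtype != "RRSIG":
            continue
        covers, alg, labels, _orig_ttl, expiration, inception, keytag, signer = rd[:8]
        rrsigs.append({
            "owner": owner, "covers": covers, "algorithm": int(alg),
            "keytag": int(keytag), "signer": signer, "expiration": _ts(expiration),
            "valid_now": _ts(inception) <= now <= _ts(expiration),
            # fewer labels in the RRSIG than in the owner name: the answer is a wildcard expansion
            "wildcard": int(labels) < len(owner.rstrip(".").split(".")),
        })
    signed = {(s["owner"], s["covers"]) for s in rrsigs}
    return {
        "status": status,
        "do": edns_do,            # DO bit negotiated, i.e. RRSIGs were actually requested
        "ad": "ad" in flags,      # only a validating resolver sets AD; an authoritative server never does
        "rrsigs": rrsigs,
        "unsigned": sorted(rrsets - signed),
    }

if __name__ == "__main__":
    report = check_answer(SAMPLE_DIG_OUTPUT, datetime.now(timezone.utc))
    print("status", report["status"], "DO", report["do"], "AD", report["ad"], "unsigned", report["unsigned"])
    for s in report["rrsigs"]:
        print(f"{s['owner']} {s['covers']} RRSIG by {s['signer']} key {s['keytag']} alg {s['algorithm']} "
              f"until {s['expiration']:%Y-%m-%d}, {'valid now' if s['valid_now'] else 'OUTSIDE VALIDITY WINDOW'}")
```

Pipe real dig output into check_answer (or paste it in place of the sample) right after signing and again from cron: an empty unsigned list, DO true and every RRSIG reported as valid is the state you want; an RRSIG outside its window means the re-signing job failed, which validators will see as bogus. The sample, being dated August 2010, shows up as expired when the script is run today.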

2010-08-10 10:17 pm