Authoritative Zone Administrator

From DNSSEC-Tools

This is a brief description of the parts of DNSSEC-Tools a zone administrator could find useful. In general, this is someone who wants to set up and maintain one or more signed DNS zones.


DNSSEC Zone Administrator

DNSSEC-Tools has several useful tools for a Zone Administrator. Zonesigner is the workhorse tool for signing zones; a Zone Admin can use it for all the general tasks involved in signing a zone file. Donuts is another useful DNSSEC-Tools component, used for error checking signed zone files. Lastly, the DNSSEC-Tools mapper can be used to graphically display the contents of a zone file.

Zonesigner

DNSSEC-Tools Component
zonesigner
This describes zonesigner, which is in the Zone Administration Tools category within the DNSSEC-Tools Components framework of tools.
Tool Name: zonesigner
Tool Type: Zone Administration Tools
Manual: Manual
Example: Example
CLI: Help

Zonesigner is used for signing DNS zone files. If you only use one thing from the DNSSEC-Tools package, this is the most important one, as it will help you Sign Your Zone. It is one of the main tools a Zone Administrator or Authoritative DNS Administrator will find useful when deploying a DNSSEC-enabled zone. It can make signing a zone as easy as typing 'zonesigner example.com'. Zonesigner is capable of performing a large number of zone manipulations: it can sign a zone file and create and update both Zone Signing Keys (ZSKs) and Key Signing Keys (KSKs), while allowing more detailed configuration from the command line or a configuration file.

Zonesigner was designed to make many of the other signing tools easy to use and to "do the right thing by default" wherever possible. It is highly configurable, but most people will likely be happy running it without any of the extra arguments. Currently, it uses (and requires) the Bind tool kit to handle most of the tasks it performs.

Get started with zonesigner

To get started with zonesigner, follow these steps, given a zone example.com and its zone file 'zonefile'.

  • The first time, add the -genkeys argument to generate new DNSSEC keys.
  • For future runs, leave that option off since you will already have keys for your zone. See Rollerd for more details about changing keys on a regular basis.
>  zonesigner -genkeys -zone example.com ./zonefile

      if zonesigner appears hung, strike keys until the program completes
      (see the "Entropy" section in the man page for details)


zone signed successfully

example.com:
                KSK (cur) 08824  -b 2048  02/12/08      (signing-set-3)
                ZSK (cur) 53265  -b 1024  02/12/08      (signing-set-1)
                ZSK (pub) 41622  -b 1024  02/12/08      (signing-set-2)

zone will expire in 4 weeks, 2 days, 0 seconds
DO NOT delete the keys until this time has passed.
>

The above:

  • creates the signed zone file zonefile.signed
  • The file is ready for use; just configure your DNS server to load it. The next time the zone needs to be signed (before the 4 weeks, 2 days have elapsed), run the same command but without the -genkeys argument.

A ready to use signed zone file, 'zonefile.signed', is generated. Created along with it are the associated Zone and Key Signing Keys (ZSKs/KSKs), keyset files, dsset file, and a zonesigner configuration file for example.com. Note that these files are generated in the same directory as the zone file that is signed. The location of these files can be adjusted through command line arguments to zonesigner.

(Even easier, if your zone file name matches the zone itself, e.g. example.com, simply running the command 'zonesigner -genkeys example.com' will generate example.com.signed.)

Zonesigner offers a large number of additional options to affect zone file signing. The key expiration times, file name and locations can all be adjusted from the command line. It will even do the various steps required for key rollovers, although it is much easier to use rollerd to execute the needed key-rolling steps automatically.

Note

To fully use zonesigner and understand zone signing, a good grasp of how DNSSEC works is necessary. A working, signed zone file can be created by just using the default values provided by zonesigner. But it is beneficial for a zone administrator to have a general familiarity with DNSSEC. The following links are good places to start to learn about DNSSEC:

RFC 4033, RFC 4034, RFC 4035, www.dnssec.net, ISOC's DNSSEC Theory

Donuts: an error/warning checker

DNSSEC-Tools Component
donuts
This describes donuts, which is in the Zone Administration Tools category within the DNSSEC-Tools Components framework of tools.
Tool Name: donuts
Tool Type: Zone Administration Tools
Manual: Manual
Example: Example
CLI: Help

Donuts is used for error checking zone files. It checks for general DNS warnings and errors as well as DNSSEC specific issues.

Get started with donuts

To check the above 'zonefile.signed' file:

> donuts zonefile.signed example.com

dyn.example.com:
  Error:       sub-domain dyn.example.com is not securely
               delegated.  It is missing a DS record.

pictures.example.com:
  Error:       RRSIG on name: pictures.example.com type: CNAME 
               failed to verify: RSA Verification failed

2 errors found in zonefile.signed
>

Donuts will output the number of errors (0+) and list a brief description of the errors found in the signed zone file. It is similar to Bind's named-checkzone except that it checks for some additional operational warnings and errors and is highly extensible so you can write your own rules and check for site-specific policies and requirements.
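A deployment gate built on the report format shown above, as an added example that is not part of DNSSEC-Tools: it parses the summary line and the flagged names, and refuses to proceed when the count is non-zero or the summary is missing. The function names are hypothetical, and it assumes a clean run prints "0 errors found in FILE".

```shell
#!/bin/sh
# Added example (not DNSSEC-Tools code): fail closed unless donuts reports 0 errors.
# Assumption: the report ends with "N errors found in FILE", as in the sample above.

# Constructed sample: the donuts report shown on this page.
sample_report() {
cat <<'EOF'
dyn.example.com:
  Error:       sub-domain dyn.example.com is not securely
               delegated.  It is missing a DS record.

pictures.example.com:
  Error:       RRSIG on name: pictures.example.com type: CNAME
               failed to verify: RSA Verification failed

2 errors found in zonefile.signed
EOF
}

# Read a donuts report on stdin and print its error count.
# Returns 1 (and prints nothing) when no summary line is present.
donuts_error_count() {
    awk '/^[0-9]+ errors? found in / { n = $1; seen = 1 }
         END { if (!seen) exit 1; print n }'
}

# Read a donuts report on stdin and print each name that has an Error entry.
donuts_failed_names() {
    awk '/^[^ \t].*:$/ { name = substr($0, 1, length($0) - 1); next }
         /^[ \t]+Error:/ && name != "" { print name; name = "" }'
}

# Run donuts and succeed only on a parsed count of zero.
# The exit status of donuts is not relied on; only its printed summary is.
# Usage: zone_is_clean zonefile.signed example.com
zone_is_clean() {
    report=$(donuts "$1" "$2" 2>&1) || true
    count=$(printf '%s\n' "$report" | donuts_error_count) || {
        echo "no donuts summary for $1; refusing to deploy" >&2
        return 2
    }
    if [ "$count" -ne 0 ]; then
        printf '%s\n' "$report" | donuts_failed_names | sed 's/^/failed: /' >&2
        return 1
    fi
}
```

Call zone_is_clean after each zonesigner run and install zonefile.signed only when it returns 0.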

Mapper: graphically map your zones

DNSSEC-Tools Component
mapper
This describes mapper, which is in the Error Checking Tools category within the DNSSEC-Tools Components framework of tools.
Tool Name: mapper
Tool Type: Error Checking Tools
Manual: Manual
Example: Example
CLI: Help

Mapper displays the zone file graphically. It will create a PNG file of the zone file.

Get started with mapper

To generate a picture of the above zone file:

> mapper zonefile.signed example.com

[Figure: mapper map of test.dnssec-tools.org]

The file map.png will hold a picture of the zone file. Mapper has a number of command line arguments that can change how the map is organized. See the full documentation for more details.

Error Checking tools

Check out the error checking tools section included below. It includes general DNSSEC error checking tools as well as tools that error check for a specific type of use or user. Some of the tools may be useful to you even though we didn't think they applied specifically to DNSSEC Zone Administration.

Software Summary

The following documents the most useful tools that an Authoritative Zone Administrator may wish to use.

Zone Administration Tools

  • zonesigner (Manual, Example, CLI Help): Will generate keys and sign zones with one command.
  • donuts (Manual, Example, CLI Help): Error check the contents of your zone. You can extend it by Writing your own rules. donuts does general DNS error checking including DNSSEC-specific checks.
  • mapper (Manual, Example, CLI Help): Graphically display the contents of your zone.

DNS Error Checking Tools

  • DNSSEC-Check: Check your resolvers for DNSSEC compliance.
  • dnspktflow (Manual, Example, CLI Help): Visually trace DNS packets being sent on the network.
  • validate (Manual, CLI Help): Command line DNS validation checking (similar to dig). This is part of the libval and libsres package.
  • mapper (Manual, Example, CLI Help): Graphically display the contents of your zone.
  • trustman (Manual, CLI Help): Detects key changes in trust anchors (TAs); it can update TAs and it can run as a daemon.
  • donuts (Manual, Example, CLI Help): Error check the contents of your zone. You can extend it by Writing your own rules. donuts does general DNS error checking including DNSSEC-specific checks.
  • logwatch (Example; included in current versions of logwatch): A logwatch plugin for DNSSEC parsing of the BIND server's system logging messages.