Sign Your Zone

From DNSSEC-Tools
Jump to: navigation, search

So you've read all about the DNS Vulnerability and you want to sign your zone. You've come to the right place!

Contents

Sign Your Zone!

The DNSSEC-Tools package makes it easy to sign you zone quickly with as little hassle as possible. This describes the steps you need to go through, many of which you're already doing.

Don't like words? Watch the video!

If you'd rather watch a video, please see the Getting Started with DNSSEC video.

Power User Quick Start

If you just want to get going without much help:

  • Install Everything
  • First run: zonesigner -genkeys -zone example.com db.example.com
  • Future runs: zonesigner -zone example.com db.example.com

Install DNSSEC-Tools

Start by installing the DNSSEC-Tools package. This page should help you get it installed on your system.

After installation, make sure you run dtinitconf after installation to help you set up your dnssec-tools.conf configuration file.

Start with your zone file

You'll need your zone file for your domain. Whether it's edited by hand or generated, it'll be the starting point. For our example purposes, we'll use the following very simple zone:

$TTL 3600
example.com.   600     IN SOA  test.example.com. admin.example.com. (
                                       20080821   ; serial
                                       7200       ; refresh (2 hours)
                                       3600       ; retry (1 hour)
                                       604800     ; expire (1 week)
                                       600        ; minimum (10 minutes)
                                       )
                       600     NS      ns1.example.com.

ns1                    600     IN A    192.0.2.1
www                    600     IN A    192.0.2.2

Place this zonefile in a directory that you don't mind some other related files being placed with it. In the process of signing your zone, we'll need to generate some keys for you as well as store some other signing-related state-data.

Sign it the first time

We'll now use zonesigner to sign the zone file. Zonesigner does make use of the bind tools, so you'll need the bind software installed as well as perl.

The first time, we'll need to add the -genkeys option to instruct zonesigner that we wish to generate new keys for the zone (since you don't have any yet). Simply run zonesigner as follows (the bold is the command that was run, and everything else is the output):

 # zonesigner -genkeys example.com

         if zonesigner appears hung, strike keys until the program completes
         (see the "Entropy" section in the man page for details)


 zone signed successfully

 example.com:
         KSK (cur) 25816  -b 2048  08/21/08      (example.com-signset-3)
         ZSK (cur) 54228  -b 1024  08/21/08      (example.com-signset-1)
         ZSK (pub) 28878  -b 1024  08/21/08      (example.com-signset-2)

 zone will expire in 4 weeks, 2 days, 0 seconds
 DO NOT delete the keys until this time has passed.

We now have a new file in the same directory called example.com.signed. Take a look at it if you like.

In this example, The example.com.signed file is the file that we should now publish.

Note the time we highlighted in RED that shows when your new signatures expire. In other words:

you must sign your zone again before the end of that time.

This is the single biggest changed to running a zone with DNSSEC support, so I'll say it again in a different way:

even if your zone data doesn't change, you must resign your zone on a regular basis.

Resigning your zone

Every time you change the contents of your zone (you can continue using the original zone file, like our example.com file in this example). Even if you don't change you data, as mentioned above, you should resign your zone once a month.

But, let's say we added a new www2 record to the example.com file:

www2                    600     IN A    192.0.2.3

Then we simply run zonesigner again, but this time without the -genkeys option.

 # zonesigner example.com

         if zonesigner appears hung, strike keys until the program completes
         (see the "Entropy" section in the man page for details)


 zone signed successfully

 example.com:
         KSK (cur) 25816  -b 2048  08/21/08      (example.com-signset-3)
         ZSK (cur) 54228  -b 1024  08/21/08      (example.com-signset-1)
         ZSK (pub) 28878  -b 1024  08/21/08      (example.com-signset-2)

 zone will expire in 4 weeks, 2 days, 0 seconds
 DO NOT delete the keys until this time has passed.

That's it! Not much more to it! See below for other information, but you now know enough to get started. There are other very good DNSSEC kits to use but it doesn't get much simpler than this!

Further reading

Other Options

zonesigner has a lot of options and you may wish to use some of them. One worth mentioning here is the -zone option, which can be used if your file name doesn't match your zone name. For example, if your file name was db.example.com then you'd need to add the -zone flag to indicate the zone name:

 # zonesigner -zone example.com db.example.com

Other Resources

The DNSSEC-Tools package has a number of other tools that will help zone administrators both with DNSSEC and with DNS in general.

  • The Authoritative Zone Administrator tutorial describes some of these other tools and how to use them.
  • The zonesigner page provides more details on the zonesigner tool itself.
  • The Recursive Server page describes how to configure your recursive server to start using DNSSEC in a recursive resolver in order to check the responses from other zones.
Personal tools