Sign Your Zone
So you've read all about the DNS Vulnerability and you want to sign your zone. You've come to the right place!
Sign Your Zone!
The DNSSEC-Tools package makes it easy to sign your zone quickly with as little hassle as possible. This page describes the steps you need to go through, many of which you're already doing.
Don't like words? Watch the video!
If you'd rather watch a video, please see the Getting Started with DNSSEC video.
Power User Quick Start
If you just want to get going without much help:
- Install Everything
- First run: zonesigner -genkeys -zone example.com db.example.com
- Future runs: zonesigner -zone example.com db.example.com
Start by installing the DNSSEC-Tools package. This page should help you get it installed on your system.
Start with your zone file
You'll need your zone file for your domain. Whether it's edited by hand or generated, it'll be the starting point. For our example purposes, we'll use the following very simple zone:
    $TTL 3600
    example.com. 600 IN SOA test.example.com. admin.example.com. (
                    20080821   ; serial
                    7200       ; refresh (2 hours)
                    3600       ; retry (1 hour)
                    604800     ; expire (1 week)
                    600        ; minimum (10 minutes)
                    )
                 600 NS ns1.example.com.
    ns1          600 IN A 192.0.2.1
    www          600 IN A 192.0.2.2
Place this zone file in a directory where you don't mind some other related files being placed alongside it. In the process of signing your zone, we'll need to generate some keys for you as well as store some other signing-related state data.
Sign it the first time
The first time, we'll need to add the -genkeys option to instruct zonesigner that we wish to generate new keys for the zone (since you don't have any yet). Simply run zonesigner as follows (the first line, beginning with #, is the command that was run, and everything else is the output):

    # zonesigner -genkeys example.com

            if zonesigner appears hung, strike keys until the program completes
            (see the "Entropy" section in the man page for details)

    zone signed successfully

    example.com:
            KSK (cur) 25816  -b 2048  08/21/08  (example.com-signset-3)
            ZSK (cur) 54228  -b 1024  08/21/08  (example.com-signset-1)
            ZSK (pub) 28878  -b 1024  08/21/08  (example.com-signset-2)

    zone will expire in 4 weeks, 2 days, 0 seconds
    DO NOT delete the keys until this time has passed.
We now have a new file in the same directory called example.com.signed. Take a look at it if you like.
- In this example, the example.com.signed file is the file that we should now publish.
Note the time reported at the end of the output ("zone will expire in ...") that shows when your new signatures expire. In other words:
- you must sign your zone again before the end of that time.
This is the single biggest change to running a zone with DNSSEC support, so I'll say it again in a different way:
- even if your zone data doesn't change, you must resign your zone on a regular basis.
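Because the signatures expire on their own schedule, it is worth monitoring the signed file rather than relying on memory. The following script is an added example, not part of DNSSEC-Tools or this tutorial: it reads the RRSIG expiration times from a signed zone file and reports whether re-signing is due. It assumes one RRSIG record per line; the sample zone lines, key tag and dates embedded in it are constructed for the example.

```shell
#!/bin/sh
# Added example (not DNSSEC-Tools code): find the earliest RRSIG expiration in a
# signed zone file and decide whether the zone must be re-signed soon.
# Assumes one RRSIG record per line (e.g. as normalised by "named-checkzone -D").

# Constructed sample of RRSIG lines; key tag, dates and signature data are made up.
SAMPLE_SIGNED_ZONE='example.com.     600 IN RRSIG SOA 5 2 600 20080918000000 20080821000000 54228 example.com. AbCd==
example.com.     600 IN RRSIG NS 5 2 600 20080918000000 20080821000000 54228 example.com. EfGh==
www.example.com. 600 IN RRSIG A 5 3 600 20080915120000 20080821000000 54228 example.com. IjKl=='

# earliest_rrsig_expiry FILE: print the smallest RRSIG expiration time
# (YYYYMMDDHHMMSS, the 5th field after the RRSIG type) found in FILE.
earliest_rrsig_expiry() {
    awk '{ for (i = 1; i <= NF; i++)
               if ($i == "RRSIG") { e = $(i + 5); if (min == "" || e < min) min = e; break } }
         END { if (min != "") print min }' "$1"
}

# days_between FROM TO: whole days from FROM to TO (both YYYYMMDDHHMMSS),
# computed from Julian day numbers so no GNU date extensions are needed.
days_between() {
    awk -v from="$1" -v to="$2" '
        function jdn(s,  y, m, d, a, yy, mm) {
            y = substr(s, 1, 4) + 0; m = substr(s, 5, 2) + 0; d = substr(s, 7, 2) + 0
            a = int((14 - m) / 12); yy = y + 4800 - a; mm = m + 12 * a - 3
            return d + int((153 * mm + 2) / 5) + 365 * yy + int(yy / 4) - int(yy / 100) + int(yy / 400) - 32045
        }
        BEGIN { print jdn(to) - jdn(from) }'
}

# resign_due FILE NOW WARN_DAYS: succeed (exit 0) if the earliest signature in
# FILE expires within WARN_DAYS of NOW, or if FILE contains no RRSIGs at all.
resign_due() {
    exp=$(earliest_rrsig_expiry "$1")
    [ -z "$exp" ] && return 0
    left=$(days_between "$2" "$exp")
    echo "earliest RRSIG expiry: $exp ($left days from $2)"
    [ "$left" -le "$3" ]
}

# Stand-alone demo on the constructed sample; point it at example.com.signed for real use.
tmp=$(mktemp); printf '%s\n' "$SAMPLE_SIGNED_ZONE" > "$tmp"
if resign_due "$tmp" "$(date -u +%Y%m%d%H%M%S)" 7; then
    echo "re-sign now: run zonesigner again"
fi
rm -f "$tmp"
```

Run it from cron with a warning window comfortably shorter than the "zone will expire in" interval zonesigner prints, so an expired zone never reaches resolvers.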
Resigning your zone
Every time you change the contents of your zone, you need to sign it again (you can continue using the original zone file, like our example.com file in this example). Even if you don't change your data, as mentioned above, you should resign your zone once a month.
But, let's say we added a new www2 record to the example.com file:
    www2         600 IN A 192.0.2.3
Then we simply run zonesigner again, but this time without the -genkeys option.
    # zonesigner example.com

            if zonesigner appears hung, strike keys until the program completes
            (see the "Entropy" section in the man page for details)

    zone signed successfully

    example.com:
            KSK (cur) 25816  -b 2048  08/21/08  (example.com-signset-3)
            ZSK (cur) 54228  -b 1024  08/21/08  (example.com-signset-1)
            ZSK (pub) 28878  -b 1024  08/21/08  (example.com-signset-2)

    zone will expire in 4 weeks, 2 days, 0 seconds
    DO NOT delete the keys until this time has passed.
That's it! There isn't much more to it. See below for other information, but you now know enough to get started. There are other very good DNSSEC kits to use, but it doesn't get much simpler than this!
zonesigner has a lot of options and you may wish to use some of them. One worth mentioning here is the -zone option, which can be used if your file name doesn't match your zone name. For example, if your file name was db.example.com then you'd need to add the -zone flag to indicate the zone name:
    # zonesigner -zone example.com db.example.com
The DNSSEC-Tools package has a number of other tools that will help zone administrators both with DNSSEC and with DNS in general.
- The Authoritative Zone Administrator tutorial describes some of these other tools and how to use them.
- The zonesigner page provides more details on the zonesigner tool itself.
- The Recursive Server page describes how to configure your recursive server to start using DNSSEC in a recursive resolver in order to check the responses from other zones.