trying DNSSEC with 9.9-rc1
Michael W. Lucas
mwlucas at blackhelicopters.org
Wed Feb 1 22:18:59 UTC 2012
Hi,
I'd put off DNSSEC because of the high maintenance requirement. But
with 9.9 and inline signing, it looks like I can now do DNSSEC the way
I need (static zone files that work with legacy tools, automatic key
rotation, etc.)
I see that 9.9-rc2 came out yesterday; I'm building it now, but I
don't see anything in the relnotes that tells me this has
changed. Unfortunately, I'm trying to figure out how to use DNSSEC
inline signing from the Internet's ten years of DNSSEC tutorials, none
of which exactly cover this setup. And the ARM isn't quite updated for
this yet.
If someone is kind enough to help me figure out DNSSEC, I'll happily
blog it for the next guy who comes along. I'm sure I won't be the
last...
My understanding of the process is:
1) create KSK and ZSK
nstest/etc/namedb/keys;dnssec-keygen -f KSK -a RSASHA1 -b 768 -n ZONE transnetworks.net
Generating key pair.........................................................++++++++ .++++++++
Ktransnetworks.net.+005+54607
nstest/etc/namedb/keys;dnssec-keygen -a RSASHA1 -b 768 -n ZONE transnetworks.net
Generating key pair......................................++++++++ ..................++++++++
Ktransnetworks.net.+005+51087
2) tell named.conf about the zone's DNSSEC:
zone transnetworks.net {
type master;
file "master/transnetworks.net";
key-directory "keys/";
inline-signing yes;
auto-dnssec maintain;
};
I restart named, and see the following files:
transnetworks.net
transnetworks.net.jbk
transnetworks.net.signed
So, it appears that inline is doing something.
But dig shows:
nstest/etc/namedb/keys;dig transnetworks.net @localhost +dnssec
; <<>> DiG 9.8.1-P1 <<>> transnetworks.net @localhost +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42076
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;transnetworks.net. IN A
;; ANSWER SECTION:
transnetworks.net. 86400 IN A 198.22.63.130
;; AUTHORITY SECTION:
transnetworks.net. 86400 IN NS ns1.minetworkservices.net.
transnetworks.net. 86400 IN NS ns2.minetworkservices.net.
;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Feb 1 17:12:21 2012
;; MSG SIZE rcvd: 116
My understanding is that once I get this to work, I use
$ dnssec-dsfromkey -2 Ktransnetworks.net.<ksk #>
and give that to my registrar.
Any suggestions, folks? What am I not understanding?
Thanks,
==ml
--
Michael W. Lucas
http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
Latest book: SSH Mastery http://www.michaelwlucas.com/nonfiction/ssh-mastery
mwlucas at BlackHelicopters.org, Twitter @mwlauthor
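The dig output in the post requested DNSSEC data (+dnssec sets the EDNS "do" flag) but no RRSIG records came back, which is what a signed zone would return. As an added diagnostic that is not part of the original post or of BIND, this Python script parses dig-style output and lists every RRset in the ANSWER and AUTHORITY sections that has no covering RRSIG; the two sample responses are constructed (example.test names, placeholder signature bytes).

```python
import re
from collections import defaultdict

# Constructed sample shaped like the dig output in the post: "do" was set, no RRSIG returned.
UNSIGNED_RESPONSE = """\
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
transnetworks.net. 86400 IN A 198.22.63.130
;; AUTHORITY SECTION:
transnetworks.net. 86400 IN NS ns1.minetworkservices.net.
transnetworks.net. 86400 IN NS ns2.minetworkservices.net.
"""
# Constructed signed answer: each RRset has an RRSIG whose first rdata field names it
# (algorithm 5 = RSASHA1, key tag 51087 as in the post); signature bytes are placeholders.
SIGNED_RESPONSE = """\
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
example.test. 86400 IN A 192.0.2.10
example.test. 86400 IN RRSIG A 5 2 86400 20120301000000 20120201000000 51087 example.test. c2lnAA==
;; AUTHORITY SECTION:
example.test. 86400 IN NS ns1.example.test.
example.test. 86400 IN RRSIG NS 5 2 86400 20120301000000 20120201000000 51087 example.test. c2lnAQ==
"""
SECTION_RE = re.compile(r"^;; (\w+) SECTION:")
RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s*(.*)$")   # owner TTL IN type rdata
DO_RE = re.compile(r"^; EDNS:.*flags:[^;]*\bdo\b", re.M)    # EDNS DNSSEC-OK flag present

def parse_sections(text):
    """Group records by section: ({section: [(owner, type, rdata)]}, do_flag_set)."""
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        if m := SECTION_RE.match(line):
            current = m.group(1)
        elif current and (m := RR_RE.match(line)):
            sections[current].append((m.group(1), m.group(2), m.group(3)))
    return sections, DO_RE.search(text) is not None

def unsigned_rrsets(text):
    """(section, owner, type) of RRsets lacking a covering RRSIG; None if "do" was not set."""
    sections, do_flag = parse_sections(text)
    if not do_flag:
        return None
    missing = []
    for name in ("ANSWER", "AUTHORITY"):
        rrs = sections[name]
        covered = {(o, r.split()[0]) for o, t, r in rrs if t == "RRSIG"}
        for owner, rtype in sorted({(o, t) for o, t, _ in rrs if t != "RRSIG"}):
            if (owner, rtype) not in covered:
                missing.append((name, owner, rtype))
    return missing
```

An empty list from a +dnssec query against the authoritative server means every RRset returned was signed; a non-empty list on the zone apex, as in the post's output, means the server is still serving the unsigned data.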