Apr 1, 2012

Setting up BIND to secure DNS with DNSSEC (III)

In the previous article about Setting up BIND to secure DNS with DNSSEC, we completed the DNSSEC configuration and signed a zone file. When you sign a zone, bear in mind that the dnssec-signzone command generates signatures that are valid for only 30 days, unless you specify another end date with the option -e end-time.

If your signatures expire, you will have to re-sign the zone and load the new signed file. You will also have to re-sign the zone whenever you change the zone file (add, modify or remove a record). In any case, it is highly recommended to regenerate the KSK at least every year and the ZSK every three months.
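Since an expired RRSIG silently breaks validation for the whole zone, it is worth checking the expiration field of the signatures before that happens. The following Python script is an added example, not part of the original article: it parses RRSIG records from a dig answer or a signed zone file and reports the signatures that have expired or will expire within a warning window, so the zone can be re-signed in time. The sample input is constructed from this article's test.local zone, with the signature data shortened.

```python
import re
from datetime import datetime, timezone

# Presentation format of an RRSIG record as printed by dig or written by dnssec-signzone:
#   owner ttl IN RRSIG type alg labels orig-ttl expiration inception keytag signer sig...
RRSIG_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+(?P<alg>\d+)\s+"
    r"(?P<labels>\d+)\s+(?P<origttl>\d+)\s+(?P<expire>\d{14})\s+(?P<incept>\d{14})\s+"
    r"(?P<keytag>\d+)\s+(?P<signer>\S+)"
)

def parse_ts(ts):
    """Convert the YYYYMMDDHHMMSS timestamp used in RRSIG records to an aware UTC datetime."""
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsigs(text):
    """Return one dict per RRSIG line; non-RRSIG lines (SOA, NSEC, comments) are ignored."""
    sigs = []
    for line in text.splitlines():
        m = RRSIG_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["expire"] = parse_ts(d["expire"])
            d["incept"] = parse_ts(d["incept"])
            sigs.append(d)
    return sigs

def signatures_needing_resign(text, now, warn_days=7):
    """Return (owner, covered type, keytag, days_left) for every RRSIG that has already
    expired or will expire within warn_days of `now`; days_left is negative once expired."""
    out = []
    for s in parse_rrsigs(text):
        days_left = (s["expire"] - now).total_seconds() / 86400
        if days_left < warn_days:
            out.append((s["name"], s["covered"], int(s["keytag"]), round(days_left, 2)))
    return out

# Constructed sample: the RRSIG lines of the test.local zone, signature data shortened.
SAMPLE = """\
test.local.  86400  IN  SOA  dns.test.local. admin.test.local. 1 21600 3600 604800 86400
test.local.  86400  IN  RRSIG  SOA 5 2 86400 20120410195007 20120311195007 5775 test.local. KozjX5R/...vCE=
test.local.  86400  IN  NSEC  dns.test.local. NS SOA RRSIG NSEC DNSKEY
test.local.  86400  IN  RRSIG  NSEC 5 2 86400 20120410195007 20120311195007 5775 test.local. Fxo9aBIp...WhU=
"""

if __name__ == "__main__":
    for name, covered, keytag, days in signatures_needing_resign(SAMPLE, datetime.now(timezone.utc)):
        state = "EXPIRED" if days < 0 else "expires in %.1f days" % days
        print("%s RRSIG(%s) key %d: %s - re-sign the zone" % (name, covered, keytag, state))
```

Run against the output of `dig @dns.test.local test.local +dnssec` (or the .signed file) from cron to be warned before the 30-day window closes.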

After setting up DNSSEC, the next step is to provide our zone's DS (Delegation Signer) record to our parent zone, provided the parent is also using DNSSEC. We can use the following command for this purpose, passing the ZSK file as argument.

[root@dns test.local]# dnssec-dsfromkey Ktest.local.+005+05775.key 
test.local. IN DS 5775 5 1 01FC6E8961D76D6438CAC77260EFF2E28AC0EFB0
test.local. IN DS 5775 5 2 175D8A898137886AADE03886FD69F9EA0D3EF1230B803AAB7EF23F9B 409079E1

Let's move on by using another CentOS 6.2 client to check the DNSSEC configuration. This new computer will use the server we have just set up as its main DNS server, and it will request DNSSEC records (+dnssec) in its query.

[root@localhost ~]# yum install bind-utils

[root@localhost ~]# dig @dns.test.local test.local +dnssec
...
;; AUTHORITY SECTION:
test.local.        86400    IN    SOA    dns.test.local. admin.test.local. 1 21600 3600 604800 86400
test.local.        86400    IN    RRSIG    SOA 5 2 86400 20120410195007 20120311195007 5775 test.local. KozjX5R/1gTw4Q4xYzVnkpOnyRwviJVbqrrWzH95qwuWVSaMqOrlchvn giTYs94B1esCdD1xHouPkqIQ+BmIin5OEd3+G0038b1GGv7QY7ylzJr5 LO+TFF6M7toZLAmTMrQigYvV/1IDVvqxKvI1zjJahU49e6Sl+Hyfl85B vCE=
test.local.        86400    IN    NSEC    dns.test.local. NS SOA RRSIG NSEC DNSKEY
test.local.        86400    IN    RRSIG    NSEC 5 2 86400 20120410195007 20120311195007 5775 test.local. Fxo9aBIpTgd52p+sEseqA7CWPLmRLhCzv2d4gZhdgbvk+whoSOpu6ZMf GotfqkocX6+nafHeFBJvknJY0R25yiYP75nSaZoxAdDnBWv7VgE0Ywzi lges8wZyGX0VUMVTUWrvJYdZr+aThJqE0Shf4TuVKjhQqlwxsio+YXeS WhU=
...

As you can see above, we get the corresponding RRSIG (Resource Record Signature) for each record.

Finally, here is a quick way to check whether our DNS server is validating DNSSEC. Perform a DNS lookup for the following name: www.dnssec-failed.org. If you get a "not found" error as shown below, you are using a DNSSEC-validating DNS server.

[root@localhost ~]# host www.dnssec-failed.org
Host www.dnssec-failed.org not found: 3(NXDOMAIN)
