DNSSEC Part II: the Implementation

Reconfigure Zone's BIND Config

Now that you have a new .signed zone file, you will need to update your zone's config in BIND so that it uses it instead of the plain-text file, which is pretty straightforward:


zone "greenfly.org" {
  type master;
  file "/etc/bind/db.greenfly.org.signed";
  allow-transfer { slaves; };
};

Enable DNSSEC Support in BIND

Next, update the options that are enabled in your main BIND configuration file (often found in named.conf or named.conf.options), so that DNSSEC is enabled, the server attempts to validate DNSSEC for any recursive queries and DLV (DNSSEC Lookaside Validation) is supported:


options {
  dnssec-enable yes;
  dnssec-validation yes;
  dnssec-lookaside auto;
};

When you set dnssec-lookaside to auto, BIND automatically will trust the DLV signature it has for dlv.isc.org as it's included with the BIND software. Alternatively, you can add a DLV key manually if you add an additional BIND option and trusted key:


options { dnssec-lookaside . trust-anchor dlv.isc.org.; };
trusted-keys {
        dlv.isc.org. 257 3 5
"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh";
};

Once you are done changing your BIND configuration files, reload or restart BIND, and your zone should be ready to reply to DNSSEC queries.

Test DNSSEC

To test DNSSEC support for a zone, just add the +dnssec argument to dig. Here's an example query against www.greenfly.org:


$ dig +dnssec www.greenfly.org

; <<>> DiG 9.8.1-P1 <<>> +dnssec www.greenfly.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13093
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.greenfly.org.              IN      A

;; ANSWER SECTION:
www.greenfly.org.       900     IN      A       64.142.56.172
www.greenfly.org.       900     IN      RRSIG   A 5 3 900 20130523213855
20130423213855 58317 greenfly.org.
cZS1G2Jj3FNB0UrU4W+LbpCJlvVa+3yos1ni5V0pct4x4lWvXGQNoh1G
/uFFJ62YRYXskL/c17wiAEIqsJ0O/wzek5KFWAoiJ3zW051l9c/8KPGF
7LzmEumdAVM2MmrPVu+PKGfilPlfofjwJLbgVhyYqepbbD8xv3bmg0Np YnM=

;; AUTHORITY SECTION:
greenfly.org.           900     IN      NS      ns2.greenfly.org.
greenfly.org.           900     IN      NS      ns1.greenfly.org.
greenfly.org.           900     IN      RRSIG   NS 5 2 900 20130523213855
20130423213855 58317 greenfly.org.
d/7E3iCxzS/qBSOl/x7m/yMMqbl5mUGH7tVw/j7U/qyC7D9YZJIXNp3J
uU8vueo09cZf+yjwHusdWDWgdW8mkAVoGR5K/azoY4o2xRBvt8Z5pf3a
BqmNIHzROZkf6BOrx6Nqv65npSGoNLQBoEc90FvDFe/N5I27LBTIxCv4 3UQ=

;; ADDITIONAL SECTION:
ns1.greenfly.org.       900     IN      A       64.142.56.172
ns2.greenfly.org.       900     IN      A       75.101.46.232
ns1.greenfly.org.       900     IN      RRSIG   A 5 3 900 20130523213855
20130423213855 58317 greenfly.org.
VDeJSlfEYRwHkjRnCvmDXFHneG3Fhw15mCSALT8m8fOtQkMroI8t0qu3
K8Tdt4q8/t1JYucpwQbpjsR3f+rmJc0t4L7HSVA/1LHajOqA+Wn2XH8L
Rp01qVkeBIZ7g+K7LY2XRU3DGSzbeFUKrViqtakbTQxZ9o3Oj6ZqL0Pv 0nQ=
ns2.greenfly.org.       900     IN      RRSIG   A 5 3 900 20130523213855
20130423213855 58317 greenfly.org.
dUU/6bbc6sHoSl+e2uGwoEXLMGyr4Qaedk3E74ArnUOb4VViBd3CxvGF
SPG2QK3AggDv8z3+9Wm6NA11oTFcuIGnbBarxDQIrbERHFfcSQaekvSR
UcSSD7wft9YO7UTIiQrc8LkItXZAKd72Gy1ZP4mhhLxwwOIhlHshQ9d2 uTY=

;; Query time: 196 msec
;; SERVER: 64.142.56.172#53(64.142.56.172)
;; WHEN: Fri Apr 26 16:13:22 2013
;; MSG SIZE  rcvd: 817

Tell Your Parent

The final step once you have confirmed that DNSSEC is returning signed records for your zone is to go to your zone's parent (typically through the registrar you used to buy the domain to begin with) and provide them with the DS record (in that dsset-zonename file that dnssec-signzone generated) so they can sign it. Unfortunately, only a small number of registrars provide DNSSEC support today, and some charge extra for the service. In either case, you may want to use DLV instead via a service like dlv.isc.org. To do that, simply visit https://dlv.isc.org and follow the instructions to create an account and register your zone with them. They provide a simple interface that validates DNSSEC on your zone and even will send you alerts if you forget to update your zone's signatures after a month.

So, although enabling DNSSEC isn't as simple as a regular BIND configuration (and to many people even that is pretty complicated), it's also not all that difficult once you know the proper steps. Hopefully, this column has encouraged you to try out DNSSEC on your zones.

______________________

Kyle Rankin is a director of engineering operations in the San Francisco Bay Area, the author of a number of books including DevOps Troubleshooting and The Official Ubuntu Server Book, and is a columnist for Linux Journal.

Webinar
One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Learn More

Sponsored by Bit9

Webinar
Linux Backup and Recovery Webinar

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Learn More

Sponsored by Storix