Please use this writeup only for bind version before 9.9.0! Since this version it is much easier to configure dnssec: https://kb.isc.org/docs/aa-00626
Since I needed hours to configure dnssec (because of one little failure), I made here a little write-up (in short).
Configuration
# vi /etc/bind/named.conf.local
add
file "/var/lib/bind/example.com.zone.signed";
key-directory "/var/lib/bind/";
auto-dnssec maintain;
inline-signing yes;
to the zone statement of your domain (note the straight double quotes; curly quotes are a syntax error in named.conf)
# vi /etc/bind/named.conf.options
add
dnssec-enable yes;
dnssec-validation auto;
dnssec-lookaside auto;
The keys
# cd /var/lib/bind/
(because the directory must be writable by bind and /etc/bind/ shouldn't be)
create the zone signing key (zsk)
# dnssec-keygen -a RSASHA256 -b 2048 example.com
create the key signing key (ksk)
# dnssec-keygen -a RSASHA256 -b 4096 -f KSK example.com
change permissions and the owner
(all keys must be readable by bind)
# chmod 644 Kexample.com*.key
# chmod 600 Kexample.com*.private
# chown bind Kexample.com*
you now have four files: a public (.key) and a private (.private) file for each of the ZSK and the KSK. the public .key files contain the DNSKEY records and have to be pulled into the zone file; the following loop appends an $INCLUDE line for each of them (note the escaped dollar sign and straight quotes, otherwise the shell expands $INCLUDE to an empty string):
# for key in Kexample.com*.key
do
echo "\$INCLUDE $key" >> example.com.zone
done
Signing
sign the zone
# dnssec-signzone -A -3 $(head -c 1000 /dev/urandom | sha256sum | cut -b 1-16) -N INCREMENT -o example.com -t example.com.zone
Restart
# /etc/init.d/bind9 restart
Testing
# dig DNSKEY example.com. @localhost +multiline
if everything went right you should see the two keys. if not, you have done something wrong.
some good DNSSEC testing sites:
https://dnssec-analyzer.verisignlabs.com/
http://dnsviz.net/
https://mxtoolbox.com/DNSKey.aspx
Registrar
when we ran the dnssec-signzone command, besides the .signed zone file a file named dsset-example.com. was also created; it contains the DS records.
# cat dsset-example.com.
go to the registrar of your domain and enter those DS records
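To check that the DS record you enter at the registrar really belongs to the KSK your server publishes, here is an added example (not part of this write-up's original steps and not a bind tool): a small Python script that derives a DS record from a DNSKEY record as printed by dig +multiline, so you can compare it with the dsset-example.com. file and with what the registrar shows. The DNSKEY below is constructed with a made-up public key, so its DS is only illustrative; feed it a real DNSKEY line from your own dig output instead.

```python
import base64
import hashlib
import struct

# Constructed sample in the format "dig DNSKEY example.com. +multiline" prints.
# The public key (AQIDBA== = bytes 01 02 03 04) is made up, not a real RSA key.
SAMPLE_DNSKEY = """example.com.  3600 IN DNSKEY 257 3 8 (
        AQIDBA==
        ) ; KSK; alg = RSASHA256 ; key id = 2063"""


def owner_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 section 5.1.4):
    lowercased, length-prefixed labels, terminated by the root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(text):
    """Parse a DNSKEY record in presentation format (single line or dig +multiline)
    into (owner, rdata_bytes). Strips ';' comments and the '( )' continuation markers."""
    fields = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].replace("(", " ").replace(")", " ")
        fields.extend(line.split())
    idx = fields.index("DNSKEY")
    owner = fields[0]
    flags, proto, alg = (int(x) for x in fields[idx + 1: idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    return owner, rdata


def key_tag(rdata):
    """Key tag as in RFC 4034 appendix B: 16-bit sum over the RDATA bytes,
    high byte for even offsets, low byte for odd ones, carry folded back in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def is_ksk(text):
    """True if the SEP bit (flags value 1) is set, i.e. the record is a KSK (257)."""
    _, rdata = parse_dnskey(text)
    flags = struct.unpack("!H", rdata[:2])[0]
    return bool(flags & 0x0001)


def ds_record(text, digest_type=2):
    """Return the DS record for a DNSKEY in the same style as the dsset file:
    'owner IN DS keytag alg digesttype digest'. digest_type 1 = SHA-1, 2 = SHA-256."""
    if not is_ksk(text):
        # The DS handed to the registrar must point at the KSK, which is also
        # the only key dnssec-signzone writes into the dsset file.
        raise ValueError("DNSKEY is a ZSK (flags 256); derive the DS from the KSK")
    owner, rdata = parse_dnskey(text)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(owner_to_wire(owner) + rdata).hexdigest().upper()
    alg = rdata[3]
    return "%s IN DS %d %d %d %s" % (owner, key_tag(rdata), alg, digest_type, digest)


if __name__ == "__main__":
    # Paste the DNSKEY output of dig +multiline here and compare the printed
    # line with dsset-example.com. and with the DS shown at your registrar.
    print(ds_record(SAMPLE_DNSKEY))
```

The key tag printed by dig as "key id" should equal the first number of the DS line, and the SHA-256 digest (digest type 2) is the one to prefer at the registrar; if the registrar only shows a short SHA-1 digest, call ds_record with digest_type=1 to compare that instead.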
Update zone files
- make changes to the example.com.zone file
- # rndc freeze example.com
- delete all example.com.zone.signed* files (i have not found another way)
- re-sign the zone
# dnssec-signzone -A -3 $(head -c 1000 /dev/urandom | sha256sum | cut -b 1-16) -N INCREMENT -o example.com -t example.com.zone
- # rndc reload example.com
- # rndc thaw example.com
Subdomains
…are automatically signed with your domain
Troubleshooting
if you get an error like:
No response was received until the UDP payload size was decreased, indicating that the server might be attempting to send a payload that exceeds the path maximum transmission unit (PMTU) size.
on dnsviz.net, and you have a firewall like pfSense in front of the DNS server, try disabling scrubbing:
Disable Firewall Scrub (Disables the PF scrubbing option which can sometimes interfere with NFS traffic.)
another solution, with pfsense, is here: https://melkfl.es/article/2018/07/edns/
another option, to be used as a last resort, is to reduce the UDP packet size in bind's named.conf.options
# vi /etc/bind/named.conf.options
add
edns-udp-size 512;
max-udp-size 512;
If you like this write-up or I missed something, please let me know.