{"id":6268,"date":"2019-10-09T14:37:13","date_gmt":"2019-10-09T12:37:13","guid":{"rendered":"https:\/\/thebc.ch\/blog\/?p=6268"},"modified":"2021-12-30T19:38:27","modified_gmt":"2021-12-30T18:38:27","slug":"dnssec-with-bind9-11-on-debian10-1","status":"publish","type":"post","link":"https:\/\/thebc.ch\/blog\/?p=6268","title":{"rendered":"DNSSEC with bind 9(.11) on debian 10(.1)"},"content":{"rendered":"<p><em><strong>Please use this writeup only for bind versions before 9.9.0! Since that version it is much easier to configure dnssec: <a href=\"https:\/\/kb.isc.org\/docs\/aa-00626\">https:\/\/kb.isc.org\/docs\/aa-00626<\/a><\/strong><\/em><\/p>\n<p>Since it took me hours to configure dnssec (because of one little mistake), I have put together a short write-up here.<\/p>\n<p><span style=\"color: #000000;\"><div class='toc toc'>\n<h2>Contents<\/h2>\n<ul class='toc-odd level-1'>\n\t<li>\n\t\t<a href=\"#Configuration\"><strong>Configuration<\/strong><\/a>\n\t<\/li>\n\t<li>\n\t\t<a href=\"#The_keys\"><strong>The keys<\/strong><\/a>\n\t<\/li>\n\t<li>\n\t\t<a href=\"#Signing\"><strong>Signing<\/strong><\/a>\n\t<\/li>\n\t<li>\n\t\t<a href=\"#Restart\"><strong>Restart<\/strong><\/a>\n\t<\/li>\n\t<li>\n\t\t<a href=\"#Testing\"><strong>Testing<\/strong><\/a>\n\t<\/li>\n\t<li>\n\t\t<a href=\"#Registrar\"><strong>Registrar<\/strong><\/a>\n\t<\/li>\n\t<li>\n\t\t<a href=\"#Update_zone_files\"><strong>Update zone files<\/strong><\/a>\n\t<\/li>\n\t<li>\n\t\t<a href=\"#Subdomains\"><strong>Subdomains<\/strong><\/a>\n\t<\/li>\n\t<li>\n\t\t<a href=\"#Troubleshooting\"><strong>Troubleshooting<\/strong><\/a>\n\t<\/li>\n<\/ul>\n<\/div>\n<div class='toc-end'>&nbsp;<\/div><\/span><\/p>\n<span id=\"Configuration\"><h3><strong>Configuration<\/strong><\/h3><\/span>\n<p><span style=\"color: #000000;\"># <span style=\"color: #134173;\">vi \/etc\/bind\/named.conf.local<\/span><\/span><br \/>\nadd<br \/>\n<span style=\"color: #134173;\">file 
&#8220;\/var\/lib\/bind\/example.com.zone.signed&#8221;;<\/span><br \/>\n<span style=\"color: #134173;\">key-directory &#8220;\/var\/lib\/bind\/&#8221;;<\/span><br \/>\n<span style=\"color: #134173;\">auto-dnssec maintain;<\/span><br \/>\n<span style=\"color: #134173;\">inline-signing yes;<\/span><br \/>\n<span style=\"color: #000000;\">to the zone statement of your domain<\/span><\/p>\n<p># <span style=\"color: #134173;\">vi \/etc\/bind\/named.conf.options<\/span><br \/>\nadd<br \/>\n<span style=\"color: #134173;\">dnssec-enable yes;<\/span><br \/>\n<span style=\"color: #134173;\">dnssec-validation auto;<\/span><br \/>\n<span style=\"color: #134173;\">dnssec-lookaside auto;<\/span><\/p>\n<span id=\"The_keys\"><h3><strong>The keys<\/strong><\/h3><\/span>\n<p># <span style=\"color: #134173;\">cd \/var\/lib\/bind\/<\/span><br \/>\n(because the directory must be writable by bind and \/etc\/bind\/ shouldn&#8217;t be)<\/p>\n<p>create the zone signing key (zsk)<br \/>\n# <span style=\"color: #134173;\">dnssec-keygen -a RSASHA256 -b 2048 example.com<\/span><br \/>\ncreate the key signing key (ksk)<br \/>\n# <span style=\"color: #134173;\">dnssec-keygen -a RSASHA256 -b 4096 -f KSK example.com<\/span><\/p>\n<p>change permissions and the owner<br \/>\n(all keys must be readable by bind)<br \/>\n# <span style=\"color: #134173;\">chmod 644 Kexample.com*.key<\/span><br \/>\n# <span style=\"color: #134173;\">chmod 600 Kexample.com*.private<\/span><br \/>\n# <span style=\"color: #134173;\">chown bind Kexample.com*<\/span><\/p>\n<p>you now have 4 files &#8211; two key pairs (zsk and ksk), each consisting of a public .key file and a private .private file. you have to add the public .key files, which contain the DNSKEY records, to the zonefile. 
the following will do this:<br \/>\n# <span style=\"color: #134173;\">for key in Kexample.com*.key<\/span><br \/>\n<span style=\"color: #134173;\">do<\/span><br \/>\n<span style=\"color: #134173;\">echo &#8220;\\$INCLUDE $key&#8221; &gt;&gt; example.com.zone<\/span><br \/>\n<span style=\"color: #134173;\">done<\/span><\/p>\n<span id=\"Signing\"><h3><strong>Signing<\/strong><\/h3><\/span>\n<p>sign the zone<br \/>\n# <span style=\"color: #134173;\">dnssec-signzone -A -3 $(head -c 1000 \/dev\/urandom | sha256sum | cut -b 1-16) -N INCREMENT -o example.com -t example.com.zone<\/span><\/p>\n<span id=\"Restart\"><h3><strong>Restart<\/strong><\/h3><\/span>\n<p># <span style=\"color: #134173;\">\/etc\/init.d\/bind9 restart<\/span><\/p>\n<span id=\"Testing\"><h3><strong>Testing<\/strong><\/h3><\/span>\n<p># <span style=\"color: #134173;\">dig DNSKEY example.com. @localhost +multiline<\/span><br \/>\nif everything went right you should see the two keys. if not, you have done something wrong.<\/p>\n<p>some good DNSSEC testing sites:<br \/>\n<a href=\"https:\/\/dnssec-analyzer.verisignlabs.com\/\" target=\"_blank\" rel=\"noopener\">https:\/\/dnssec-analyzer.verisignlabs.com\/<\/a><br \/>\n<a href=\"http:\/\/dnsviz.net\/\" target=\"_blank\" rel=\"noopener\">http:\/\/dnsviz.net\/<\/a><br \/>\n<a href=\"https:\/\/mxtoolbox.com\/DNSKey.aspx\" target=\"_blank\" rel=\"noopener\">https:\/\/mxtoolbox.com\/DNSKey.aspx<\/a><\/p>\n<span id=\"Registrar\"><h3><strong>Registrar<\/strong><\/h3><\/span>\n<p>when we ran the dnssec-signzone command, a file named dsset-example.com. was created apart from the .signed zone file; it contains the DS records.<br \/>\n# <span style=\"color: #134173;\">cat dsset-example.com.<\/span><br \/>\ngo to the registrar of your domain and enter those DS records<\/p>\n<span id=\"Update_zone_files\"><h3><strong>Update zone files<\/strong><\/h3><\/span>\n<ol>\n<li>make changes to the 
example.com.zone file<\/li>\n<li># <span style=\"color: #134173;\">rndc freeze example.com<\/span><\/li>\n<li>delete all example.com.zone.signed* files (I have not found another way)<\/li>\n<li>re-sign the zone<br \/>\n# <span style=\"color: #134173;\">dnssec-signzone -A -3 $(head -c 1000 \/dev\/urandom | sha256sum | cut -b 1-16) -N INCREMENT -o example.com -t example.com.zone<\/span><\/li>\n<li># <span style=\"color: #134173;\">rndc reload example.com<\/span><\/li>\n<li># <span style=\"color: #134173;\">rndc thaw example.com<\/span><\/li>\n<\/ol>\n<span id=\"Subdomains\"><h3><strong>Subdomains<\/strong><\/h3><\/span>\n<p>&#8230;are automatically signed with your domain<\/p>\n<span id=\"Troubleshooting\"><h3><strong>Troubleshooting<\/strong><\/h3><\/span>\n<p>if you get an error like:<br \/>\n<span style=\"color: #800000;\">No response was received until the UDP payload size was decreased, indicating that the server might be attempting to send a payload that exceeds the path maximum transmission unit (PMTU) size. 
<\/span><br \/>\non <a href=\"http:\/\/dnsviz.net\/\" target=\"_blank\" rel=\"noopener\">dnsviz.net<\/a>, and you have a firewall like pfsense in front of the dns-server, try to disable scrubbing:<br \/>\n<span style=\"color: #134173;\">Disable Firewall Scrub (Disables the PF scrubbing option which can sometimes interfere with NFS traffic.)<\/span><br \/>\nanother solution, with pfsense, is here: <a href=\"https:\/\/melkfl.es\/article\/2018\/07\/edns\/\" target=\"_blank\" rel=\"noopener\">https:\/\/melkfl.es\/article\/2018\/07\/edns\/<\/a><br \/>\nanother option, as a last resort, is to reduce the UDP packet size in bind&#8217;s named.conf.options<br \/>\n# <span style=\"color: #134173;\">vi \/etc\/bind\/named.conf.options<\/span><br \/>\nadd<br \/>\n<span style=\"color: #134173;\">edns-udp-size 512;<\/span><br \/>\n<span style=\"color: #134173;\">max-udp-size 512;<\/span><\/p>\n<p>If you like this write-up or I missed something, please let me know.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Please use this writeup only for bind versions before 9.9.0! 
Since this version it is much easier to configure dnssec: https:\/\/kb.isc.org\/docs\/aa-00626 Since I needed hours to configure dnssec (because of one little failure), I made here a little write-up (in &hellip; <a href=\"https:\/\/thebc.ch\/blog\/?p=6268\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,5,13],"tags":[454,461,446,460,456,457,455,462,459,463],"class_list":["post-6268","post","type-post","status-publish","format-standard","hentry","category-debian","category-linux","category-security","tag-bind","tag-bind-9-11","tag-debian","tag-debian-10-1","tag-dns","tag-dnskey","tag-dnssec","tag-ds-record","tag-named","tag-pfsense"],"_links":{"self":[{"href":"https:\/\/thebc.ch\/blog\/index.php?rest_route=\/wp\/v2\/posts\/6268","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thebc.ch\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thebc.ch\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thebc.ch\/blog\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/thebc.ch\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6268"}],"version-history":[{"count":53,"href":"https:\/\/thebc.ch\/blog\/index.php?rest_route=\/wp\/v2\/posts\/6268\/revisions"}],"predecessor-version":[{"id":6492,"href":"https:\/\/thebc.ch\/blog\/index.php?rest_route=\/wp\/v2\/posts\/6268\/revisions\/6492"}],"wp:attachment":[{"href":"https:\/\/thebc.ch\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6268"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thebc.ch\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6268"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thebc.ch\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags
&post=6268"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}