
In the previous two blogs (1st part, 2nd part) I explained how to set up NSD as the primary DNS server and BIND as the secondary. Now let's see how we can implement DNSSEC with it.

1. You can put all the keys in a single folder, but for clarity I keep the pieces in 4 folders:
ZONES: all unsigned zone files, SIGNED: all signed zone files, ZSK: all ZSK keys, KSK: all KSK keys
ZONES is the directory that already holds the unsigned zone files from the earlier setup; create the other three:
sudo mkdir /etc/nsd/SIGNED /etc/nsd/KSK /etc/nsd/ZSK

2. Time to install ldns, an NLnet Labs project:
sudo apt-get install ldnsutils

3. Create the ZSK in /etc/nsd/ZSK:
cd /etc/nsd/ZSK
sudo ldns-keygen -a RSASHA1_NSEC3 -b 1024 ssh.com.bd

Create the KSK in /etc/nsd/KSK:
cd /etc/nsd/KSK
sudo ldns-keygen -a RSASHA1_NSEC3 -b 2048 -k ssh.com.bd

These are the parameters this setup was originally built with. Be aware that RSASHA1_NSEC3 (algorithm 7) relies on SHA-1 and is no longer recommended for signing (RFC 8624), and a 1024-bit RSA ZSK is below today's minimum. On a current ldns prefer -a ECDSAP256SHA256 (algorithm 13, no -b needed) or RSASHA256 with at least 2048 bits for both keys; ldns-keygen -a list shows the algorithms your build supports.

ldns-keygen prints the base name of the new key (Kssh.com.bd.+<alg>+<keytag>) and creates 3 files: a .key file with the public DNSKEY record, a .private file with the private key data, and a .ds file with the DS record of that DNSKEY (the DS you will hand to the parent is the KSK's).

4. Edit /etc/nsd/nsd.conf so NSD loads the signed zones. Zone file paths are relative to zonesdir, so change it to the SIGNED folder:
zonesdir: "/etc/nsd/SIGNED"

and point the zone at the signed file:

zone:
    name: "ssh.com.bd"
    zonefile: "ssh.com.bd.zone.signed"

5. Now use ldns-signzone to sign ssh.com.bd and write a new file ready for DNSSEC queries. The key arguments are the base names printed by ldns-keygen (no extension); the key tags below (22704 and 04664) are from my run and will differ on yours:

sudo ldns-signzone -f /etc/nsd/SIGNED/ssh.com.bd.zone.signed \
/etc/nsd/ZONES/ssh.com.bd.zone \
/etc/nsd/KSK/Kssh.com.bd.+007+22704 \
/etc/nsd/ZSK/Kssh.com.bd.+007+04664

This creates the signed zone file under /etc/nsd/SIGNED. Two things to know: without -n ldns-signzone generates NSEC records, so add -n if you want NSEC3 (the reason for choosing the _NSEC3 algorithm in the first place); and the RRSIGs have a finite lifetime, four weeks by default (set explicitly with -e YYYYMMDDhhmmss). Every time the zone changes, and in any case before the signatures expire, you must re-sign and reload, or validating resolvers will start returning SERVFAIL for the zone.

6. Reload NSD (nsd-control reload on NSD 4, or restart the service); now the zone ssh.com.bd is served with DNSSEC signatures.

7. To complete the chain of trust you need to publish your DS record in the parent zone, which you do through your registrar. Do this only after every authoritative server (including the BIND secondary, which must have transferred the signed zone) is serving the signed data, otherwise validators will see a DS with no matching DNSKEY and treat the zone as bogus. The following screenshot shows how to add the DS record at GoDaddy.



8. Now test DNSSEC with dig against a validating resolver. +dnssec sets the DO bit so the RRSIGs are returned; what proves validation is the ad (Authenticated Data) flag in the flags line, which the resolver only sets when the whole chain from the root down checks out. A SERVFAIL instead of an answer means the chain is broken; repeat the query with +cd to get the data anyway and inspect it. The following example is for the domain apnictraining.net:

dig @8.8.8.8 apnictraining.net +dnssec +multi

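Steps 1 to 8 above, collected into one script as an added example; this is not the original post's script or an NLnet Labs tool. It assumes the ZONES/SIGNED/KSK/ZSK layout from step 1 under $NSD_DIR, NSD 4's nsd-control, GNU date, and deliberately departs from the post in three places: ECDSAP256SHA256 (algorithm 13) instead of RSASHA1_NSEC3, NSEC3 with zero extra hash iterations (-n -t 0), and an explicit 30-day signature lifetime. The expiry check (earliest_rrsig_expiry / needs_resign) only parses the signed zone text, so it can run from cron without ldns to catch the failure mode mentioned in step 5: signatures quietly expiring.

```shell
#!/bin/sh
# Added example (not the original post's script): key generation, signing,
# verification, reload and an RRSIG-expiry check for one NSD zone with ldns.
# Assumptions beyond the post: ECDSAP256SHA256 (alg 13) instead of RSASHA1_NSEC3,
# NSEC3 with 0 extra iterations (-n -t 0), a 30-day signature lifetime, GNU date,
# NSD 4's nsd-control, and the ZONES/SIGNED/KSK/ZSK layout under $NSD_DIR.
set -eu

NSD_DIR=${NSD_DIR:-/etc/nsd}

# Generate a ZSK and a KSK for zone $1. ldns-keygen prints the key's base name
# (K<zone>.+<alg>+<keytag>); we echo them as "ksk zsk" for the caller.
dnssec_keygen() {
    zone=$1
    zsk=$(cd "$NSD_DIR/ZSK" && ldns-keygen -a ECDSAP256SHA256 "$zone")
    ksk=$(cd "$NSD_DIR/KSK" && ldns-keygen -a ECDSAP256SHA256 -k "$zone")
    echo "$ksk $zsk"
}

# Sign ZONES/<zone>.zone with the given KSK and ZSK base names into SIGNED/,
# then verify the result offline before NSD ever loads it.
dnssec_sign() {
    zone=$1 ksk=$2 zsk=$3
    unsigned=$NSD_DIR/ZONES/$zone.zone
    signed=$NSD_DIR/SIGNED/$zone.zone.signed
    expiry=$(date -u -d '+30 days' +%Y%m%d%H%M%S)   # explicit, so the re-sign cadence is known
    ldns-signzone -n -t 0 -e "$expiry" -f "$signed" \
        "$unsigned" "$NSD_DIR/KSK/$ksk" "$NSD_DIR/ZSK/$zsk"
    ldns-verify-zone "$signed"
}

# Print the earliest RRSIG expiration (YYYYMMDDHHMMSS) in signed zone file $1.
# RRSIG rdata is: type alg labels origttl EXPIRATION inception keytag signer sig,
# so we read the 5th field after the "RRSIG" token; TTL/class columns may be absent.
earliest_rrsig_expiry() {
    awk '{ for (i = 1; i <= NF; i++)
             if ($i == "RRSIG") { e = $(i + 5); if (e != "" && (min == "" || e < min)) min = e } }
         END { if (min == "") exit 1; print min }' "$1"
}

# Exit 0 when zone file $1 must be re-signed: its earliest RRSIG expires at or
# before timestamp $2 (YYYYMMDDHHMMSS, typically "now + safety margin").
# Exit 2 if the file carries no RRSIGs at all (unsigned zone or wrong file).
needs_resign() {
    earliest=$(earliest_rrsig_expiry "$1") || return 2
    awk -v e="$earliest" -v limit="$2" 'BEGIN { exit !(e + 0 <= limit + 0) }'
}

# Ask a validating resolver for the zone's SOA. The ad flag only appears when the
# whole chain (root -> TLD -> your DS -> your DNSKEY -> RRSIG) validated.
check_ad_flag() {
    dig @8.8.8.8 "$1" SOA +dnssec +multi | grep -q '^;; flags:[^;]* ad[ ;]'
}

case "${1:-}" in
sign)
    zone=$2
    set -- $(dnssec_keygen "$zone")     # $1 = KSK base name, $2 = ZSK base name
    dnssec_sign "$zone" "$1" "$2"
    nsd-control reload "$zone"
    echo "DS record (SHA-256) to publish at the registrar / RIR portal:"
    ldns-key2ds -n -2 "$NSD_DIR/KSK/$1.key"
    ;;
check)
    # Run this from cron: fail loudly when signatures expire within 7 days,
    # otherwise confirm that the public chain of trust still validates.
    zone=$2
    if needs_resign "$NSD_DIR/SIGNED/$zone.zone.signed" "$(date -u -d '+7 days' +%Y%m%d%H%M%S)"; then
        echo "RRSIGs for $zone expire within 7 days: re-sign and reload now" >&2
        exit 1
    fi
    if check_ad_flag "$zone"; then
        echo "$zone validates (ad flag set)"
    else
        echo "$zone: no ad flag (chain broken, or DS not published yet)" >&2
        exit 1
    fi
    ;;
esac
```

Usage: `sudo ./dnssec.sh sign ssh.com.bd` once (then publish the printed DS), and `./dnssec.sh check ssh.com.bd` from cron. Publishing a DS before the signed zone is on every nameserver, or letting the RRSIGs lapse, both look the same to a validator: the zone goes bogus and resolvers answer SERVFAIL, which is why the check is split from the signing.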

For a reverse zone most of the process is the same. The only difference is where the DS record goes: for a reverse zone you add it in your RIR's portal rather than at the registrar. In my case I added it in MyAPNIC.


DNSViz is a good site for checking the whole chain of trust from the root down, and it points out exactly which link (missing DS, expired RRSIG, key mismatch) is broken. The following URLs show the DNSSEC details for the forward and reverse zones:

http://dnsviz.net/d/96.125.202.in-addr.arpa/dnssec/

http://dnsviz.net/d/apnictraining.net/dnssec/