DNSSEC - How to Sign your .gov Zone

Much of the DNSSEC documentation is based on NIST Special Publication 800-81 Rev 1, Secure Domain Name System Deployment Guide.

The first step to signing a DNS zone is to create the key signing key (KSK) and the zone signing keys (ZSKs).

PREFERRED OPTION (Option A): NSEC3 Zone Signing (hashes child names to restrict enumeration)

dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 2048 -n ZONE official.gov
dnssec-keygen -a NSEC3RSASHA1 -b 2048 -e -n ZONE official.gov
dnssec-keygen -a NSEC3RSASHA1 -b 2048 -e -n ZONE official.gov

When the commands finish, they will return a line like this for each keygen operation:

Kofficial.gov.+007+56487 (this is the Key Signing Key because of the -f KSK option; it becomes the trusted key)
Kofficial.gov.+007+62648
Kofficial.gov.+007+72348

OPTION B: NSEC Zone Signing - Less Secure, allows zone enumeration

dnssec-keygen -f KSK -a RSASHA1 -b 2048 -n ZONE official.gov
dnssec-keygen -a RSASHA1 -b 2048 -e -n ZONE official.gov
dnssec-keygen -a RSASHA1 -b 2048 -e -n ZONE official.gov

When the commands finish, they will return a line like this for each keygen operation:

Kofficial.gov.+005+56487 (this is the Key Signing Key because of the -f KSK option; it becomes the trusted key)
Kofficial.gov.+005+62648
Kofficial.gov.+005+72348

Note that two files are returned for each key created: the public key (with the .key extension) and the private key (with the .private extension). Include the public key (the .key file) in the zone file. Also note that the KSK will be used to sign your zone file, and the public KSK will become the trusted key used to validate official.gov. Protect the private keys by keeping them offline and signing the zone offline.

Here is a sample zone file for the official.gov zone:

$TTL 38400 ; default TTL for records that do not carry their own
@ IN SOA ns1.official.gov. dnsadm.official.gov. (
        2009010501 ; serial number (manually increment this number prior to each signing)
        10800      ; refresh period (3 hours)
        3600       ; retry refresh this often (1 hour)
        604800     ; expiration period (1 week)
        38400 )    ; minimum Time To Live (TTL) (10 hours 40 minutes)
@ IN NS ns.official.gov.
ns IN A 192.168.1.1
$INCLUDE Kofficial.gov.+007+56487.key ; key signing key
$INCLUDE Kofficial.gov.+007+62648.key ; zone signing key
$INCLUDE Kofficial.gov.+007+72348.key ; pre-published zone signing key

With the Option A keys included in the zone file, we are ready to sign the zone with NSEC3 using the dnssec-signzone tool:

dnssec-signzone -a -N increment -H 10 -3 bbab -k Kofficial.gov.+007+56487 -o official.gov -e +7776000 official.gov Kofficial.gov.+007+62648

Here -a verifies the generated signatures, -N increment raises the SOA serial, -H 10 and -3 bbab set the NSEC3 iteration count and salt, -k names the KSK, and -e +7776000 sets the signature expiry to 7776000 seconds (90 days) from now.

Or, with the Option B keys included in the zone file, we are ready to sign the zone with NSEC using the dnssec-signzone tool:

dnssec-signzone -a -N increment -k Kofficial.gov.+005+56487 -o official.gov -e +7776000 official.gov Kofficial.gov.+005+62648

The -o option is not necessary if the zone name and file name are identical, but it is included here for clarity. The signed zone, official.gov.signed, is the new zone file that should be referenced in named.conf:
zone "official.gov" {
type master;
file "official.gov.signed";
};
Next, add the following directive to the options statement in named.conf:
options {
...
...
dnssec-enable yes;
};
Next, restart the nameserver with the following command:

/etc/init.d/named restart

In our final step, upload the auto-generated dsset-official.gov. file to www.dotgov.gov to enable Basic DNSSEC service. Optionally, upload the auto-generated keyset-official.gov. file to www.dotgov.gov to enable optional DNSSEC support.

Official.gov will need to be re-signed whenever the zone is changed or before the signatures expire. A KSK rollover will require new dssets to be uploaded into the dotgov system. Zones that have opted in to the Optional Service will not need to upload keys or dssets to www.dotgov.gov after the initial upload.

We recommend you roll your KSK by pre-publishing the new KSK in your zone at least TTL * 2 + 1 day prior to signing the zone with the new KSK.

OPTIONAL OPT-IN: KSK rollover will occur automatically at the TLD when a new KSK is found in your zone. Remember to follow the KSK and ZSK pre-publishing instructions in NIST Special Publication 800-81 and publish BOTH KSKs during rollover to ensure continued validation by name servers. Failure to publish both KSKs may cause validation errors during rollover.
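The dsset-official.gov. file uploaded above is a DS record derived from the public KSK. The following Python script is an added example, not part of this guide or of BIND: it recomputes the RFC 4034 key tag (the number in Kofficial.gov.+007+NNNNN file names) and the DS digest from a DNSKEY line, so the contents of a dsset file can be checked against the KSK's .key file before uploading. The DNSKEY shown is a constructed sample with a toy four-byte public key, not a real key.

```python
"""Recompute a DNSSEC key tag and DS record from a DNSKEY line (RFC 4034)."""
import base64
import hashlib

# Constructed sample: KSK (flags 257), protocol 3, algorithm 7 (NSEC3RSASHA1).
# The public key is base64 of the bytes 01 02 03 04, far too short to be real.
SAMPLE_DNSKEY = "official.gov. IN DNSKEY 257 3 7 AQIDBA=="


def wire_name(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def parse_dnskey(line):
    """Return (owner, flags, protocol, algorithm, pubkey) from one .key file line."""
    fields = line.split()
    i = fields.index("DNSKEY")           # tolerates an optional TTL/class prefix
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    return fields[0], flags, proto, alg, pubkey


def dnskey_rdata(flags, proto, alg, pubkey):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key."""
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (the TAG in Kzone.+ALG+TAG file names)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(line, digest_type=2):
    """DS record text: digest over owner wire name || DNSKEY RDATA.

    digest_type 1 = SHA-1, 2 = SHA-256, as written into dsset-<zone>. files.
    """
    owner, flags, proto, alg, pubkey = parse_dnskey(line)
    rdata = dnskey_rdata(flags, proto, alg, pubkey)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(wire_name(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {alg} {digest_type} {digest}"


if __name__ == "__main__":
    print(ds_record(SAMPLE_DNSKEY, 1))
    print(ds_record(SAMPLE_DNSKEY, 2))
```

If the tag printed here does not match the number in the KSK's file name, the wrong .key file was included in the zone.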