12 Nov 2015

DNSSEC with bind9

So there is recently much going on for the topic DNSSEC. It helps to prevent man-in-the-middle attacks for dns requests. Quite controversial is if dnssec is the right protocol for securing the dns requests/responses. At the moment its the only solution for this usecase and good for use. this should not mean the technology should stop here and not research further, but neither we should wait till something newer in the future is arriving.

Additionally its a base for the new protocol DANE which is very exciting and NEEDS dnssec.

With the today tools and implementation of dnssec its easy to use and maintain, which I now explain.

Requirements

What you need to get dnssec running.

  • A domain registrar which allows to deposit DS Records or the KSK Publickey in its parent zone.
  • A working bind server wich is managed by you
  • BIND version 9.9 or higher

Why BIND Version 9.9 ? Because it allows inline signing which allows you as a simple (or lazy?) admin much work.

For me it was tricky to find some swiss registrar which allows maintain the publickeys by my own.
One of the registrars which this is working over their webportal is the cool hoster Cyon. Cyon is very innovative and has implemented a lot of security features. And their support is awesome, which helped me a lot to get dnssec work.

Implement

The Blog from the Swiss Registry (switch) provides a good article for dnssec and how to use it for your own.

Creating Keys

cd /etc/bind/keys
dnssec-keygen -a RSASHA256 -b 2048 -f KSK example.com
dnssec-keygen -a RSASHA256 -b 1024 example.com

This Commands created a KSK (Key Signing Key) and a ZSK (Zone Signing Key). Later the KSK will be deposited into the parent zone. for example.com is this in into the .com zone.

If you were thinking, hey 1024 bits for a key, are you weak?!
Yes today you are right, 1024 bits for encryption is not good enough. But this key is only used for hashing for the signature and not for encrypting. also its rolled over very often and lives not long enough to break it. And this are the right values if you pay attention to the RFC standards (RFC6781).

Configuring Bind
In my case i'm running a BIND on a rasperry pi.

We will now adapt the BIND configuration file to use inline signing. We start by changing the global options section with some general settings:

options {
# look for dnssec keys here:
key-directory "/etc/bind/keys";
# only sign DNSKEY with KSK
dnssec-dnskey-kskonly yes;
# expiration time 21d, refresh period 16d
sig-validity-interval 21 16;
...
};

And configure the zone for dnssec with auto inline signing:

zone example.com {
    type master;
    file "/etc/bind/zones/db.example.com";
    # publish and activate dnssec keys
    auto-dnssec maintain;
    # use inline signing 
    inline-signing yes;
};

Well done. Now we tell bind to reload the configuration.

/usr/sbin/rndc reconfig

This should automatically sign your zone. You can check the signed zone with dig ony your authorative nameserver:

dig @localhost example.com +dnssec

In addition, the /etc/bind/zones directory now contains a signed version of your zone. Congratulations, you now have signed the example.com zone.

Thins to keep in mind

As normal you have to increment the zone serial if you are changing something on your zone records. if you reloading bind then, it signs automatically your new zone. So your Zone rollover is done automatically, but keep in mind that it is a good practice to roll over the KSK all 1 to 3 years.

If your DNSSEC breaks, all validating resolver will refuse the information from you dns server. So you should verify your changes which targets DNSSEC changes, like key rollover. This is very well explained in the switch blog entry.

Trust Anchor

Now you have to deposit your KSK or DS records of your KSK to the parent zone.

In my case this is .ch and my registrar cyon.ch takes this action for me. All I have to do is upload the DNSKEY of my KSK to the registrar.

After that you can verify it easy on some dnssec test site:

Next

You should monitor your zones to detect some problems over time.

Congratulations, now you are able to step to the next topic to setup DANE!

Next Post Previous Post

Add a comment