DNSSEC joys

So I finally got time to look into having my own DNS zones signed. However Joker.com doesn't allow for doing this yet - at least not if you're running the DNS yourself. So after having been vaguely disappointed - I found out that I was in luck with my Danish domains, as DK-Hostmaster actually has already implemented this. Since this turned out involving quite a bit of reading - I decided to document it, should someone else want to join this bandwagon of higher security with DNS. I'm only using stock packages already available for CentOS - and the version of Bind I'm using is 9.7.0P2. Lastly, in my example the zone I'll be signing is perlpimp.dk.

First we need to create two keys (I've chosen for simplicity to keep my key files along the zone files in /var/named/chroot/var/named/masters - as I'm using the chrooted installation of Bind)
dnssec-keygen -a RSASHA256 -b 2048 -n ZONE -f KSK perlpimp.dk
dnssec-keygen -a RSASHA256 -b 1024 -n ZONE perlpimp.dk

Next we need to make sure that Bind is sporting support for DNSSEC by altering the options section of named.conf

options { 
... dnssec-enable yes; dnssec-validation yes; dnssec-lookaside auto; };

After having generated the keys - they must be included in the top of the zone file right before the SOA statement
$include Kperlpimp.dk.+008+10924.key
$include Kperlpimp.dk.+008+26376.key

Naturally we need to increase the serial number - especially if you've got slave servers AXFRing down the zone.

For the signing of the zone we use dnssec-signzone
dnssec-signzone perlpimp.dk

This will create the file named perlpimp.dk.signed, which you must point Bind towards in the "file" statement for the zone.

After this we reload named to ensure that it's loaded the newly signed zone correctly, and that it's pushed to its slaves.

To find the right file to run through dnssec-dsfromkey to get the entry DK-Hostmasters system needs for the .dk-zone, we'll grep the zone keys
grep "DNSKEY 257" Kperlpimp.dk.+*key

This will produce the output (scrambled because of obvious security reasons)
Kperlpimp.dk.+008+10924.key:perlpimp.dk. IN DNSKEY 257 X X XXXXXXX XXXXX=

So we now know that it's the file named Kperlpimp.dk.+008+10924.key we need to run through dnssec-dsfromkey.

[root@termite masters]# dnssec-dsfromkey Kperlpimp.dk.+008+10924.key 
perlpimp.dk. IN DS YYYYY 8 1 CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
perlpimp.dk. IN DS YYYYY 8 2 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXX

The two sections blanked out by X'es we'll join together, and this makes up the hash value we need to put into the DK-Hostmasters webinterface. On how to put these values into their webinterface I'll refer to DNSSEC DK-Hostmaster guide, but mention that the YYYYY found in the previous output maps to their field "Nøgle ID" / "Key ID" and the concatenated X'es goes in their "Hash" field.

After completing this step - feel free to make some coffee, watch an episode of your favorite show, etc - as you'll now have to wait for the changes to propagate into the .dk-zone.

Finally we'll be able to verify that the zone now is properly signed - by using the debugger the guys over at Verisign Labs created.

| | 2016-11-23 01:56:26 | DNSSEC joys, part two |

I've used a few minutes this evening to research the status of DNSSEC DS records for .net with Joker.com as the registrar. It turns out that for .org you need to send them an email (using their support system), which I've tried doing with my .net domain now. I'm still waiting for a reply from them, but according to what I've managed to find out, they should process the request within three working days. I'll be sure to publish an update when I receive any sort of reply from them.

The format to use according to what I've been able to dig up is (use the reference below in the post for the values to extract from dnssec-dsfromkey):
ds-1-alg:T
ds-1-digest:CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
ds-1-digest_type:O
ds-1-keytag:YYYYY
ds-2-alg:Q
ds-2-digest:BXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
ds-2-digest_type:Z
ds-2-keytag:YYYYY
In the mean time, I've decided to swap out my perlpimp.dk for perlpimp.net, which I got from Go Daddy for practically a steal! The reason being that I've wanted to for a while, and they have excellent support or most of the domains one'd want to use with DNSSEC, except for the most of the ccTLD ones. They've even published a nice guide for setting it up - and it genuinely just works!

In the spirit of my previous guide - I'll quickly recap using the previous example, what one has to put in what fields in their interface.
root@termite masters]# dnssec-dsfromkey Kperlpimp.dk.+008+10924.key
perlpimp.dk. IN DS YYYYY T O CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
perlpimp.dk. IN DS YYYYY Q Z XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXX

In the Go Daddy interface fill in the fields using the fields mapped to values in the above example output from dnssec-dsfromkey

Key Tag: YYYYY
Algorithm: Q
Digest Type: Z
Digest: All the X'es concatenated

| | 2016-11-23 01:59:11 | DNSSEC joys, part three |

Today I received an email from Joker.com support, which stated, that the formular I'd used to request DS records to be put in my zone unixpimps.net, was put in place. After confirming it with "dig" it is indeed there - and according to the the DNSSEC debugger - it works! So it turns out Joker.com does indeed support this fully in their backend. This also means that I can conclude my setup of DNSSEC for all my domains, and simply sit back - and enjoy that I've done my part to make the internet more secure.

Show Comments