My own personal ramblings, epiphanies, odd bits of code, and other things worth sharing

So I finally got time to look into having my own DNS zones signed. However doesn't allow for doing this yet - at least not if you're running the DNS yourself. So after having been vaguely disappointed, I found out that I was in luck with my Danish domains, as DK-Hostmaster has actually already implemented this. Since this turned out to involve quite a bit of reading, I decided to document it, should someone else want to join this bandwagon of higher security with DNS. I'm only using stock packages already available for CentOS, and the version of Bind I'm using is 9.7.0-P2. Lastly, in my example the zone I'll be signing is

First we need to create two keys, a key-signing key (KSK) and a zone-signing key (ZSK). (I've chosen for simplicity to keep my key files alongside the zone files in /var/named/chroot/var/named/masters, as I'm using the chrooted installation of Bind.) The zone name goes as the last argument to dnssec-keygen, which for each key writes a K<zone>.+<algorithm>+<keytag>.key file (the public DNSKEY record in zone file syntax) and a matching .private file. The .private files are the only secret material in this whole exercise; keep them readable only by the user doing the signing, and never copy them to the slaves.
dnssec-keygen -a RSASHA256 -b 2048 -n ZONE -f KSK
dnssec-keygen -a RSASHA256 -b 1024 -n ZONE

Two caveats: on a headless server dnssec-keygen can block for a long time waiting for entropy from /dev/random (it accepts -r /dev/urandom if that is acceptable to you), and a 1024-bit ZSK was common practice in 2011 but is no longer considered adequate, so use at least 2048 bits for both keys today.

Next we need to make sure that Bind has DNSSEC support switched on by altering the options section of named.conf:

options {
    ...
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;
};

Of these, dnssec-enable is the one that matters for serving a signed zone; dnssec-validation and dnssec-lookaside only affect what named does when it acts as a validating resolver. dnssec-lookaside auto points at ISC's DLV registry, which has since been shut down, so leave that line out on anything newer than the 9.7 setup described here.

After having generated the keys, their public halves must be included at the top of the zone file, right before the SOA statement. The simplest way is a $INCLUDE line for each .key file (they are already in zone file syntax), so that the two DNSKEY records end up at the zone apex.

Naturally we need to increase the serial number, especially if you've got slave servers that AXFR the zone from this master; with an unchanged serial they will never pick up the signed zone.

For the signing of the zone we use dnssec-signzone

This will create the signed zone file (by default the input file name with .signed appended), which you must point Bind towards in the "file" statement for the zone. Note that the signatures it produces have a limited lifetime (30 days from signing unless you change it with -e), so this step has to be repeated before they expire, e.g. from cron. A zone whose RRSIGs have expired is treated as bogus by validating resolvers, which is worse than not being signed at all.

After this we reload named (rndc reload) to ensure that it has loaded the newly signed zone correctly, and that it's pushed to its slaves. Check the log for load errors, and verify with dig that the slaves now answer with DNSKEY and RRSIG records before moving on to the next step.

To find the right file to run through dnssec-dsfromkey to get the entry DK-Hostmaster's system needs for the .dk zone, we grep the zone keys for the KSK (flags value 257, i.e. the zone key bit plus the Secure Entry Point bit; the ZSK has 256):
grep "DNSKEY 257" *.key

This will produce output like the following (scrambled by the author, though the blanked-out fields after 257 correspond to protocol 3, algorithm 8 and the base64 public key, none of which is actually secret, since the whole record is published in DNS) IN DNSKEY 257 X X XXXXXXX XXXXX=

Because grep prefixes each match with its file name when given more than one file, we now know which key file we need to run through dnssec-dsfromkey.


The two sections blanked out by X's we'll join together, and this makes up the hash value we need to put into DK-Hostmaster's web interface (dnssec-dsfromkey prints the DS digest with a space in the middle, which is only presentation; the digest is one hex string). On how to put these values into their web interface I'll refer to the DNSSEC DK-Hostmaster guide, but mention that the YYYYY found in the previous output, i.e. the key tag, which also appears in the key's file name, maps to their field "Nøgle ID" / "Key ID", and the concatenated X's go in their "Hash" field.
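As an added example (my own code, not from the original post and not BIND's), here is what dnssec-dsfromkey actually computes from that DNSKEY line, so you can check the values before typing them into the registry form: the RFC 4034 key tag, which is the "Key ID", and the SHA-1 and SHA-256 digests over the canonical owner name plus the DNSKEY RDATA (RFC 4034 section 5.1.4 and RFC 4509), one of which is the "Hash". The zone name example.dk and the four-byte "public key" are constructed placeholders, not a real key, and the assumption that the registry form takes plain DS parameters is mine.

```python
"""Added example: derive key tag and DS records from a DNSKEY RR,
the way dnssec-dsfromkey does. Not code from the original post or from BIND."""
import base64
import hashlib

# Constructed sample: a KSK record as dnssec-keygen writes it into
# K<zone>.+008+<keytag>.key. The "public key" is a 4-byte dummy, not real RSA.
SAMPLE_KSK = "example.dk. IN DNSKEY 257 3 8 AQOrzQ=="


def parse_dnskey(rr_text):
    """Split a DNSKEY RR in zone-file syntax into its parts.

    Returns (owner, flags, protocol, algorithm, pubkey_bytes). TTL and class
    are optional, and the base64 key may be split over several whitespace
    separated chunks or wrapped in parentheses, as BIND sometimes prints it.
    """
    tokens = rr_text.replace("(", " ").replace(")", " ").split()
    idx = tokens.index("DNSKEY")
    owner = tokens[0]
    flags, protocol, algorithm = (int(t) for t in tokens[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(tokens[idx + 4:]))
    return owner, flags, protocol, algorithm, pubkey


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """Wire-format RDATA of the DNSKEY record (RFC 4034 section 2.1)."""
    return bytes([flags >> 8, flags & 0xFF, protocol, algorithm]) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (valid for every algorithm except RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def canonical_wire_name(owner):
    """Owner name in canonical wire form (RFC 4034 section 6.2): lowercase,
    length-prefixed labels, terminated by the empty root label."""
    out = b""
    for label in owner.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def is_ksk(flags):
    """257 = Zone Key (256) + Secure Entry Point (1); the ZSK only has 256."""
    return flags & 0x0101 == 0x0101


def ds_records(rr_text):
    """DS records for a DNSKEY as dnssec-dsfromkey prints them, one per digest
    type: digest = H(canonical owner name || DNSKEY RDATA)."""
    owner, flags, protocol, algorithm, pubkey = parse_dnskey(rr_text)
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    tag = key_tag(rdata)
    material = canonical_wire_name(owner) + rdata
    out = []
    for digest_type, h in ((1, hashlib.sha1), (2, hashlib.sha256)):
        digest = h(material).hexdigest().upper()
        out.append(f"{owner} IN DS {tag} {algorithm} {digest_type} {digest}")
    return out


def registry_fields(rr_text, digest_type=2):
    """Values for a parent-zone form that takes DS parameters (assumed here
    to be what DK-Hostmaster's "Key ID" / "Hash" fields are)."""
    owner, flags, protocol, algorithm, pubkey = parse_dnskey(rr_text)
    if not is_ksk(flags):
        raise ValueError("only the KSK (flags 257) belongs in the parent's DS")
    ds = ds_records(rr_text)[digest_type - 1].split()
    return {"key_id": int(ds[3]), "algorithm": int(ds[4]),
            "digest_type": int(ds[5]), "hash": ds[6]}


if __name__ == "__main__":
    for line in ds_records(SAMPLE_KSK):
        print(line)
    print(registry_fields(SAMPLE_KSK))
```

If you compare its output with dnssec-dsfromkey's, remember that BIND prints the digest with a space in the middle; remove the space before comparing or pasting. Where the registry accepts it, prefer the SHA-256 variant (digest type 2) over SHA-1.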

After completing this step, feel free to make some coffee, watch an episode of your favorite show, etc., as you'll now have to wait for the changes to propagate into the .dk zone. Until the DS record is published in .dk, the zone is signed but not yet part of the chain of trust, so validators simply treat it as insecure rather than secure. One thing to get right before that happens: every authoritative server, slaves included, must already be serving the signed zone, otherwise validating resolvers that hit an unsigned copy will return SERVFAIL for your domain.

Finally we'll be able to verify that the zone is now properly signed, by using the DNSSEC debugger the guys over at Verisign Labs created. A quick local check is to query a validating resolver with dig +dnssec and confirm that the AD flag is set in the answer, and to look up the DS record for the zone in .dk to confirm that it matches the KSK.
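Getting the zone signed is the easy part; the way this setup usually breaks later is that nobody re-runs dnssec-signzone and the RRSIGs expire, at which point every validating resolver returns SERVFAIL for the domain. As an added example (my own code, not from the original post and not BIND's), here is a check to run from cron against the .signed file: it parses the multi-line format dnssec-signzone writes, finds the earliest RRSIG expiration and reports how many days remain. The zone text, key tag and signature data in it are constructed for the example.

```python
"""Added example: warn when the RRSIGs in a dnssec-signzone output file are
about to expire. Not code from the original post or from BIND."""
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout dnssec-signzone writes; the signatures are
# dummy base64 and the key tag 45273 is a placeholder.
SAMPLE_SIGNED_ZONE = """\
example.dk.\t\t86400\tIN SOA\tns1.example.dk. hostmaster.example.dk. (
\t\t\t\t2011110201 ; serial
\t\t\t\t3600 1800 1209600 86400 )
example.dk.\t\t86400\tRRSIG\tSOA 8 2 86400 (
\t\t\t\t20111202120000 20111102110000 45273 example.dk.
\t\t\t\tc2lnbmF0dXJlLWRhdGEtZm9yLXRoZS1leGFtcGxl )
example.dk.\t\t86400\tNS\tns1.example.dk.
example.dk.\t\t86400\tRRSIG\tNS 8 2 86400 (
\t\t\t\t20111125120000 20111102110000 45273 example.dk.
\t\t\t\tc2lnbmF0dXJlLWRhdGEtZm9yLXRoZS1leGFtcGxl )
example.dk.\t\t3600\tDNSKEY\t257 3 8 AQOrzQ==
example.dk.\t\t3600\tRRSIG\tDNSKEY 8 2 3600 (
\t\t\t\t20111202120000 20111102110000 45273 example.dk.
\t\t\t\tc2lnbmF0dXJlLWRhdGEtZm9yLXRoZS1leGFtcGxl )
"""


def iter_records(zone_text):
    """Yield each logical record as a token list, joining lines inside ( ) and
    stripping ; comments. Sufficient for dnssec-signzone output, which never
    puts ; or parentheses inside quoted strings."""
    buf, depth = [], 0
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth <= 0:
            record = " ".join(buf).split()
            buf, depth = [], 0
            if record:
                yield record


def parse_rrsig_time(text):
    """RRSIG times are YYYYMMDDHHmmSS in UTC (RFC 4034 section 3.2); the
    numeric seconds-since-epoch form is also allowed, so accept both."""
    if len(text) == 14:
        return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(text), tz=timezone.utc)


def rrsig_expirations(zone_text):
    """Return [(type_covered, key_tag, expiration)] for every RRSIG in the zone."""
    out = []
    for rec in iter_records(zone_text):
        if "RRSIG" not in rec:
            continue
        i = rec.index("RRSIG")
        # RDATA: type-covered alg labels orig-ttl expiration inception keytag signer sig
        type_covered, expiration, key_tag = rec[i + 1], rec[i + 5], int(rec[i + 7])
        out.append((type_covered, key_tag, parse_rrsig_time(expiration)))
    return out


def days_until_earliest_expiry(zone_text, now):
    """(type covered, days left) for the signature that expires first."""
    expirations = rrsig_expirations(zone_text)
    if not expirations:
        raise ValueError("no RRSIG records found: is this really the signed file?")
    type_covered, _, expiration = min(expirations, key=lambda e: e[2])
    return type_covered, (expiration - now) / timedelta(days=1)


def needs_resign(zone_text, now, min_days=7):
    """True when any signature expires within min_days: time to run dnssec-signzone."""
    return days_until_earliest_expiry(zone_text, now)[1] < min_days


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SIGNED_ZONE
    now = datetime.now(timezone.utc)
    rtype, days = days_until_earliest_expiry(text, now)
    print(f"earliest RRSIG expiry: {rtype} in {days:.1f} days")
    sys.exit(1 if needs_resign(text, now) else 0)
```

Run it with the path to the .signed file and let cron mail you on a non-zero exit; a 7-day margin leaves room to notice and fix a broken signing job before the zone goes dark, but size it to your slaves' refresh interval and the zone's TTLs.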

November 02, 2011 in #Configs