Configuring DNSSEC on Bind 9.8.2 on CentOS, RHEL, Ubuntu and Debian

Updated on September 3, 2017

This tutorial will help you configure DNSSEC on Bind9 (version 9.8.2) on CentOS. The same procedure also works on Red Hat Enterprise Linux Server, Ubuntu and Debian. I’ll be covering how to enable DNSSEC on your authoritative name servers, create keys, sign zones, add trust anchors using DNSSEC Lookaside Validation (DLV) and test the result.

If you are new to Bind configuration, check out this guide to learn about BIND configuration. If you are not sure what DNSSEC is and why you should enable it, click here.

Disclaimer: I’m sharing the procedure that I learnt and tried out on my testbed, and there is no guarantee that it will work in your environment. However, you may try it out on your testbed before configuring it right away on your production systems.

Shall we move ahead?

Get your DNS environment ready with Bind configuration.

As this tutorial is about DNSSEC on Bind, make sure you have a working Bind environment ready. To install and configure Bind, follow this simple guide.

Prerequisites:

Step 1: Download and install the dnssec-tools package. We’ll use this package to sign your zones.

$wget http://www.dnssec-tools.org/download/dnssec-tools-2.0.tar.gz
$tar xvzf dnssec-tools-2.0.tar.gz
$cd dnssec-tools-2.0

On Debian and Ubuntu, you may install it via apt-get.

$apt-get install dnssec-tools

Step 2: Enable DNSSEC, Validation and Lookaside

$vi /etc/named.conf

However, the path of named.conf might vary in your environment; look for it at /etc/named/named.conf or /var/named/named.conf.

Look for the ‘options’ directive in named.conf. If you don’t find it there, you may find it in the named.options file. Either way, it does not make any difference.

Under the options directive, set the attributes below.

dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;

Ok! This is what my options directive looks like:

options {
    listen-on port 53 { 10.180.1.115; };
    listen-on-v6 port 53 { ::1; };
    version "not currently available";
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { any; };
    recursion no;
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
};

bindkeys-file: This line is required only if the bind keys are located in a different location. We’ll come back to it later.

dnssec-lookaside auto: This setting tells Bind to read the DLV (DNSSEC Lookaside Validation) key from bind.keys the first time it starts. The current DLV key is the dlv.isc.org key.

To understand it better: to create a chain of trust, the entire DNS path from the root zone down to your own zone must be signed. For example, consider the domain techglimpse.com: the chain runs from the root zone through .com to techglimpse.com, so .com must be signed and then the techglimpse.com zone itself must be signed. But not all Top Level Domains (TLDs) are signed (at the time of writing this article). If the parent is not signed, the trust chain is broken and you cannot use the root zone’s key as the trust anchor in your BIND configuration.

That is the reason DNSSEC Lookaside Validation (DLV) was introduced. It is an alternative repository of trusted keys, where you can submit your zone keys if there is no fully signed path from the root zone down to your own zone. The functional DLV registry is dlv.isc.org. By default the root zone key and the dlv.isc.org key are included in /etc/named.iscdlv.key, and that path is the value of the bindkeys-file attribute in the options directive. If you don’t find this automatically in named.conf or named.options, update your bind package (yum install bind on CentOS/RHEL, apt-get install bind9 on Debian/Ubuntu) and check again.

Learn more about the DLV registry:
DLV Solution by ISC: https://www.isc.org/solutions/dlv
DLV Background: https://dlv.isc.org/about/background
Status of TLDs signed: http://stats.research.icann.org/dns/tld_report/

dnssec-validation auto: This option is available only from Bind 9.8 and 9.9 onward. Bind 9.7 does not support the auto option for dnssec-validation; instead we use dnssec-validation yes;, which means the root zone key isn’t loaded automatically. To solve this, we can use the bind.keys file.

$more bind.keys
managed-keys {
        # ISC DLV: See https://www.isc.org/solutions/dlv for details.
        # NOTE: This key is activated by setting "dnssec-lookaside auto;"
        # in named.conf.
        dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
                brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
                1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
                ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
                Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
                QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
                TDN0YUuWrBNh";

        # ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml
        # for current trust anchor information.
        # NOTE: This key is activated by setting "dnssec-validation auto;"
        # in named.conf.
        . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
                FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
                bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
                X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
                W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
                Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
                QxA+Uk1ihz0=";
};

Then include bind.keys in named.conf or named.options.

include "/etc/bind/bind.keys";

Note: check the correct path of bind.keys on your system.
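Before restarting named it is worth checking that the three directives from this step really ended up in the options block. The script below is an added example, not part of the original tutorial or of BIND: it reads a named.conf with sed/awk, reports the value of each directive, and returns non-zero when one is missing or wrong, so it can gate the restart. The two sample configs it writes to temporary files are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: audit a named.conf for the
# three DNSSEC directives set in Step 2 before restarting named.
# The two sample configs written below are constructed for this demo.

# Print the value of the first occurrence of a named.conf option, with any
# trailing ';' removed. Single-line "#" and "//" comments are ignored;
# multi-line /* */ comments are not handled.
named_option() {   # $1 = config file, $2 = option name
    sed -e 's|//.*||' -e 's|#.*||' "$1" |
        awk -v opt="$2" '$1 == opt { v = $2; sub(/;.*/, "", v); print v; exit }'
}

# Exit status 0 when dnssec-enable is "yes", dnssec-validation is "yes" or
# "auto", and dnssec-lookaside is "auto"; otherwise print what is wrong and
# return 1 so the check can gate a restart.
check_dnssec_options() {
    f="$1"; rc=0
    v=$(named_option "$f" dnssec-enable)
    [ "$v" = yes ] || { echo "dnssec-enable is '${v:-unset}', expected yes"; rc=1; }
    v=$(named_option "$f" dnssec-validation)
    case "$v" in
        yes|auto) ;;
        *) echo "dnssec-validation is '${v:-unset}', expected yes or auto"; rc=1 ;;
    esac
    v=$(named_option "$f" dnssec-lookaside)
    [ "$v" = auto ] || { echo "dnssec-lookaside is '${v:-unset}', expected auto"; rc=1; }
    return $rc
}

# Constructed sample: the options block from the tutorial, trimmed.
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
options {
    directory "/var/named";
    recursion no;
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;   // read the dlv.isc.org key from bind.keys
    bindkeys-file "/etc/named.iscdlv.key";
};
EOF

# Constructed sample: DNSSEC switched on but validation left off and no lookaside.
BAD_CONF=$(mktemp)
cat > "$BAD_CONF" <<'EOF'
options {
    directory "/var/named";
    dnssec-enable yes;
    dnssec-validation no;
};
EOF

check_dnssec_options "$GOOD_CONF" && echo "named.conf: DNSSEC options look correct"
check_dnssec_options "$BAD_CONF" || echo "named.conf: fix the options above before 'service named restart'"
```

Run it against your real file with check_dnssec_options /etc/named.conf and follow it with named-checkconf for a full syntax check. The dnssec-lookaside check mirrors what this tutorial configures; ISC has since retired the dlv.isc.org registry and newer BIND releases no longer support the dnssec-lookaside directive, so on a current named drop that check and rely on dnssec-validation auto with the root trust anchor.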

Once done, restart Bind.

$service named restart
or
$/etc/init.d/bind9 restart
or
$rndc reload

Ok! Now we have enabled DNSSEC on Bind. Next, we’ll see how to sign a zone.

How to sign a zone in DNSSEC?

To sign a zone, we will use dnssec-tools, which we installed at the beginning of this tutorial. dnssec-tools comes with the zonesigner command, which is a wrapper over dnssec-keygen and dnssec-signzone.

Check the zonesigner man page for more information.

$man zonesigner

The dnssec-tools configuration file is located at /usr/local/etc/dnssec-tools/dnssec-tools.conf. However, the path may vary on your system.

To sign the zone, the command goes like this:

zonesigner -genkeys -usensec3 -zone <domain-name> <zone-file>
$zonesigner -genkeys -usensec3 -zone techglimpse.com db.techglimpse.com
if zonesigner appears hung, strike keys until the program completes
(see the "Entropy" section in the man page for details)
Generating key pair......................................++++++ ..............++++++
Generating key pair......++++++ ..++++++
Generating key pair...................................+++ ..................................+++
Verifying the zone using the following algorithms: NSEC3RSASHA1.
Zone signing complete:
Algorithm: NSEC3RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
ZSKs: 1 active, 1 stand-by, 0 revoked
zone signed successfully
techglimpse.com:
KSK (cur) 47781 2048 11/14/13 (techglimpse.com-signset-00003)
ZSK (cur) 06809 1024 11/14/13 (techglimpse.com-signset-00001)
ZSK (pub) 26330 1024 11/14/13 (techglimpse.com-signset-00002)
zone will expire in 30 days
DO NOT delete the keys until this time has passed.

Check the directory to verify the key files.

$ ls -lrt
-rw-r--r--. 1 root root 571 Oct 14 14:09 db.10.180.4
-rw-------. 1 root root 1015 Nov 14 11:45 Ktechglimpse.com.+007+06809.private
-rw-r--r--. 1 root root 436 Nov 14 11:45 Ktechglimpse.com.+007+06809.key
-rw-------. 1 root root 1015 Nov 14 11:45 Ktechglimpse.com.+007+26330.private
-rw-r--r--. 1 root root 437 Nov 14 11:45 Ktechglimpse.com.+007+26330.key
-rw-------. 1 root root 1779 Nov 14 11:45 Ktechglimpse.com.+007+47781.private
-rw-r--r--. 1 root root 611 Nov 14 11:45 Ktechglimpse.com.+007+47781.key
-rw-r--r--. 1 root root 777 Nov 14 11:45 db.techglimpse.com
-rw-r--r--. 1 root root 173 Nov 14 11:45 dsset-techglimpse.com.
-rw-r--r--. 1 root root 7183 Nov 14 11:45 db.techglimpse.com.signed
-rw-r--r--. 1 root root 2172 Nov 14 11:45 techglimpse.com.krf
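The file names above encode the zone, the algorithm number and the key id (K<zone>.+<alg>+<keyid>), and the DNSKEY record inside each .key file tells a KSK (flags 257) from a ZSK (flags 256). The script below is an added example, not part of the original tutorial or of dnssec-tools: it inventories a key directory, labels each key, and flags any .private file that is readable by group or others, which is the one permission problem worth catching here. The key directory it creates, the DNSKEY records and the base64 key material are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original tutorial or of dnssec-tools: take an
# inventory of the K<zone>.+<alg>+<keyid>.key files that zonesigner left
# behind, tell KSKs from ZSKs by the DNSKEY flags field, and flag any .private
# file that is readable by group or others. The key directory, its DNSKEY
# records and the base64 key material below are constructed placeholders.

# Map an IANA DNSSEC algorithm number to its mnemonic (subset used here).
dnssec_alg_name() {   # $1 = algorithm number, without leading zeros
    case "$1" in
        5)  echo RSASHA1 ;;
        7)  echo NSEC3RSASHA1 ;;
        8)  echo RSASHA256 ;;
        13) echo ECDSAP256SHA256 ;;
        *)  echo "ALG$1" ;;
    esac
}

# Print KSK or ZSK from the flags field of the DNSKEY record in a .key file:
# 257 = zone key with the SEP bit (key-signing key), 256 = zone-signing key.
dnskey_role() {   # $1 = path to a K*.key file
    flags=$(awk '$1 !~ /^;/ && $3 == "DNSKEY" { print $4; exit }' "$1")
    case "$flags" in
        257) echo KSK ;;
        256) echo ZSK ;;
        *)   echo UNKNOWN ;;
    esac
}

# Return 0 when the matching .private file exists and only its owner can read
# it (dnssec-keygen creates them -rw-------; anything looser is a finding).
private_key_ok() {   # $1 = path to a K*.key file
    priv="${1%.key}.private"
    [ -f "$priv" ] || return 1
    [ "$(ls -l "$priv" | cut -c5-10)" = "------" ]
}

# One line per key: zone, key id, role, algorithm, private-key status.
inventory_keys() {   # $1 = directory holding the K*.key files
    for f in "$1"/K*.key; do
        [ -f "$f" ] || continue
        base=${f##*/}; base=${base#K}; base=${base%.key}
        zone=${base%%+*}; rest=${base#*+}
        alg=$(printf '%s' "${rest%%+*}" | sed 's/^0*//'); keyid=${rest#*+}
        if private_key_ok "$f"; then priv=ok; else priv=EXPOSED-or-missing; fi
        printf '%s id=%s %s %s private=%s\n' "$zone" "$keyid" \
            "$(dnskey_role "$f")" "$(dnssec_alg_name "$alg")" "$priv"
    done
}

# Constructed sample key directory mirroring the tutorial's ls output.
KEYDIR=$(mktemp -d)
for spec in "47781 257 key-signing" "06809 256 zone-signing" "26330 256 zone-signing"; do
    set -- $spec
    printf '; This is a %s key, keyid %s, for techglimpse.com.\n' "$3" "$1" \
        > "$KEYDIR/Ktechglimpse.com.+007+$1.key"
    printf 'techglimpse.com. IN DNSKEY %s 3 7 PLACEHOLDERBASE64KEYMATERIAL==\n' "$2" \
        >> "$KEYDIR/Ktechglimpse.com.+007+$1.key"
    printf 'Private-key-format: v1.3\nAlgorithm: 7 (NSEC3RSASHA1)\n' \
        > "$KEYDIR/Ktechglimpse.com.+007+$1.private"
    chmod 600 "$KEYDIR/Ktechglimpse.com.+007+$1.private"
done
chmod 644 "$KEYDIR/Ktechglimpse.com.+007+26330.private"   # deliberately loose, to show the finding

inventory_keys "$KEYDIR"
```

Point inventory_keys at the directory zonesigner wrote to (here the zone directory itself) and compare the key ids it prints with the KSK/ZSK lines in the zonesigner summary; a private file reported as EXPOSED-or-missing should be fixed with chmod 600 before the keys are used for anything.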

Verify that everything went well during signing.

$ donuts --level 8 -v db.techglimpse.com.signed techglimpse.com
--- loading rule file /usr/local/share/dnssec-tools/donuts/rules/check_nameservers.txt
 rules: MEMORIZE_NS_ADDRS DNS_SERVERS_MATCH_DATA
--- loading rule file /usr/local/share/dnssec-tools/donuts/rules/dns.errors.txt
 rules: DNS_SOA_REQUIRED MEMORIZE_NS_CNAME_RECORDS DNS_NS_NO_CNAME
--- loading rule file /usr/local/share/dnssec-tools/donuts/rules/dnssec.rules.txt
 rules: DNSSEC_RRSIG_TTL_MATCH_ORGTTL DNSSEC_MEMORIZE_NS_RECORDS DNSSEC_CHECK_IF_NSEC3 DNSSEC_MISSING_NSEC_RECORD1 DNSSEC_MISSING_RRSIG_RECORD1 DNSSEC_RRSIG_NOT_SIGNING_RRSIG DNSSEC_RRSIG_FOR_NS_GLUE_RECORD DNSSEC_NSEC_FOR_NS_GLUE_RECORD DNSSEC_RRSIG_SIGEXP DNSSEC_NSEC_TTL DNSSEC_NSEC3_TTL DNSSEC_DNSKEY_MUST_HAVE_SAME_NAME DNSSEC_DNSKEY_PROTOCOL_MUST_BE_3 DNSSEC_BOGUS_NS_MEMORIZE DNSSEC_MISSING_RRSIG_RECORD2 DNSSEC_RRSIG_TTL_MUST_MATCH_RECORD DNSSEC_MISSING_NSEC_RECORD2 DNSSEC_RRSIG_SIGNER_NAME_MATCHES DNSSEC_NSEC_RRSEC_MUST_NOT_BE_ALONE DNSSEC_MEMORIZE_KEYS DNSSEC_RRSIGS_VERIFY DNSSEC_TWO_ZSKS DNSSEC_OPENSSL_KEY_ISSUES
--- loading rule file /usr/local/share/dnssec-tools/donuts/rules/nsec_check.rules.txt
 rules: DNSSEC_NSEC_MEMORIZE DNSSEC_NSEC3_MEMORIZE DNSSEC_NSEC3_CHECK DNSSEC_NSEC_CHECK
--- loading rule file /usr/local/share/dnssec-tools/donuts/rules/parent_child.rules.txt
 rules: DNS_MULTIPLE_NS DNSSEC_SUB_NOT_SECURE DNSSEC_DNSKEY_PARENT_HAS_VALID_DS DNSSEC_DS_CHILD_HAS_MATCHING_DNSKEY
--- loading rule file /usr/local/share/dnssec-tools/donuts/rules/recommendations.rules.txt
 rules: DNS_REASONABLE_TTLS DNS_NO_DOMAIN_MX_RECORDS
--- Analyzing individual records in db.techglimpse.com.signed
--- Analyzing records for each name in db.techglimpse.com.signed
techglimpse.com:
 Rule Name: DNS_MULTIPLE_NS
 Level: 6
 Warning: Only 1 NS record(s) for techglimpse.com found, but at least 2 are suggested/required
 Details: Tests to see if at least two NS records exist for a delegated zone.
results on testing techglimpse.com:
 rules considered: 38
 rules tested: 30
 records analyzed: 33
 names analyzed: 10
 errors found: 0

Now point the techglimpse.com zone in named.conf at the signed zone file:

zone "techglimpse.com" {
    type master;
    file "/var/named/zones/master/db.techglimpse.com.signed";
};

Restart Bind as below:

$service named restart
or
$/etc/init.d/bind9 restart

Test DNSSEC Setup using dig

Format of the dig command goes like this.

$dig @<dns_server> +dnssec <domain_name>

In the output, look for ‘ad’ in the flags.

;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1

AD stands for the Authenticated Data flag, which is set only if the resolver validated the answer it received from the authoritative name server.
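Reading the flags line by eye is error-prone, and a missing ad has several different causes: querying the authoritative server directly (it answers with aa and never sets ad, because ad is only set by a validating recursive resolver), forgetting +dnssec, an unsigned zone, or a resolver that is not validating. The script below is an added example, not part of the original tutorial or of BIND: it parses a saved dig transcript, checks for ad, and otherwise prints which of those cases applies; a SERVFAIL is reported separately, because that is what a validating resolver returns when validation fails. The three transcripts it writes are constructed for the demo (addresses, ids and signature bytes are placeholders), so it runs without any DNS server.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: interpret a saved
# "dig @<dns_server> +dnssec <domain_name>" transcript and say what it proves.
# The three transcripts below are constructed for this demo; addresses, ids,
# TTLs and signature bytes are placeholders, so nothing here talks to a DNS server.

# Print the header flags of a dig transcript, e.g. "qr rd ra ad".
dig_flags() {   # $1 = file holding dig output
    awk '/^;; flags:/ { sub(/^;; flags: */, ""); sub(/;.*/, ""); print; exit }' "$1"
}

# Print the response status (NOERROR, SERVFAIL, NXDOMAIN, ...).
dig_status() {   # $1 = file holding dig output
    awk '/^;; ->>HEADER<<-/ { for (i = 1; i <= NF; i++) if ($i == "status:") { s = $(i + 1); sub(/,$/, "", s); print s; exit } }' "$1"
}

# Return 0 when flag $2 (ad, aa, ra, ...) is present in the header.
dig_has_flag() {   # $1 = file, $2 = flag name
    for f in $(dig_flags "$1"); do
        [ "$f" = "$2" ] && return 0
    done
    return 1
}

# Classify a transcript. Exit status:
#   0  validated: ad is set, a validating resolver authenticated the answer
#   1  not validated: no ad; the printed reason says why
#   2  SERVFAIL: the resolver refused the answer (bogus data or a broken chain)
assess_dnssec_answer() {   # $1 = file holding dig output
    if [ "$(dig_status "$1")" = SERVFAIL ]; then
        echo "SERVFAIL: validation failed or the chain of trust is broken (dig +cd shows the unvalidated data)"
        return 2
    fi
    if dig_has_flag "$1" ad; then
        echo "validated: ad flag set by the resolver"
        return 0
    fi
    if dig_has_flag "$1" aa; then
        echo "not validated: aa is set, so this is the authoritative server's own answer; ad is only set by a validating recursive resolver"
    elif ! grep -q 'flags: do' "$1"; then
        echo "not validated: no DO bit in the OPT record, the query was sent without +dnssec"
    elif ! grep -q ' RRSIG ' "$1"; then
        echo "not validated: no RRSIG records in the answer; is the zone signed and the signed file loaded?"
    else
        echo "not validated: signatures returned but ad not set; check dnssec-validation and the trust anchors on the resolver"
    fi
    return 1
}

# Constructed transcript 1: a validating recursive resolver answered.
VALIDATED=$(mktemp)
cat > "$VALIDATED" <<'EOF'
; <<>> DiG 9.8.2 <<>> @10.180.1.115 +dnssec techglimpse.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
techglimpse.com.  300 IN A     192.0.2.10
techglimpse.com.  300 IN RRSIG A 7 2 300 20131214000000 20131114000000 6809 techglimpse.com. PLACEHOLDERSIG==
EOF

# Constructed transcript 2: the authoritative server itself (recursion no) answered.
AUTHORITATIVE=$(mktemp)
cat > "$AUTHORITATIVE" <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
techglimpse.com.  300 IN A     192.0.2.10
techglimpse.com.  300 IN RRSIG A 7 2 300 20131214000000 20131114000000 6809 techglimpse.com. PLACEHOLDERSIG==
EOF

# Constructed transcript 3: validation failed at the resolver.
BROKEN=$(mktemp)
cat > "$BROKEN" <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
EOF

for t in "$VALIDATED" "$AUTHORITATIVE" "$BROKEN"; do
    assess_dnssec_answer "$t" || :    # a non-zero status is the finding, not a script error
done
```

With a live server, save the transcript first (dig @<dns_server> +dnssec <domain_name> > out.txt) and pass out.txt to assess_dnssec_answer. Note that ad appears in the response, never in the query packet; to see the authoritative server's signatures without validation you must query a validating resolver rather than the authoritative server, which has recursion switched off in this setup.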

That’s it! If everything went well, then you have successfully setup basic DNSSEC on Bind 9.8.2.

READ: Beginners guide to DNSSEC

READ: How to identify a domain is DNSSEC signed or not?


  1. Hello,

    I added the below lines in my named.option file.
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;

    When I try to resolve a DNSSEC-signed site, I did not see that the query packet sent from my client machine contains the AD flag set. Is it set only when we receive answers? My client itself acts as a recursive resolver.
