Bind authoritative name server with DNSSEC in CentOS 6

I’m going to explain how to implement DNSSEC in CentOS, using Bind as the authoritative name server together with the dnssec-tools utilities. To deploy DNSSEC, your parent zone must already be signed; you can check it here.

The main reference for this post is in the dnssec-tools Wiki:
https://www.dnssec-tools.org/wiki/index.php/Authoritative_Server

The main Bind configuration file /etc/named.conf looks like:

acl dns-slaves {
    /* Your slave DNS servers */
    x.x.x.x;
};

acl trusted {
   localhost;
   /* Trusted hosts which can do recursive queries */
   x.x.x.x;
};

options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { any; };
    directory       "/var/named";
    allow-query     { any; };
    allow-query-cache { trusted; };
    allow-recursion { trusted; };
    allow-transfer { dns-slaves; };

    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
zone "example.com" IN {
    type master;
    file "masters/example.com.zone";
};

Enable the EPEL repository and build dnssec-tools from the source RPM:

$ rpmbuild --rebuild dnssec-tools-2.0-1.fc16.src.rpm

The zone file example.com.zone lives in /var/named/masters/. To generate the keys for the first time, run:

# cd /var/named/masters
# zonesigner -verbose -genkeys -usensec3 -zone example.com ./example.com.zone

This will generate all the needed keys and a signed zone file called ./example.com.zone.signed.

To load the signed data, modify /etc/named.conf:

zone "example.com" IN {
    type master;
    file "masters/example.com.zone.signed";
};

And reload named:
# service named reload

Now set the DS record at your registrar; it is stored in /var/named/masters/dsset-example.com. Unfortunately, not many registrars support adding this record to the parent domain. I have used gkg.net for this; they have perfect support for DS records and IPv6.
A less attractive alternative is ISC’s DNSSEC Look-aside Validation (DLV).
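Registrar forms usually ask for the DS fields separately (key tag, algorithm, digest type and digest), and a digest that gets truncated or mistyped while copying leaves the whole zone bogus for validating resolvers. The helper below is an added example, not part of this post or of dnssec-tools: it pulls those fields out of a dsset file and checks that every digest has the length and alphabet its digest type requires. The dsset contents it writes for the demonstration are a constructed sample; the digests are placeholder hex, not those of a real key.

```shell
#!/bin/sh
# Added example (not from the post or dnssec-tools): split the DS record(s) in a
# dsset-<zone> file into the fields a registrar form asks for and sanity-check
# the digest before pasting it. Assumes the one-record-per-line text format that
# zonesigner/dnssec-signzone write.

# ds_fields FILE: print "keytag algorithm digest_type digest" for every DS record
ds_fields() {
    awk '
    $1 ~ /^;/ { next }                                   # skip comment lines
    {
        for (i = 1; i <= NF; i++) if ($i == "DS") break
        if (i + 4 > NF) next                             # no DS record on this line
        digest = ""
        for (j = i + 4; j <= NF; j++) digest = digest $j # digest may be printed in chunks
        print $(i + 1), $(i + 2), $(i + 3), toupper(digest)
    }' "$1"
}

# ds_digest_ok DIGEST_TYPE DIGEST: the digest must be hex and as long as its type
# requires (1 = SHA-1, 40 chars; 2 = SHA-256, 64 chars; 4 = SHA-384, 96 chars)
ds_digest_ok() {
    case "$1" in
        1) want=40 ;;
        2) want=64 ;;
        4) want=96 ;;
        *) echo "unknown digest type $1" >&2; return 1 ;;
    esac
    [ "${#2}" -eq "$want" ] || return 1
    case "$2" in
        *[!0-9A-Fa-f]*) return 1 ;;                      # not hexadecimal
    esac
    return 0
}

# ds_check FILE: print each DS record field by field; succeed only if every
# digest is well-formed, exit 2 if the file holds no DS record at all
ds_check() {
    rc=0; n=0
    while read -r tag alg dtype digest; do
        [ -n "$tag" ] || continue
        n=$((n + 1))
        if ds_digest_ok "$dtype" "$digest"; then
            echo "DS keytag=$tag algorithm=$alg digest_type=$dtype digest=$digest"
        else
            echo "malformed DS record (keytag $tag, digest type $dtype)" >&2
            rc=1
        fi
    done <<EOF
$(ds_fields "$1")
EOF
    [ "$n" -gt 0 ] || { echo "no DS records in $1" >&2; return 2; }
    return $rc
}

# write_sample_dsset FILE: a constructed dsset-example.com in the format
# dnssec-signzone writes; the key tag and digests are placeholders, not real
write_sample_dsset() {
    cat > "$1" <<'EOF'
example.com.    IN DS 12345 8 1 0123456789ABCDEF0123456789ABCDEF01234567
example.com.    IN DS 12345 8 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
EOF
}

# Usage: sh ds-fields.sh /var/named/masters/dsset-example.com
if [ "$#" -ge 1 ]; then ds_check "$1"; fi
```

zonesigner writes one SHA-1 and one SHA-256 DS per key-signing key; most registrars accept either, and publishing the SHA-256 one is enough.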

Later, when you want to modify your zone, make the changes in ./example.com.zone (no need to increase the SOA serial; zonesigner does that automatically) and re-sign the file with zonesigner, this time without the -genkeys option:

# cd /var/named/masters
# zonesigner -verbose -usensec3 -zone example.com ./example.com.zone
# service named reload

The next step is to use the rollerd daemon to automatically issue new keys when the current ones are about to expire. Create its configuration file with the rollinit utility:

# rollinit -directory /var/named/masters -zonefile ./example.com.zone.signed -keyrec ./example.com.krf -admin hostmaster@example.com example.com > /etc/named/all.rollrec

Create an init script /etc/init.d/rollerd to run the daemon:

#!/bin/bash
#
# rollerd       Rollerd daemon
#
# chkconfig: - 10 90
# description: rollerd daemon

### BEGIN INIT INFO
# Provides: rollerd
# Short-Description: start and stop rollerd
# Description: Rollerd daemon
### END INIT INFO

# Source function library.
. /etc/init.d/functions

prog=rollerd
lockfile=/var/lock/subsys/$prog
pidfile=/var/run/${prog}.pid
OPTIONS="-verbose -loglevel info -logfile /var/log/dnssec-tools/rollerd.log -directory /var/named/masters -rrfile /etc/named/all.rollrec -logtz local -pidfile $pidfile -sleep 60"

start() {
        [ -x /usr/bin/rollerd ] || exit 5

        # Start daemons.
        echo -n $"Starting $prog: "
        daemon $prog $OPTIONS
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && touch $lockfile
        return $RETVAL
}

stop() {
        [ "$EUID" != "0" ] && exit 4
        echo -n $"Shutting down $prog: "
        # killproc needs the program name as well as the pidfile
        killproc -p $pidfile $prog
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f $lockfile
        return $RETVAL
}

# See how we were called.
case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  status)
        status -p $pidfile $prog
        ;;
  restart|force-reload)
        stop
        start
        ;;
  try-restart|condrestart)
        if status -p $pidfile $prog > /dev/null; then
            stop
            start
        fi
        ;;
  reload)
        exit 3
        ;;
  *)
        echo $"Usage: $0 {start|stop|status|restart|try-restart|force-reload}"
        exit 2
esac

Register the script with chkconfig and start the daemon:

# chkconfig --add rollerd
# chkconfig rollerd on
# service rollerd start

Another useful utility in the dnssec-tools package is donutsd. It checks our DNSSEC zones for problems at regular intervals and sends notifications by email.

First, create a configuration file listing the zones to check, one per line: the signed zone file, the zone name and the notification email address. /etc/named/checkzones.txt:

/var/named/masters/example.com.zone.signed     example.com    hostmaster@example.com

And run donutsd with:

# nohup donutsd -a "-verbose --features=live,nsec_check --level=8 --rules=/usr/share/dnssec-tools/donuts/rules/*.txt" -s smtp.example.com -f noreply@example.com -i /etc/named/checkzones.txt -z 86400 -v >> /var/log/dnssec-tools/donutsd.log 2>&1 &
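Expired signatures are the most common way a signed zone turns bogus, whether because a manual re-sign was forgotten or because rollerd or donutsd stopped running. The script below is an added example, not part of this post or of dnssec-tools: it reports how many days remain before the earliest RRSIG in a signed zone file expires, so it can run from cron as an independent check next to the re-signing step, rollerd and donutsd described above. It parses the wrapped text format that zonesigner/dnssec-signzone write, and the zone fragment it generates for the demonstration is a constructed sample with placeholder signatures.

```shell
#!/bin/sh
# Added example (not from the post or dnssec-tools): warn before the RRSIGs in a
# signed zone file expire. Assumes the text format dnssec-signzone/zonesigner
# write, where RRSIG RDATA may be wrapped in parentheses over several lines.

# rrsig_days_left FILE NOW_EPOCH
#   Print the whole days between NOW_EPOCH (seconds since 1970-01-01 UTC) and the
#   earliest RRSIG expiration in FILE (negative if already expired); fail if FILE
#   contains no RRSIG record.
rrsig_days_left() {
    awk -v now="$2" '
    # days since 1970-01-01 for a proleptic Gregorian date (Hinnant algorithm)
    function days_from_civil(y, m, d,    era, yoe, doy, doe) {
        if (m <= 2) y--
        era = int((y >= 0 ? y : y - 399) / 400)
        yoe = y - era * 400
        doy = int((153 * (m > 2 ? m - 3 : m + 9) + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        return era * 146097 + doe - 719468
    }
    # RRSIG timestamps are YYYYMMDDHHMMSS, always UTC -> epoch seconds
    function ts_to_epoch(ts,    d) {
        d = days_from_civil(substr(ts, 1, 4) + 0, substr(ts, 5, 2) + 0, substr(ts, 7, 2) + 0)
        return d * 86400 + substr(ts, 9, 2) * 3600 + substr(ts, 11, 2) * 60 + substr(ts, 13, 2)
    }
    {
        line = $0; sub(/;.*/, "", line)      # drop master-file comments
        depth += gsub(/\(/, "", line)        # join "( ... )" continuation lines
        depth -= gsub(/\)/, "", line)
        buf = buf " " line
        if (depth > 0) next
        $0 = buf; buf = ""                   # re-split the joined record into fields
        for (i = 1; i <= NF; i++) if ($i == "RRSIG") break
        if (i + 5 > NF) next                 # not an RRSIG record
        ts = $(i + 5)                        # RRSIG <type> <alg> <labels> <ttl> <expiration> ...
        if (length(ts) != 14 || ts !~ /^[0-9]+$/) next
        e = ts_to_epoch(ts)
        if (min == "" || e < min) min = e
    }
    END {
        if (min == "") exit 1
        d = (min - now) / 86400
        print (d >= 0 ? int(d) : int(d) - (d != int(d)))   # floor, also for negatives
    }' "$1"
}

# rrsig_check FILE MIN_DAYS [NOW_EPOCH]
#   Succeed only when every signature in FILE stays valid for at least MIN_DAYS
#   more days; exit 2 when no RRSIG is found (e.g. the unsigned file was given).
rrsig_check() {
    now=${3:-$(date -u +%s)}
    left=$(rrsig_days_left "$1" "$now") || { echo "$1: no RRSIG records found" >&2; return 2; }
    if [ "$left" -lt "$2" ]; then
        echo "$1: earliest RRSIG expires in $left day(s), below the $2-day threshold" >&2
        return 1
    fi
    echo "$1: earliest RRSIG expires in $left day(s)"
}

# write_sample_zone FILE: a constructed fragment in dnssec-signzone's wrapped
# output style; the key tag and signatures are placeholders, not real values
write_sample_zone() {
    cat > "$1" <<'EOF'
; File written on Tue Feb 20 00:00:00 2024 (constructed sample)
example.com.    3600    IN SOA  ns1.example.com. hostmaster.example.com. (
                    2024022001 ; serial
                    3600       ; refresh
                    900        ; retry
                    604800     ; expire
                    86400      ; minimum
                    )
            3600    RRSIG   SOA 8 2 3600 (
                    20240301000000 20240201000000 12345 example.com.
                    c29tZXNpZ25hdHVyZWJhc2U2NGNvbnN0cnVjdGVk )
            3600    NS      ns1.example.com.
            3600    RRSIG   NS 8 2 3600 (
                    20240315120000 20240215120000 12345 example.com.
                    YW5vdGhlcmNvbnN0cnVjdGVkc2lnbmF0dXJl )
EOF
}

# Usage: sh rrsig-check.sh /var/named/masters/example.com.zone.signed [MIN_DAYS]
if [ "$#" -ge 1 ]; then rrsig_check "$1" "${2:-7}"; fi
```

A non-zero exit from a cron job running this against example.com.zone.signed means fewer than the requested number of days of validity remain, or no signature was found at all; either way it is time to re-run zonesigner and reload named, and to check that rollerd and donutsd are still alive.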
