Configure DNSSEC for BIND DNS Server in CentOS 7 - CentLinux

Monday, 2 September 2019

DNSSEC (Domain Name System Security Extensions) is a suite of IETF (Internet Engineering Task Force) specifications for securing certain kinds of information provided by the DNS (Domain Name System) as used on IP (Internet Protocol) networks.

It is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.

In our previous article we configured master and slave authoritative DNS servers using BIND on CentOS 7. In this article, we will configure DNSSEC for those same BIND DNS servers, so that resolvers can verify that the answers they receive for example.com really come from us and have not been altered in transit.

 


    Environment Specification:

    We are using the same CentOS 7 virtual machines that we have configured in our previous article.

    Primary (Master) DNS Server:

    • CPU - 3.4 GHz (1 Core)
    • Memory - 1 GB
    • Storage - 20 GB
    • Hostname - dns-01.example.com
    • IPv4 Address - 192.168.116.4/24
    • IPv6 Address - fd15:4ba5:5a2b:1008::1/64

    Secondary (Slave) DNS Server:

    • CPU - 3.4 GHz (1 Core)
    • Memory - 1 GB
    • Storage - 20 GB
    • Hostname - dns-02.example.com
    • IPv4 Address - 192.168.116.5/24
    • IPv6 Address - fd15:4ba5:5a2b:1008::2/64

     

    Installing Haveged on CentOS 7:

    Connect with dns-01.example.com using ssh as root user.

    The haveged project provides an easy-to-use, unpredictable random number generator based on an adaptation of the HAVEGE algorithm. It was created to remedy the low-entropy conditions of the Linux random device that can occur under some workloads, especially on headless servers and virtual machines.

    We are installing haveged on our CentOS 7 server because dnssec-keygen reads /dev/random by default and blocks until the kernel has collected enough entropy, which can stall the generation of a 4096-bit key for minutes on a freshly booted VM. If the hypervisor exposes a virtio-rng device, rng-tools feeding /dev/random from it is the preferred fix; haveged is the software-only fallback.

    Haveged is available in the EPEL (Extra Packages for Enterprise Linux) yum repository. Therefore, we have to install EPEL before installing the haveged package.

    Install the EPEL yum repository as follows.

    [root@dns-01 ~]# yum install -y epel-release
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
     * base: centos.hbcse.tifr.res.in
     * extras: centos.hbcse.tifr.res.in
     * updates: centos.hbcse.tifr.res.in
    base                                                     | 3.6 kB  00:00
    extras                                                   | 3.4 kB  00:00
    updates                                                  | 3.4 kB  00:00
    Resolving Dependencies
    --> Running transaction check
    ---> Package epel-release.noarch 0:7-11 will be installed
    --> Finished Dependency Resolution

    Dependencies Resolved

    ================================================================================
     Package              Arch         Version        Repository      Size
    ================================================================================
    Installing:
     epel-release         noarch       7-11           extras          15 k

    Transaction Summary
    ================================================================================
    Install  1 Package

    Total download size: 15 k
    Installed size: 24 k
    Downloading packages:
    epel-release-7-11.noarch.rpm                             |  15 kB  00:01
    Running transaction check
    Running transaction test
    Transaction test succeeded
    Running transaction
      Installing : epel-release-7-11.noarch                                  1/1
      Verifying  : epel-release-7-11.noarch                                  1/1

    Installed:
      epel-release.noarch 0:7-11

    Complete!

    Build the cache for the EPEL yum repository.

    [root@dns-01 ~]# yum makecache fast
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
    epel/x86_64/metalink                                     | 8.0 kB  00:00
     * base: centos.hbcse.tifr.res.in
     * epel: repos.del.extreme-ix.org
     * extras: centos.hbcse.tifr.res.in
     * updates: centos.hbcse.tifr.res.in
    base                                                     | 3.6 kB  00:00
    epel                                                     | 5.4 kB  00:00
    extras                                                   | 3.4 kB  00:00
    updates                                                  | 3.4 kB  00:00
    (1/3): epel/x86_64/group_gz                              |  88 kB  00:01
    (2/3): epel/x86_64/updateinfo                            | 1.0 MB  00:31
    (3/3): epel/x86_64/primary_db                            | 6.8 MB  00:49
    Metadata Cache Created

    Now, we can install haveged from the EPEL repository using the yum command.

    [root@dns-01 ~]# yum install -y haveged
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
     * base: centos.hbcse.tifr.res.in
     * epel: epel.scopesky.iq
     * extras: centos.hbcse.tifr.res.in
     * updates: centos.hbcse.tifr.res.in
    Resolving Dependencies
    --> Running transaction check
    ---> Package haveged.x86_64 0:1.9.1-1.el7 will be installed
    --> Finished Dependency Resolution

    Dependencies Resolved

    ================================================================================
     Package          Arch          Version              Repository       Size
    ================================================================================
    Installing:
     haveged          x86_64        1.9.1-1.el7          epel             61 k

    Transaction Summary
    ================================================================================
    Install  1 Package

    Total download size: 61 k
    Installed size: 181 k
    Downloading packages:
    warning: /var/cache/yum/x86_64/7/epel/packages/haveged-1.9.1-1.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEY
    Public key for haveged-1.9.1-1.el7.x86_64.rpm is not installed
    haveged-1.9.1-1.el7.x86_64.rpm                           |  61 kB  00:01
    Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
    Importing GPG key 0x352C64E5:
     Userid     : "Fedora EPEL (7) <epel@fedoraproject.org>"
     Fingerprint: 91e9 7d7c 4a5e 96f1 7f3e 888f 6a2f aea2 352c 64e5
     Package    : epel-release-7-11.noarch (@extras)
     From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
    Running transaction check
    Running transaction test
    Transaction test succeeded
    Running transaction
      Installing : haveged-1.9.1-1.el7.x86_64                                1/1
      Verifying  : haveged-1.9.1-1.el7.x86_64                                1/1

    Installed:
      haveged.x86_64 0:1.9.1-1.el7

    Complete!

    The NOKEY warning is expected on the first package pulled from EPEL: yum imports the EPEL signing key from the file that the epel-release package (itself signed with the CentOS key and installed from the extras repository) placed under /etc/pki/rpm-gpg, and then verifies the haveged package against it. The fingerprint printed above should match the one published by the Fedora project; check it before trusting a key obtained any other way.

    Enable and start haveged.service.

    [root@dns-01 ~]# systemctl enable --now haveged.service
    Created symlink from /etc/systemd/system/multi-user.target.wants/haveged.service to /usr/lib/systemd/system/haveged.service.

     

    Configure DNSSEC on Master DNS Server:

    Edit the BIND configuration file.

    [root@dns-01 ~]# vi /etc/named.conf

    Find and set the following directives in the options { } block.

    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside no;

    dnssec-enable yes lets named include DNSSEC records in its answers (it is already the default in BIND 9.9). dnssec-validation yes only matters if this server also recurses on behalf of clients; it has no effect on how our own zone is served. Do not use dnssec-lookaside auto, which older named.conf templates carry: it pointed validation at ISC's DNSSEC Lookaside Validation registry (dlv.isc.org), that registry was shut down in 2017, and the directive was later removed from BIND altogether, so leave it at no or drop the line.

    Create a Zone Signing Key (ZSK) using the following commands. NSEC3RSASHA1 is DNSSEC algorithm 7 (the +007 in the generated file names), i.e. RSA with SHA-1; RFC 8624 lists it as not recommended for signing new zones, so for a production zone prefer -a RSASHA256 (algorithm 8), or -a ECDSAP256SHA256 (algorithm 13) if your BIND build supports it. The rest of the procedure is identical apart from the key file names. Each command prints the base name of the key pair it wrote, K<zone>.+<algorithm>+<key tag>, and blocks until /dev/random has enough entropy, which is what haveged is for.

    [root@dns-01 ~]# cd /var/named
    [root@dns-01 named]# dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE example.com
    Generating key pair...........................................................................+++ ...........................................................................................+++
    Kexample.com.+007+28013

    Create a Key Signing Key (KSK) using the following commands. -f KSK sets the Secure Entry Point flag (DNSKEY flags 257 instead of 256); the KSK is the key whose hash goes into the parent's DS record and the one that signs the DNSKEY RRset, so it is worth the larger size. Be aware that a 4096-bit RSA KSK makes the DNSKEY response large (848 bytes in the dig output further down), so EDNS must work end to end.

    [root@dns-01 named]# dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE example.com
    Generating key pair.......................................++ .................................................++
    Kexample.com.+007+65445

    Include the public halves of the generated keys, the .key files holding the DNSKEY records, in our zone file. The paths are relative to /var/named, which is both our working directory here and the directory named works from. The matching .private files stay in /var/named with mode 0600: dnssec-signzone reads them from there, and they must be backed up and protected, since anyone holding them can forge signatures for the zone.

    [root@dns-01 named]# echo "\$include Kexample.com.+007+28013.key" >> /var/named/example.com
    [root@dns-01 named]# echo "\$include Kexample.com.+007+65445.key" >> /var/named/example.com

    Sign the zone using the dnssec-signzone command.

    [root@dns-01 named]# dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o example.com -t example.com
    Verifying the zone using the following algorithms: NSEC3RSASHA1.
    Zone fully signed:
    Algorithm: NSEC3RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
                             ZSKs: 1 active, 0 stand-by, 0 revoked
    example.com.signed
    Signatures generated:                       21
    Signatures retained:                         0
    Signatures dropped:                          0
    Signatures successfully verified:            0
    Signatures unsuccessfully verified:          0
    Signing time in seconds:                 0.039
    Signatures per second:                 529.233
    Runtime in seconds:                      0.046

    The command wrote the signed zone to example.com.signed in the current directory; it found the K*.private files there because the zone file includes the matching DNSKEY records. The options used are: -3 salt enables NSEC3 with the given hex salt (8 random bytes here; /dev/urandom is sufficient for a salt, and RFC 9276 now recommends no salt at all, -3 -, together with zero extra hash iterations, -H 0); -A sets the NSEC3 opt-out flag; -N INCREMENT bumps the SOA serial so that the secondary transfers the new zone; -o example.com sets the origin; -t prints the statistics; the final argument is the zone file. Opt-out is meant for large zones with many unsigned delegations. For a small zone that is signed in full it gains nothing and weakens authenticated denial of existence, because a validator can no longer prove that an unsigned delegation in an opt-out span does not exist, so drop -A here. Note also that dnssec-signzone makes signatures valid for 30 days from signing by default (-e sets another end time): a zone signed this way has to be re-signed before that, otherwise validating resolvers will start returning SERVFAIL for it.

    We are now required to edit the zone configuration to serve the example.com.signed file instead of the unsigned example.com file.

    [root@dns-01 named]# vi /etc/named.conf.local

    Update the file directive as follows.

    zone "example.com" {
        type master;
        file "/var/named/example.com.signed";
        allow-transfer { 192.168.116.5; fd15:4ba5:5a2b:1008::2; };
        also-notify { 192.168.116.5; fd15:4ba5:5a2b:1008::2; };
    };

    Because the zone was signed by hand with dnssec-signzone, named only has to serve the signed file; do not add inline-signing yes or auto-dnssec maintain to this zone. Those directives tell named to sign the zone named in file itself, writing file.signed next to it and reading the keys from key-directory (which takes a directory such as "/var/named", not a glob), so combining them with an already signed file produces a second signed copy and a confusing double-signing setup. Either stay with manual signing and re-run the dnssec-signzone command above followed by a reload well before the 30-day validity runs out, or point file at the unsigned example.com and let named sign and re-sign the zone automatically with inline signing; do not mix the two. named-checkconf and named-checkzone example.com /var/named/example.com.signed are cheap checks before reloading.

    Reload named.service to load the changes.

    [root@dns-01 named]# systemctl reload named.service

    Check the DNSKEY records using the dig command.

    [root@dns-01 named]# dig DNSKEY example.com. +multiline

    ; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.2 <<>> DNSKEY example.com. +multiline
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14498
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;example.com.           IN DNSKEY

    ;; ANSWER SECTION:
    example.com.            3600 IN DNSKEY 256 3 7 (
                                    AwEAAaGAIKYjx3rjdGVfTHShyBqZfYruv9XFdla4skgK
                                    f1lLSSDJ+1MN90rc5EjobINEgXJp9g8t6j6W3H5osa50
                                    CQCmwIxXVWcCKzdm5goJBy0L26FPzl9KNFAExdyVnlyN
                                    CPXnBwTvxS2nS4iJM2zbTRynWxjcLebsOC+wAzkJmxcN
                                    +DLgkTH/M1dPx1m8R78gOCsNxJfEKy+Zzyq5cZ0H6IJ/
                                    EnC3IDWuULHwQ5knmVo9LcP/7FiaZKmmd+SBjJF7rfSm
                                    xXmxEe//B5cIhedhMkkBcTCB1UPyhRnv8VX43tCfwxax
                                    u8t7iC31QdaN2gfQ2xd2a7lK5I+ceCbPJ+etQ3U=
                                    ) ; ZSK; alg = NSEC3RSASHA1; key id = 28013
    example.com.            3600 IN DNSKEY 257 3 7 (
                                    AwEAAfAS59V3GImmv9JpgmJxqDDCDxVmy/avEMViA8Zk
                                    W6MtC+PbWfywMWu1m+aCbCqBqx6GtbjVwvLMi9ccVfGs
                                    gJd0G5kXvdfSI3XvmbXsubby3ZF7Bz1abHVc/hoVeuQT
                                    2p9q1UpjTy3jpgnxrouF7ROiFmyZEgKcNUzbmeJ12mIZ
                                    5WMvd1TuOEguXHlv+H+wmGbqdfjsuqu/yJlqO8wT9eI5
                                    JvuXL1SjXd3nDkcYwRNw352FsH9NxQ186BS6UwiUoVJN
                                    lKB98pidjIRHZngaHNnqzRrGGT/5HJjroZtRjooKcGWI
                                    mYdUhnTNIO3HXL6kS6yJzgAEoaKbnnuQQ4vME07/bJEN
                                    9CYNqLGv2HsrHFyT1UQtZGlsyI+uyzOJOznQHBIKmVX8
                                    uGD1a8twyYJy7U7xuiLgyAqLjNjTgDQiCwyW+0/TMys1
                                    M6n/86S+xEzi0Z7HYbqMupfBJVB1xDiSh+vOjFetdWxB
                                    pyEkPRDlg1F3QONifkTA1u6rybCHtaZXa9BAJAWJRYrM
                                    tBN15tvc3UjSi0gNLEC73/cBYT39kca9ETni9rESQyXH
                                    Nh3tFahJU7GK1Ym+0sCzvnPbIjl2axJFY53cYUdtErkR
                                    PmNdno3x0IsVF+zDbcoGh4af5lNmNBZ12aZMEiKHY304
                                    vPnlbXG+H1rvPdGP/54yVlG8GNxV
                                    ) ; KSK; alg = NSEC3RSASHA1; key id = 65445

    ;; Query time: 0 msec
    ;; SERVER: 192.168.116.4#53(192.168.116.4)
    ;; WHEN: Sun Sep 01 22:11:18 PKT 2019
    ;; MSG SIZE  rcvd: 848

    The answer contains the ZSK (flags 256) and the KSK (flags 257) we generated, and the aa flag shows that the server answers authoritatively. This only proves that the keys are published. To confirm that the zone data is actually signed, repeat a query with the +dnssec option and check that each answer carries a matching RRSIG record whose expiration date lies in the future. Also keep in mind that validating resolvers will not trust these signatures until the KSK is anchored somewhere: either publish a DS record for it in the parent zone (generate the DS from the KSK .key file with dnssec-dsfromkey) or, for a private zone such as this lab, configure the KSK as a trusted-keys or managed-keys entry on the validating resolvers.

    We have configured DNSSEC on our master DNS server.

     

    Configure DNSSEC on Slave DNS Server:

    Connect with dns-02.example.com using ssh as root user.

    A secondary does not sign anything: it receives the signed zone, including the DNSKEY, RRSIG and NSEC3 records, from the master through a zone transfer. It therefore needs neither the key pairs nor $include lines for them in a local zone file (a slave zone file is written by named from the transferred data, not read as a master file). Copying the .private files to a second host only widens the exposure of the signing keys, so copy them only if dns-02 is itself expected to sign the zone, for example as a fallback master with inline signing. In that case transfer them with scp as follows and make them readable by the named user.

    [root@dns-02 ~]# scp root@dns-01.example.com:/var/named/Kexample.com.* /var/named/

    Edit the BIND configuration file.

    [root@dns-02 ~]# vi /etc/named.conf

    and set the following directives in the options { } block. dnssec-lookaside is set to no for the same reason as on the master: the ISC DLV registry it referred to no longer exists.

    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside no;

    Edit the zone configuration file.

    [root@dns-02 ~]# vi /etc/named.conf.local

    and update the file directive as follows.

    zone "example.com" {
        type slave;
        masters { 192.168.116.4; };
        file "/var/named/example.com.signed";
    };

    The slave zone takes no key-directory, auto-dnssec or inline-signing directives; it serves whatever the master transfers. If the transferred file does not appear after the reload, check /var/log/messages: on a stock CentOS 7 install with SELinux enforcing, named is only allowed to write zone files under /var/named/slaves (and the dynamic and data directories), in which case use file "slaves/example.com.signed" instead.

    Reload named.service to load the changes.

    [root@dns-02 ~]# systemctl reload named.service

    Check whether the example.com.signed zone has been transferred to the slave DNS server.

    [root@dns-02 ~]# ls /var/named
    116.168.192.in-addr.arpa  example.com  named.empty  slaves  data  example.com.signed  named.localhost  dynamic  named.ca  named.loopback

    We have configured DNSSEC for our BIND DNS servers in CentOS 7.
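    The checks suggested above for the master (does the zone actually carry RRSIG records, and when do they expire?) and for the slave (did the signed zone arrive?) can be run from either server with the script below. It is an added example and not part of the original article or of BIND: the RRSIG parsing and date arithmetic are plain POSIX shell so they run anywhere, the --live mode assumes dig from bind-utils and the two lab addresses 192.168.116.4 and 192.168.116.5, and the two sample answers embedded in it are constructed for this example (key tag and signature are placeholders), not captured from the lab servers. Because dnssec-signzone signs for 30 days by default, the script reports the remaining validity of the SOA signature and flags the zone for re-signing once fewer than 7 days remain or no signature is present at all.

```shell
#!/bin/sh
# Added example (not from the CentLinux article): verify that example.com is
# served signed and report how many days the RRSIG on the SOA is still valid,
# so the zone is re-signed with dnssec-signzone before it expires.

# Constructed sample of what `dig +dnssec +noall +answer SOA example.com`
# returns from a zone signed like the one in the article (placeholder values).
SAMPLE_ANSWER='example.com. 3600 IN SOA dns-01.example.com. root.example.com. 2019090202 3600 1800 604800 86400
example.com. 3600 IN RRSIG SOA 7 2 3600 20191002101118 20190902091118 28013 example.com. c29tZS1zaWduYXR1cmU='

# Constructed sample of an unsigned zone: same query, no RRSIG in the answer.
SAMPLE_UNSIGNED='example.com. 3600 IN SOA dns-01.example.com. root.example.com. 2019090201 3600 1800 604800 86400'

# days_from_ts YYYYMMDDHHMMSS -> whole days since 1970-01-01 (UTC), computed
# from the Julian day number so that no GNU date extension is required.
days_from_ts() {
    ts=$1
    y=${ts%??????????}
    m=${ts%????????}; m=${m#????}; m=${m#0}
    d=${ts%??????};   d=${d#??????}; d=${d#0}
    a=$(( (14 - m) / 12 ))
    yy=$(( y + 4800 - a ))
    mm=$(( m + 12 * a - 3 ))
    # JDN of the date minus the JDN of 1970-01-01 (2440588)
    echo $(( d + (153 * mm + 2) / 5 + 365 * yy + yy / 4 - yy / 100 + yy / 400 - 32045 - 2440588 ))
}

# rrsig_expiry ANSWER TYPE -> expiration field of the RRSIG covering TYPE
# (field 9 of an RRSIG record), empty when the answer carries no such RRSIG.
rrsig_expiry() {
    printf '%s\n' "$1" | awk -v t="$2" '$4 == "RRSIG" && $5 == t { print $9; exit }'
}

# rrsig_days_left ANSWER TYPE NOW -> days until the signature expires, given
# NOW as YYYYMMDDHHMMSS (UTC); prints -1 and returns 1 if there is no RRSIG.
rrsig_days_left() {
    exp=$(rrsig_expiry "$1" "$2")
    if [ -z "$exp" ]; then
        printf '%s\n' "-1"
        return 1
    fi
    echo $(( $(days_from_ts "$exp") - $(days_from_ts "$3") ))
}

# needs_resign ANSWER TYPE NOW THRESHOLD_DAYS -> true (0) when the zone is
# unsigned or its signature expires within THRESHOLD_DAYS.
needs_resign() {
    left=$(rrsig_days_left "$1" "$2" "$3") || return 0
    [ "$left" -le "$4" ]
}

# check_server SERVER [NOW] -> live check of one name server with dig.
check_server() {
    now=${2:-$(date -u +%Y%m%d%H%M%S)}
    ans=$(dig +dnssec +noall +answer SOA example.com "@$1") || return 2
    if needs_resign "$ans" SOA "$now" 7; then
        echo "$1: example.com needs re-signing ($(rrsig_days_left "$ans" SOA "$now") days of validity left)"
        return 1
    fi
    echo "$1: example.com signed, $(rrsig_days_left "$ans" SOA "$now") days of validity left"
}

# Live mode: ./dnssec-check.sh --live  (master and slave from the article)
if [ "${1:-}" = "--live" ]; then
    rc=0
    for srv in 192.168.116.4 192.168.116.5; do
        check_server "$srv" || rc=1
    done
    exit $rc
fi
```

    A non-zero exit from --live means at least one server is serving the zone unsigned, with an expired or nearly expired signature, or not at all; running it from cron a few days before each expected expiry turns the silent 30-day deadline into an alert. Checking both servers separately also catches the case where the master was re-signed but the NOTIFY or the transfer to the slave failed.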

    3 comments:

    1. Remember that the master cannot transfer the keys (KSK and ZSK) to the slave. You must copy them manually.

       Reply:

       Thanks for the advice. The same has been incorporated in the above article.

    2. So helpful.
       Thank you a lot, Mr. Ahmer!