Latest

Sunday, 10 July 2022

Configure BIND DNSSEC for your Private DNS Server

Configure BIND DNSSEC for your Private DNS Server

In this article, you will learn how to configure BIND DNSSEC for your Private DNS Server (Linux based).

 

Table of Contents:

 

DNSSEC Explained:

DNSSEC (Domain Name System Security Extensions) is a suite of IETF (Internet Engineering Task Force) specifications for securing certain kinds of information provided by the DNS (Domain Name System) as used on IP (Internet Protocol) networks.

It is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.

You have already configured a master and slave DNS servers by using BIND on Rocky Linux 8. In this article, you will configure DNSSEC on the same BIND Private DNS Server.

Configure BIND DNSSEC for your Private DNS Server

Recommended Online Training: Basics of BIND DNS Server
Recommended Book: DNS and BIND (5th Edition) by Cricket Liu & Paul Albitz

 

Install Haveged on Rocky Linux:

Connect with your Master DNS Server i.e. nameserver-01.centlinux.com as root user by using a ssh client.

The haveged project is an attempt to provide an easy-to-use, unpredictable random number generator based upon an adaptation of the HAVEGE algorithm. Haveged was created to remedy low-entropy conditions in the Linux random device that can occur under some workloads, especially on headless servers.

You should install haveged before configuring BIND DNSSEC to speedup the process of key generation during configuration process.

Haveged software package is provided by third party yum repository, therefore, you need to install EPEL (Extra Packages for Enterprise Linux) yum repository on your Linux operating system.

# dnf install -y epel-release

Build yum cache for newly installed yum repository.

# dnf makecache
Rocky Linux 8 - AppStream                       409  B/s | 4.8 kB     00:11
Rocky Linux 8 - BaseOS                          2.1 kB/s | 4.3 kB     00:02
Rocky Linux 8 - Extras                          1.7 kB/s | 3.5 kB     00:02
Extra Packages for Enterprise Linux 8 - x86_64  331 kB/s |  12 MB     00:37
Extra Packages for Enterprise Linux Modular 8 - 7.3 kB/s | 1.0 MB     02:21
Metadata cache created.

Now you can easily install havaged on your Linux server by executing dnf command.

# dnf install -y haveged
Last metadata expiration check: 0:02:17 ago on Sat 09 Jul 2022 02:06:09 PM PKT.
Dependencies resolved.
================================================================================
 Package           Architecture     Version                Repository      Size
================================================================================
Installing:
 haveged           x86_64           1.9.14-1.el8           epel            78 k

Transaction Summary
================================================================================
Install  1 Package

Total download size: 78 k
Installed size: 205 k
Downloading Packages:
haveged-1.9.14-1.el8.x86_64.rpm                  10 kB/s |  78 kB     00:07
--------------------------------------------------------------------------------
Total                                           9.5 kB/s |  78 kB     00:08
Extra Packages for Enterprise Linux 8 - x86_64  1.6 MB/s | 1.6 kB     00:00
Importing GPG key 0x2F86D6A1:
 Userid     : "Fedora EPEL (8) <epel@fedoraproject.org>"
 Fingerprint: 94E2 79EB 8D8F 25B2 1810 ADF1 21EA 45AB 2F86 D6A1
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
Key imported successfully
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1
  Installing       : haveged-1.9.14-1.el8.x86_64                            1/1
  Running scriptlet: haveged-1.9.14-1.el8.x86_64                            1/1
  Verifying        : haveged-1.9.14-1.el8.x86_64                            1/1

Installed:
  haveged-1.9.14-1.el8.x86_64

Complete!

Enable and start haveged.service.

# systemctl enable --now haveged.service
Created symlink /etc/systemd/system/sysinit.target.wants/haveged.service → /usr/lib/systemd/system/haveged.service.

 

Configure BIND DNSSEC on Master DNS Server:

To enable BIND DNSSEC, you need to configure following settings on your Primary DNS Server (Master).

Edit named.conf configuration file in vim text editor.

# vi /etc/named.conf

Locate and set following two directives in this file.

dnssec-enable yes;
dnssec-validation yes;

Add following directive just below the above settings.

dnssec-lookaside auto;

Create a Zone Signing Key (ZSK) by executing following commands at Linux Bash.

# cd /var/named
# dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE centlinux.com
Generating key pair......+++++ ..........................................................+++++
Kcentlinux.com.+007+64074

Create a Key Signing Key (KSK) by executing following command at Linux Bash.

# dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE centlinux.com
Generating key pair....................++++ .........................................................................................................++++
Kcentlinux.com.+007+60889

Include the generated keys in your zone file.

# echo "\$include Kcentlinux.com.+007+64074.key" >> /var/named/centlinux.com
# echo "\$include Kcentlinux.com.+007+60889.key" >> /var/named/centlinux.com

Sign the zone entries by using dnssec-signzone command.

# dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o centlinux.com -t centlinux.com
Verifying the zone using the following algorithms: NSEC3RSASHA1.
Zone fully signed:
Algorithm: NSEC3RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
                         ZSKs: 1 active, 0 stand-by, 0 revoked
centlinux.com.signed
Signatures generated:                       19
Signatures retained:                         0
Signatures dropped:                          0
Signatures successfully verified:            0
Signatures unsuccessfully verified:          0
Signing time in seconds:                 0.039
Signatures per second:                 476.692
Runtime in seconds:                      0.044

Above command created a signed zone file for your centlinux.com zone.

Check zone file for any possible errors.

# named-checkzone centlinux.com /var/named/centlinux.com.signed
zone centlinux.com/IN: loaded serial 2022070402 (DNSSEC signed)
OK

The above output shows that your zone file is now DNSSEC signed.

Edit your zone configuration file by using vim text editor.

# vi /etc/named.conf.local

Update the file path, now it is pointing towards the signed zone file.

Also include DNSSEC related settings therein. (Changes are highlighted in yellow color)

zone "centlinux.com" {
   type master;
   allow-transfer {192.168.116.129; };
   also-notify {192.168.116.129; };
   file "/var/named/centlinux.com.signed";

   # DNSSEC keys Location
   key-directory "/var/named/*.keys";

   # Publish and Activate DNSSEC keys
   auto-dnssec maintain;

   # Use Inline Signing
   inline-signing yes;
};

zone "116.168.192.in-addr.arpa" {
   type master;
   allow-transfer {192.168.116.129; };
   also-notify {192.168.116.129; };
   file "/var/named/116.168.192.in-addr.arpa";
};

Restart your named.service to apply changes.

# systemctl restart named.service

 

Configure BIND DNSSEC on Slave DNS Server:

Now connect to your Secondary DNS Server (Slave) i.e. nameserver-02.centlinux.com as root user by using a ssh client.

Edit named.conf configuration file in vim text editor.

# vi /etc/named.conf

Locate and set following two directives in this file.

dnssec-enable yes;
dnssec-validation yes;

Add following directive just below the above settings.

dnssec-lookaside auto;

Edit your zone configuration file by using vim text editor.

# vi /etc/named.conf.local

Update the file path, now it is pointing towards the signed zone file.

Also include DNSSEC related settings therein. (Changes are highlighted in yellow color)

zone "centlinux.com" {
   type slave;
   masters { 192.168.116.128; };
   file "/var/named/centlinux.com.signed";

   # DNSSEC keys Location
   key-directory "/var/named/*.keys";

   # Publish and Activate DNSSEC keys
   auto-dnssec maintain;

   # Use Inline Signing
   inline-signing yes;
};

zone "116.168.192.in-addr.arpa" {
   type slave;
   masters { 192.168.116.128; };
   file "/var/named/116.168.192.in-addr.arpa";
};

Restart your named.service to apply changes.

# systemctl restart named.service

After service restart the zone files will be fetched from Master DNS Server.

Check zone file for any possible errors.

# named-checkzone centlinux.com /var/named/centlinux.com.signed
zone centlinux.com/IN: loaded serial 2022070402 (DNSSEC signed)
OK

The above output shows that your Zone file is now DNSSEC signed.

Also Read: 

Configure Authoritative DNS Server in CentOS 7
Configure Caching Only DNS Server in CentOS 7

 

Conclusion:

In this article, you have learned how to configure BIND DNSSEC for your Private DNS Server (Linux based).

No comments:

Post a Comment