In this article, you will learn how to configure BIND DNSSEC for your Private DNS Server (Linux-based).
Table of Contents:
- DNSSEC Explained
- Install Haveged on Rocky Linux
- Configure BIND DNSSEC on Master DNS Server
- Configure BIND DNSSEC on Slave DNS Server
- Conclusion
DNSSEC Explained:
DNSSEC (Domain Name System Security Extensions) is a suite of IETF (Internet Engineering Task Force) specifications for securing certain kinds of information provided by the DNS (Domain Name System) as used on IP (Internet Protocol) networks.
It is a set of extensions to DNS which provide DNS clients (resolvers) with origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.
You have already configured master and slave DNS servers by using BIND on Rocky Linux 8. In this article, you will configure DNSSEC on the same BIND Private DNS Server.
Install Haveged on Rocky Linux:
Connect to your Master DNS Server, i.e. nameserver-01.centlinux.com, as the root user using an SSH client.
The haveged project is an attempt to provide an easy-to-use, unpredictable random number generator based upon an adaptation of the HAVEGE algorithm. Haveged was created to remedy low-entropy conditions in the Linux random device that can occur under some workloads, especially on headless servers.
You should install haveged before configuring BIND DNSSEC to speed up key generation during the configuration process.
The haveged software package is provided by a third-party yum repository; therefore, you need to install the EPEL (Extra Packages for Enterprise Linux) yum repository on your Linux operating system.
# dnf install -y epel-release
Build the yum cache for the newly installed repository.
# dnf makecache
Rocky Linux 8 - AppStream 409 B/s | 4.8 kB 00:11
Rocky Linux 8 - BaseOS 2.1 kB/s | 4.3 kB 00:02
Rocky Linux 8 - Extras 1.7 kB/s | 3.5 kB 00:02
Extra Packages for Enterprise Linux 8 - x86_64 331 kB/s | 12 MB 00:37
Extra Packages for Enterprise Linux Modular 8 - 7.3 kB/s | 1.0 MB 02:21
Metadata cache created.
Now you can install haveged on your Linux server by executing the dnf command.
# dnf install -y haveged
Last metadata expiration check: 0:02:17 ago on Sat 09 Jul 2022 02:06:09 PM PKT.
Dependencies resolved.
================================================================================
Package Architecture Version Repository Size
================================================================================
Installing:
haveged x86_64 1.9.14-1.el8 epel 78 k
Transaction Summary
================================================================================
Install 1 Package
Total download size: 78 k
Installed size: 205 k
Downloading Packages:
haveged-1.9.14-1.el8.x86_64.rpm 10 kB/s | 78 kB 00:07
--------------------------------------------------------------------------------
Total 9.5 kB/s | 78 kB 00:08
Extra Packages for Enterprise Linux 8 - x86_64 1.6 MB/s | 1.6 kB 00:00
Importing GPG key 0x2F86D6A1:
Userid : "Fedora EPEL (8) <epel@fedoraproject.org>"
Fingerprint: 94E2 79EB 8D8F 25B2 1810 ADF1 21EA 45AB 2F86 D6A1
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
Key imported successfully
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : haveged-1.9.14-1.el8.x86_64 1/1
Running scriptlet: haveged-1.9.14-1.el8.x86_64 1/1
Verifying : haveged-1.9.14-1.el8.x86_64 1/1
Installed:
haveged-1.9.14-1.el8.x86_64
Complete!
Enable and start haveged.service.
# systemctl enable --now haveged.service
Created symlink /etc/systemd/system/sysinit.target.wants/haveged.service → /usr/lib/systemd/system/haveged.service.
Configure BIND DNSSEC on Master DNS Server:
To enable BIND DNSSEC, you need to configure the following settings on your Primary DNS Server (Master).
Edit the named.conf configuration file in the vim text editor.
# vi /etc/named.conf
Locate and set the following two directives in this file.
dnssec-enable yes;
dnssec-validation yes;
Add the following directive just below the above settings.
dnssec-lookaside auto;
Create a Zone Signing Key (ZSK) by executing the following commands at the Linux Bash prompt.
# cd /var/named
# dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE centlinux.com
Generating key pair......+++++ ..........................................................+++++
Kcentlinux.com.+007+64074
Create a Key Signing Key (KSK) by executing the following command at the Linux Bash prompt.
# dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE centlinux.com
Generating key pair....................++++ .........................................................................................................++++
Kcentlinux.com.+007+60889
Include the generated keys in your zone file.
# echo "\$include Kcentlinux.com.+007+64074.key" >> /var/named/centlinux.com
# echo "\$include Kcentlinux.com.+007+60889.key" >> /var/named/centlinux.com
Sign the zone entries by using the dnssec-signzone command.
# dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o centlinux.com -t centlinux.com
Verifying the zone using the following algorithms: NSEC3RSASHA1.
Zone fully signed:
Algorithm: NSEC3RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
ZSKs: 1 active, 0 stand-by, 0 revoked
centlinux.com.signed
Signatures generated: 19
Signatures retained: 0
Signatures dropped: 0
Signatures successfully verified: 0
Signatures unsuccessfully verified: 0
Signing time in seconds: 0.039
Signatures per second: 476.692
Runtime in seconds: 0.044
The above command created a signed zone file (centlinux.com.signed) for your centlinux.com zone.
Check the zone file for any possible errors.
# named-checkzone centlinux.com /var/named/centlinux.com.signed
zone centlinux.com/IN: loaded serial 2022070402 (DNSSEC signed)
OK
The above output shows that your zone file is now DNSSEC signed.
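As an added example (not part of the original article), the following Python script audits a dnssec-signzone output file the way a practitioner would before pointing named at it: it joins the parenthesised multi-line records, lists every DNSKEY with its RFC 4034 key tag, maps each key to the K<zone>.+<alg>+<tag>.key filename that the $include lines above refer to, and checks that NSEC3PARAM and RRSIG records are present. The embedded zone text and its four-byte public keys are constructed placeholders, so the tags it reports for them (1548 and 3603) are not those of the article's keys; run it with /var/named/centlinux.com.signed as the argument to audit the real file on either server.

```python
"""Audit a signed zone file produced by dnssec-signzone.

Added example: lists DNSKEY records with their RFC 4034 key tags and checks
that the zone carries NSEC3PARAM and RRSIG records. Not part of the article.
"""
import base64
import sys


def key_tag(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except 1/RSAMD5):
    a 16-bit sum with end-around carry over the DNSKEY RDATA bytes."""
    rdata = (flags.to_bytes(2, "big") + bytes([protocol, algorithm])
             + base64.b64decode(pubkey_b64))
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def zone_records(text: str):
    """Yield each record as a token list. Joins '(' ... ')' continuation
    lines and strips ';' comments. Simplified: quoted strings are not
    special-cased, which is fine for dnssec-signzone output without TXT."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth <= 0:
            tokens = " ".join(buf).split()
            buf, depth = [], 0
            if tokens:
                yield tokens


def audit_signed_zone(text: str, zone: str) -> dict:
    """Summarise the DNSSEC state of a zone file's text."""
    keys, types = [], set()
    for tokens in zone_records(text):
        if tokens[0].startswith("$") or "IN" not in tokens:
            continue  # $TTL/$ORIGIN directives or a line without a class
        i = tokens.index("IN")
        rtype, rdata = tokens[i + 1], tokens[i + 2:]
        types.add(rtype)
        if rtype == "DNSKEY":
            flags, proto, alg = int(rdata[0]), int(rdata[1]), int(rdata[2])
            tag = key_tag(flags, proto, alg, "".join(rdata[3:]))
            keys.append({
                "role": "KSK" if flags & 1 else "ZSK",  # SEP bit marks the KSK
                "algorithm": alg,
                "tag": tag,
                # dnssec-keygen naming: K<zone>.+<alg, 3 digits>+<tag, 5 digits>
                "keyfile": f"K{zone}.+{alg:03d}+{tag:05d}.key",
            })
    return {
        "keys": keys,
        "has_ksk": any(k["role"] == "KSK" for k in keys),
        "has_zsk": any(k["role"] == "ZSK" for k in keys),
        "nsec3": "NSEC3PARAM" in types,
        "signed": "RRSIG" in types,
    }


# Constructed sample resembling dnssec-signzone output; the 4-byte "public
# keys" are dummies, so the tags are NOT those of any real key.
SAMPLE_SIGNED_ZONE = """\
$TTL 86400
centlinux.com.  IN SOA  nameserver-01.centlinux.com. root.centlinux.com. (
                2022070402 ; serial
                3600 900 604800 86400 )
centlinux.com.  IN NS   nameserver-01.centlinux.com.
centlinux.com.  IN DNSKEY 256 3 7 (
                BAUGBw== ) ; ZSK
centlinux.com.  IN DNSKEY 257 3 7 (
                AAECAw== ) ; KSK
centlinux.com.  IN RRSIG DNSKEY 7 2 86400 20220808000000 (
                20220709000000 1548 centlinux.com. ZHVtbXk= )
centlinux.com.  IN NSEC3PARAM 1 0 10 1A2B3C4D5E6F7A8B
nameserver-01.centlinux.com. IN A 192.168.116.128
"""


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SIGNED_ZONE
    report = audit_signed_zone(text, "centlinux.com")
    for k in report["keys"]:
        print(f'{k["role"]} alg={k["algorithm"]} tag={k["tag"]} -> {k["keyfile"]}')
    print("KSK present:", report["has_ksk"], "| ZSK present:", report["has_zsk"])
    print("NSEC3PARAM:", report["nsec3"], "| RRSIGs:", report["signed"])
```

The key tag is the number embedded in the key filenames (the 64074 and 60889 parts above), so the audit lets you confirm that the DNSKEY records in the signed file really are the ones whose private halves sit in /var/named, and that the zone was signed with NSEC3 as the -3 option requests.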
Edit your zone configuration file in the vim text editor.
# vi /etc/named.conf.local
Update the file path so that it points to the signed zone file, and add the DNSSEC-related settings shown below.
zone "centlinux.com" {
    type master;
    allow-transfer { 192.168.116.129; };
    also-notify { 192.168.116.129; };
    file "/var/named/centlinux.com.signed";
    # Directory holding the DNSSEC key files generated above
    # (key-directory takes a plain directory path; wildcards are not expanded)
    key-directory "/var/named";
    # Publish and activate DNSSEC keys
    auto-dnssec maintain;
    # Use inline signing
    inline-signing yes;
};
zone "116.168.192.in-addr.arpa" {
    type master;
    allow-transfer { 192.168.116.129; };
    also-notify { 192.168.116.129; };
    file "/var/named/116.168.192.in-addr.arpa";
};
Restart named.service to apply the changes.
# systemctl restart named.service
Configure BIND DNSSEC on Slave DNS Server:
Now connect to your Secondary DNS Server (Slave), i.e. nameserver-02.centlinux.com, as the root user using an SSH client.
Edit the named.conf configuration file in the vim text editor.
# vi /etc/named.conf
Locate and set the following two directives in this file.
dnssec-enable yes;
dnssec-validation yes;
Add the following directive just below the above settings.
dnssec-lookaside auto;
Edit your zone configuration file in the vim text editor.
# vi /etc/named.conf.local
Update the file path so that it points to the signed zone file, and add the DNSSEC-related settings shown below.
zone "centlinux.com" {
    type slave;
    masters { 192.168.116.128; };
    file "/var/named/centlinux.com.signed";
    # Directory for DNSSEC key files
    # (key-directory takes a plain directory path; wildcards are not expanded)
    key-directory "/var/named";
    # Publish and activate DNSSEC keys
    auto-dnssec maintain;
    # Use inline signing
    inline-signing yes;
};
zone "116.168.192.in-addr.arpa" {
    type slave;
    masters { 192.168.116.128; };
    file "/var/named/116.168.192.in-addr.arpa";
};
Restart named.service to apply the changes.
# systemctl restart named.service
After the service restart, the zone files will be fetched from the Master DNS Server.
Check the zone file for any possible errors.
# named-checkzone centlinux.com /var/named/centlinux.com.signed
zone centlinux.com/IN: loaded serial 2022070402 (DNSSEC signed)
OK
The above output shows that your zone file is now DNSSEC signed.
Conclusion:
In this article, you have learned how to configure BIND DNSSEC for your Private DNS Server (Linux-based).