OPS535-lab-dnssec

4,774 bytes added, 14:43, 9 October 2019
Investigation 3: Configuring DNSSec on an Authoritative Server: - Adding body to investigation 3
==Investigation 3: Configuring DNSSec on an Authoritative Server==
Perform the following steps as root on your VM1:
<ol>
<li>Now that you know your nameserver is capable of performing authentication of other domains (so long as they are configured to provide authentication), it is time to set up authentication in your domain.</li>
<li>First you need to make sure that the named service is able to modify the zone files, as it will need to do so in order to add the RRSIG records it generates for you. This requires two things:
*The SELinux boolean named_write_master_zones must be set to on (this should have already been done in a previous lab, and is currently the default setting).
*The named account must have write permission to the /var/named directory. Again, this is currently the default setting, but double check that it is correct.
*If either of those settings is not configured correctly, fix them now.</li>
<li>Install the haveged service to generate random values for your system.
*It can be found in the epel-release repo. Install that if you have not already done so.
*You would not have to use this service on a ‘real’ server, but our VMs will not have enough activity to provide normally random data within a reasonable time-frame.
*Start, but do not enable, the haveged service, as we will not need it on a regular basis. Any time you need to re-generate the random keys from the next step, simply start the service.
</li>
<li>Next, we will use the dnssec-keygen command to generate two sets of paired keys.
<ul>
<li>Create a directory at /etc/named/<yourdomain>-keys
<ul><li>Making sure you replace <yourdomain> with the name of your domain</li>
<li>Make sure that only root and the named service user can access it.</li>
<li>cd into that directory so the keys you are about to generate get created there.</li>
</ul>
</li>
<li>First, to generate the Zone Signing Key (ZSK) that is used to sign individual records (make sure to use your own zone name):
<source>dnssec-keygen -a RSASHA256 -b 1024 <yourzone></source></li>
<li>And to generate the Key Signing Key (KSK) that is used to create an RRSIG for your DNSKEY (the public half of the ZSK):
<source>dnssec-keygen -a RSASHA256 -b 2048 -f KSK <yourzone></source></li>
<li>Note that the algorithm and key size used here are current standards, but may change over time.</li>
<li>Change the permissions on those files so that only root and the named service can read them.</li>
</ul>
</li>
<li>There are three BIND parameters that need to be set in order to sign your zones. The first two could be set in the options statement, but the third is only valid in a zone statement.<br />
Our machines only have two zone statements (the forward and reverse lookups of your domain), so it won’t make a significant difference where we place them. If your server hosted multiple domains, the placement of these parameters would be something to consider:
*Add the following lines to your two zones (again replacing <yourdomain> with the name of your domain):
<source>key-directory "/etc/named/<yourdomain>-keys";
inline-signing yes;
auto-dnssec maintain;
</source>
*Double check that the value you put in the key-directory parameter matches the directory you created your key files in.
</li>
<li>Make sure the dnssec-enable parameter in /etc/named.conf is set to yes so that your server will provide the extra DNSSec records if a client requests them.
*This is the default value, so unless you took it out, it should already be there.
*Note that this parameter is different from the dnssec-validation parameter which only controls whether or not your server will request those records from other servers when a client asks for them.
</li>
<li>Restart the named service. If you have dynamic DNS set up from the earlier labs, you can use named-journalprint to view the journal files for your zones in order to see the new records.</li>
<li>In order to confirm that your server will provide the extra records when requested, use the dig command to obtain a zone transfer (including the DNSSec records) from your server:
*Making sure to replace <yourzone> with the name of your zone, and <ip-of-server> with the IP address of your server.
<source>dig AXFR <yourzone> @<ip-of-server></source></li>
<li>Repeat the steps from this investigation so you have a signed copy of your reverse zone too.</li>
<li>Normally, there would be a few more steps here to create an encrypted copy of your ZSK to provide to your parent zone as a DS record, but we will not be configuring that in this lab.
*Note that this means responses your server provides will not be ‘authenticated data’, and will not have the ad flag.
*You will be performing this final step in the next assignment.
</li>
</ol>
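The key-directory and zone-parameter steps above are easy to get subtly wrong: a typographic quote pasted into named.conf, a key-directory path that does not match the directory dnssec-keygen was run in, or key files left world-readable, and named only tells you at restart. The following script is an added example, not part of this lab page or of BIND. It checks those points for one zone statement before you restart named: the three zone parameters, the global dnssec-enable, that key-directory exists and holds both a ZSK (DNSKEY flags 256) and a KSK (flags 257), and that nothing under it is world-readable. The zone name example.com, the temp-dir layout and the fake key files built by run_demo are constructed for the demo; on your VM point check_zone_dnssec at /etc/named.conf and your own zone.

```shell
#!/bin/sh
# Added example, not part of the lab page or of BIND: a pre-flight check to run
# before restarting named. For one zone statement it verifies the three zone
# parameters from the lab (key-directory, inline-signing, auto-dnssec), the
# global dnssec-enable, that key-directory exists and holds a ZSK (DNSKEY flags
# 256) and a KSK (flags 257), and that nothing under it is world-readable.
# run_demo builds a constructed config and fake key files in a temp directory.

# Print the body of the zone statement for zone $2 from config file $1.
zone_block() {
    awk -v zone="$2" '
        $1 == "zone" && $2 == "\"" zone "\"" { inzone = 1 }
        inzone { print }
        inzone && /^[[:space:]]*};/ { exit }
    ' "$1"
}

# check_zone_dnssec CONFIG ZONE -> returns 0 when every check passes, 1 otherwise
check_zone_dnssec() {
    conf=$1
    zone=$2
    rc=0
    block=$(zone_block "$conf" "$zone")
    [ -n "$block" ] || { echo "FAIL: no zone statement for $zone in $conf"; return 1; }

    for want in 'inline-signing[[:space:]]+yes;' 'auto-dnssec[[:space:]]+maintain;'; do
        printf '%s\n' "$block" | grep -Eq "$want" \
            || { echo "FAIL: zone $zone lacks '$want'"; rc=1; }
    done
    grep -Eq 'dnssec-enable[[:space:]]+yes;' "$conf" \
        || { echo "FAIL: 'dnssec-enable yes;' not found in $conf"; rc=1; }

    # Only straight ASCII quotes are stripped. Typographic quotes (as produced by
    # word processors and some web pages) survive, so the -d test below fails and
    # points at the copy/paste mistake instead of named failing at restart.
    keydir=$(printf '%s\n' "$block" \
        | awk '$1 == "key-directory" { gsub(/[";]/, "", $2); print $2 }')
    if [ ! -d "$keydir" ]; then
        echo "FAIL: key-directory '$keydir' is not a directory (typographic quotes?)"
        return 1
    fi

    # dnssec-keygen names public keys K<zone>.+<alg>+<keytag>.key; the DNSKEY
    # flags field inside is 256 for a ZSK and 257 for a KSK. Both are needed.
    for flag in 256 257; do
        cat "$keydir"/K"$zone".+*.key 2>/dev/null \
            | grep -Eq "DNSKEY[[:space:]]+$flag[[:space:]]" \
            || { echo "FAIL: no DNSKEY with flags $flag under $keydir"; rc=1; }
    done

    # The lab wants only root and named to read the keys: nothing world-readable.
    if [ -n "$(find "$keydir" -perm -004 -print)" ]; then
        echo "FAIL: world-readable entries under $keydir"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $zone is ready for inline signing"
    return "$rc"
}

# run_demo straight|curly: build a scratch config in a temp dir and check it.
# "curly" reproduces the typographic-quote mistake and is expected to fail.
run_demo() {
    tmp=$(mktemp -d)
    zone=example.com
    keydir="$tmp/keys"
    mkdir -m 750 "$keydir"
    # Constructed stand-ins for dnssec-keygen output (not real key material).
    printf '%s. IN DNSKEY 256 3 8 AwEAAfakeZSK\n' "$zone" > "$keydir/K$zone.+008+11111.key"
    printf '%s. IN DNSKEY 257 3 8 AwEAAfakeKSK\n' "$zone" > "$keydir/K$zone.+008+22222.key"
    : > "$keydir/K$zone.+008+11111.private"
    : > "$keydir/K$zone.+008+22222.private"
    chmod 640 "$keydir"/*
    if [ "$1" = curly ]; then q1='“'; q2='”'; else q1='"'; q2='"'; fi
    cat > "$tmp/named.conf" <<EOF
options {
    directory "/var/named";
    dnssec-enable yes;
    dnssec-validation yes;
};
zone "$zone" IN {
    type master;
    file "$zone.zone";
    key-directory ${q1}${keydir}${q2};
    inline-signing yes;
    auto-dnssec maintain;
};
EOF
    if check_zone_dnssec "$tmp/named.conf" "$zone"; then status=0; else status=1; fi
    rm -rf "$tmp"
    return "$status"
}

run_demo straight
```

Run it as root with `sh check-zone.sh` to see the constructed demo pass; `run_demo curly` shows the failure message you would get from a pasted typographic quote. For the real server, call `check_zone_dnssec /etc/named.conf <yourzone>` for the forward zone and again for the reverse zone.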
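Reading the AXFR output from the dig step by eye does not scale past a handful of records. The following script is an added example, not part of the lab page: it parses dig AXFR output on stdin and reports every RRset that has no matching RRSIG, checks that the DNSKEY RRset contains both a ZSK (flags 256) and a KSK (flags 257), and prints the key tag that signed the DNSKEY RRset so you can confirm it is the KSK's. sample_axfr is constructed data for a small signed zone; its key tags, timestamps and base64 fields are placeholders, not real signatures.

```shell
#!/bin/sh
# Added example, not part of the lab page: check the output of
#     dig AXFR <yourzone> @<ip-of-server>
# for DNSSEC completeness. Every owner/type pair in the transfer must have a
# matching RRSIG, and the DNSKEY RRset must contain a ZSK (flags 256) and a
# KSK (flags 257). sample_axfr below is constructed data with placeholder key
# tags, timestamps and base64 fields; feed real dig output on stdin instead.

# check_axfr < dig-axfr-output  -> 0 when fully signed, 1 otherwise
check_axfr() {
    awk '
        /^;/ || NF < 4 { next }                    # dig comment and blank lines
        { owner = $1; type = $4 }
        type == "RRSIG" {
            # after "IN RRSIG": covered alg labels origttl expire incept keytag signer sig
            signed[owner SUBSEP $5] = 1
            tag[owner SUBSEP $5] = $11
            next
        }
        type == "SOA"    { apex = owner }
        type == "DNSKEY" { flags[$5] = 1 }
        { have[owner SUBSEP type] = 1 }
        END {
            bad = 0
            for (k in have) {
                if (k in signed) continue
                split(k, p, SUBSEP)
                printf "MISSING RRSIG: %s %s\n", p[1], p[2]
                bad = 1
            }
            if (!("256" in flags)) { print "MISSING: ZSK (DNSKEY flags 256)"; bad = 1 }
            if (!("257" in flags)) { print "MISSING: KSK (DNSKEY flags 257)"; bad = 1 }
            if ((apex SUBSEP "DNSKEY") in tag)
                printf "DNSKEY RRset of %s signed by key tag %s\n", apex, tag[apex SUBSEP "DNSKEY"]
            if (!bad) print "OK: every RRset in the transfer carries an RRSIG"
            exit bad
        }
    '
}

# Constructed AXFR output shaped like dig prints it for a small signed zone.
# 11111 stands for the ZSK key tag and 22222 for the KSK key tag.
sample_axfr() {
    cat <<'EOF'
; <<>> DiG 9.11 <<>> AXFR example.com @192.0.2.53
example.com.      86400 IN SOA    ns1.example.com. hostmaster.example.com. 2019100901 3600 900 604800 86400
example.com.      86400 IN RRSIG  SOA 8 2 86400 20191108000000 20191009000000 11111 example.com. c2lnLVNPQQ==
example.com.      86400 IN NS     ns1.example.com.
example.com.      86400 IN RRSIG  NS 8 2 86400 20191108000000 20191009000000 11111 example.com. c2lnLU5T
example.com.      86400 IN DNSKEY 256 3 8 AwEAAZSKPLACEHOLDER
example.com.      86400 IN DNSKEY 257 3 8 AwEAAKSKPLACEHOLDER
example.com.      86400 IN RRSIG  DNSKEY 8 2 86400 20191108000000 20191009000000 22222 example.com. c2lnLUROU0tFWQ==
example.com.      86400 IN NSEC   ns1.example.com. NS SOA RRSIG NSEC DNSKEY
example.com.      86400 IN RRSIG  NSEC 8 2 86400 20191108000000 20191009000000 11111 example.com. c2lnLU5TRUM=
ns1.example.com.  86400 IN A      192.0.2.53
ns1.example.com.  86400 IN RRSIG  A 8 3 86400 20191108000000 20191009000000 11111 example.com. c2lnLUE=
ns1.example.com.  86400 IN NSEC   example.com. A RRSIG NSEC
ns1.example.com.  86400 IN RRSIG  NSEC 8 3 86400 20191108000000 20191009000000 11111 example.com. c2lnLU5TRUM=
example.com.      86400 IN SOA    ns1.example.com. hostmaster.example.com. 2019100901 3600 900 604800 86400
;; Query time: 1 msec
EOF
}

sample_axfr | check_axfr
```

On your VM pipe the real transfer in: `dig AXFR <yourzone> @<ip-of-server> | sh -c '. ./check-axfr.sh; check_axfr'` or simply save the dig output to a file and run `check_axfr < axfr.txt`. A zone that was restarted before the keys were readable by named typically shows up here as a transfer with no RRSIG lines at all.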
==Completing the Lab==