MAGPRO DNS.

SIGNING A ZONE USING THE DNSSEC-SIGNZONE UTILITY

Installation

dnssec-signzone is an utility from BIND DNS-server. You should have OpenSSL 1.0.0 installed ( Installing and configuring OpenSSL 1.0.0) and patched BIND compiled with it (BIND+GOST HowTo).

Preparation

For operation of a signing zone we recommend to create a separate directory, «zone-dnssec» for example as subfolder in the BIND work directory. We reccomend to set «root» as owner, same group as the user under which BIND starts and 750 as the mode for this directiory. Copy zone files to sign to this directory.

Generating Keys

For speeding up process of generation you may press random keys on keyboard and move mouse while gathering entropy.
First pairs of keys (ZSK) - Zone Signing Key (public + private)

# /usr/local/sbin/dnssec-keygen -r /dev/random -a GOST2001 -b 512 -n ZONE example.com

ATTENTION: when you are generating keys and when you signing zone, you should invoke programs by entering full path to them to aviod invoking standard utilities that doesn't support GOST cryptoalgorithms. You also can modify environment variable PATH in apropriate way.

As the result of executing this command there are two files created:
Kexample.com.+012+XXXXX.key and Kexample.com.+012+XXXXX.private - public and private ZSK keys.
Second pair of keys (KSK — Keys signing key) are used for signing ZSK and generating DS-records.

# /usr/local/sbin/dnssec-keygen -r /dev/random -f KSK -a GOST2001 -b 512 -n ZONE example.com

As the result of executing this command there are two files created:
Kexample.com.+012+YYYYY.key и Kexample.com.+012+YYYYY.private - public and private KSK keys.
To distinguish ZSK from KSK you shold look at the public key part (#cat Kexample.com.+012+YYYYY.key for example). There should be comment like:

; This is a zone-signing key, keyid 4796, for example.com.

Or you can differ them by IN DNSKEY code: 256 — ZSK, 257 — KSK, like:

example.com. IN DNSKEY 256 3 12 4/M4Fhcg0B56sRFrnDnprJhfvnA77uNleBtGSH+jVbl04lbVpOJ9A0qT r+zX6lnEZjqrMAxNNcJ7ZKQ+cp3v9g==

You also may check key algorithm number: 12 is GOST.
You should add public parts of ZSK and KSK to unsigned zone

# cat Kexample.com*key >> example.com

Signing a zone

ATTENTION: before signing zone you should increment serial. When zone is signed this operation is extremally complicated.

# /usr/local/sbin/dnssec-signzone -r /dev/random example.com

As the result of executing this command there are two files created:
dsset-example.com.
example.com.signed

dsset-example.com. file is DS-records needed to build trust chain.
example.com.signed file is the signed zone

After this your DS-records should be sent to administrator of higher domain (only if it supports DNSSEC and ready to be an entry point or part of chain of trust).

Reload configuration

After changing configuration of BIND or zone files you should restart daemon.
If you only modified zones use this command:

$ sudo rndc reload