MAGPRO DNS.
SIGNING A ZONE USING THE DNSSEC-SIGNZONE UTILITY
Installation
dnssec-signzone is a utility shipped with the BIND DNS server. For GOST signing you need
OpenSSL 1.0.0 installed (see Installing and configuring OpenSSL 1.0.0) and a
patched BIND compiled against it (see BIND+GOST HowTo); dnssec-keygen and
dnssec-signzone binaries built without GOST support cannot create or use these keys.
Preparation
We recommend doing the signing in a separate directory, for example a
«zone-dnssec» subdirectory of the BIND working directory. The directory
should be owned by «root», have the group of the user BIND runs as, and
mode 750, so that the private key files it will contain are not readable by other users.
Copy the zone files to be signed into this directory.
Generating Keys
Key generation reads from /dev/random, which blocks until enough entropy is available; pressing random keys and moving the mouse while it runs speeds this up.
First, the ZSK (Zone Signing Key) pair (public + private):
# /usr/local/sbin/dnssec-keygen -r /dev/random -a GOST2001 -b 512 -n ZONE example.com
ATTENTION: when generating keys and when signing the zone, invoke the programs by their full path so that you do not accidentally run the standard utilities, which do not support the GOST algorithms. Alternatively, adjust the PATH environment variable accordingly.
This command creates two files:
Kexample.com.+012+XXXXX.key and Kexample.com.+012+XXXXX.private, the public and private ZSK (012 is the algorithm number, XXXXX the key tag).
The second pair, the KSK (Key Signing Key), signs the DNSKEY RRset (and thus the ZSK) and is the key the DS records handed to the parent zone are derived from.
# /usr/local/sbin/dnssec-keygen -r /dev/random -f KSK -a GOST2001 -b 512 -n ZONE example.com
This command creates two files:
Kexample.com.+012+YYYYY.key and Kexample.com.+012+YYYYY.private, the public and private KSK.
To tell a ZSK from a KSK, look at the public key file (for example: # cat Kexample.com.+012+YYYYY.key). It contains a comment such as:
; This is a zone-signing key, keyid 4796, for example.com.
Or compare the flags field of the DNSKEY record: 256 is a ZSK, 257 (the SEP bit set) is a KSK, for example:
example.com. IN DNSKEY 256 3 12 4/M4Fhcg0B56sRFrnDnprJhfvnA77uNleBtGSH+jVbl04lbVpOJ9A0qT r+zX6lnEZjqrMAxNNcJ7ZKQ+cp3v9g==
You can also check the algorithm number: 12 is GOST R 34.10-2001 (the patched build used here calls it GOST2001; unpatched BIND releases that support algorithm 12 use the mnemonic ECCGOST).
Add the public parts of the ZSK and KSK to the unsigned zone file. Do this once per key: when re-signing later, the DNSKEY records are already in the file and appending them again would duplicate them.
# cat Kexample.com*key >> example.com
Signing a zone
ATTENTION: increment the SOA serial before signing. Once the zone is signed, the SOA RRset carries a signature, so changing the serial by hand in the signed file would invalidate that signature and the zone would have to be signed again.
# /usr/local/sbin/dnssec-signzone -r /dev/random example.com
This command creates two files:
dsset-example.com.
example.com.signed
dsset-example.com. contains the DS records needed to build the chain of trust.
example.com.signed is the signed zone.
Then send your DS records to the administrator of the parent domain (only if the parent zone is signed and ready to act as the entry point or as a link in the chain of trust).
Reload configuration
After changing the BIND configuration or zone files, the daemon has to reload them. Make sure the zone statement in named.conf refers to example.com.signed rather than the unsigned file; if only zone files changed, this command is enough:
$ sudo rndc reload
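As an added example (not code from MagPro DNS or from the BIND+GOST HowTo), the whole procedure above as one POSIX shell script: it generates both GOST key pairs, checks before signing that every key file is algorithm 12 and that there is at least one ZSK and one KSK, verifies that the SOA serial was incremented since the last signing (RFC 1982 serial arithmetic, so wrap-around is handled), appends each public key to the zone only once, and calls the patched dnssec-signzone. The work directory /var/named/zone-dnssec and the script name sign-gost-zone.sh are assumptions; /usr/local/sbin, the algorithm mnemonic GOST2001 and the zone example.com are taken from the page.

```shell
#!/bin/sh
# Added example (not part of MagPro DNS): wraps the key generation, pre-flight
# checks and signing steps described above for the zone-dnssec directory.
# Assumptions: the patched BIND lives in /usr/local/sbin (as on this page), the
# work directory is /var/named/zone-dnssec and the zone is example.com.

BIND_SBIN=/usr/local/sbin
WORKDIR=/var/named/zone-dnssec   # assumed path of the zone-dnssec directory
ZONE=example.com

# Print the role of a public key file from the DNSKEY flags field:
# 256 is a ZSK, 257 (SEP bit set) is a KSK. Works with or without a TTL column.
dnskey_role() {
    awk '{ for (i = 1; i <= NF; i++) if ($i == "DNSKEY") {
               f = $(i + 1)
               print (f == 257 ? "KSK" : (f == 256 ? "ZSK" : "UNKNOWN"))
               exit } }' "$1"
}

# Print the algorithm number of a public key file; 12 is GOST R 34.10-2001.
dnskey_alg() {
    awk '{ for (i = 1; i <= NF; i++) if ($i == "DNSKEY") { print $(i + 3); exit } }' "$1"
}

# Print the SOA serial of a zone file. Comments are stripped and a
# parenthesised multi-line SOA is joined before the fields are read.
soa_serial() {
    awk '
        { sub(/;.*/, "") }
        /\(/ && !inrec { inrec = 1; buf = "" }
        inrec { buf = buf " " $0; if ($0 ~ /\)/) { inrec = 0; $0 = buf } else next }
        { gsub(/[()]/, " ")
          for (i = 1; i <= NF; i++) if ($i == "SOA") { print $(i + 3); exit } }
    ' "$1"
}

# RFC 1982 serial comparison: succeed if $2 is newer than $1, i.e. the forward
# distance modulo 2^32 lies between 1 and 2^31 - 1 (so wrap-around is handled).
serial_increased() {
    awk -v old="$1" -v new="$2" 'BEGIN {
        d = (new - old) % 4294967296
        if (d < 0) d += 4294967296
        exit !(d > 0 && d < 2147483648)
    }'
}

# Step 1 of the page: ZSK and KSK with the patched dnssec-keygen.
generate_keys() {
    cd "$WORKDIR" || return 1
    "$BIND_SBIN"/dnssec-keygen -r /dev/random -a GOST2001 -b 512 -n ZONE "$ZONE" &&
    "$BIND_SBIN"/dnssec-keygen -r /dev/random -f KSK -a GOST2001 -b 512 -n ZONE "$ZONE"
}

# Steps 2-3 of the page, with checks in front of them: every key must be
# algorithm 12, there must be at least one ZSK and one KSK, and the serial
# of the zone about to be signed must be newer than the last signed copy.
sign_zone() {
    cd "$WORKDIR" || return 1
    zsk=0; ksk=0
    for k in K"$ZONE".+012+*.key; do
        [ -f "$k" ] || { echo "no GOST (algorithm 12) keys found for $ZONE" >&2; return 1; }
        [ "$(dnskey_alg "$k")" = 12 ] || { echo "$k: not algorithm 12" >&2; return 1; }
        case "$(dnskey_role "$k")" in
            ZSK) zsk=$((zsk + 1)) ;;
            KSK) ksk=$((ksk + 1)) ;;
        esac
    done
    [ "$zsk" -ge 1 ] && [ "$ksk" -ge 1 ] ||
        { echo "need at least one ZSK and one KSK, found $zsk/$ksk" >&2; return 1; }
    if [ -f "$ZONE.signed" ]; then
        serial_increased "$(soa_serial "$ZONE.signed")" "$(soa_serial "$ZONE")" ||
            { echo "SOA serial not incremented since the last signing" >&2; return 1; }
    fi
    # Append each public key once; on re-signing the DNSKEY records are already there.
    for k in K"$ZONE".+012+*.key; do
        grep -qF -- "$(awk '/DNSKEY/ { print $NF }' "$k")" "$ZONE" || cat "$k" >> "$ZONE"
    done
    "$BIND_SBIN"/dnssec-signzone -r /dev/random -o "$ZONE" "$ZONE"
}

# Usage: sign-gost-zone.sh keys | sign   (no argument: only define the functions)
case "${1:-}" in
    keys) generate_keys ;;
    sign) sign_zone ;;
esac
```

Run `sign-gost-zone.sh keys` once, then `sign-gost-zone.sh sign` for the first signing and every re-signing. The role, algorithm and serial helpers only read plain files, so they can also be used to audit an existing zone-dnssec directory on a machine without the patched BIND tools.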