
1 Preliminary Note

I'm using three Debian Squeeze servers here:

server1.example.com (master DNS server, authoritative): IP address 192.168.0.100
server2.example.com (slave DNS server, authoritative): IP address 192.168.0.101
server3.example.com (resolving DNS server, not authoritative): IP address 192.168.0.102

I'm assuming that BIND is already installed and working on all three servers. I'm using the zone example.org throughout this tutorial to demonstrate the DNSSEC setup. That zone is already set up and working (through "normal" DNS) on the master (server1) and slave (server2).

server1 (master):

The BIND configuration directory is /etc/bind on Debian Squeeze/Ubuntu 11.10. That directory looks as follows:

cd /etc/bind/
ls -l

root@server1:/etc/bind# ls -l
total 60
-rw-r--r-- 1 root root  665 Jan 15  2011 bind.keys
-rw-r--r-- 1 root root  237 Jan 15  2011 db.0
-rw-r--r-- 1 root root  271 Jan 15  2011 db.127
-rw-r--r-- 1 root root  237 Jan 15  2011 db.255
-rw-r--r-- 1 root root  353 Jan 15  2011 db.empty
-rw-r--r-- 1 root root  270 Jan 15  2011 db.local
-rw-r--r-- 1 root root 2994 Jan 15  2011 db.root
-rw-r--r-- 1 root bind  463 Jan 15  2011 named.conf
-rw-r--r-- 1 root bind  490 Jan 15  2011 named.conf.default-zones
-rw-r--r-- 1 root bind  167 Apr 13 10:06 named.conf.local
-rw-r--r-- 1 root bind  572 Jan 15  2011 named.conf.options
-rw-r--r-- 1 root bind  722 Apr 13 10:06 pri.example.org
-rw-r----- 1 bind bind   77 Feb  7  2011 rndc.key
drwxr-s--- 2 root bind 4096 Feb  7  2011 slave
-rw-r--r-- 1 root root 1317 Jan 15  2011 zones.rfc1918
root@server1:/etc/bind#

As you see, my example.org zone file is named pri.example.org. Yours might be named differently, so you have to adjust the zone name in the commands from this tutorial. My example.org zone looks as follows (nothing special, a normal BIND zone):

cat pri.example.org

$TTL 3600
@       IN      SOA     server1.example.com. zonemaster.example.com. (
                        2012041305 ; serial, todays date + todays serial #
                        7200       ; refresh, seconds
                        540        ; retry, seconds
                        604800     ; expire, seconds
                        86400 )    ; minimum, seconds
;
example.org.    3600    A       1.2.3.4
example.org.    3600    MX      10 mail.example.org.
example.org.    86400   NS      server1.example.com.
example.org.    86400   NS      server2.example.com.
example.org.    3600    TXT     "v=spf1 a mx ptr -all"
mail            3600    A       1.2.3.4
www             3600    A       1.2.3.4

My named.conf.local looks as follows:

cat named.conf.local

zone "example.org" {
        type master;
        allow-transfer {192.168.0.101;};
        also-notify {192.168.0.101;};
        file "/etc/bind/pri.example.org";
};

server2 (slave):

I've configured the slave to store its slave zone file (called sec.example.org) in the /etc/bind/slave directory, as you can see in the /etc/bind/named.conf.local file:

cat /etc/bind/named.conf.local

zone "example.org" {
        type slave;
        masters {192.168.0.100;};
        allow-notify {192.168.0.100;};
        allow-transfer {none;};
        file "/etc/bind/slave/sec.example.org";
};

The master sends a NOTIFY to the slave (also-notify) whenever the zone changes, the slave accepts NOTIFY only from the master (allow-notify) and then retrieves the new zone by zone transfer. allow-transfer on the master limits AXFR to the slave's address, and allow-transfer {none;} on the slave keeps it from handing out copies of the zone to anyone. As you see, nothing special here - a normal BIND setup.

2 Enabling DNSSEC On The Master (server1)

server1 (master):

I will use the dnssec-tools package in this tutorial as it comes with some handy tools such as zonesigner and rollerd that make DNSSEC management a lot easier. We can install it (and some other recommended packages) as follows:

apt-get install dnssec-tools libnet-dns-sec-perl libmailtools-perl libcrypt-openssl-random-perl

Now go to the /etc/bind directory:

cd /etc/bind

Open named.conf.options...
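Before moving on to named.conf.options, here is one check worth running against the named.conf.local blocks above. It is an added example, not part of the tutorial and not a BIND tool: a small Python script that walks every zone statement and flags zones whose allow-transfer is missing or set to any (in BIND 9.7 a zone without allow-transfer lets any host pull the whole zone with AXFR, which hands an attacker a complete list of your hosts). The first two zone blocks in the embedded sample are the tutorial's own master and slave entries; the two after them are constructed bad cases, and the parser and verdict strings are mine.

```python
"""Audit named.conf.local zone blocks for zone-transfer (AXFR) exposure.

Added example, not part of the tutorial: the parser and verdict strings
are my own. The first two zone blocks below mirror the tutorial's master
and slave configuration; the last two are constructed bad examples.
"""
import re

NAMED_CONF_LOCAL = """
// master, as on server1 in the tutorial
zone "example.org" {
        type master;
        allow-transfer {192.168.0.101;};
        also-notify {192.168.0.101;};
        file "/etc/bind/pri.example.org";
};
// slave, as on server2 in the tutorial
zone "example.org" {
        type slave;
        masters {192.168.0.100;};
        allow-notify {192.168.0.100;};
        allow-transfer {none;};
        file "/etc/bind/slave/sec.example.org";
};
// constructed bad example: anyone on the internet can AXFR this zone
zone "weak.example" {
        type master;
        allow-transfer { any; };
        file "/etc/bind/pri.weak.example";
};
// constructed bad example: no allow-transfer at all; BIND 9.7 then
// allows transfers to any host
zone "missing.example" {
        type master;
        file "/etc/bind/pri.missing.example";
};
"""


def strip_comments(text):
    """Drop /* */, // and # comments so a commented-out ACL cannot pass as real."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def zone_blocks(text):
    """Yield (zone_name, body) for every zone statement; body is the text
    between the zone's outer braces, found by counting nested braces."""
    text = strip_comments(text)
    for m in re.finditer(r'\bzone\s+"([^"]+)"[^{]*\{', text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1]


def acl_of(body, directive):
    """Return the address-match list of a directive such as allow-transfer
    as a list of strings, or None when the directive is absent."""
    m = re.search(r"\b%s\s*\{([^}]*)\}" % re.escape(directive), body)
    if not m:
        return None
    return [t.strip() for t in m.group(1).split(";") if t.strip()]


def audit_transfers(text):
    """Return {(zone, type): verdict}; verdict is 'ok' or a reason string."""
    findings = {}
    for name, body in zone_blocks(text):
        t = re.search(r"\btype\s+(\w+)\s*;", body)
        ztype = t.group(1) if t else "unknown"
        acl = acl_of(body, "allow-transfer")
        if acl is None:
            verdict = "no allow-transfer; BIND 9.7 default lets any host AXFR this zone"
        elif any(a.lower() == "any" for a in acl):
            verdict = "allow-transfer any; the whole zone can be enumerated by anyone"
        else:
            verdict = "ok"
        findings[(name, ztype)] = verdict
    return findings


if __name__ == "__main__":
    for (zone, ztype), verdict in audit_transfers(NAMED_CONF_LOCAL).items():
        print(f"{zone:18} {ztype:7} {verdict}")
```

To run it against a live server, call audit_transfers(open("/etc/bind/named.conf.local").read()) instead of the embedded sample. Restricting AXFR by source address is a meaningful control because zone transfers run over TCP, but signing transfers with a TSIG key is the stronger option when master and slave do not share a trusted network.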

vi named.conf.options

... and add dnssec-enable yes;, dnssec-validation yes;, and dnssec-lookaside auto; to the options section:

options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        //bindkeys-file "/etc/bind/bind.keys";
};

The bindkeys-file line is needed only if your bind.keys file is in a location other than /etc/bind/bind.keys - if it's /etc/bind/bind.keys, it's loaded by default.

dnssec-lookaside auto; makes named read the DLV key from bind.keys the first time it starts. This is the dlv.isc.org key.

Normally, there should be a fully signed path from the root zone (.) down to your own zone, which means that your parent zones (e.g. .org for example.org) must be signed as well. Unfortunately, not all TLDs have been signed yet. If any of your parents aren't signed, the chain is broken, and you cannot use the root zone's key as a trust anchor in your BIND configuration. That's why DNSSEC look-aside validation (DLV) was invented. In short, DLV serves as an alternative repository for trusted keys where you can submit your zone keys if there's no fully signed path to your zone. The most prominent DLV repository is dlv.isc.org (ISC, the Internet Systems Consortium, is the organization that makes BIND). Both the root zone key and the dlv.isc.org key are included in /etc/bind/bind.keys (if not, please update BIND...

apt-get install bind9

... and check again).

You can find out more about DNSSEC look-aside validation (DLV) on https://www.isc.org/solutions/dlv and https://dlv.isc.org/about/background. If you want to submit your keys to the dlv.isc.org repository, you can register on https://dlv.isc.org/. Be aware that ISC has since retired the dlv.isc.org registry (it stopped serving DLV records in 2017) and current BIND releases no longer accept dnssec-lookaside, so on anything newer than the BIND 9.7 used here, skip DLV and rely on the root trust anchor plus a DS record at your registry.

You can find a list of signed TLDs on http://stats.research.icann.org/dns/tld_report/ and http://www.tldwithdnssec.se/. If your TLD is signed, the preferred method is to submit your keys to your registry so that they can create a DS record for your zone. You don't need a DLV record then.

In BIND 9.8 and 9.9, the root zone key from bind.keys can be loaded with dnssec-validation auto; - unfortunately, in BIND 9.7 (which we use) there's no auto option for dnssec-validation (that's why we use dnssec-validation yes;), which means the root zone key isn't loaded (see https://www.isc.org/bind-keys). To overcome this issue, we can either add the root zone key from bind.keys...

cat bind.keys

[...]
managed-keys {
        # ISC DLV: See https://www.isc.org/solutions/dlv for details.
        # NOTE: This key is activated by setting "dnssec-lookaside auto;"
        # in named.conf.
        dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
                brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
                1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
                ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
                Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
                QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
                TDN0YUuWrBNh";

        # ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml
        # for current trust anchor information.
        # NOTE: This key is activated by setting "dnssec-validation auto;"
        # in named.conf.
        . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
                FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
                bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
                X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
                W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
                Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
                QxA+Uk1ihz0=";
};

(The root key shown here is the 2010 KSK, key tag 19036. It was retired in the October 2018 root KSK rollover in favour of key tag 20326, so a current bind.keys carries a different key; whichever version you have, compare it with https://data.iana.org/root-anchors/root-anchors.xml before you trust it.)

... to named.conf.options, or we simply include bind.keys in named.conf.options (I prefer the latter method):

vi named.conf.options
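Whichever way the root key reaches named, it is worth checking that what sits in bind.keys really is the IANA root key before turning validation on: a stale or tampered anchor makes a validating resolver fail every answer it tries to validate. The script below is an added example, not code from the tutorial or from ISC. It parses the initial-key entries out of a bind.keys excerpt (constructed from the root entry shown above, with the DLV entry left out), rebuilds the DNSKEY RDATA, computes the RFC 4034 key tag and the SHA-256 DS digest, and compares them with the values IANA published for key tag 19036 in root-anchors.xml. Function names and verdict strings are my own.

```python
"""Check the root trust anchor in bind.keys against the DS record IANA publishes.

Added example, not from the tutorial or from ISC. The bind.keys excerpt is
constructed from the root KSK-2010 entry the tutorial shows (DLV entry
omitted); the expected DS values are the ones IANA published for key tag
19036 in root-anchors.xml. Parsing, key tag and DS code are my own.
"""
import base64
import hashlib
import os
import re

BIND_KEYS = '''
managed-keys {
        # ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml
        # for current trust anchor information.
        # NOTE: This key is activated by setting "dnssec-validation auto;"
        # in named.conf.
        . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
                FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
                bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
                X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
                W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
                Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
                QxA+Uk1ihz0=";
};
'''

# (key tag, algorithm, digest type, digest) as published by IANA for KSK-2010.
IANA_ROOT_DS = (19036, 8, 2,
                "49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5")

KEY_RE = re.compile(
    r'^\s*(\S+)\s+initial-key\s+(\d+)\s+(\d+)\s+(\d+)\s+"([^"]+)"\s*;',
    re.M | re.S)


def parse_bind_keys(text):
    """Yield (owner, flags, protocol, algorithm, public_key_bytes) per entry."""
    for m in KEY_RE.finditer(text):
        owner, flags, proto, alg, b64 = m.groups()
        key = base64.b64decode(re.sub(r"\s+", "", b64))  # key spans several lines
        yield owner, int(flags), int(proto), int(alg), key


def name_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 section 6.2)."""
    if name == ".":
        return b"\x00"
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, proto, alg, key):
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + key


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_sha256(owner, rdata):
    """DS digest type 2: SHA-256 over owner name wire form + DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()


def verify_root_anchor(text, expected=IANA_ROOT_DS):
    """Return (ok, detail). ok is True when some SEP-flagged DNSKEY for '.' in
    text reproduces the expected key tag, algorithm and SHA-256 DS digest."""
    exp_tag, exp_alg, exp_dtype, exp_digest = expected
    if exp_dtype != 2:
        return False, "only DS digest type 2 (SHA-256) is implemented here"
    seen = []
    for owner, flags, proto, alg, key in parse_bind_keys(text):
        if owner != "." or not flags & 0x0001:   # SEP bit (flags 257) marks a KSK
            continue
        rdata = dnskey_rdata(flags, proto, alg, key)
        tag, digest = key_tag(rdata), ds_sha256(owner, rdata)
        if (tag, alg, digest) == (exp_tag, exp_alg, exp_digest.upper()):
            return True, f"root KSK tag {tag} matches the IANA DS record"
        seen.append(tag)
    if seen:
        return False, f"root KSK(s) {seen} do not match the IANA DS record"
    return False, "no root KSK (owner '.', SEP flag set) found"


if __name__ == "__main__":
    print(verify_root_anchor(BIND_KEYS))
    if os.path.exists("/etc/bind/bind.keys"):   # path used in the tutorial
        with open("/etc/bind/bind.keys") as f:
            print(verify_root_anchor(f.read()))
```

For a newer bind.keys, swap IANA_ROOT_DS for the DS values of the key currently listed in root-anchors.xml; the code is the same, only the expected tuple changes.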
