DNSSEC: Configuring auto-signed dynamic zone HOWTO

Eugene Crosser crosser at average.org
Fri Feb 19 07:12:31 UTC 2010


Please comment!

Eugene

=======
        HOW TO CONFIGURE AUTO-SIGNED DYNAMIC ZONES WITH BIND9

        This document describes how to configure bind9 to
        automatically sign zones as they are being modified
        by the dynamic update mechanism. It is assumed that
        you already know how to configure manually signed
        zones [1] and how to configure zones for dynamic
        updates [2].

        For the purpose of this discussion, we presume that
        you control the parent zone 'example.com', which does
        not allow dynamic updates and is manually signed.
        The child zone 'dyn.example.com' is set up for dynamic
        updates. Your 'named' is not run in a chroot environment,
        and executes under effective uid 'bind' and gid 'bind'.
        Bind configuration files and manually signed zones are
        kept in the directory /etc/bind, which is readable but not
        writable by the 'bind' uid, and dynamically updatable
        zones are kept in the directory /var/cache/bind, which is
        readable and writable by the 'bind' uid.

        The following are the steps to make 'dyn.example.com'
        zone automatically signed:

0.      Make sure that you are using bind version 9.6 or later.

1.      Create a directory to contain zone keys that are
        "visible" to named and therefore available to the
        auto-signing mechanism:

                # mkdir /etc/bind/keys
                # chgrp bind /etc/bind/keys
                # chmod 0750 /etc/bind/keys

2.      Create a zone-signing key for the zone
        'dyn.example.com' and make the private key readable
        by the 'bind' uid:

                # cd /etc/bind/keys
                # dnssec-keygen -a RSASHA1 -b 1024 \
                > -n ZONE dyn.example.com
                # chgrp bind *.private
                # chmod 0640 *.private

3.      Include the DNSKEY in the 'dyn.example.com' zone and
        sign it manually. The signed file must be made writable
        by the 'bind' uid:

                # cd /var/cache/bind
                # rndc freeze dyn.example.com

        edit the file 'dyn.example.com' and add this line:

        '$include /etc/bind/keys/Kdyn.example.com.[...].key'

        (substitute the actual name of the key file)

                # dnssec-signzone -g -d /etc/bind/keys \
                > dyn.example.com \
                > /etc/bind/keys/Kdyn.example.com.[...].private

        (substitute the actual name of the key file)
        This step will create the file dyn.example.com.signed,
        and in addition to that, the file
        '/etc/bind/keys/dsset-dyn.example.com.'.

                # chown bind:bind dyn.example.com.signed

4.      Include DS records into the parent zone:

                # cd /etc/bind

        edit the file example.com and add this line:

        '$include keys/dsset-dyn.example.com.'

        (don't forget to also update the zone's serial.)

        Manually sign the 'example.com' zone as you usually
        do.

5.      Update bind's configuration:

        In the definition of the 'dyn.example.com' zone, change
        the line

        'file "/var/cache/bind/dyn.example.com";'

        to

        'file "/var/cache/bind/dyn.example.com.signed";'

        In the 'options' section, add these lines:

        'sig-validity-interval 2400;'
        'key-directory "/etc/bind/keys";'

        (replace '2400' with whatever period you deem
        appropriate; 2400 is 40 minutes.)

6.      Make named re-read the configuration and thaw
        the dynamic zone:

                # rndc reload
                # rndc thaw dyn.example.com

7.      Check that things work as expected.
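        As an added example for step 7 (this script is not part of
        the original HOWTO), the following shell functions verify
        that a record pushed through nsupdate comes back from named
        with an RRSIG made by the zone key from step 2 and that the
        signature has not yet expired. The key file name pattern
        (dnssec-keygen style K<zone>+<alg>+<tag>.key), the host name,
        the address and the sample dig answer are all assumed or
        constructed for illustration.

```shell
#!/bin/sh
# Added example for step 7, not part of the original HOWTO. It checks that a
# record added through nsupdate comes back with an RRSIG made by the zone key
# from step 2 (key tag taken from the key file name, dnssec-keygen style
# K<zone>+<alg>+<tag>.key) and that the signature has not yet expired.
# The host name, address and sample dig answer below are constructed.

# Key tag of a key file name: Kdyn.example.com.+005+05086.key -> 5086
key_tag_of() {
    f=${1##*/}                              # strip the directory
    f=${f%.*}                               # strip .key / .private
    f=${f##*+}                              # keep the digits after the last '+'
    printf '%s\n' "$f" | sed 's/^0*\([0-9]\)/\1/'   # drop zero padding
}

# rrsig_ok NAME TYPE TAG NOW  < dig-answer
# Reads `dig +dnssec +noall +answer` text on stdin and succeeds only if the
# TYPE RRset of NAME carries an RRSIG (fields: $9 expiry, $10 inception,
# $11 key tag) made by key TAG whose expiry (YYYYMMDDHHMMSS) is after NOW.
rrsig_ok() {
    awk -v n="$1" -v t="$2" -v tag="$3" -v now="$4" '
        $1 == n && $4 == "RRSIG" && $5 == t && $11 == tag && $9 > now { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Constructed answer as dig would print it after a successful auto-signed update.
SAMPLE='host.dyn.example.com. 300 IN A 192.0.2.10
host.dyn.example.com. 300 IN RRSIG A 5 4 300 20100221071231 20100219061231 12345 dyn.example.com. c29tZS1zaWduYXR1cmU='

# Live version of the check (not run here; needs the named configured in
# steps 1-6 listening on 127.0.0.1 and accepting updates from it).
check_live() {
    tag=$(key_tag_of /etc/bind/keys/Kdyn.example.com.+*.private)    # assumes one zone key
    printf 'server 127.0.0.1\nupdate add host.dyn.example.com. 300 A 192.0.2.10\nsend\n' | nsupdate
    sleep 2                                 # give named a moment to sign the change
    dig @127.0.0.1 +dnssec +noall +answer host.dyn.example.com. A |
        rrsig_ok host.dyn.example.com. A "$tag" "$(date -u +%Y%m%d%H%M%S)"
}

# Offline self-check against the constructed answer; returns 0 if it passes.
selfcheck() {
    printf '%s\n' "$SAMPLE" | rrsig_ok host.dyn.example.com. A 12345 20100219120000
}
```

        If named accepts updates only with a TSIG key, add the
        matching '-k' option to the nsupdate call in check_live.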

References:

[1] http://www.nlnetlabs.nl/publications/dnssec_howto/index.html
    DNSSEC HOWTO, a tutorial in disguise, by Olaf Kolkman

[2] http://answers.oreilly.com/topic/192-how-to-allow-dynamic-updates-with-bind/
    How to allow dynamic updates with BIND, O'Reilly Answers
=======
