trying DNSSEC with 9.9-rc1

Michael W. Lucas mwlucas at blackhelicopters.org
Wed Feb 1 22:18:59 UTC 2012


Hi,

I'd put off DNSSEC because of the high maintenance requirement. But
with 9.9 and inline signing, it looks like I can now do DNSSEC the way
I need (static zone files that work with legacy tools, automatic key
rotation, etc.)

I see that 9.9-rc2 came out yesterday; I'm building it now, but I
don't see anything in the relnotes that tells me this has
changed. Unfortunately, I'm trying to figure out how to use DNSSEC
inline signing from the Internet's ten years of DNSSEC tutorials, none
of which exactly cover this setup. And the ARM isn't quite updated for
this yet.

If someone is kind enough to help me figure out DNSSEC, I'll happily
blog it for the next guy who comes along. I'm sure I won't be the
last...

My understanding of the process is:

1) create KSK and ZSK

nstest/etc/namedb/keys;dnssec-keygen -f KSK -a RSASHA1 -b 768 -n ZONE transnetworks.net
Generating key pair.........................................................++++++++ .++++++++
Ktransnetworks.net.+005+54607
nstest/etc/namedb/keys;dnssec-keygen -a RSASHA1 -b 768 -n ZONE transnetworks.net
Generating key pair......................................++++++++ ..................++++++++
Ktransnetworks.net.+005+51087

2) tell named.conf about the zone's DNSSEC:

zone transnetworks.net {
     type master;
     file "master/transnetworks.net";
     key-directory "keys/";
     inline-signing yes;
     auto-dnssec maintain;
};

I restart named, and see the following files:

transnetworks.net
transnetworks.net.jbk
transnetworks.net.signed

So, it appears that inline is doing something.

But dig shows:

nstest/etc/namedb/keys;dig transnetworks.net @localhost +dnssec

; <<>> DiG 9.8.1-P1 <<>> transnetworks.net @localhost +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42076
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;transnetworks.net.             IN      A

;; ANSWER SECTION:
transnetworks.net.      86400   IN      A       198.22.63.130

;; AUTHORITY SECTION:
transnetworks.net.      86400   IN      NS      ns1.minetworkservices.net.
transnetworks.net.      86400   IN      NS      ns2.minetworkservices.net.

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Feb  1 17:12:21 2012
;; MSG SIZE  rcvd: 116

My understanding is that once I get this to work, I use 

$ dnssec-dsfromkey -2 Ktransnetworks.net.<ksk #>

and give that to my registrar.

Any suggestions, folks? What am I not understanding?

Thanks,
==ml

-- 
Michael W. Lucas
http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
Latest book: SSH Mastery http://www.michaelwlucas.com/nonfiction/ssh-mastery
mwlucas at BlackHelicopters.org, Twitter @mwlauthor
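An added check that is not part of Michael's message or of BIND: the dig output he pasted shows the DO bit set in the EDNS pseudosection but no RRSIG records in the answer, which is the quickest sign that the zone is not yet being served signed. The script below parses `dig +dnssec` text output and reports, per RRset in the ANSWER and AUTHORITY sections, whether a covering RRSIG is present, along with the algorithm number and key tag of the signing key (the same two numbers that appear in the `Ktransnetworks.net.+005+51087` file name). The first sample is the output from the post; the second is a constructed example of what a signed answer looks like, with placeholder signature data.

```python
"""Check whether a `dig +dnssec` answer actually carries DNSSEC signatures.

Added example, not from the original post or from BIND. Parses dig's text
output and reports which RRsets have an RRSIG covering them.
"""
import re
from collections import defaultdict

# Dig output as pasted in the post: DO bit set, but no RRSIG records.
UNSIGNED = """\
; <<>> DiG 9.8.1-P1 <<>> transnetworks.net @localhost +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42076
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;transnetworks.net.             IN      A

;; ANSWER SECTION:
transnetworks.net.      86400   IN      A       198.22.63.130

;; AUTHORITY SECTION:
transnetworks.net.      86400   IN      NS      ns1.minetworkservices.net.
transnetworks.net.      86400   IN      NS      ns2.minetworkservices.net.
"""

# Constructed sample of a signed answer; the RRSIG signature fields are
# placeholders, not real signature data.
SIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;transnetworks.net.             IN      A

;; ANSWER SECTION:
transnetworks.net.      86400   IN      A       198.22.63.130
transnetworks.net.      86400   IN      RRSIG   A 5 2 86400 20120301000000 20120201000000 51087 transnetworks.net. PLACEHOLDERSIG==

;; AUTHORITY SECTION:
transnetworks.net.      86400   IN      NS      ns1.minetworkservices.net.
transnetworks.net.      86400   IN      NS      ns2.minetworkservices.net.
transnetworks.net.      86400   IN      RRSIG   NS 5 2 86400 20120301000000 20120201000000 51087 transnetworks.net. PLACEHOLDERSIG==
"""

SECTION_RE = re.compile(r"^;; (\w+) SECTION:")
FLAGS_RE = re.compile(r"^;; flags: ([^;]*);")
EDNS_RE = re.compile(r"^; EDNS: .*flags: ([^;]*);")


def parse_dig(text):
    """Return (header flags, EDNS flags, {section: [records]}) from dig text.

    Each record is (owner, ttl, class, type, rdata-fields)."""
    flags, edns_flags = set(), set()
    sections = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = FLAGS_RE.match(line)
        if m:
            flags = set(m.group(1).split())
            continue
        m = EDNS_RE.match(line)
        if m:
            edns_flags = set(m.group(1).split())
            continue
        # Skip comments, blank lines, the QUESTION line, and anything
        # before the first section header.
        if not line or line.startswith(";") or current is None:
            continue
        parts = line.split()
        if len(parts) < 5:
            continue
        owner, ttl, rclass, rtype, rdata = parts[0], int(parts[1]), parts[2], parts[3], parts[4:]
        sections[current].append((owner, ttl, rclass, rtype, rdata))
    return flags, edns_flags, dict(sections)


def check_signatures(text):
    """Report which RRsets in ANSWER and AUTHORITY are covered by an RRSIG."""
    flags, edns_flags, sections = parse_dig(text)
    result = {"do": "do" in edns_flags, "ad": "ad" in flags,
              "signed": [], "unsigned": [], "keys": set()}
    for section in ("ANSWER", "AUTHORITY"):
        records = sections.get(section, [])
        # RRSIG rdata: type-covered, algorithm, labels, orig-ttl, expiry,
        # inception, key-tag, signer, signature.
        covered = {(o, rd[0]) for o, _, _, t, rd in records if t == "RRSIG"}
        for owner, _, _, rtype, rdata in records:
            if rtype == "RRSIG":
                result["keys"].add((int(rdata[1]), int(rdata[6])))
                continue
            key = (owner, rtype)
            bucket = "signed" if key in covered else "unsigned"
            if key not in result[bucket]:
                result[bucket].append(key)
    result["keys"] = sorted(result["keys"])
    return result


def is_signed(text):
    """True when DO was negotiated and every RRset seen carries an RRSIG."""
    r = check_signatures(text)
    return r["do"] and not r["unsigned"] and bool(r["signed"])


if __name__ == "__main__":
    for label, text in (("output from the post", UNSIGNED), ("constructed signed answer", SIGNED)):
        r = check_signatures(text)
        print("%s: do=%s ad=%s signed=%s unsigned=%s keys=%s"
              % (label, r["do"], r["ad"], r["signed"], r["unsigned"], r["keys"]))
```

On the output from the post the script reports DO set, no signed RRsets and both the A and NS RRsets unsigned, which is what the pasted dig shows: named is writing the `.signed` file, but the answers it serves for the zone carry no signatures, so the next thing to look at is whether named is actually loading the signed zone and finding the keys in `key-directory`. The AD flag is reported for completeness; an authoritative server answering its own zone does not set it, so only a validating resolver would show it.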
