Category Archives: DNSSEC

DNSSEC and possible problems with DNS resolvers

DNSSEC replies are much bigger than traditional DNS answers.
Typical DNS replies fit into the 512-byte standard UDP DNS packet.
So if they get bigger we need EDNS Support.
To test if your DNS Servers can successfully forward bigger
packages you should use OARC’s DNS Reply Size Test Server:

$ dig +short rs.dns-oarc.net txt

If should then output something like this:

;; Truncated, retrying in TCP mode.
rst.x3827.rs.dns-oarc.net.
rst.x3837.x3827.rs.dns-oarc.net.
rst.x3843.x3837.x3827.rs.dns-oarc.net.
"217.23.92.200 sent EDNS buffer size 4096"
"217.23.92.200 DNS reply size limit is at least 3843"
"Tested at 2013-06-18 19:16:29 UTC"

Explanation can be found here

Enabling DNSSEC on Bind

1. Enable DNSSEC

Update named.conf options section:

options {
 dnssec-enable yes;
 dnssec-validation yes;
};

Also don’t forget add managed-keys section or include bind.keys sullied with bind.
At least ROOT KEY must included to work dnssec validation:

managed-keys {
 # ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml
 # for current trust anchor information.
 # NOTE: This key is activated by setting "dnssec-validation auto;"
 # in named.conf.
 . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
  FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
  bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
  X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
  W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
  Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
  QxA+Uk1ihz0=";
};

2. Generate Keys

ZSK (Zone Signing Key) is responsible for signing records within a zone. This one will need to be changed frequently (typical recommendation is every month):

$ dnssec-keygen -a RSASHA1 -b 1024 -n ZONE zonename

KSK (Key Signing Key) which can be stronger since you will need to change it less (typically every year):

$ dnssec-keygen -a RSASHA1 -b 4096 -n ZONE -f KSK zonename

3. Add keys to zonefile

; Zone Signing Key
$INCLUDE Kzonename.+001+11111.key
; Key Signing Key
$INCLUDE Kzonename.+001+22222.key

4. Sign the Zone

$ dnssec-signzone zonefile
Output is zonefile.signed

5. Validate the zonefile

$ donuts zonefile.signed zonename

6. Publish the signed zone

Update named.conf with signed zonename file:

zone "zonename" {
 file "/etc/bind/zonename/zonefile.signed";
};

7. Testing

$ dig zonename SOA +dnssec +multiline