Tag Archives: dnssec

DNSSEC and possible problems with DNS resolvers

DNSSEC replies are much bigger than traditional DNS answers.
Typical DNS replies fit into the 512-byte standard UDP DNS packet.
So if they get bigger we need EDNS Support.
To test if your DNS Servers can successfully forward bigger
packages you should use OARC’s DNS Reply Size Test Server:

$ dig +short rs.dns-oarc.net txt

If should then output something like this:

;; Truncated, retrying in TCP mode.
" sent EDNS buffer size 4096"
" DNS reply size limit is at least 3843"
"Tested at 2013-06-18 19:16:29 UTC"

Explanation can be found here

Enabling DNSSEC on Bind

1. Enable DNSSEC

Update named.conf options section:

options {
 dnssec-enable yes;
 dnssec-validation yes;

Also don’t forget add managed-keys section or include bind.keys sullied with bind.
At least ROOT KEY must included to work dnssec validation:

managed-keys {
 # ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml
 # for current trust anchor information.
 # NOTE: This key is activated by setting "dnssec-validation auto;"
 # in named.conf.
 . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF

2. Generate Keys

ZSK (Zone Signing Key) is responsible for signing records within a zone. This one will need to be changed frequently (typical recommendation is every month):

$ dnssec-keygen -a RSASHA1 -b 1024 -n ZONE zonename

KSK (Key Signing Key) which can be stronger since you will need to change it less (typically every year):

$ dnssec-keygen -a RSASHA1 -b 4096 -n ZONE -f KSK zonename

3. Add keys to zonefile

; Zone Signing Key
$INCLUDE Kzonename.+001+11111.key
; Key Signing Key
$INCLUDE Kzonename.+001+22222.key

4. Sign the Zone

$ dnssec-signzone zonefile
Output is zonefile.signed

5. Validate the zonefile

$ donuts zonefile.signed zonename

6. Publish the signed zone

Update named.conf with signed zonename file:

zone "zonename" {
 file "/etc/bind/zonename/zonefile.signed";

7. Testing

$ dig zonename SOA +dnssec +multiline