1,576
edits
Changes
m
Protected "OPS535-online-L8": OER transfer ([Edit=Allow only administrators] (indefinite) [Move=Allow only administrators] (indefinite))
=OPS535 Lab 8=
==Objectives==
* Study the responses of DNSSec DNSSEC enabled DNS queries* Configure an authoritative DNS server to provide DNS responses authenticated with DNSSecDNSSEC.
==Pre-Requisites==
* For Investigation 3, you should do it on your VM2 in the Virtual Lab.
==Investigation 1: Performing queries using DNSSecDNSSEC==
Perform the following steps on your own pri-dns CentOS 8.x at home:
<ol>
</li>
<li>Once you have a response, can you be sure it is reliable?
*Re-run the previous dig command, but this time add +dnssec to request authentication of the results using DNSSecDNSSEC.
<source>
[rchan@pri-dns labs]$ dig senecacollege.ca @1.1.1.1 +dnssec
</source>
*Notice the addition of the <b>flags: do</b> flag (<font color='blue'>DNSSec DNSSEC Ok</font>, that is the server we queried is willing to perform authentication), but no other difference in output. This information is '''not''' authenticated.
</li>
<li>Now we will run a query that does get authenticated:
</source>
*Notice that in addition to the <b>do</b> flag, the answer to this query also has an <b>ad</b> flag (<font color='blue'>Authenticated Data</font>), along with extra information in the answer itself (the <b>RRSIG</b> record). This result '''is''' authenticated.
*If you want to see this result without the DNSSec DNSSEC information, simply re-run the query without the +dnssec request.
</li>
</ol>
==Investigation 2: Configuring DNSSec DNSSEC on a Recursive Server==
Perform the following steps as root on your co-nfs VM at home:
<ol>
*Note that this relies on your server also having the initial key it will use to authenticate the root name servers it communicates with.
*This can be found in /etc/named.root.key.
*These This too are is included by default when you first install bind. If they are it is not there, add the following lines line to your options statement and restart your service:
<source>
include "/etc/named.root.key";
</source>
</li>
<li>Make sure your recursive DNS server is configured to be provide recursive answers to other machines in your network, and that it will allow traffic to udp/tcp port 53.
*All of this should have already been done, so long as you followed the instructions in previous labs, and didn’t deliberately break anything.
</li>
<li>Run the following command from one of your other VMs (making sure to use the ip address of your own DNS serverinstead of 192.168.49.53 shown):
<source>
[rchan@vm2 pri-dns labs]$ dig +tcp +dnssec @192.168.49.53 isc.org
; <<>> DiG 9.11.20-RedHat-9.11.20-5.el8_3.1 <<>> +tcp +dnssec @192.168.49.53 isc.org
</source>
*Again, note the <b>do </b> and <b>ad </b> flags, along with the RRSIG record (and similar data for the nameservers in the isc.org domain).
</li>
<li>Your server is now able to request DNSSec DNSSEC records from other zones, and authenticate them.</li>
</ol>
==Investigation 3: Configuring DNSSec DNSSEC on an Authoritative Server==Perform the following steps as sudoer or root on your Vm1VM2 in the virtual lab:
<ol>
<li>Now that you know your how to configure a recursive nameserver is capable of performing to perform authentication of other domains (so long as they are configured to provide authentication), it is time to set up authentication in configure your own domainto support authentication using DNSSEC.</li><li>First you need ot to make sure that the named service is able to modify the master zone files, as it will need to do so in order to add the RRSIG records it generates for youryou. This requires two things:*The SELinux boolean <b>named_write_master_zones </b> must be set to on to (this should have already been done in a previous lab, and is currently the default setting).*The named account must have write permission to hte the /var/named directory. Again, this is currently the default setting, but double check that it is correct.
*If either of those settings is not configured correctly, fix them now.</li>
<li>Install the <b>haveged </b> service to generate random values for your system.
*It can be found in the epel-release repo. Install that if you have not already done so.
*You would not have to use this service on a ‘real’ server, but our VMs will may not have enough activity to provide normally random data within a reasonable time-frame.*Start, but do not enable <b>haveged </b> service, as we will not need it on a regular basis. Anytime you need to re-generate the random keys from the next step, simply start the service.
</li>
<li>Next, we will use the <b>dnssec-keygen </b> command to generate two sets of paired keys.
<ul>
<li>Create a directory at /etc/named/<yourdomain>-keys
<ul><li>Making sure you replace <yourdomain> with the name of your domain</li>
<li>Make sure it has that only <b>root </b> and the <b>named service user can </b> have read/write access to it.</li>
<li>cd into that directory so the keys you are about to generate get created there.</li>
</ul>
</li>
<li>First, to generate the <b>Zone Signing Key </b> (ZSK) that is used to sign individual records (make sure to use your own zone name):
<source>dnssec-keygen -a RSASHA256 -b 1024 <yourzone></source></li>
<li>And to generate the <b>Key Signing Key </b> (KSK) that is used to create an RRSIG for your DNSKEY (the public half of the ZSK):
<source>dnssec-keygen -a RSASHA256 -b 2048 -f KSK <yourzone></source></li>
<li>Note that the algorithm and number of bytes used here are current standards, but may change over time.</li>
Our machines only have two zone statements (the forward and reverse lookups of your domain), so it won’t make a significant difference where we place them. If your server hosted multiple domains, the placement of these parameters would be something to consider:
*Add the following lines to your two zones (again replacing <yourdomain> with the name of your domain):
<source>key-directory “/etc/named/<yourdomain>-keys”;
inline-signing yes;
auto-dnssec maintain;
key-directory “/etc/named/<yourdomain>-keys”;
</source>
*Double check that the value you put in the key-directory parameter matches the directory you created your key files in.
</li>
<li>Make sure the dnssec-enable parameter in /etc/named.conf is set to yes so that your server will provide the extra DNSSec DNSSEC records if a client requests them.
*This is the default value, so unless you took it out, it should already be there.
*Note that this parameter is different from the dnssec-validation parameter which only controls whether or not your server will request those records from other servers when a client asks for them.
</li>
<li>Restart the named service. If you have dynamic DNS set up from the earlier labs, you can use named-journalprint to view the journal files for your zones in order to see the new records.</li>
<li>In order to confirm that your server will provide the extra records when requested, use the dig command to obtain a zone transfer (including the DNSSec DNSSEC records) from your server:
*Making sure to replace <yourzone> with the name of your zone, and <ip-of-server> with the ip address of your server.
<source>dig AXFR <yourzone> @<ip-of-server></source></li>
==Completing the Lab==
Your DNS server is now capable of performing recursive queries using DNSSec DNSSEC when client machines request it. It has also been configured to provide the extra DNSSec DNSSEC records when clients request them.Note that it is not yet truly providing DNSSec DNSSEC answers, as it is not being authenticated through the domain above yours.
Follow the instructions on blackboard to submit the lab.
