Open main menu

CDOT Wiki β

Changes

OPS535-lab-dnssec

4,918 bytes added, 13:16, 9 October 2019
Investigation 2: Configuring DNSSec on a Recursive Server: - Adding body to investigation 2
==Investigation 2: Configuring DNSSec on a Recursive Server==
Perform the following steps as root on your VM1:
<ol>
<li>Now that you can spot the differences between authenticated and non-authenticated data, it is time to configure your local DNS server to perform authentication when your client machines request it.</li>
<li>Simply set the dnssec-validation parameter in your /etc/named.conf file to yes (it is already set this way if you didn’t change it in an earlier lab).
*Note that this relies on your server also having the initial key it will use to authenticate the root name servers it communicates with.
*This can be found in /etc/named.iscdlv.key and /etc/named.root.key.
*These too are included by default when you first install bind. If they are not there, add the following lines to your options statement and restart your service:
<source>
bindkeys-file "/etc/named.iscdlv.key";
include "/etc/named.root.key";
</source>
</li>
<li>Make sure your dns server is configured to be provide recursive answers to other machines in your network, and that it will allow traffic to tcp port 53.
*All of this should have already been done, so long as you followed the instructions in previous labs, and didn’t deliberately break anything.
</li>
<li>Run the following command from one of your other VMs (making sure to use the ip address of your own DNS server):
<source>>dig +tcp +dnssec @192.168.83.1 www.isc.org</source>
*You should get output similar to the following:
<source>
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> +tcp +dnssec @192.168.83.1 www.isc.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13512
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 13
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
 
;; QUESTION SECTION:
;www.isc.org. IN A
 
;; ANSWER SECTION:
www.isc.org. 60 IN A 149.20.64.69
www.isc.org. 60 IN RRSIG A 5 3 60 20181128233334
20181029233334 19923 isc.org.
EzPGoD0DDKUONuWUhXsNqW0xt1q3l8Nwg8Ec3SW9QZafwyQDYj9/dZ/F
d4ch3UIQ1oKfHYUtAsev7aVjwbisM5HgHSjGtBMWZngzY/mBTmy+uVog
yBKuXHawR13il4fY6Z68qTZpaq8gH9jKqpPJYomruSxYFZVAI8Ct+tBB 0SE=
 
;; AUTHORITY SECTION:
isc.org. 6575 IN NS ord.sns-pb.isc.org.
isc.org. 6575 IN NS sfba.sns-pb.isc.org.
isc.org. 6575 IN NS ams.sns-pb.isc.org.
isc.org. 6575 IN NS ns.isc.afilias-nst.info.
isc.org. 6575 IN RRSIG NS 5 2 7200 20181128233334
20181029233334 19923 isc.org.
IzXvpUxVCC15yG74ChGSlUgNOAPtvb6688zZm97SYSB6772gzS09VhmR
WfpdOx5IJFwhhIl87bB49yiEHP4SimMrAfoAmGIpe5G4hI8uirhGlWNM
Rh6SVIMSXdPMCKF8pSqe387ERK9ZcEPfVVTxeA+/C0Ajyg+KhrwbS4A6 3wU=
 
;; ADDITIONAL SECTION:
ams.sns-pb.isc.org. 85775 IN A 199.6.1.30
ams.sns-pb.isc.org. 85775 IN AAAA 2001:500:60::30
ord.sns-pb.isc.org. 85775 IN A 199.6.0.30
ord.sns-pb.isc.org. 85775 IN AAAA 2001:500:71::30
sfba.sns-pb.isc.org. 85775 IN A 149.20.64.3
sfba.sns-pb.isc.org. 85775 IN AAAA 2001:4f8:0:2::19
ams.sns-pb.isc.org. 7200 IN RRSIG A 5 4 7200 20181128233334
20181029233334 19923 isc.org.
fN6lhMQKcNsl889c8e0n7b0xBLWHnp9oLUn8ji4T7sNykobHObfihcvL
LpX2DGqVKUW/9kIe5hvikVNfiDxjZx89V6jMnhyavSsJdchyv3zuEedx
pFa8Kq9y28Na+/7v+3eCVp/L0SRx1na88bxiFpLpIk1aIV5pAthgtQSH 9hY=
ams.sns-pb.isc.org. 7200 IN RRSIG AAAA 5 4 7200 20181128233334
20181029233334 19923 isc.org.
mvlEcSyHnq/O1B8+awGkUPp3+G+QOHf5Vdeq+vhReo+um8Jg8aks3uYy
CMZjC/NAtFPNUzjTyDtirn79/lDan3GgwpICHvWq2DHCslp7hbZC7qRs
cFQjstONnLcprPS5q8T1TRFs97SuqTS7OK4B3f0Lf0ilC+ohOYQR/1bW Fg8=
ord.sns-pb.isc.org. 7200 IN RRSIG A 5 4 7200 20181128233334
20181029233334 19923 isc.org. ZPsHODiOXBRsXN3K1Al/Nq+
+dkx0HMaUpSdEMLXwlcASrC8FWjKETiRS
NhgXq1u+JiBkXTEWVsR81CSk2uFEAxMlWOfoIKKVnc9Hp7ZNjdHlgIWe
bLWGweMoCwGa6o6yuRqMjCrceDqTKQSq1RTvQRL3As9J1V4vMY5i+KQy IhY=
ord.sns-pb.isc.org. 7200 IN RRSIG AAAA 5 4 7200 20181128233334
20181029233334 19923 isc.org.
usTQJB2VfLzzfA3TPWTUXiSKM3w7bfK6zGQf1t+LXdJBDLLrjvhmwWTp
5DjLDIxIvd77mudcFQsXq7oVvmiJHmnA6zaJhF6cFAIKI7dJm5rGhGFs
ZkX7OD4x5LxDH1knah7AYTPdme+QDxcLzIsmY5iozQeMh3UKd+gfpork RqI=
sfba.sns-pb.isc.org. 7200 IN RRSIG A 5 4 7200 20181128233334
20181029233334 19923 isc.org.
ryZ18IlvB7q/qPwIFHgLU7LSjnTBx3JpzpV2BQtb/2jdDM7zBQ/bnQ28
/H+MSWoAAKmPEiND2XWqtvdCPwOv4kcQexcTnLoIfieq6HgraO8//AIL
wMmwUBgZc51tZ1e+k9krCvNlLKZXe92KgGYWwGNxp3Gp1TkdlywRtMUM Y9w=
sfba.sns-pb.isc.org. 7106 IN RRSIG AAAA 5 4 7200 20181128233334
20181029233334 19923 isc.org.
betjxdRZREj3fMHm7TsE7kn8vrZHRdpzrkJ3mxIe4jdhyUbQytxcIfnJ
aTOz5JT5ESF5n7k/pq+UK05ApZFc5b5slX0g5S/ahYm7ynLzz/Uw8/sW
UrPFePNdAxS00mX91rRYG7tVLHq79VOvIt18C69ac+oVGVfIBN/OJzan /gE=;;
;;Query time: 85 msec
;;SERVER: 192.168.83.1#53(192.168.83.1)
;;WHEN: Sun Nov 04 18:18:23 EST 2018
;;MSG SIZE rcvd: 1623
</source>
*Again, note the do and ad flags, along with the RRSIG record (and similar data for the nameservers in the isc.org domain).
</li>
<li>Your server is now able to request DNSSec records from other zones, and authenticate them.</li>
</ol>
==Investigation 3: Configuring DNSSec on an Authoritative Server==
932
edits