OPS535-online-L8

120 bytes added, 19:12, 30 March 2021
==Investigation 3: Configuring DNSSec on an Authoritative Server==
Perform the following steps as sudoer or root on your VM2 in the virtual lab:
<ol>
<li>Now that you know how to configure a recursive nameserver to perform authentication of other domains (so long as they are configured to provide authentication), it is time to configure your own domain to support authentication using DNSSec.</li>
<li>First you need to make sure that the named service is able to modify the master zone files, as it will need to do so in order to add the RRSIG records it generates for you. This requires two things:
*The SELinux boolean <b>named_write_master_zones</b> must be set to on (this should have already been done in a previous lab, and is currently the default setting).
*The named account must have write permission to the /var/named directory. Again, this is currently the default setting, but double check that it is correct.
*If either of those settings is not configured correctly, fix them now.</li>
<li>Install the <b>haveged</b> service to generate random values for your system.
*It can be found in the epel-release repo. Install that if you have not already done so.
*You would not have to use this service on a 'real' server, but our VMs may not have enough activity to provide normally random data within a reasonable time-frame.
*Start, but do not enable, the <b>haveged</b> service, as we will not need it on a regular basis. Any time you need to re-generate the random keys from the next step, simply start the service.
</li>
<li>Next, we will use the <b>dnssec-keygen</b> command to generate two key pairs.
<ul>
<li>Create a directory at /etc/named/<yourdomain>-keys
<ul><li>Making sure you replace <yourdomain> with the name of your domain</li>
<li>Make sure that only <b>root</b> and the <b>named</b> service user have read/write access to it.</li>
<li>cd into that directory so the keys you are about to generate get created there.</li>
</ul>
</li>
<li>First, generate the <b>Zone Signing Key</b> (ZSK) that is used to sign individual records (make sure to use your own zone name):
<source>dnssec-keygen -a RSASHA256 -b 1024 <yourzone></source></li>
<li>Then generate the <b>Key Signing Key</b> (KSK) that is used to create an RRSIG for your DNSKEY (the public half of the ZSK):
<source>dnssec-keygen -a RSASHA256 -b 2048 -f KSK <yourzone></source></li>
<li>Note that the algorithm and key sizes (in bits) used here are current standards, but may change over time.</li>
Our machines only have two zone statements (the forward and reverse lookup zones of your domain), so it won't make a significant difference where we place these parameters. If your server hosted multiple domains, their placement would be something to consider:
*Add the following lines to your two zones (again replacing <yourdomain> with the name of your domain):
<source>key-directory "/etc/named/<yourdomain>-keys";
inline-signing yes;
auto-dnssec maintain;
</source>
*Double check that the value you put in the key-directory parameter matches the directory you created your key files in.
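A set of checks for the steps above, added here as an example and not part of the lab page: it prints the zone options for a domain, verifies that the key directory grants nothing to "other", and confirms that one KSK (DNSKEY flags 257) and one ZSK (flags 256) exist for the zone. It assumes GNU stat and BIND 9's K<zone>.+<alg>+<keyid>.key file naming; the directory, owner and group names are arguments so it can be exercised on a test directory.

```shell
#!/bin/bash
# Added example (not from the lab page). Assumes GNU stat and BIND 9 key
# files named K<zone>.+<alg>+<keyid>.key whose public-key line reads
# "<owner> [TTL] IN DNSKEY <flags> 3 <alg> <key>" (257 = KSK, 256 = ZSK).

# Print the three zone options the lab adds to each zone statement.
dnssec_zone_options() {
    local domain="$1"
    printf 'key-directory "/etc/named/%s-keys";\n' "$domain"
    printf 'inline-signing yes;\nauto-dnssec maintain;\n'
}

# Return 0 when DIR exists, is owned by OWNER:GROUP (root:named on the lab
# VM) and grants no permissions at all to "other"; otherwise return 1.
check_keydir_perms() {
    local dir="$1" owner="${2:-root}" group="${3:-named}" mode
    [ -d "$dir" ] || return 1
    [ "$(stat -c '%U' "$dir")" = "$owner" ] || return 1
    [ "$(stat -c '%G' "$dir")" = "$group" ] || return 1
    mode=$(stat -c '%a' "$dir")
    case "$mode" in
        *0) return 0 ;;   # last octal digit 0: nothing for "other"
        *)  return 1 ;;
    esac
}

# Count KSK (flags 257) and ZSK (flags 256) public keys for ZONE in DIR.
# Prints "ksk=<n> zsk=<n>" and returns 0 only when both kinds are present,
# i.e. both dnssec-keygen runs from the lab produced a key.
count_zone_keys() {
    local dir="$1" zone="${2%.}" ksk=0 zsk=0 f flags
    for f in "$dir/K$zone".+*+*.key; do
        [ -f "$f" ] || continue          # glob matched nothing
        flags=$(awk '{for (i = 1; i <= NF; i++) if ($i == "DNSKEY") {print $(i+1); exit}}' "$f")
        case "$flags" in
            257) ksk=$((ksk + 1)) ;;
            256) zsk=$((zsk + 1)) ;;
        esac
    done
    echo "ksk=$ksk zsk=$zsk"
    [ "$ksk" -ge 1 ] && [ "$zsk" -ge 1 ]
}

# Usage on the lab VM (as root): ./dnssec-check.sh <yourdomain>
if [ -n "${1-}" ]; then
    check_keydir_perms "/etc/named/$1-keys" && count_zone_keys "/etc/named/$1-keys" "$1"
fi
```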