1,760
edits
Changes
→Investigation 3: Configuring DNSSec on an Authoritative Server
</ol>
==Investigation 3: Configuring DNSSec DNSSEC on an Authoritative Server==
Perform the following steps as sudoer or root on your VM2 in the virtual lab:
<ol>
<li>Now that you know how to configure a recursive nameserver to perform authentication of other domains (so long as they are configured to provide authentication), it is time to configure your own domain to support authentication using DNSSecDNSSEC.</li>
<li>First you need to make sure that the named service is able to modify the master zone files, as it will need to do so in order to add the RRSIG records it generates for you. This requires two things:
*The SELinux boolean <b>named_write_master_zones</b> must be set to on to (this should have already been done in a previous lab, and is currently the default setting).
*Double check that the value you put in the key-directory parameter matches the directory you created your key files in.
</li>
<li>Make sure the dnssec-enable parameter in /etc/named.conf is set to yes so that your server will provide the extra DNSSec DNSSEC records if a client requests them.
*This is the default value, so unless you took it out, it should already be there.
*Note that this parameter is different from the dnssec-validation parameter which only controls whether or not your server will request those records from other servers when a client asks for them.
</li>
<li>Restart the named service. If you have dynamic DNS set up from the earlier labs, you can use named-journalprint to view the journal files for your zones in order to see the new records.</li>
<li>In order to confirm that your server will provide the extra records when requested, use the dig command to obtain a zone transfer (including the DNSSec DNSSEC records) from your server:
*Making sure to replace <yourzone> with the name of your zone, and <ip-of-server> with the ip address of your server.
<source>dig AXFR <yourzone> @<ip-of-server></source></li>