Grundkonfiguration

• cat /etc/bind/named.conf.options

options {
	directory "/var/cache/bind";
        key-directory "/var/bind/keys";
	dnssec-validation auto;
};

Verzeichnis erstellen

• mkdir -p /etc/bind/keys/
• chown -R bind:bind /etc/bind/keys/

Key Signing Key (KSK) generieren

• cd /etc/bind/keys/
• dnssec-keygen -3 -a NSEC3RSASHA1 -b 2048 -f KSK -n ZONE kit.lab

Zone Signing Key (ZSK) generieren

Den Zone Signing Key erzeugt man im Anschluß daran wie folgt, gefolgt von einer Neuzuordnung der Dateiattribute.

• dnssec-keygen -3 -a NSEC3RSASHA1 -b 2048 -n ZONE kit.lab
• chown -R bind:bind /etc/bind/keys/

/etc/bind/named.conf.local

• cat /etc/bind/named.conf.local

zone "kit.lab" {
        type master;
        file "kit.lab";
};

/var/cache/bind/kit.lab

$TTL 300        ; 5 minutes
@                       IN SOA  leroy.kit.lab. technik.xunix.de. (
                               2023021401 ; serial
                               14400      ; refresh (4 hours)
                               3600       ; retry (1 hour)
                               3600000    ; expire (5 weeks 6 days 16 hours)
                               86400      ; minimum (1 day)
                               )
                       NS      leroy.kit.lab.
leroy.kit.lab.          IN      A       10.0.11.109

Die Keys der Zonendatei hinzufügen

• for key in Kkit.lab.*.key; do echo "\$INCLUDE /etc/bind/keys/$key" >> /var/cache/bind/kit.lab; done
• /etc/bind/keys# cat /var/cache/bind/kit.lab

Die Zone signieren

• dnssec-signzone -3 - -H 50 -A -N INCREMENT -o kit.lab -t /var/cache/bind/kit.lab

Verifying the zone using the following algorithms:
- NSEC3RSASHA1
Zone fully signed:
Algorithm: NSEC3RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
                         ZSKs: 1 active, 0 stand-by, 0 revoked
/var/cache/bind/kit.lab.signed
Signatures generated:                        8
Signatures retained:                         0
Signatures dropped:                          0
Signatures successfully verified:            0
Signatures unsuccessfully verified:          0
Signing time in seconds:                 0.039
Signatures per second:                 200.005
Runtime in seconds:                      0.071

Konfiguration anpassen

• cat /etc/bind/named.conf.options

options {
	directory "/var/cache/bind";
        key-directory "/var/bind/keys";
	dnssec-enable yes;
	dnssec-validation yes;
	dnssec-lookaside auto;
};

Zonenverweis anpassen

• cat /etc/bind/named.conf.local

zone "kit.lab" {
        type master;
        file "kit.lab.signed";
};

Neustarten

• systemctl restart bind9

Checken

Logdatei

• grep kit.lab /var/log/syslog

Feb 14 21:48:02 debian named[18295]: zone kit.lab/IN: loaded serial 2023021402 (DNSSEC signed)

dig

• dig @127.0.0.1 kit.lab dnskey +noall +answer +multiline

kit.lab.		300 IN DNSKEY 257 3 7 (
				AwEAAdNJqnVniG3n6D1d83Eitz2xlc1QCGxFfZm9Sfyn
				4rM7S1UhcmFEQLz2Yi5kydOWVycxtHzQBvlg4FYUXX2M
				vqQwiRRboj25kDeOPpoDffLVf2+EeUgPGLLsjzG8hCGt
				zOQDvHiomBard+90lKjUKyoxkT0ZPIq2LSVi6KXazXHs
				razsMG2qC23eioFwSTeRQB5hYs6IzBcYvzxQJYmm+OHH
				5an+8iNb2IieNsX0v3xfZG+sqgawSU5JiP1S63Oc7O4M
				5Urucbl6RJNR12gziZdsUjOeXuV0mYblJ8rKIcfq6TWW
				aeLuT9XxCHwtNMpBoZahMluUB78RuhaIu+aQ7Ms=
				) ; KSK; alg = NSEC3RSASHA1 ; key id = 32178
kit.lab.		300 IN DNSKEY 256 3 7 (
				AwEAAa9m+o7OWmpwWTTLAK08Xb9hjm5Xy3rTk8RjXkix
				pXs60SRzGWlcstJi3fIHqiw91ZjstN6olHY3u8uVk3DZ
				CY3pC7SzHpwFvuhA66x3aHGshKScXafav9YBtR1hLDdu
				kDDDwDaWfpV/AbPQIV8Ej26iQ/r6kfl6Cmiwt6iwWSnf
				bD+yciAsvs3LPrbaypUeLByoqkCrYp1M0avXE2Eq4qyK
				4F7MxDkjFasdblfqIOlRKR3WdaVoRJ1X2mG77oZ/KD8b
				fJIrf/R1aFmNxcaG0CzxdwKvjd4yNOdGFsuUtw88/nMJ
				6ADq7w5TxWBPGjl8z7LuepKucnIPp/lLWcMj1Pk=
				) ; ZSK; alg = NSEC3RSASHA1 ; key id = 65282

Quellen

• https://www.linuxmaker.com/linux/bind9-mit-dnssec-absichern/konfiguration-von-dnssec.html
• https://bind9.readthedocs.io/en/latest/dnssec-guide.html
• https://www.scip.ch/?labs.20140911