In this tutorial I am going to show you how to generate DNSSEC keys and enable DNSSEC for a domain served by BIND. This is the instruction most often requested by visitors.
DNSSEC secures the Domain Name System by adding cryptographic signatures to existing DNS records. These signatures (RRSIG records) are stored in the authoritative name servers alongside the common record types such as A, AAAA, MX and CNAME. By checking the signature, a validating resolver can verify that a record really comes from the zone's authoritative name server and was not altered in transit, as opposed to a fake record injected in a man-in-the-middle attack. Validation only works if the chain of trust is complete, which is why the DS record for your key has to be published in the parent zone (at your registrar) after signing.
First, install haveged so that key generation does not block waiting for entropy from /dev/random:
EL/CentOS/RHEL
yum install -y haveged
systemctl enable haveged
systemctl start haveged
In the command examples below, replace "domain.tld" with your domain name.
Second, change directory to /var/named (this is where the key files will be created and where dnssec-signzone will look for them):
cd /var/named/
Third, generate the ZSK (zone-signing key, used to sign the zone's records):
dnssec-keygen -L 3600 -a RSASHA256 -b 2048 -r /dev/urandom domain.tld
Fourth, generate the KSK (key-signing key, which signs the DNSKEY set and is the key your registrar's DS record points at):
dnssec-keygen -L 3600 -r /dev/urandom -f KSK -a RSASHA256 -b 4096 domain.tld
Fifth, add the public keys (the .key files; 008 is the algorithm number for RSASHA256) to the domain zone file. The .private files stay in /var/named and must never be published or removed:
cat /var/named/Kdomain.tld.+008+*.key >> /var/named/domain.tld.db
Sixth, sign the zone file. This uses NSEC3 with a random salt (-3), opt-out (-A), increments the SOA serial (-N INCREMENT) and writes the signed zone to domain.tld.db.signed. It also writes dsset-domain.tld. in the same directory, which contains the DS record(s) you will need to give your registrar:
dnssec-signzone -A -3 $(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16) -N INCREMENT -o domain.tld -t domain.tld.db
Seventh, edit the named configuration file /etc/named.conf. In the options block, find the lines dnssec-enable yes; and dnssec-validation yes; and make sure they are present. The original version of this tutorial added dnssec-lookaside auto; after them, but DLV lookaside is obsolete: ISC shut down the DLV registry in 2017, and recent BIND releases warn about or reject the option, so leave it out. Nothing else is needed to serve a signed zone; dnssec-validation only affects lookups the server performs as a recursive resolver.
Now edit the zone definition for the domain in /etc/named.conf and point it at the signed file:
// zone domain.tld
zone "domain.tld" {
    type master;
    file "/var/named/domain.tld.db";
};
// zone_end domain.tld
to
// zone domain.tld
zone "domain.tld" {
    type master;
    file "/var/named/domain.tld.db.signed";
};
// zone_end domain.tld
CentOS/EL/RHEL: check the configuration with named-checkconf and named-checkzone domain.tld /var/named/domain.tld.db.signed, then reload or restart the named service:
service named reload or systemctl reload named
That completes the server side. Two things remain, and without them the zone is not actually validated by anyone: publish the DS record(s) from /var/named/dsset-domain.tld. at your registrar (the parent zone), and re-sign the zone before the signatures expire, since dnssec-signzone signatures are valid for 30 days by default. Each time you change the zone, edit domain.tld.db and run the dnssec-signzone command from step six again; do not regenerate the keys, or the DS record at the registrar will no longer match your KSK.
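As an added example (not part of the original tutorial and not the author's code), the steps above wrapped in a POSIX shell script, together with the check a practitioner wants afterwards: reading the earliest RRSIG expiration out of the signed zone file so you know when to re-sign. The zone name domain.tld, the directory /var/named and the embedded sample signed zone are assumptions; the sample's signature values are placeholders, not real signatures. The "check" mode uses GNU date.

```shell
#!/bin/sh
# Added example, not the tutorial author's code: the signing steps from the
# tutorial as a function, plus an RRSIG-expiry check so you know when to re-sign.
# ZONE, ZONEDIR and the sample zone below are assumptions.

ZONE="${ZONE:-domain.tld}"
ZONEDIR="${ZONEDIR:-/var/named}"

# Generate keys on the first run only and (re)sign the zone, as in the tutorial.
# Needs the BIND tools; reload named afterwards (systemctl reload named).
sign_zone() {
    command -v dnssec-signzone >/dev/null 2>&1 || {
        echo "dnssec-signzone not installed" >&2; return 2; }
    cd "$ZONEDIR" || return 2
    # 008 = RSASHA256. Existing keys are reused: regenerating the KSK would
    # invalidate the DS record already published at the registrar.
    if ! ls "K$ZONE".+008+*.key >/dev/null 2>&1; then
        # -r /dev/urandom as in the tutorial (BIND 9.11); drop it on releases
        # that no longer accept the option.
        dnssec-keygen -L 3600 -a RSASHA256 -b 2048 -r /dev/urandom "$ZONE"
        dnssec-keygen -L 3600 -r /dev/urandom -f KSK -a RSASHA256 -b 4096 "$ZONE"
        cat "K$ZONE".+008+*.key >> "$ZONE.db"
    fi
    # NSEC3 with a fresh random salt; RRSIGs are valid for 30 days by default.
    dnssec-signzone -A -3 "$(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16)" \
        -N INCREMENT -o "$ZONE" -t "$ZONE.db" || return 1
    named-checkzone "$ZONE" "$ZONE.db.signed" >/dev/null || return 1
    echo "signed: $ZONEDIR/$ZONE.db.signed; DS for the registrar: $ZONEDIR/dsset-$ZONE."
}

# Read a signed zone on stdin and print the earliest RRSIG expiration
# (YYYYMMDDHHMMSS). Handles the multi-line "( ... )" records dnssec-signzone
# writes and ignores ';' comments. RRSIG rdata: type alg labels origttl
# expiration inception keytag signer signature, so expiration is 5 fields
# after the RRSIG token.
rrsig_earliest_expiry() {
    awk '
        { sub(/;.*/, ""); buf = buf " " $0 }
        { depth += gsub(/\(/, "("); depth -= gsub(/\)/, ")") }
        depth <= 0 {
            gsub(/[()]/, " ", buf)
            n = split(buf, f, /[ \t]+/)
            for (i = 1; i + 5 <= n; i++) {
                if (f[i] != "RRSIG") continue
                e = f[i + 5]
                if (length(e) == 14 && e ~ /^[0-9]+$/ && (min == "" || e < min)) min = e
            }
            buf = ""; depth = 0
        }
        END { print min }
    '
}

# True (exit 0) when EXPIRY is before THRESHOLD; both are YYYYMMDDHHMMSS, so a
# plain numeric comparison is correct. No RRSIG at all counts as "re-sign".
needs_resign() {
    [ -n "$1" ] || return 0
    [ "$1" -lt "$2" ]
}

# Warn when the earliest signature in ZONEFILE expires within DAYS (GNU date).
check_signed_zone() {
    zonefile="$1"; days="${2:-7}"
    threshold=$(date -u -d "+$days days" +%Y%m%d%H%M%S) || return 2
    expiry=$(rrsig_earliest_expiry < "$zonefile")
    if needs_resign "$expiry" "$threshold"; then
        echo "$zonefile: earliest RRSIG expiry ${expiry:-none} is within $days days, re-run sign_zone"
        return 1
    fi
    echo "$zonefile: earliest RRSIG expiry $expiry, ok"
}

# Constructed sample in dnssec-signzone's output layout; signatures are fake.
SAMPLE_SIGNED_ZONE=$(cat <<'EOF'
; constructed sample signed zone (placeholder signatures)
$ORIGIN .
$TTL 3600	; 1 hour
domain.tld		IN SOA	ns1.domain.tld. hostmaster.domain.tld. (
				2024030201 ; serial
				3600       ; refresh (1 hour)
				900        ; retry (15 minutes)
				604800     ; expire (1 week)
				86400      ; minimum (1 day)
				)
			RRSIG	SOA 8 2 3600 (
				20240401000000 20240302000000 34081 domain.tld.
				cGxhY2Vob2xkZXIgc2lnbmF0dXJlIGZvciBTT0E= )
			NS	ns1.domain.tld.
			RRSIG	NS 8 2 3600 (
				20240316000000 20240302000000 34081 domain.tld.
				cGxhY2Vob2xkZXIgc2lnbmF0dXJlIGZvciBOUw== )
			A	192.0.2.10
			RRSIG	A 8 2 3600 (
				20240401000000 20240302000000 34081 domain.tld.
				cGxhY2Vob2xkZXIgc2lnbmF0dXJlIGZvciBB )
EOF
)

case "${1:-demo}" in
    sign)  sign_zone ;;
    check) check_signed_zone "$ZONEDIR/$ZONE.db.signed" "${2:-7}" ;;
    demo)  printf '%s\n' "$SAMPLE_SIGNED_ZONE" | rrsig_earliest_expiry ;;
esac
```

Run it as "sh dnssec.sh sign" on the name server to (re)sign, and put "sh dnssec.sh check 7" in cron so a zone whose signatures are about to lapse is reported before resolvers start returning SERVFAIL for it. With no argument it just parses the embedded sample and prints its earliest expiration.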
If I have a DNS cluster with a DNS slave manager and additional Slave 2 DNS servers, just like referenced here:
https://wiki.centos-webpanel.com/slave-dns-server-manager-dns-cluster
Do I then only have to add dnssec-lookaside auto; to /etc/named.conf, or do I have to install everything in this article, per your description, on all Slave 2 DNS servers?
By only doing what you mentioned in your article, implementing it for one domain.tld on a web server, I can see on the Slave 2 DNS server that /var/named/slave/db.domain.tld is updated to DNSSEC.
Should I still follow the instructions at the top on the DNS servers, or is it ready to go as is? Do only the web servers need to run the installation for DNSSEC for each domain that needs DNSSEC?
Thanks for all your documentation!
I did NOT copy the key/private files to my slave DNS server. I turned on the dnssec-enabled & dnssec-validation & dnssec-lookaside configuration in my slave DNS server... DNSSEC appears to be enabled successfully on my servers, so I suppose this is the correct configuration, but I'm not sure 🙁 I wish to know the answer to your question as well. Can anyone answer this? In the meantime, you can verify your DNSSEC with these tools: https://dnssec-debugger.verisignlabs.com/ and http://dnsviz.net/d/
[root@scwp01 ~]# cd /var/named/
[root@serv001 named]# dnssec-keygen -a RSASHA256 -b 2048 -r /dev/urandom mysterydata.com
Generating key pair……………+++++ ……………….+++++
Kmysterydata.com.+008+34081
[root@scwp01 named]# dnssec-keygen -r /dev/urandom -f KSK -a RSASHA256 -b 4096 mysterydata.com
Generating key pair………………………………………………………………………………………………………………++++ ….++++
Kmysterydata.com.+008+52624
[root@scwp01 named]# cat Kmysterydata.com.+008+*.key >> /var/named/mysterydata.com
[root@scwp01 named]# dnssec-signzone -A -3 $(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16) -N INCREMENT -o mysterydata.com -t mysterydata.com
dnssec-signzone: warning: mysterydata.com:5: no TTL specified; zone rejected
dnssec-signzone: fatal: failed loading zone from ‘mysterydata.com’: no ttl
[root@scwp01 named]#
Thanks, updated the tutorial with a default TTL of 3600 and added the correct path.
The private keys must also be copied to /var/named/, otherwise you get the error: DNSKEY is not signed (keys offline or inactive?)
You need to follow the tutorial and not skip any command or line. The keys are already created in /var/named/.
Hello SANDEEP, is there a possibility to implement this on Rocky Linux or CentOS 8? Because there are several error messages and BIND cannot be restarted afterwards.
Hello, I didn't understand what you meant here by "several error messages and BIND cannot be restarted afterwards". Any error message?
This tutorial works fine in el7 and el8.
Hi, thanks for the tutorial.
Does this only work if I use CWP as my DNS / zone manager?
I use my domain registrar's site to manage DNS and add the entries there because I don't want to open port 53 on my server.
Will this still work, and can I add the new entries on my registrar's site?
Thanks
Hi, it will not work if you use external DNS.