1 - Generate the key and sign the zone
[root@centos7]# cd /var/named
[root@centos7]# dnssec-keygen -r /dev/urandom -f KSK -a RSASHA1 -b 1024 -n ZONE labs.eti.br
[root@centos7]# dnssec-signzone -S -z -o labs.eti.br db.labs.eti.br
Fetching KSK/ZSK 14212/RSASHA1 from key repository.
Verifying the zone using the following algorithms: RSASHA1.
Zone fully signed:
Algorithm: RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
                    ZSKs: 0 active, 0 stand-by, 0 revoked
db.labs.eti.br.signed
[root@centos7 named]# ll *eti.br*
-rw-r--r-- 1 root root  543 Feb 19 06:57 db.labs.eti.br
-rw-r--r-- 1 root root 7569 Feb 25 10:17 db.labs.eti.br.signed
-rw-r--r-- 1 root root  167 Feb 25 10:17 dsset-labs.eti.br.
-rw-r--r-- 1 root root  430 Feb 18 21:12 Klabs.eti.br.+005+14212.key
-rw------- 1 root root 1010 Feb 18 21:12 Klabs.eti.br.+005+14212.private
Note
Every change made to db.labs.eti.br must be followed by re-signing the zone and restarting bind; otherwise you will notice that the change never takes effect.
[root@centos7]# dnssec-signzone -S -z -o labs.eti.br db.labs.eti.br
dnssec-signzone: warning: dns_dnssec_findmatchingkeys: error reading key file Klabs.eti.br.+157+38276.private: bad key type
Fetching KSK/ZSK 14212/RSASHA1 from key repository.
Verifying the zone using the following algorithms: RSASHA1.
Zone fully signed:
Algorithm: RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
                    ZSKs: 0 active, 0 stand-by, 0 revoked
db.labs.eti.br.signed
[root@centos7]# systemctl restart named
2 - Add the DNSSEC parameters to named.conf and change the zone's file directive
[root@centos7]# vim /etc/named.conf
/* DNSSEC */
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;

zone "labs.eti.br" {
    type master;
    # file "db.labs.eti.br";
    file "db.labs.eti.br.signed";
    allow-update { key rndc-key; };
    allow-transfer { 35.196.13.28; 10.142.0.3; };
};
[root@centos7]# systemctl restart named
3 - Add the key (DS record) at REGISTRO.BR
[root@centos7]# cat dsset-labs.eti.br.
labs.eti.br.		IN DS 14212 5 1 EB7B6984519AE99BF11A664D2863A09C4777E283
labs.eti.br.		IN DS 14212 5 2 F2B8BE2A85D49CF7AF798B86385D8716F3CF7D5B93818D790F275983 0B285162
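The DS lines in the dsset file are derived from the KSK's DNSKEY record: the key tag is computed over the DNSKEY RDATA (RFC 4034, Appendix B) and the digest is a hash of the canonical owner name followed by that RDATA (RFC 4034 section 5.1.4; SHA-256 digest type 2 from RFC 4509). The script below is an added example, not code from the original post or from BIND, that performs that derivation and checks whether a DS line (from a dsset file or from the registrar) really belongs to a given DNSKEY, which is a useful check before and after pasting the record at registro.br. The DNSKEY it uses is a constructed sample, so its digests will not match the 14212 key shown above; all function names are the example's own. Note that RFC 8624 marks RSASHA1 (algorithm 5) as NOT RECOMMENDED for signing and the SHA-1 DS digest (type 1) as MUST NOT for delegations; the derivation itself is the same for any algorithm.

```python
# Added example (not from the original post): derive DS records from a DNSKEY
# and verify that a DS line belongs to that key.
import base64
import hashlib
import struct

# DS digest type -> hash function (RFC 4034 type 1, RFC 4509 type 2)
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name: str) -> bytes:
    """Canonical wire format of an owner name: lower case, length-prefixed
    labels, terminated by the empty root label."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except RSAMD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = hash(canonical owner name || DNSKEY RDATA), upper-case hex."""
    return DIGEST_TYPES[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def ds_records(owner: str, flags: int, protocol: int, algorithm: int,
               pubkey_b64: str, digest_types=(1, 2)):
    """Presentation-format DS lines for one DNSKEY, like a dsset file."""
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64))
    tag = key_tag(rdata)
    return [f"{owner} IN DS {tag} {algorithm} {dt} {ds_digest(owner, rdata, dt)}"
            for dt in digest_types]


def ds_matches(owner: str, flags: int, protocol: int, algorithm: int,
               pubkey_b64: str, ds_line: str) -> bool:
    """True if ds_line (owner [ttl] [class] DS tag alg type digest...) was
    derived from this DNSKEY.  dsset files wrap long digests, so the digest
    may span several whitespace-separated tokens."""
    tokens = ds_line.split()
    idx = tokens.index("DS")
    tag, alg, dtype = (int(t) for t in tokens[idx + 1:idx + 4])
    digest = "".join(tokens[idx + 4:]).upper()
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64))
    return (tag == key_tag(rdata) and alg == algorithm
            and digest == ds_digest(owner, rdata, dtype))


if __name__ == "__main__":
    # Constructed sample key material (NOT the post's real key): flags 257 is a
    # KSK with the SEP bit set, protocol 3, algorithm 5 (RSASHA1, as in the post).
    SAMPLE_KEY_B64 = base64.b64encode(bytes(range(1, 33))).decode()
    for line in ds_records("labs.eti.br.", 257, 3, 5, SAMPLE_KEY_B64):
        print(line)
```

With the real key, the flags, protocol, algorithm and base64 blob are the four fields after `DNSKEY` in Klabs.eti.br.+005+14212.key (or in the output of `dig DNSKEY labs.eti.br. +multiline`), and `ds_matches` against each line of dsset-labs.eti.br. should return True.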
4 - Validate the DNSKEY and RRSIG records
[root@centos7]# dig DNSKEY labs.eti.br. @localhost +multiline
[root@centos7]# dig A labs.eti.br. @localhost +noadditional +dnssec +multiline
[root@centos7]# dig +trace +noadditional DS labs.eti.br. @8.8.8.8 | grep DS
5 - By default the signatures expire in 30 days, so the zone has to be re-signed; here is a script to run from crontab every 30 days
[root@centos7]# vim signzone.sh
#!/bin/bash
# Re-sign the zone with the same options used in step 1 (-S smart signing,
# -z sign with the KSK since there is no ZSK) and bump the SOA serial
# (-N INCREMENT), then restart named so it loads the new signed file.
cd /var/named || exit 1
$(which dnssec-signzone) -S -z -N INCREMENT -o labs.eti.br db.labs.eti.br
$(which systemctl) restart named
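Steps 4 and 5 together raise the question a defender actually cares about: are the signatures served right now still valid, and for how long? The post re-signs every 30 days, which is exactly the default signature lifetime, so a silently failing cron job leaves the zone bogus for every validating resolver. The script below is an added example, not part of the original post, that parses the answer section of `dig A labs.eti.br. +dnssec +noall +answer` (RRSIG fields per RFC 4034 section 3.2: type covered, algorithm, labels, original TTL, expiration, inception, key tag, signer, signature) and reports signatures that are expired, not yet valid, or about to expire. The answer text embedded in it is a constructed sample, not real output from the post's zone; the function names and the 7-day warning threshold are the example's own choices.

```python
# Added example (not from the original post): RRSIG expiry check over the
# presentation-format output of dig +dnssec.
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

# Constructed sample answer section (NOT captured from the post's zone).
# Format: owner ttl class type rdata..., one record per line.
SAMPLE_ANSWER = """\
labs.eti.br.   3600 IN A     35.196.13.28
labs.eti.br.   3600 IN RRSIG A 5 3 3600 20190327101700 20190225101700 14212 labs.eti.br. c2lnbmF0dXJlLWJ5dGVz
labs.eti.br.   3600 IN NS    ns1.labs.eti.br.
labs.eti.br.   3600 IN RRSIG NS 5 3 3600 20190301000000 20190130000000 14212 labs.eti.br. c2lnbmF0dXJlLWJ5dGVz
"""


def rrsig_timestamp(value: str) -> datetime:
    """RRSIG expiration/inception are YYYYMMDDHHmmSS in UTC (RFC 4034 3.2)."""
    return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(answer: str) -> List[dict]:
    """Extract type covered, validity window and key tag from each RRSIG line."""
    sigs = []
    for line in answer.splitlines():
        tokens = line.split()
        if "RRSIG" not in tokens:
            continue
        i = tokens.index("RRSIG")
        # RDATA after RRSIG: covered alg labels orig-ttl expiration inception keytag signer sig
        sigs.append({
            "covers": tokens[i + 1],
            "expiration": rrsig_timestamp(tokens[i + 5]),
            "inception": rrsig_timestamp(tokens[i + 6]),
            "key_tag": int(tokens[i + 7]),
        })
    return sigs


def check_signatures(answer: str, now: datetime, warn_days: int = 7) -> Tuple[bool, List[str]]:
    """Return (ok, problems).  A signature is reported if it is already expired,
    not yet valid (clock skew or a future inception), or expires within
    warn_days; an answer without any RRSIG is reported too."""
    problems = []
    sigs = parse_rrsigs(answer)
    if not sigs:
        problems.append("no RRSIG records in answer (zone unsigned, or +dnssec missing)")
    for sig in sigs:
        remaining = sig["expiration"] - now
        if now < sig["inception"]:
            problems.append(f"RRSIG over {sig['covers']} not yet valid (inception {sig['inception']:%Y-%m-%d %H:%M}Z)")
        elif remaining <= timedelta(0):
            problems.append(f"RRSIG over {sig['covers']} EXPIRED at {sig['expiration']:%Y-%m-%d %H:%M}Z")
        elif remaining <= timedelta(days=warn_days):
            problems.append(f"RRSIG over {sig['covers']} expires in {remaining.days} days")
    return (not problems, problems)


if __name__ == "__main__":
    # Fixed "now" so the constructed sample gives a reproducible result.
    ok, problems = check_signatures(SAMPLE_ANSWER, datetime(2019, 2, 26, tzinfo=timezone.utc))
    print("OK" if ok else "\n".join(problems))
```

In practice the answer text comes from `dig A labs.eti.br. @localhost +dnssec +noall +answer` and `now` is `datetime.now(timezone.utc)`; running it daily and alerting on a non-empty problem list catches a broken signzone.sh long before resolvers start returning SERVFAIL. Querying a public validating resolver as well as `@localhost` additionally shows whether the secondaries are serving the same signed zone.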
6 - Change the secondary DNS server
root@debina9# vim /etc/bind/named.conf.options
# dnssec-validation auto;
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
root@debina9# vim /etc/bind/named.conf.local
zone "labs.eti.br" {
    type slave;
    # file "db.labs.eti.br";
    file "db.labs.eti.br.signed";
    masters { 10.142.0.2; 35.190.128.157; };
    allow-notify { 10.142.0.2; 35.190.128.157; };
};
root@debina9# systemctl restart bind9
7 - Validation
https://registro.br/cgi-bin/nicbr/dscheck
http://dnsviz.net/d/labs.eti.br/dnssec/
References
https://www.crc.id.au/configuring-dnssec-on-el6-and-bind-9
ftp://ftp.registro.br/pub/doc/configuracao_dnssec_dominio.pdf