Simple complicated DNSSEC with ISPconfig

Discussion in 'Tips/Tricks/Mods' started by frprim, Apr 27, 2014.

  1. frprim

    frprim New Member

    If you are like me you would like to have signed zones for your domains. It's not something you have to do but soon, I think, we all are going to be obliged to sign our zones.
    Read here : http://blog.icann.org/2014/01/dnssec-surpasses-50/
    Anyhow, I visited the ISPconfig roadmap and I really like how the developers of ISPconfig are doing their job. I mean everyone wants something. Me too. So here's something in return, but I do not promise it's worth reading.
    How to sign your zones with ISPconfig on Ubuntu 12.04 LTS

    ::Easy Part::
    0. Become root on your system by typing: sudo su
    1. Enable DNSSEC in /etc/bind/named.conf.options
    -- you can use vi or nano to do this, so:
    Code:
    vi /etc/bind/named.conf.options
    Add these lines inside options:
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;

    my named.conf.options looks like this:
    Code:
    options {
    	directory "/var/cache/bind";
    
    	// If there is a firewall between you and nameservers you want
    	// to talk to, you may need to fix the firewall to allow multiple
    	// ports to talk.  See http://www.kb.cert.org/vuls/id/800113
    
    	// If your ISP provided one or more IP addresses for stable 
    	// nameservers, you probably want to use them as forwarders.  
    	// Uncomment the following block, and insert the addresses replacing 
    	// the all-0's placeholder.
    
    	// forwarders {
    	// 	0.0.0.0;
    	// };
    
    	//========================================================================
    	// If BIND logs error messages about the root key being expired,
    	// you will need to update your keys.  See https://www.isc.org/bind-keys
    	//========================================================================
    	// dnssec-validation auto;
    	dnssec-enable yes;
    	dnssec-validation yes;
    	dnssec-lookaside auto;
    	auth-nxdomain no;    # conform to RFC1035
    	listen-on-v6 { any; };
    };
    2. Go to the folder where your zones are stored. On my system they are located in /etc/bind
    so you type: cd /etc/bind

    3. Install haveged. This little thing speeds up generating keys.
    so you type:
    Code:
    apt-get install haveged
    4. Generate a zone signing key, i.e. ZSK, by typing:
    Code:
    dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE example.com
    5. Generate a key signing key, aka KSK:
    Code:
    dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE example.com
    6. Now you will have 2 pairs of keys -- public and private for ZSK and KSK. We need to add the public keys that contain the DNSKEY to the zone file.
    Type:

    Code:
    vi loop.sh
    and add this:

    Code:
    #!/bin/sh
    # Run this from /etc/bind: append an $INCLUDE line for each public key file to the unsigned zone
    for key in Kexample.com*.key
    do
        echo "\$INCLUDE $key" >> pri.example.com
    done
    Now execute loop.sh by typing:
    Code:
    sh loop.sh
    7. Sign the zone with dnssec-signzone command:
    Code:
    dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o example.com -t pri.example.com
    This will create a signed zone named: pri.example.com.signed

    8. Edit the named.conf.local file located in the /etc/bind folder

    so type:
    Code:
    vi /etc/bind/named.conf.local
    and add these lines in it:
    Code:
    zone "example.com" {
        type master;
        file "pri.example.com.signed";
        allow-transfer { 2.2.2.2; };
        allow-update { none; };
    };
    9. Reload bind, type:
    Code:
    service bind9 reload
    10. Check the DNSKEY record with this command:
    Code:
    dig DNSKEY example.com. @localhost +multiline
    You must have something like this:
    Code:
    ;; QUESTION SECTION:
    ;example.com.       IN DNSKEY
    
    ;; ANSWER SECTION:
    example.com.        86400 IN DNSKEY   256 3 7 (
                    AwEAActPMYurNEyhUgHjPctbLCI1VuSj3xcjI8QFTpdM
                    8k3cYrfwB/WlNKjnnjt98nPmHv6frnuvs2LKIvvGzz++
                    kVwVc8uMLVyLOxVeKhygDurFQpLNNdPumuc2MMRvV9me
                    fPrdKWtEEtOxq6Pce3DW2qRLjyE1n1oEq44gixn6hjgo
                    sG2FzV4fTQdxdYCzlYjsaZwy0Kww4HpIaozGNjoDQVI/
                    f3JtLpE1MYEb9DiUVMjkwVR5yH2UhJwZH6VVvDOZg6u6
                    YPOSUDVvyofCGcICLqUOG+qITYVucyIWgZtHZUb49dpG
                    aJTAdVKlOTbYV9sbmHNuMuGt+1/rc+StsjTPTHU=
                    ) ; key id = 40400
    example.com.        86400 IN DNSKEY   257 3 7 (
                    AwEAAa2BE0dAvMs0pe2f+D6HaCyiFSHw47BA82YGs7Sj
                    qSqH3MprNra9/4S0aV6SSqHM3iYZt5NRQNTNTRzkE18e
                    3j9AGV8JA+xbEow74n0eu33phoxq7rOpd/N1GpCrxUsG
                    kK4PDkm+R0hhfufe1ZOSoiZUV7y8OVGFB+cmaVb7sYqB
                    RxeWPi1Z6Fj1/5oKwB6Zqbs7s7pmxl/GcjTvdQkMFtOQ
                    AFGqaaSxVrisjq7H3nUj4hJIJ+SStZ59qfW3rO7+Eqgo
                    1aDYaz+jFHZ+nTc/os4Z51eMWsZPYRnPRJG2EjJmkBrJ
                    huZ9x0qnjEjUPAcUgMVqTo3hkRv0D24I10LAVQLETuw/
                    QOuWMG1VjybzLbXi5YScwcBDAgtEpsQA9o7u6VC00DGh
                    +2+4RmgrQ7mQ5A9MwhglVPaNXKuI6sEGlWripgTwm425
                    JFv2tGHROS55Hxx06A416MtxBpSEaPMYUs6jSIyf9cjB
                    BMV24OjkCxdz29zi+OyUyHwirW51BFSaOQuzaRiOsovM
                    NSEgKWLwzwsQ5cVJBEMw89c2V0sHa4yuI5rr79msRgZT
                    KCD7wa1Hyp7s/r+ylHhjpqrZwViOPU7tAGZ3IkkJ2SMI
                    e/h+FGiwXXhr769EHbVE/PqvdbpcsgsDqFu0K2oqY70u
                    SxnsLB8uVKYlzjG+UIoQzefBluQl
                    ) ; key id = 62910
    
    ;; Query time: 0 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Wed Nov 27 18:18:30 2013
    ;; MSG SIZE  rcvd: 839
    11. When we used the dnssec-signzone command a file named dsset-example.com was created containing the DS records for our domain, which we must enter into the DS records on the domain registrar panel. I used Godaddy to do this.
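    The DS record you enter at the registrar has to match the KSK your server actually serves, so it is worth being able to recompute it yourself. The following is an added example (not code from the post or from ISPconfig) that parses the `dig DNSKEY +multiline` output shown above, recomputes the key tag that dig prints as "key id" (RFC 4034 Appendix B), and builds the DS record (SHA-256 by default) for the key with the SEP bit set, i.e. the KSK. The embedded excerpt is the KSK from the post's dig output; the zone name and the key id it reports (62910) are taken from the post. BIND's own dnssec-dsfromkey tool produces the same DS from the K*.key file, and the dsset-example.com file from step 7 must agree with it.

```python
# Added example (not from the forum post): recompute the key tag ("key id" in
# the dig output) and the DS record from a DNSKEY, so the DS entered at the
# registrar can be checked against the key the server serves.
import base64
import hashlib
import struct

# KSK from the dig output in the post (flags 257, protocol 3, algorithm 7 = NSEC3RSASHA1).
DIG_EXCERPT = """\
example.com.        86400 IN DNSKEY   257 3 7 (
                AwEAAa2BE0dAvMs0pe2f+D6HaCyiFSHw47BA82YGs7Sj
                qSqH3MprNra9/4S0aV6SSqHM3iYZt5NRQNTNTRzkE18e
                3j9AGV8JA+xbEow74n0eu33phoxq7rOpd/N1GpCrxUsG
                kK4PDkm+R0hhfufe1ZOSoiZUV7y8OVGFB+cmaVb7sYqB
                RxeWPi1Z6Fj1/5oKwB6Zqbs7s7pmxl/GcjTvdQkMFtOQ
                AFGqaaSxVrisjq7H3nUj4hJIJ+SStZ59qfW3rO7+Eqgo
                1aDYaz+jFHZ+nTc/os4Z51eMWsZPYRnPRJG2EjJmkBrJ
                huZ9x0qnjEjUPAcUgMVqTo3hkRv0D24I10LAVQLETuw/
                QOuWMG1VjybzLbXi5YScwcBDAgtEpsQA9o7u6VC00DGh
                +2+4RmgrQ7mQ5A9MwhglVPaNXKuI6sEGlWripgTwm425
                JFv2tGHROS55Hxx06A416MtxBpSEaPMYUs6jSIyf9cjB
                BMV24OjkCxdz29zi+OyUyHwirW51BFSaOQuzaRiOsovM
                NSEgKWLwzwsQ5cVJBEMw89c2V0sHa4yuI5rr79msRgZT
                KCD7wa1Hyp7s/r+ylHhjpqrZwViOPU7tAGZ3IkkJ2SMI
                e/h+FGiwXXhr769EHbVE/PqvdbpcsgsDqFu0K2oqY70u
                SxnsLB8uVKYlzjG+UIoQzefBluQl
                ) ; key id = 62910
"""


def parse_dig_dnskey(text):
    """Parse `dig DNSKEY +multiline` output (the '( ... ) ; key id = N' form
    shown in the post) into a list of dicts, one per DNSKEY record."""
    keys, current = [], None
    for line in text.splitlines():
        fields = line.split()
        if current is None:
            if "DNSKEY" in fields and fields[-1] == "(":
                i = fields.index("DNSKEY")
                current = {"owner": fields[0], "flags": int(fields[i + 1]),
                           "protocol": int(fields[i + 2]), "algorithm": int(fields[i + 3]),
                           "key_b64": "", "reported_tag": None}
        elif fields and fields[0] == ")":
            if "=" in fields:            # ') ; key id = 62910'
                current["reported_tag"] = int(fields[-1])
            keys.append(current)
            current = None
        else:
            current["key_b64"] += "".join(fields)   # base64 continues across lines
    return keys


def name_to_wire(name):
    """Canonical (lower-case) wire form of an owner name: example.com. -> \\x07example\\x03com\\x00"""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA as it goes on the wire: 2-byte flags, protocol, algorithm, raw key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (what dig prints as 'key id'). Not valid for
    algorithm 1 (RSA/MD5), which uses a different rule; irrelevant for this how-to."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """DS RR in presentation form: digest is over owner-name wire form + DNSKEY RDATA."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


if __name__ == "__main__":
    for k in parse_dig_dnskey(DIG_EXCERPT):
        rdata = dnskey_rdata(k["flags"], k["protocol"], k["algorithm"], k["key_b64"])
        print(f"{k['owner']} flags={k['flags']} computed tag={key_tag(rdata)} "
              f"dig reported={k['reported_tag']}")
        if k["flags"] & 1:   # SEP bit set: this is the KSK the registrar DS must point at
            print(ds_record(k["owner"], k["flags"], k["protocol"], k["algorithm"], k["key_b64"]))
```

Paste your own `dig DNSKEY example.com. @localhost +multiline` answer section into DIG_EXCERPT and compare the printed DS with the contents of dsset-example.com and with what the registrar shows; a mismatch in key tag or digest means resolvers will treat the zone as bogus once the DS is published.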

    Important note: every time you change something in the zone file, like adding a subdomain etc., you will have to recreate the signed zone for the domain. Also, you have to make the changes to the unsigned zone, not the signed one. Once you have made the changes you will have to sign the zone ... again.
    So in order to save us some time we will create a script:
    Code:
    vi /usr/sbin/zonesigner.sh
    and add these lines in it:

    Code:
    #!/bin/sh
    # Re-sign a zone after editing the unsigned file: bump the serial, sign, reload bind.
    # Usage: zonesigner.sh ZONE ZONEFILE   e.g. zonesigner.sh example.com pri.example.com
    set -e
    PDIR=$(pwd)
    ZONEDIR="/etc/bind"   # location of your zone files (this how-to keeps them in /etc/bind)
    ZONE="$1"
    ZONEFILE="$2"
    DNSSERVICE="bind9"    # On CentOS/Fedora replace this with "named"
    cd "$ZONEDIR"
    # named-checkzone prints "loaded serial NNNNNNNNNN"; pick the 10-digit serial out of that
    SERIAL=$(/usr/sbin/named-checkzone "$ZONE" "$ZONEFILE" | egrep -ho '[0-9]{10}')
    sed -i 's/'"$SERIAL"'/'"$(($SERIAL+1))"'/' "$ZONEFILE"
    /usr/sbin/dnssec-signzone -A -3 "$(head -c 1000 /dev/random | sha1sum | cut -b 1-16)" -N increment -o "$ZONE" -t "$ZONEFILE"
    service "$DNSSERVICE" reload
    cd "$PDIR"
    Make it executable: chmod +x /usr/sbin/zonesigner.sh

    So every time you change something in your zone file (again, don't make any changes to the signed zone but to the unsigned one) type this:
    Code:
    zonesigner.sh example.com pri.example.com
    This will recreate the file pri.example.com.signed
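    The zonesigner.sh above finds the serial with `egrep '[0-9]{10}'` and then replaces the first occurrence of that number anywhere in the file, which silently goes wrong if the serial is not exactly 10 digits or the same digits appear earlier (a TTL, a comment). The helper below is an added example, not the post's script or anything shipped by ISPconfig: it locates the serial by parsing the SOA record, bumps it using the YYYYMMDDnn convention when that fits and plain +1 otherwise, runs named-checkzone on the edited copy before the original is replaced, signs with a salt from the OS CSPRNG, and only then reloads bind. It assumes the layout of this how-to (zones in /etc/bind, BIND's tools on PATH, the bind9 service name) and is invoked the same way as zonesigner.sh.

```python
#!/usr/bin/env python3
# Added example (not the post's zonesigner.sh): re-sign a zone after editing
# the unsigned file. The serial is found by parsing the SOA record instead of
# replacing the first 10-digit number in the file, the edited zone is checked
# with named-checkzone before anything is handed to BIND, and the NSEC3 salt
# comes from the OS CSPRNG. Assumes BIND's tools on PATH and zones in /etc/bind.
import datetime
import os
import re
import secrets
import subprocess
import sys

ZONEDIR = "/etc/bind"   # location of your zone files, as in the how-to

# Matches "SOA <mname> <rname> [(] [; comment] <serial>" with the serial either on
# the SOA line or on the following line, as in typical zone files. Caveat: it uses
# the first SOA token in the file, so keep that word out of preceding comments.
SOA_SERIAL = re.compile(r"\bSOA\s+\S+\s+\S+\s*\(?\s*(?:;[^\n]*\n\s*)*(\d+)")


def next_serial(current, today):
    """Next serial: jump to today's YYYYMMDD01 when the current value is behind it,
    otherwise +1 (same-day edits, or a serial already running ahead of the clock).
    `today` is a 'YYYYMMDD' string."""
    date_based = int(today + "01")
    return date_based if current < date_based else current + 1


def bump_serial(zone_text, today):
    """Return (new_text, old_serial, new_serial); only the SOA serial is touched.
    Raises ValueError when no SOA serial can be located."""
    m = SOA_SERIAL.search(zone_text)
    if not m:
        raise ValueError("no SOA serial found in zone text")
    old = int(m.group(1))
    new = next_serial(old, today)
    return zone_text[:m.start(1)] + str(new) + zone_text[m.end(1):], old, new


def sign_zone(zone, zonefile, zonedir=ZONEDIR, today=""):
    """Bump the unsigned zone's serial, validate it, sign it, reload bind.
    Returns the path of the signed zone file (zonefile + '.signed')."""
    today = today or datetime.date.today().strftime("%Y%m%d")
    path = os.path.join(zonedir, zonefile)
    with open(path) as f:
        new_text, old, new = bump_serial(f.read(), today)
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        f.write(new_text)
    # Refuse to replace the unsigned zone if the edited copy does not load.
    subprocess.run(["named-checkzone", zone, tmp], check=True, stdout=subprocess.DEVNULL)
    os.replace(tmp, path)
    salt = secrets.token_hex(8)   # 16 hex chars, same length as the post's sha1sum|cut salt
    # -N keep: the signed zone carries exactly the serial just written, so both files agree.
    subprocess.run(["dnssec-signzone", "-A", "-3", salt, "-N", "keep",
                    "-o", zone, "-t", zonefile], cwd=zonedir, check=True)
    subprocess.run(["service", "bind9", "reload"], check=True)
    print(f"{zone}: serial {old} -> {new}, signed with salt {salt}")
    return path + ".signed"


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: zonesigner.py ZONE ZONEFILE   e.g. zonesigner.py example.com pri.example.com")
    print(sign_zone(sys.argv[1], sys.argv[2]))
```

Because the unsigned file is bumped first and the signed copy is produced with -N keep, the serial in pri.example.com and pri.example.com.signed stay identical, which makes it obvious at a glance whether the served zone is the one you last signed; `rndc reload example.com` can replace the service reload if you prefer to touch only that zone.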

    Now this one was easy. Now the hard part, with ISPconfig.

    ISPconfig is not built to handle signed zones, so every time you make changes to your zone file it will overwrite named.conf.local and put the normal, aka unsigned, zone file in place of the one we signed. This is normal. Also it will overwrite named.conf.local even if we do resync DNS zones with the Tools --> resync option.
    I have 5 domains on my VPS but only one is signed, so I copied the pri.example.com file to my home folder. Then I deleted the zone from ISPconfig and then put the pri.example.com file back in /etc/bind. Now there I have, among other zones, two of my own: pri.example.com and pri.example.com.signed
    In order to avoid ISPconfig overwriting named.conf.local with resync DNS I created a file: named.conf.signed
    and put this into it:
    Then edit named.conf:
    Code:
    vi /etc/bind/named.conf
    and put this in it:
    Code:
    include "/etc/bind/named.conf.signed";
    That's it for now.

    Oh yeah, this is not my wisdom. I documented what I did in a txt file. As soon as I find the source for this how-to I will post the link.
    Last edited: Apr 27, 2014
