Last night (Aug. 22 2010 at 00:25:47) SIDN signed the Dutch .nl zone and made it public. This is, of course, reason for a party and calls for the signing of my own zones. Unfortunately it’s not possible to use secure delegation, but that’s something for the future.
I do have two domains up and running and I signed them both.
This is what I did:
First you need a Zone Signing Key (ZSK) and a Key Signing Key (KSK); these can be made with the following two commands (the first makes the ZSK, the second, with -f KSK, the KSK):
dnssec-keygen -e -a RSASHA1 -b 2048 -n ZONE tonkersten.com
dnssec-keygen -a RSASHA1 -b 2048 -n ZONE -f KSK tonkersten.com
This results in two sets of two files (after a very long time):
Ktonkersten.com.+005+42559.key
Ktonkersten.com.+005+42559.private
Ktonkersten.com.+005+61598.key
Ktonkersten.com.+005+61598.private
The key-generating process can be sped up using the -u /dev/urandom option, but then the keys are generated from less entropy, which means lower security.
Now include the two public keys in the zone file:
$include keys/Ktonkersten.com.+005+42559.key
$include keys/Ktonkersten.com.+005+61598.key
and sign the zone:
dnssec-signzone \
-d keys \
-K keys \
-N increment \
-o tonkersten.com \
-S \
db.tonkersten.fwd
giving me a file called db.tonkersten.fwd.signed. This file should now be used in /etc/named.conf as the zone file for the signed zone.
So, when I do a query for the tonkersten.com domain, I get:
$ dig +dnssec +multiline DNSKEY home.tonkersten.com
; <<>> DiG 9.7.1-P2 <<>> +dnssec +multiline DNSKEY home.tonkersten.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34594
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;home.tonkersten.com. IN DNSKEY
;; AUTHORITY SECTION:
tonkersten.com. 3600 IN SOA home.tonkersten.com. tonk.tonkersten.com. (
2010082303 ; serial
21600 ; refresh (6 hours)
7200 ; retry (2 hours)
604800 ; expire (1 week)
3600 ; minimum (1 hour)
)
tonkersten.com. 3600 IN RRSIG SOA 5 2 3600 20100922081850 (
20100823081850 61598 tonkersten.com.
W9qamKcSdTfCwOJk+m+tRZsRwdvZVzHzONGCehfX41/I
...
FJ0uZPzfaujQAcKa1NnB89Ccd7m18XL0Gw== )
home.tonkersten.com. 3600 IN NSEC mail.tonkersten.com. A AAAA RRSIG NSEC
home.tonkersten.com. 3600 IN RRSIG NSEC 5 3 3600 20100922081850 (
20100823081850 61598 tonkersten.com.
ZdeRhW5RxqFZguFMOtZhnes/OGA/E2K2CgLLVW3Z00T0
...
PQn52goXz8nXMovgDuB8HNWbzKwSCs07Ug== )
;; Query time: 52 msec
;; SERVER: 80.126.204.63#53(80.126.204.63)
;; WHEN: Mon Aug 23 12:30:43 2010
;; MSG SIZE rcvd: 734
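To make sense of the key files and the RRSIGs above, here is an added Python example (my own code, not from this post): it computes the RFC 4034 key tag that gives the K*.+005+NNNNN.key files their number, tells the ZSK (flags 256) from the KSK (flags 257 after -f KSK), and checks the validity window of the SOA RRSIG shown above, whose 30-day lifetime means the zone has to be re-signed before 20100922081850 or validating resolvers will treat it as bogus. The key-file contents are constructed samples with tiny made-up public keys, not the real keys.

```python
import base64
from datetime import datetime, timedelta, timezone

# Constructed sample K*.key contents (not the post's real keys: the public-key
# blobs are tiny made-up byte strings so the key tag can be checked by hand).
SAMPLE_KEYS = {
    "zsk": "tonkersten.com. IN DNSKEY 256 3 5 AQIDBA==\n",
    "ksk": "tonkersten.com. IN DNSKEY 257 3 5 AQIDBA==\n",
}
# Key tags from the post's file names, and its SOA RRSIG flattened onto one line.
KNOWN_TAGS = {42559, 61598}
SOA_RRSIG = ("tonkersten.com. 3600 IN RRSIG SOA 5 2 3600 20100922081850 "
             "20100823081850 61598 tonkersten.com. W9qamKcS...")  # signature bytes elided

def parse_dnskey(text):
    """Parse a K*.key file body into (owner, flags, protocol, algorithm, pubkey)."""
    for line in text.splitlines():
        f = line.split()
        if f and not f[0].startswith(";"):  # skip dnssec-keygen's comment lines
            i = f.index("DNSKEY")           # a TTL may or may not precede "IN"
            flags, proto, alg = (int(x) for x in f[i + 1:i + 4])
            return f[0], flags, proto, alg, base64.b64decode("".join(f[i + 4:]))
    raise ValueError("no DNSKEY record found")

def key_tag(flags, proto, alg, pubkey):
    """RFC 4034 Appendix B key tag, computed over the DNSKEY RDATA."""
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def key_role(flags):
    return "KSK" if flags & 0x0001 else "ZSK"  # bit 15 (SEP) is what -f KSK sets

def key_file_name(owner, alg, tag):
    return f"K{owner}+{alg:03d}+{tag:05d}.key"  # e.g. Ktonkersten.com.+005+42559.key

def parse_rrsig(line):
    f = line.split(); i = f.index("RRSIG")
    ts = lambda s: datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return {"covers": f[i + 1], "expiration": ts(f[i + 5]), "inception": ts(f[i + 6]),
            "tag": int(f[i + 7]), "signer": f[i + 8]}

def rrsig_status(sig, known_tags, now, warn=timedelta(days=7)):
    """Validators reject expired or unknown-key signatures: re-sign well before expiry."""
    if sig["tag"] not in known_tags:
        return "no-matching-key"
    if not sig["inception"] <= now < sig["expiration"]:
        return "outside-validity"
    return "expiring" if sig["expiration"] - now < warn else "ok"
```

Run rrsig_status over the RRSIGs of a live zone from cron and alert on anything but "ok"; that is the check that catches a forgotten re-sign before the zone goes dark.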
Now it’s your turn.
Good luck ;-)