Last night (Aug. 22 2010 at 00:25:47) SIDN signed the Dutch .nl zone and made it public. This is, of course, reason for a party and calls for the signing of my own zones. Unfortunately it's not possible yet to use secure delegation (a DS record for my zones in the parent zone), but that's something for the future.
I do have two domains up and running and I signed them both.
This is what I did:
First you need a Zone Signing Key (ZSK) and a Key Signing Key (KSK). The first dnssec-keygen call below makes the ZSK, the second (with -f KSK) the KSK; both are 2048-bit RSASHA1 keys (algorithm 5), and -e asks for a large RSA public exponent:

dnssec-keygen -e -a RSASHA1 -b 2048 -n ZONE tonkersten.com
dnssec-keygen -a RSASHA1 -b 2048 -n ZONE -f KSK tonkersten.com

(RSASHA1 was the usual choice in 2010. Anyone setting this up today should pick RSASHA256 or ECDSAP256SHA256 instead, since RSASHA1 is no longer recommended for new signatures.)
This results in two pairs of files, one pair per key (and it takes a very long time):

Ktonkersten.com.+005+42559.key
Ktonkersten.com.+005+42559.private
Ktonkersten.com.+005+61598.key
Ktonkersten.com.+005+61598.private

The 005 in the name is the algorithm number (RSASHA1) and the five-digit number is the key tag, the same number that later shows up in the key tag field of every RRSIG made with that key. The .key file holds the public DNSKEY record, the .private file the private key; only the former goes into the zone, and the latter should be readable by the signing user alone.

What makes the key generation slow is that dnssec-keygen reads its randomness from the blocking /dev/random by default. It can be sped up with the -r /dev/urandom option, but /dev/urandom never blocks, so on a machine whose entropy pool may not have been seeded yet (a fresh install, a small VM) that trades the wait for weaker keys, which is why it is not the default.
Now include the two public keys (the .key files) in the zone file:

$INCLUDE keys/Ktonkersten.com.+005+42559.key
$INCLUDE keys/Ktonkersten.com.+005+61598.key
and sign the zone:
dnssec-signzone \
    -d keys \
    -K keys \
    -N increment \
    -o tonkersten.com \
    -S \
    db.tonkersten.fwd

Here -K keys is the directory holding the key files, -d keys is where dsset-/keyset- files are looked for (and where the dsset-tonkersten.com. file you would hand to the parent ends up, once secure delegation is possible), -N increment bumps the SOA serial in the signed copy, -o tonkersten.com sets the zone origin and -S turns on smart signing, which picks the keys matching the zone from the key directory. The last argument is the unsigned zone file; dnssec-signzone writes the signed zone to that name with .signed appended, which gives me a file called db.tonkersten.fwd.signed.

This file should now be used in /etc/named.conf as the zone file for the signed zone: the file statement of the zone block points at db.tonkersten.fwd.signed instead of the unsigned file. Keep in mind that the signatures are only valid for 30 days from the start time by default (see the expiration dates in the RRSIGs in the dig output below), so this step has to be repeated, with a fresh serial, before they expire; otherwise validating resolvers will start treating the zone as bogus.
So, when I do a query in the tonkersten.com domain, I get:

$ dig +dnssec +multiline DNSKEY home.tonkersten.com

; <<>> DiG 9.7.1-P2 <<>> +dnssec +multiline DNSKEY home.tonkersten.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34594
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;home.tonkersten.com.    IN DNSKEY

;; AUTHORITY SECTION:
tonkersten.com.         3600 IN SOA home.tonkersten.com. tonk.tonkersten.com. (
                                2010082303 ; serial
                                21600      ; refresh (6 hours)
                                7200       ; retry (2 hours)
                                604800     ; expire (1 week)
                                3600       ; minimum (1 hour)
                                )
tonkersten.com.         3600 IN RRSIG SOA 5 2 3600 20100922081850 (
                                20100823081850 61598 tonkersten.com.
                                W9qamKcSdTfCwOJk+m+tRZsRwdvZVzHzONGCehfX41/I
                                ...
                                FJ0uZPzfaujQAcKa1NnB89Ccd7m18XL0Gw== )
home.tonkersten.com.    3600 IN NSEC mail.tonkersten.com. A AAAA RRSIG NSEC
home.tonkersten.com.    3600 IN RRSIG NSEC 5 3 3600 20100922081850 (
                                20100823081850 61598 tonkersten.com.
                                ZdeRhW5RxqFZguFMOtZhnes/OGA/E2K2CgLLVW3Z00T0
                                ...
                                PQn52goXz8nXMovgDuB8HNWbzKwSCs07Ug== )

;; Query time: 52 msec
;; SERVER: 80.126.204.63#53(80.126.204.63)
;; WHEN: Mon Aug 23 12:30:43 2010
;; MSG SIZE  rcvd: 734

Note what this answer actually is. The DNSKEY RRset lives at the zone apex (tonkersten.com), not at home.tonkersten.com, so this is a signed NODATA answer: the NSEC record proves that home.tonkersten.com has only A, AAAA, RRSIG and NSEC records (no DNSKEY), and the RRSIGs over the SOA and the NSEC, made with key tag 61598, let a validating resolver verify that denial. The do flag in the OPT record shows that DNSSEC records were asked for; the absence of the ad flag is expected, since an authoritative server signs but does not validate. Asking for the apex DNSKEY (dig +dnssec +multiline DNSKEY tonkersten.com) shows both keys and the RRSIG over them.
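Two things the post leaves implicit are worth checking in code: the five-digit number in the key file names is the RFC 4034 key tag, the same number that appears in the RRSIGs, and every signature carries an expiration date that the signer has to stay ahead of. The following Python, added here as an example and not part of the original post, computes a key tag from a DNSKEY record, parses dnssec-keygen file names, and classifies an RRSIG as valid, expiring, expired or not yet valid relative to a clock. The DNSKEY record in it is constructed (the public key blob is a few bytes, not a real RSA key); the RRSIG header fields and the query time are taken from the dig output above, with the signature itself left out.

```python
"""DNSSEC sanity checks after dnssec-signzone: which key a file name or an
RRSIG refers to, and how long the signatures last.

Added example, not part of the original post. SAMPLE_DNSKEY is constructed
(not a real key); SAMPLE_RRSIG copies the header fields from the dig output
in the post and omits the signature.
"""
import base64
import re
import struct
from datetime import datetime, timedelta, timezone

# dnssec-keygen names files K<zone>.+<alg>+<keytag>.key / .private
KEYFILE_RE = re.compile(
    r"^K(?P<name>.+)\.\+(?P<alg>\d{3})\+(?P<tag>\d{5})\.(?:key|private)$")


def parse_key_filename(filename: str):
    """('tonkersten.com', 5, 42559) from 'Ktonkersten.com.+005+42559.key'."""
    m = KEYFILE_RE.match(filename)
    if m is None:
        raise ValueError(f"not a dnssec-keygen file name: {filename}")
    return m.group("name"), int(m.group("alg")), int(m.group("tag"))


def dnskey_key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """Key tag of a DNSKEY (RFC 4034, Appendix B): a 16-bit checksum over the
    wire-format RDATA, even bytes as the high half of a word, odd bytes as the
    low half, with the carry folded back in once. It is not a hash, so two
    keys can share a tag; it only narrows down which DNSKEY an RRSIG means."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def describe_dnskey(line: str) -> dict:
    """Key tag, algorithm and role of a DNSKEY in presentation format
    ('owner [TTL] [IN] DNSKEY flags protocol algorithm base64...')."""
    f = line.split()
    i = f.index("DNSKEY")
    flags, proto, alg = int(f[i + 1]), int(f[i + 2]), int(f[i + 3])
    pubkey = base64.b64decode("".join(f[i + 4:]))
    return {
        "key_tag": dnskey_key_tag(flags, proto, alg, pubkey),
        "algorithm": alg,
        # flags 256 = zone key (ZSK); 257 additionally sets the SEP bit (KSK)
        "role": "KSK" if flags & 1 else "ZSK",
    }


def parse_dnssec_time(s: str) -> datetime:
    """RRSIG times are YYYYMMDDHHmmSS in UTC (RFC 4034, section 3.2)."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line: str) -> dict:
    """Header fields of an RRSIG in presentation format; the dig +multiline
    parentheses are tolerated. Field order after RRSIG: type covered,
    algorithm, labels, original TTL, expiration, inception, key tag, signer."""
    f = line.replace("(", " ").replace(")", " ").split()
    i = f.index("RRSIG")
    return {
        "type_covered": f[i + 1],
        "algorithm": int(f[i + 2]),
        "labels": int(f[i + 3]),
        "original_ttl": int(f[i + 4]),
        "expiration": parse_dnssec_time(f[i + 5]),
        "inception": parse_dnssec_time(f[i + 6]),
        "key_tag": int(f[i + 7]),
        "signer": f[i + 8],
    }


def rrsig_state(line: str, now: datetime, margin: timedelta = timedelta(days=7)) -> str:
    """'not-yet-valid', 'expired', 'expiring' (less than `margin` left, time
    to re-run dnssec-signzone) or 'valid'."""
    sig = parse_rrsig(line)
    if now < sig["inception"]:
        return "not-yet-valid"
    if now >= sig["expiration"]:
        return "expired"
    if sig["expiration"] - now < margin:
        return "expiring"
    return "valid"


# Constructed sample DNSKEY: 'AwEAAavN' decodes to 03 01 00 01 AB CD, a toy blob.
SAMPLE_DNSKEY = "tonkersten.com. IN DNSKEY 256 3 5 AwEAAavN"
# Header fields from the SOA RRSIG in the dig output; signature abbreviated.
SAMPLE_RRSIG = ("tonkersten.com. 3600 IN RRSIG SOA 5 2 3600 20100922081850 ( "
                "20100823081850 61598 tonkersten.com. sig-abbreviated )")
# dig's WHEN line, Mon Aug 23 12:30:43 2010 CEST, converted to UTC.
QUERY_TIME = datetime(2010, 8, 23, 10, 30, 43, tzinfo=timezone.utc)
KEY_FILES = ["Ktonkersten.com.+005+42559.key", "Ktonkersten.com.+005+61598.key"]

if __name__ == "__main__":
    tags = {parse_key_filename(f)[2] for f in KEY_FILES}
    sig = parse_rrsig(SAMPLE_RRSIG)
    print("DNSKEY:", describe_dnskey(SAMPLE_DNSKEY))
    print("RRSIG key tag", sig["key_tag"], "known from key files:", sig["key_tag"] in tags)
    print("signature state at query time:", rrsig_state(SAMPLE_RRSIG, QUERY_TIME))
```

Pointed at the RRSIGs of a nightly dig +dnssec against your own server, rrsig_state with its 7-day margin gives a warning well before the 30-day default validity runs out; the key tag check catches a signed zone whose RRSIGs refer to a key that is no longer in the DNSKEY RRset.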
Now it’s your turn.
Good luck ;-)