DNSSEC for tonkersten.com and pa1ton.nl


Last night (Aug. 22 2010 at 00:25:47) SIDN signed the Dutch .nl zone and published it. This is, of course, reason for a party, and a good excuse to sign my own zones. A secure delegation is not yet possible: that needs a DS record for my KSK in the parent zone, and there is no way to get one there yet. Until that happens validators have no chain of trust from the root down to these zones, so they treat them as insecure (unsigned) rather than bogus, unless somebody configures my key as a trust anchor by hand. That's something for the future.

I do have two domains up and running and I signed them both.

This is what I did:

First you need a Zone Signing Key (ZSK), which signs the zone data, and a Key Signing Key (KSK), which signs only the DNSKEY RRset and is the key a DS record in the parent would point at. Both are made with dnssec-keygen; the first command below creates the ZSK, the second (-f KSK sets the SEP flag, so the flags field becomes 257 instead of 256) the KSK. The -e option makes dnssec-keygen use the large RSA public exponent (65537) rather than 3; it is only given to the ZSK here, but nothing stops you from using it for the KSK as well. RSASHA1 (algorithm 5) was the safe choice in 2010; it has since been deprecated for signing (RFC 8624), so today you would use -a RSASHA256 or -a ECDSAP256SHA256 with otherwise the same commands:

dnssec-keygen -e -a RSASHA1 -b 2048 -n ZONE        tonkersten.com
dnssec-keygen    -a RSASHA1 -b 2048 -n ZONE -f KSK tonkersten.com

This results in two pairs of files (after a very long time, since each 2048-bit key is generated from /dev/random):

Ktonkersten.com.+005+42559.key
Ktonkersten.com.+005+42559.private
Ktonkersten.com.+005+61598.key
Ktonkersten.com.+005+61598.private

The number after +005+ is the key tag (005 is the algorithm number of RSASHA1). The same tag appears in every RRSIG a key makes, so the signatures in the dig output below, all made by key 61598, tell you that 61598 is the ZSK: dnssec-signzone signs the zone data with the ZSK and uses the KSK only for the DNSKEY RRset. Each .key file holds the public key as a DNSKEY resource record, each .private file the private key; the private files never need to leave the signing host and should be readable only by the user who runs dnssec-signzone. Key generation can be sped up with -r /dev/urandom (the option is -r randomdev; -r keyboard is the other alternative), but /dev/urandom does not block when the kernel's entropy pool has not been seeded yet, so on a freshly booted machine or a virtual machine that can mean weaker keys; on a long-running host it makes no practical difference.

Now include the two public keys in the unsigned zone file. With -S, used below, dnssec-signzone also adds DNSKEY records for the keys it finds in the -K directory, so these lines are not strictly required, but they do no harm and keep the zone file self-describing:

$include keys/Ktonkersten.com.+005+42559.key
$include keys/Ktonkersten.com.+005+61598.key

and sign the zone. Note that -S (smart signing) takes no argument; the last, positional argument is the unsigned zone file, here db.tonkersten.fwd, and the signed copy is written to that name with .signed appended:

dnssec-signzone         \
    -d keys             \
    -K keys             \
    -N increment        \
    -o tonkersten.com   \
    -S                  \
    db.tonkersten.fwd

The options: -K keys is where the K*.private files live, -d keys is where the dsset-tonkersten.com. file is written (the DS records a parent would publish for a secure delegation), -N increment bumps the SOA serial so that secondaries notice the change, -o names the zone origin, and -S makes dnssec-signzone honour the publish and activation dates stored in the key files. The signatures get the default lifetime of 30 days from now (change it with -e), which is why the RRSIGs below expire on 20100922: the zone has to be re-signed well before that date, otherwise every validating resolver will reject it.

This gives me a file called db.tonkersten.fwd.signed.

This file, not the unsigned one, is what the zone statement for tonkersten.com in /etc/named.conf must point at; after an rndc reload the server answers with the signed data.
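What goes into that dsset file is the DS record a parent needs for a secure delegation: the key tag of the KSK and a digest over the owner name plus the DNSKEY RDATA (in BIND, dnssec-dsfromkey does this job). The Python below is added here as an example of that computation; it is not code from the original post or from BIND. It reads a line in the format dnssec-keygen writes to a K*.key file, derives the RFC 4034 key tag, and builds the DS record for SHA-1 (type 1) or SHA-256 (type 2). The key in the sample is a constructed toy (exponent 65537, a 3-byte modulus), not one of the real keys, and the owner name example.com is an assumption.

```python
import base64
import hashlib
import struct

# Constructed sample in the layout dnssec-keygen writes to a K*.key file.
# The public key is a toy RSA key (exponent 65537, modulus 0xC0FFEE):
# NOT a real key and not one of the keys from the post.
SAMPLE_KEY_FILE = """\
; constructed sample, not a real key
example.com. IN DNSKEY 257 3 5 AwEAAcD/7g==
"""


def parse_key_file(text):
    """Return (owner, flags, protocol, algorithm, pubkey_bytes) from .key text."""
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        tokens = line.split()
        owner, rest = tokens[0], tokens[1:]
        if rest and rest[0].isdigit():      # optional TTL column
            rest = rest[1:]
        if rest and rest[0] == "IN":        # optional class column
            rest = rest[1:]
        if not rest or rest[0] != "DNSKEY":
            continue
        flags, proto, alg, *b64 = rest[1:]
        return owner, int(flags), int(proto), int(alg), base64.b64decode("".join(b64))
    raise ValueError("no DNSKEY record found")


def is_ksk(flags):
    """SEP bit (RFC 4034 flag 15, value 1) marks the key as a KSK: 257 vs 256."""
    return bool(flags & 0x0001)


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """Wire-format DNSKEY RDATA (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """Key tag from RFC 4034 Appendix B: a 16-bit checksum over the RDATA,
    even-offset bytes weighted by 256, carry folded back in.  It is not a
    hash, so two keys can share a tag; validators use it only to narrow
    the search for the right DNSKEY."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def wire_name(name):
    """Canonical wire-format owner name: lowercase, length-prefixed labels,
    terminated by the root label (RFC 4034 section 6.2)."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_record(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """DS RR text for a DNSKEY.  Digest type 1 = SHA-1 (RFC 4034 5.1.4),
    2 = SHA-256 (RFC 4509); the digest covers the canonical owner name
    followed by the DNSKEY RDATA."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(wire_name(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def ds_from_key_file(text, digest_type=2):
    owner, flags, proto, alg, pubkey = parse_key_file(text)
    if not flags & 0x0100:   # Zone Key flag (RFC 4034 flag 7) must be set
        raise ValueError("not a zone key")
    return ds_record(owner, flags, proto, alg, pubkey, digest_type)


if __name__ == "__main__":
    print(ds_from_key_file(SAMPLE_KEY_FILE, 1))
    print(ds_from_key_file(SAMPLE_KEY_FILE, 2))
```

Run it against the real KSK's .key file and the output should match the corresponding line in keys/dsset-tonkersten.com.; a mismatch usually means the owner name was not canonicalised (case, trailing dot) or the wrong key was used.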

So now a query with the DO bit set (+dnssec) gets signed data back. Note what this particular query asks for: DNSKEY at home.tonkersten.com, a name that has no keys (they live at the zone apex), so the answer is NOERROR with an empty answer section, i.e. NODATA. The proof that there is nothing to return is the signed NSEC record for home.tonkersten.com in the authority section: it lists the types that do exist at that name (A AAAA RRSIG NSEC) and the next name in the zone, and a validator checks that DNSKEY is not in that list. A DNSKEY query for tonkersten.com itself would return the two keys. Two more things worth noticing: there is no ad flag, because only a validating resolver sets it, never the authoritative server, and nobody can validate this zone until it has a DS in the parent or a manually configured trust anchor; and because the zone is signed with NSEC rather than NSEC3, every such record reveals the next name (mail.tonkersten.com here), so anyone can walk the whole zone. If that bothers you, sign with -3 <salt> and an NSEC3-capable algorithm such as RSASHA1-NSEC3-SHA1 (7) or RSASHA256 (8).

$ dig +dnssec +multiline DNSKEY home.tonkersten.com

; <<>> DiG 9.7.1-P2 <<>> +dnssec +multiline DNSKEY home.tonkersten.com
;; global options:  +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34594
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;home.tonkersten.com.   IN DNSKEY

;; AUTHORITY SECTION:
tonkersten.com.     3600 IN SOA home.tonkersten.com. tonk.tonkersten.com. (
2010082303 ; serial
21600      ; refresh (6 hours)
7200       ; retry (2 hours)
604800     ; expire (1 week)
3600       ; minimum (1 hour)
)
tonkersten.com.     3600 IN RRSIG SOA 5 2 3600 20100922081850 (
20100823081850 61598 tonkersten.com.
W9qamKcSdTfCwOJk+m+tRZsRwdvZVzHzONGCehfX41/I
...
FJ0uZPzfaujQAcKa1NnB89Ccd7m18XL0Gw== )
home.tonkersten.com.    3600 IN NSEC mail.tonkersten.com. A AAAA RRSIG NSEC
home.tonkersten.com.    3600 IN RRSIG NSEC 5 3 3600 20100922081850 (
20100823081850 61598 tonkersten.com.
ZdeRhW5RxqFZguFMOtZhnes/OGA/E2K2CgLLVW3Z00T0
...
PQn52goXz8nXMovgDuB8HNWbzKwSCs07Ug== )

;; Query time: 52 msec
;; SERVER: 80.126.204.63#53(80.126.204.63)
;; WHEN: Mon Aug 23 12:30:43 2010
;; MSG SIZE  rcvd: 734
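The RRSIGs in that answer expire on 20100922081850, 30 days after signing. Once that moment passes every validating resolver treats the zone as bogus, which is the most common way a DNSSEC zone is taken off the air by accident, so signature expiry is the one thing worth monitoring from day one. The Python below is added here as an example of such a check and is not code from the original post or from BIND: it folds dig +multiline output back into one record per line, pulls out the RRSIG fields (RFC 4034 section 3.1) and reports how long each signature has left. Its sample input is the two signatures above with the signature data elided exactly as on the page; the seven-day warning threshold is an arbitrary assumption.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the RRSIG and NSEC records from the dig answer above,
# signature data elided ("...") as on the page.  Not a live query.
SAMPLE_DIG = """\
tonkersten.com.     3600 IN RRSIG SOA 5 2 3600 20100922081850 (
20100823081850 61598 tonkersten.com.
W9qamKcSdTfCwOJk+m+tRZsRwdvZVzHzONGCehfX41/I
...
FJ0uZPzfaujQAcKa1NnB89Ccd7m18XL0Gw== )
home.tonkersten.com.    3600 IN NSEC mail.tonkersten.com. A AAAA RRSIG NSEC
home.tonkersten.com.    3600 IN RRSIG NSEC 5 3 3600 20100922081850 (
20100823081850 61598 tonkersten.com.
ZdeRhW5RxqFZguFMOtZhnes/OGA/E2K2CgLLVW3Z00T0
...
PQn52goXz8nXMovgDuB8HNWbzKwSCs07Ug== )
"""

# RRSIG RDATA order (RFC 4034 section 3.1): type covered, algorithm, labels,
# original TTL, expiration, inception, key tag, signer name, signature.
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+) (?P<ttl>\d+) IN RRSIG (?P<covered>\S+) (?P<alg>\d+) "
    r"(?P<labels>\d+) (?P<orig_ttl>\d+) (?P<expiration>\d{14}) "
    r"(?P<inception>\d{14}) (?P<keytag>\d+) (?P<signer>\S+)"
)


def dnssec_time(stamp):
    """RRSIG times are YYYYMMDDHHmmSS in UTC (RFC 4034 section 3.2)."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def unfold_records(text):
    """Join dig +multiline output into one whitespace-normalised line per
    record: a record continues until its parentheses balance."""
    records, pending = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        pending.append(line)
        joined = " ".join(pending)
        if joined.count("(") == joined.count(")"):
            flat = joined.replace("(", " ").replace(")", " ")
            records.append(" ".join(flat.split()))
            pending = []
    return records


def parse_rrsigs(text):
    """Extract every RRSIG from dig output as a dict of its RDATA fields."""
    sigs = []
    for record in unfold_records(text):
        m = RRSIG_RE.match(record)
        if m is None:
            continue
        sigs.append({
            "owner": m["owner"],
            "covered": m["covered"],
            "algorithm": int(m["alg"]),
            "keytag": int(m["keytag"]),
            "signer": m["signer"],
            "inception": dnssec_time(m["inception"]),
            "expiration": dnssec_time(m["expiration"]),
        })
    return sigs


def check_rrsigs(text, now, warn_days=7):
    """Classify each RRSIG relative to 'now' (an aware UTC datetime or a
    14-digit DNSSEC timestamp).  Returns a list of
    (owner, type covered, key tag, whole days left, state)."""
    if isinstance(now, str):
        now = dnssec_time(now)
    report = []
    for sig in parse_rrsigs(text):
        remaining = sig["expiration"] - now
        if now < sig["inception"]:
            state = "not-yet-valid"
        elif remaining <= timedelta(0):
            state = "expired"
        elif remaining <= timedelta(days=warn_days):
            state = "expiring"
        else:
            state = "valid"
        report.append((sig["owner"], sig["covered"], sig["keytag"],
                       remaining.days, state))
    return report


if __name__ == "__main__":
    # The WHEN timestamp from the dig output above, as the reference time.
    for row in check_rrsigs(SAMPLE_DIG, "20100823123043"):
        print("%-25s %-5s key %5d  %3d days left  %s" % row)
```

Feed it the output of dig +dnssec +multiline SOA tonkersten.com from a cron job and alert on anything other than "valid"; a zone whose signatures are "expiring" still has time to be re-signed, an "expired" one is already failing validation.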

Now it’s your turn.

Good luck ;-)

See also