$ORIGIN a.DNSSEC.reference.card.
@ SOA six53.net. jpmens.six53.net. ( 20110329 )
BIND authoritative
  Configure BIND to serve DNSSEC data:

    options {
        dnssec-enable yes;
    };

BIND Key generation
  Create a KSK (flags == 257). Omit -f to create a ZSK (flags == 256):

    $ dnssec-keygen -a algo -b bits -f KSK example.net

BIND smart signing -- needs cronjob
  Keys are assumed to be in the current directory. Option -o is the
  origin; use -f for the output file. Add to crontab(5):

    $ dnssec-signzone -S -o example.net zone.db

  Add the resulting zone.db.signed to NSD or BIND.
nsupdate
  Secure DDNS updates to BIND. Update locally on the server, or with
  a specific SIG(0) key:

    $ nsupdate -l
    $ nsupdate -k Kmy.name*.private

  Create a SIG(0) key pair:

    $ dnssec-keygen -C -a algo -b bits -n HOST -T KEY my.name.

  Add the content of the public .key file to the DNS:

    my.name. IN KEY 512 3 3 CLb...gaNM

  Some commands:

    server addr [port]
    zone zonename
    prereq nxdomain domain
    update delete name [ttl] [type [data]]
    update add domain ttl type data
    show
    send
    answer

  Add an update policy to the zone statement:

    update-policy {
        grant local-ddns zonesub ANY;
        grant my.name. zonesub A AAAA MX TXT;
    };

BIND auto-sign -- fully automatic
  Keys are assumed to be in the mykeydir/ directory. Configure BIND
  to maintain signatures:

    zone "example.net" in {
        type master;
        key-directory "mykeydir";
        update-policy local;
        auto-dnssec maintain;
        sig-validity-interval 30; // days
        file "example.net";
    };

  Launch initial signing of the zone (rndc has no "signzone" command;
  the subcommand is "sign"):

    $ rndc sign example.net
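The smart-signing cronjob and auto-dnssec maintain both exist for one reason: every RRSIG carries an expiration time, and once it passes, validating resolvers return SERVFAIL for the zone. The matching defender's check is to watch the signed zone for signatures that are about to lapse. The script below is an added example, not part of the refcard: it parses RRSIG records out of a zone in presentation format (including the multi-line parenthesised style dnssec-signzone writes) and lists those already expired or expiring within a warning window. The zone lines are constructed and the signature fields are placeholders; the fixed clock SAMPLE_NOW stands in for the real time so the result is reproducible.

```python
"""Flag RRSIGs in a signed zone that are expired or about to expire.

Added example (not part of the six53 refcard). Both the smart-signing
cronjob and auto-dnssec maintain exist to renew signatures before the
expiration time inside each RRSIG; this is the matching monitoring check.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample in zone-file presentation format. Signature fields are
# placeholders, not real signatures. The first record uses the multi-line
# ( ... ) style that dnssec-signzone writes; the others are single-line.
SAMPLE_ZONE = """\
example.net.      3600 IN RRSIG SOA 8 2 3600 (
                       20110428120000 20110329120000 12345 example.net.
                       c2lnbmF0dXJlMQ== )
www.example.net.  3600 IN RRSIG A 8 3 3600 20110401000000 20110302000000 12345 example.net. c2lnbmF0dXJlMg==
mail.example.net. 3600 IN RRSIG MX 8 3 3600 20110320000000 20110218000000 12345 example.net. c2lnbmF0dXJlMw==
example.net.      3600 IN DNSKEY 256 3 8 AwEAAexample ; not an RRSIG, ignored
"""

# Fixed clock so the sample is reproducible; use datetime.now(timezone.utc) for real runs.
SAMPLE_NOW = datetime(2011, 3, 29, 12, 0, tzinfo=timezone.utc)


def logical_lines(zone_text):
    """Yield one record per string: strip ';' comments and join ( ... ) continuations."""
    buf, depth = [], 0
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth <= 0:
            record = " ".join(buf).strip()
            buf, depth = [], 0
            if record:
                yield record


def parse_rrsig_time(stamp):
    """RRSIG inception/expiration are YYYYMMDDHHmmSS in UTC (RFC 4034 section 3.2)."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(zone_text):
    """Yield (owner, type_covered, expiration, key_tag) for every RRSIG record."""
    for record in logical_lines(zone_text):
        fields = record.split()
        if "RRSIG" not in fields:
            continue
        i = fields.index("RRSIG")
        # RDATA order: covered alg labels origTTL expiration inception keytag signer signature
        if len(fields) < i + 10:
            continue
        yield fields[0], fields[i + 1], parse_rrsig_time(fields[i + 5]), int(fields[i + 7])


def expiring_signatures(zone_text, now, warn_days=7):
    """Return [(owner, type_covered, days_left)] for RRSIGs expiring within warn_days.

    days_left is negative for signatures that have already expired (the zone
    is already failing validation); the list is sorted soonest-first.
    """
    horizon = now + timedelta(days=warn_days)
    found = []
    for owner, covered, expiration, _tag in parse_rrsigs(zone_text):
        if expiration <= horizon:
            days_left = round((expiration - now).total_seconds() / 86400, 1)
            found.append((owner, covered, days_left))
    return sorted(found, key=lambda entry: entry[2])


if __name__ == "__main__":
    for owner, covered, days in expiring_signatures(SAMPLE_ZONE, SAMPLE_NOW):
        state = "EXPIRED" if days < 0 else f"expires in {days} days"
        print(f"{owner:20} {covered:6} {state}")
```

Point it at zone.db.signed (or the file BIND maintains under auto-dnssec) from the same cron that re-signs, with a warning window longer than the gap between cron runs; a non-empty list means the re-signing job has stopped working before resolvers start failing.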
NSD authoritative
  NSD requires no specific configuration to serve DNSSEC; it does so
  automatically for signed zones. Use BIND's signing tools.

    zone:
        name: "example.net"
        zonefile: "zone.db.signed"

URLs
  http://dnsviz.net/
  http://dnscheck.iis.se/
  http://dnssec-debugger.verisignlabs.com/
  http://dnssec-or-not.net/
  http://test-ipv6.com/
  http://www.dnssec-failed.org/
  http://www.dnssec-validator.cz/
  http://www.zonecheck.fr/

BIND query log flags
  Each logged query carries a flag string built from these characters:

    +  recursion requested
    S  request signed
    E  EDNS0 enabled
    T  TCP
    D  DNSSEC requested
    C  checking disabled

RRs
  Chain-of-trust diagram (not reproduced; labels recovered: net, de,
  DNSKEY, self, DS, child, DS, DNSKEY). A parent zone's DNSKEY signs
  itself; the parent publishes a DS record for the child; the child's
  DNSKEY is validated against that DS.

BIND validation
  Configure BIND to perform DNSSEC validation:

    options {
        dnssec-enable yes;
        dnssec-validation auto;
        dnssec-lookaside auto; // DLV
    };

  Add KSK DNSKEYs if you have special validatable zones:

    trusted-keys {
        "my-domain" 257 3 7 "AWEAAQsF...";
    };

  Create a static stub zone for your zone:

    zone "example.net" in {
        type static-stub;
        server-names { "localhost"; };
        server-addresses { 127.0.0.1; };
    };

dig
  Useful dig options for DNSSEC queries:

    $ dig @addr name type options

    +dnssec     sets DO, requesting DNSSEC
    +multiline  verbosely human
    +cd         server shouldn't validate
    +sigchase   don't. Use drill(1)

  Authenticated data: ;; flags: qr rd ra ad;
drill
  This is ldns' answer to dig(1):

    $ drill [opts] name @addr type

  Useful options:

    -D       sets +DO, requesting DNSSEC
    -S       chase signatures
    -k file  DNSKEY or DS to verify sigs

  Examples:

    $ drill -D example.net
    $ drill -D -S -k root.key example.net

Unbound validation
  Get and maintain the root DNSSEC key:

    $ unbound-anchor -a root.key

  Configure Unbound to perform DNSSEC validation:

    server:
        auto-trust-anchor-file: "root.key"
        dlv-anchor-file: "dlv.key"

  If you want to add islands of trust, add DNSKEY and/or DS records
  to a file, and add the file to unbound.conf:

        trust-anchor-file: "my.keys"

  Optionally convince Unbound to query your non-delegated zone:

    stub-zone:
        name: "example.net"
        stub-host: localhost
        stub-addr: 127.0.0.1

Acronyms & flags
  DLV  DNS Lookaside Validation
  DS   Delegation Signer
  KSK  Key-Signing Key
  ZSK  Zone-Signing Key
  RFC  Request for Comments

  do   flag: DNSSEC OK
  ad   flag: authenticated data
  qr   flag: query
  aa   flag: authoritative answer
  tc   flag: truncated
  rd   flag: recursion desired
  cd   flag: checking disabled
  ra   flag: recursion available
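An added example, not from the refcard, that turns the two flag tables on this card into code. The first part decodes the +SETDC flag string from BIND query log lines and counts how many queries set DO (DNSSEC requested) or CD (checking disabled), which tells an operator how DNSSEC-aware the client population is and how many clients are asking the resolver to skip validation. The second part reads the ";; flags:" header line of dig or drill output and reports whether the answer carried the ad bit. The log lines and dig header are constructed in the shape of BIND 9 query-log and dig output; the regular expressions are assumptions about that shape.

```python
"""Decode DNSSEC-relevant flags from BIND query logs and dig/drill headers.

Added example, not part of the six53 refcard. Sample log lines and the
sample dig header are constructed in the shape of BIND 9 output.
"""
import re
from collections import Counter

# Meaning of each character after the leading '+' (RD set) or '-' (RD clear),
# as listed in the 'BIND query log flags' section of the card.
QUERYLOG_FLAGS = {
    "S": "request signed",
    "E": "EDNS0 enabled",
    "T": "TCP",
    "D": "DNSSEC requested",   # DO bit set by the client
    "C": "checking disabled",  # CD bit set: client asks us not to validate
}

# Assumed shape of a BIND 9 'queries' channel line.
QUERYLOG_RE = re.compile(
    r"client (?P<client>\S+?)#(?P<port>\d+): query: (?P<qname>\S+) "
    r"(?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>[+-][SETDC]*)"
)

# Constructed sample log lines.
SAMPLE_LOG = """\
29-Mar-2011 10:11:12.001 client 192.0.2.10#53211: query: www.example.net IN A +ED (192.0.2.53)
29-Mar-2011 10:11:12.002 client 192.0.2.11#40001: query: example.net IN DNSKEY +EDC (192.0.2.53)
29-Mar-2011 10:11:12.003 client 192.0.2.12#40002: query: mail.example.net IN MX + (192.0.2.53)
29-Mar-2011 10:11:12.004 client 198.51.100.7#40003: query: example.net IN AXFR -T (192.0.2.53)
29-Mar-2011 10:11:12.005 client 192.0.2.13#40004: query: example.net IN SOA +SE (192.0.2.53)
"""


def parse_querylog_line(line):
    """Return the query fields plus a human-readable flag list, or None if no match."""
    m = QUERYLOG_RE.search(line)
    if not m:
        return None
    flags = m.group("flags")
    decoded = ["recursion requested" if flags[0] == "+" else "recursion not requested"]
    decoded += [QUERYLOG_FLAGS[c] for c in flags[1:]]
    return {
        "client": m.group("client"),
        "qname": m.group("qname"),
        "qtype": m.group("qtype"),
        "flags": flags,
        "decoded": decoded,
    }


def summarize_querylog(log_text):
    """Return (total_queries, Counter of flag letters) over all parsable lines.

    counts['D'] / total is the share of DNSSEC-aware clients; counts['C'] shows
    how many queries asked the resolver to bypass validation.
    """
    counts, total = Counter(), 0
    for line in log_text.splitlines():
        rec = parse_querylog_line(line)
        if rec is None:
            continue
        total += 1
        counts.update(rec["flags"][1:])
    return total, counts


# dig/drill header line, e.g. ';; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, ...'
DIG_FLAGS_RE = re.compile(r";; flags:\s*([a-z ]*);")

# Constructed dig header showing an authenticated answer (ad set).
SAMPLE_DIG = (
    ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234\n"
    ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1\n"
)


def response_flags(dig_output):
    """Return the set of header flags (qr, aa, tc, rd, ra, ad, cd) from dig output."""
    m = DIG_FLAGS_RE.search(dig_output)
    return set(m.group(1).split()) if m else set()


def validation_state(dig_output):
    """'checking disabled' if the query bypassed validation (+cd), 'authenticated'
    if the resolver set ad, otherwise 'unauthenticated'."""
    flags = response_flags(dig_output)
    if "cd" in flags:
        return "checking disabled"
    if "ad" in flags:
        return "authenticated"
    return "unauthenticated"


if __name__ == "__main__":
    total, counts = summarize_querylog(SAMPLE_LOG)
    print(f"{total} queries; DO set on {counts['D']}, CD set on {counts['C']}, TCP {counts['T']}")
    print("sample dig answer:", validation_state(SAMPLE_DIG))
```

The ad bit only says that the resolver you asked validated the answer; it is worth trusting only over a path to that resolver you already trust (the local validating BIND or Unbound configured above), which is why the card's validation sections put the validator on the same host.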
Type        decimal
  A            1
  AAAA        28
  AFSDB       18
  APL         42
  AXFR       252
  CERT        37
  CNAME        5
  DHCID       49
  DLV      32769
  DNAME       39
  DNSKEY      48
  DS          43
  HIP         55
  IPSECKEY    45
  IXFR       251
  KX          36
  LOC         29
  MX          15
  NAPTR       35
  NS           2
  NSEC        47
  NSEC3       50
  NSEC3PARAM  51
  OPT         41
  PTR         12
  RRSIG       46
  RP          17
  SOA          6
  SPF         99
  SSHFP       44
  TKEY       249
  TSIG       250
  TXT         16
Algorithm numbers
   #  Mnemonic            RFC
   3  DSA                 3755
   5  RSASHA1             3755
   6  DSA-NSEC3-SHA1      5155
   7  RSASHA1-NSEC3-SHA1  5155
   8  RSASHA256           5702
  10  RSASHA512           5702
  12  ECC-GOST            5933
Digest algos
  #  Desc
  1  SHA-1
  2  SHA-2
  3  GOST
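The RRs diagram shows the parent's DS pointing at the child's DNSKEY; in code, a DS is a digest over the child's canonical owner name followed by the DNSKEY RDATA, labelled with the key tag from RFC 4034 Appendix B and one of the digest numbers in the table above. This added example (not the refcard's own code) computes exactly that from a DNSKEY record and also decodes the flags fields that appear on the card: DNSKEY 256/257 (ZSK/KSK) and the KEY 512 host-key flags used for SIG(0). The DNSKEY line is constructed: flags 257, protocol 3, algorithm 8, and four dummy key bytes, so its DS is meaningful only as a demonstration of the computation.

```python
"""Decode DNSKEY/KEY flags, compute key tags and derive DS records.

Added example, not part of the six53 refcard. The sample DNSKEY is
constructed (its public key is four dummy bytes, not a real key).
"""
import base64
import hashlib
import struct

# DNSKEY flag bits: ZONE (RFC 4034 2.1.1), REVOKE (RFC 5011), SEP (RFC 4034)
ZONE_KEY = 0x0100
REVOKE = 0x0080
SEP = 0x0001

# DS digest types from the 'Digest algos' table; 3 (GOST) is not in hashlib.
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256}

# Constructed sample: flags 257 (KSK), protocol 3, algorithm 8 (RSASHA256),
# public key bytes 01 02 03 04 in base64.
SAMPLE_DNSKEY_LINE = "example.net. 3600 IN DNSKEY 257 3 8 AQIDBA=="


def describe_dnskey_flags(flags):
    """257 -> 'KSK' (ZONE|SEP), 256 -> 'ZSK'; the REVOKE bit is reported too."""
    if not flags & ZONE_KEY:
        return "not a zone key"
    role = "KSK" if flags & SEP else "ZSK"
    return role + (" (revoked)" if flags & REVOKE else "")


def describe_key_flags(flags):
    """Name type of a legacy KEY record (RFC 2535 bits 6-7); 512 is a host key,
    which is what dnssec-keygen -n HOST -T KEY produces for SIG(0)."""
    name_type = (flags >> 8) & 0x03
    return {0: "user key", 1: "zone key", 2: "host key", 3: "reserved"}[name_type]


def owner_to_wire(name):
    """Canonical wire form of an owner name: lower-case, length-prefixed labels, root 0x00."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Wire-format DNSKEY RDATA: flags(16) protocol(8) algorithm(8) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (valid for every algorithm except 1, RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Return (key_tag, algorithm, digest_type, hex_digest) as in a DS record.

    The digest covers the canonical owner name followed by the DNSKEY RDATA
    (RFC 4034 section 5.1.4); this is what the parent publishes for the child.
    """
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGEST_ALGOS[digest_type](owner_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def parse_dnskey_line(line):
    """Parse 'owner [ttl] [class] DNSKEY flags proto alg base64...' into its parts."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = int(fields[i + 1]), int(fields[i + 2]), int(fields[i + 3])
    pubkey_b64 = "".join(fields[i + 4:])  # the base64 blob may be split by spaces
    return fields[0], flags, protocol, algorithm, pubkey_b64


def ds_from_dnskey_line(line, digest_type=2):
    """Presentation-format DS record for a DNSKEY given in presentation format."""
    owner, flags, protocol, algorithm, pubkey_b64 = parse_dnskey_line(line)
    tag, alg, dt, digest = make_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type)
    return f"{owner} IN DS {tag} {alg} {dt} {digest}"


if __name__ == "__main__":
    owner, flags, *_ = parse_dnskey_line(SAMPLE_DNSKEY_LINE)
    print(owner, describe_dnskey_flags(flags))
    print(ds_from_dnskey_line(SAMPLE_DNSKEY_LINE, 1))
    print(ds_from_dnskey_line(SAMPLE_DNSKEY_LINE, 2))
    print("KEY 512 =", describe_key_flags(512))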
Credits
http://six53.net/refcard by @jpmens
IXFR from @miekg, @bortzmeyer