Sunday, October 14, 2012

DNSSEC - Part 3

So, this week we'll look at how to enable DNSSEC on a BIND authoritative DNS server, along with the specifics of the KSK and ZSK.

Here are some steps required to get DNSSEC up and running:

1.  Enable DNSSEC - this requires only that a single line, dnssec-enable yes; be added to the named.conf file.

2.  Generate the KSK and ZSK public/private keypairs - this requires pre-planning as to which algorithm to use, what the key size will be and what the generated keys will be named.  NIST recommends that the KSK be 2048-bit and the ZSK be 1024-bit. RSASHA1NSEC3 is a very commonly used algorithm, paired with the NIST recommended key sizes.  The UNIX command for generating keys is dnssec-keygen.  Details on this command can be found in the NIST Secure DNS Deployment Guide or in the dnssec-keygen man page.

3.  Plan for and Implement Secure Storage for the Private Keys - dnssec-keygen creates both the public and the private key.  Their names take the form K<keyname>.+xxx+yyyyy, where xxx is the number of the algorithm and yyyyy is a system generated number identifying the key (its key tag).  The public key file ends in .key and the private key file ends in .private.  So if we create a key for bubba using RSASHA1NSEC3 (algorithm number 7), the two files will be:
Kbubba.+007+12345.key
Kbubba.+007+12345.private
Remember that 12345 will be a system generated number, but the public and private key files will carry the same one.

It is a definite best practice (and a good idea) to keep the private keys stored offline.  Whether on removable media of some sort or in a secure storage device, they should be protected.

4.  Send the KSK Public Key to the Parent - this establishes the chain of trust we discussed last week.

5.  Sign the Zones - this is done with the command dnssec-signzone.  In order to do so, your private keys must be pulled out of storage and placed on the system, since both the public and the private keys are required to sign the zones.  As with dnssec-keygen, consult the NIST guide or the man page for more details on dnssec-signzone.
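Steps 2 through 5 above, carried out with the BIND 9 tools, as an added example rather than anything from the original post.  It assumes a zone example.com held in the file db.example.com with keys kept in ./keys (all constructed names), uses the option names of BIND 9.7 and later (dnssec-keygen spells the algorithm RSASHA1-NSEC3-SHA1, number 7), and adds a small offline check that the flags field in a generated .key file is 257 for the KSK and 256 for the ZSK.

```shell
#!/bin/sh
# Added example, not from the original post: key generation, DS export and
# zone signing with BIND 9's dnssec-* tools, plus a check of the .key files.
# Assumptions (constructed): zone example.com, zone file db.example.com,
# key directory ./keys. Run with --run to execute the real steps.
set -eu

ZONE="example.com"
ZONEFILE="db.example.com"
KEYDIR="./keys"

# Step 2: KSK (2048-bit, -f KSK sets the SEP flag so flags=257) and ZSK
# (1024-bit, flags=256). Each prints its key name, e.g. Kexample.com.+007+12345
gen_keys() {
    mkdir -p "$KEYDIR"
    dnssec-keygen -K "$KEYDIR" -a RSASHA1-NSEC3-SHA1 -b 2048 -n ZONE -f KSK "$ZONE"
    dnssec-keygen -K "$KEYDIR" -a RSASHA1-NSEC3-SHA1 -b 1024 -n ZONE "$ZONE"
}

# Step 4: the DS record derived from the KSK public key is what goes to the
# parent; -2 selects SHA-256. $1 is the KSK .key file.
ds_for_parent() { dnssec-dsfromkey -2 "$1"; }

# Step 5: -S picks the KSK/ZSK out of KEYDIR by their flags (the .private
# files must be back from offline storage for this), -3 enables NSEC3 with a
# fresh random salt, and the result is written to db.example.com.signed.
sign_zone() {
    salt=$(head -c 4 /dev/urandom | od -An -tx1 | tr -d ' \n')
    dnssec-signzone -S -K "$KEYDIR" -3 "$salt" -o "$ZONE" "$ZONEFILE"
}

# Offline check of step 3's output: the flags field of the DNSKEY line in a
# .key file identifies the role. Prints KSK, ZSK or UNKNOWN.
key_role() {
    flags=$(grep -v '^;' "$1" |
        awk '{for (i = 1; i <= NF; i++) if ($i == "DNSKEY") {print $(i+1); exit}}')
    case "$flags" in
        257) echo KSK ;;
        256) echo ZSK ;;
        *)   echo UNKNOWN ;;
    esac
}

# Constructed sample .key file (same layout dnssec-keygen writes, with a
# placeholder instead of real key material) for trying key_role offline.
demo_key() {
    f=$(mktemp)
    printf '%s\n' "; This is a key-signing key, keyid 12345, for example.com." \
        "example.com. IN DNSKEY $1 3 7 PLACEHOLDERKEYMATERIAL" > "$f"
    echo "$f"
}

if [ "${1:-}" = "--run" ]; then
    gen_keys; ds_for_parent "$KEYDIR"/K"$ZONE".+007+*.key; sign_zone
else
    for fl in 257 256; do k=$(demo_key "$fl"); echo "flags $fl -> $(key_role "$k")"; rm -f "$k"; done
fi
```

Without --run the script only exercises the offline check, so the real key generation and signing happen only on a host that has the BIND tools and the zone file.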

So, that will do it for this week.  Next week, we'll look at the recurring DNSSEC maintenance tasks required once you are up and running, cheers!
