DNSSEC - DNS Security

Howto setup a secure resolver

Please note that this website was last updated in August 2017. At that time, a Root Key roll-over was in progress.

The root of the DNS was signed on the 15th July, 2010.
Why do we need DNSSEC? Well, read this report: "Is SSL Secure?"
This HowTo explains:-

  1. How to retrieve the current DNSKEY (Getting the Root key)
  2. How to set up BIND on a recursive Resolver, using RFC5011 so that Keys are updated automatically
  3. Testing your configuration
  4. Everyday use of DNSSEC - Firefox
Assumptions here are that you are running a Unix/Linux/BSD type server with a recent version of BIND. The version of BIND at the time of writing (Jan, 2011) was BIND 9.7.2-P3. You need at least BIND 9.7.0 in order to benefit from Managed keys with RFC5011. You need BIND 9.7.1 for the managed-keys-directory option. It is also assumed you have 'root' privileges on your server.
Conventions:
Code to run will have a pink background
Code output will have a yellow background

Getting the Root Key

Initially - you should experiment in a new, clean directory. Run the command:-
 dig . dnskey | grep -w 257 > root.key
(The grep for 257 picks out the Key Signing Key, or KSK)
The file "root.key" should contain:-
(old DNSKEY - generated in 2010)
.  170528  IN   DNSKEY  257 3 8
        AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
        FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
        bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
        X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
        W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
        Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
        QxA+Uk1ihz0=

(New DNSKEY - generated in 2017)
.  170528  IN   DNSKEY  257 3 8
	AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
	+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
	ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
	0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
	oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
	RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
	R1AkUTV74bU=
The format may be different and the TTL for this will almost certainly be different too (that's the second field on the first line, "170528"). The base-64 encoded data has been split on the white space for clarity. The above was correct in August 2017. It will change from time to time. The correct key should be easy to find and verify; you should be able to find it in various locations.

You could also use the utility unbound-anchor, a part of the unbound suite of programs - that has the PGP Key for ICANN built in to its software. It will fetch the Key for you.

Configuring BIND

First - let's find out the directory that BIND uses as its base directory. Most newish versions of BIND tend to use /etc/bind/named.conf for BIND's configuration. Another location is /etc/named.conf.

Moving back to the file we created earlier on, edit the contents of the "root.key" file into the following format...
or cut'n'paste the following - if you trust me

managed-keys {
.     initial-key 257 3 8
        "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
        FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
        bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
        X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
        W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
        Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
        QxA+Uk1ihz0=";
};
or for new installations, use:

managed-keys {
.     initial-key 257 3 8
	"AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
	+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
	ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
	0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
	oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
	RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
	R1AkUTV74bU=";
};

Stick the above inside your "named.conf" file - just after the closing brace of the "options" section.
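As an added example (not part of the original HowTo, and not from BIND or ISC): a Python script that takes the "dig . dnskey | grep -w 257" output from the "Getting the Root Key" step, computes the DNSKEY key tag (RFC 4034 Appendix B) so the key can be checked against the tag published for the root KSK before it is trusted, and renders the managed-keys stanza shown above. The function names parse_dnskey, key_tag, managed_keys_stanza and check_and_render are my own; the sample input is constructed from the 2017 key printed on this page.

```python
import base64
import re
import textwrap

# Constructed sample input: the 2017 root KSK as "dig . dnskey | grep -w 257" prints
# it, with the base64 wrapped over indented lines (as shown on this page).
SAMPLE_DIG_OUTPUT = """\
.  170528  IN   DNSKEY  257 3 8
        AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
        +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
        ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
        0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
        oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
        RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
        R1AkUTV74bU=
"""

def parse_dnskey(text):
    """Return (flags, protocol, algorithm, key_b64) from a dig-style DNSKEY RR."""
    m = re.search(r"DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*)", text, re.S)
    if not m:
        raise ValueError("no DNSKEY record found")
    flags, proto, alg = (int(x) for x in m.group(1, 2, 3))
    return flags, proto, alg, re.sub(r"\s+", "", m.group(4))  # re-join wrapped base64

def key_tag(flags, proto, alg, key_b64):
    """Key tag per RFC 4034 Appendix B (for algorithms other than RSA/MD5)."""
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + base64.b64decode(key_b64)
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def managed_keys_stanza(flags, proto, alg, key_b64):
    """Render the managed-keys {} block in the layout this HowTo pastes into named.conf."""
    body = '        "' + "\n        ".join(textwrap.wrap(key_b64, 56)) + '";'
    return f"managed-keys {{\n.     initial-key {flags} {proto} {alg}\n{body}\n}};\n"

def check_and_render(dig_text, expected_tag):
    """Emit a trust anchor only if the record is a KSK (flags 257: zone key + SEP)
    whose key tag matches the tag published for the root KSK (e.g. in IANA's
    trust-anchor file); any copy/paste or substitution error changes the tag."""
    flags, proto, alg, key_b64 = parse_dnskey(dig_text)
    tag = key_tag(flags, proto, alg, key_b64)
    if flags != 257 or tag != expected_tag:
        raise ValueError(f"unexpected key: flags={flags} key tag={tag}")
    return tag, managed_keys_stanza(flags, proto, alg, key_b64)
```

The 2017 root KSK has key tag 20326 (the 2010 one was 19036); take the expected tag from an out-of-band source such as IANA's published trust anchor, not from the same dig answer you are checking.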

Then inside your options section - add the following options:-


    dnssec-enable            yes;
    dnssec-validation        yes;
    dnssec-lookaside         auto;

If you already had some DNSSEC options - then simply update them. Also - if you already had either the root(.) and/or dlv.isc.org in any trusted-keys sections - then remove them too. The dlv.isc.org will be automagically managed because of the dnssec-lookaside auto option. Another option is to set dnssec-validation auto which means use automatically managed "managed-keys", that is - you don't need to add the "managed-keys" section at all. That is, your options section could be as simple as:-

    dnssec-enable            yes;
    dnssec-validation        auto;

This skips the dnssec-lookaside auto option, but as the ISC DLV Lookaside system is likely to be decommissioned by the end of 2017, it's a lot less useful than it used to be.

Save the 'named.conf' file.

The 'dnssec-enable' and 'dnssec-validation' options switch DNSSEC on (strictly speaking, dnssec-enable is not required). Setting 'dnssec-lookaside' to 'auto' allows lookups of secure data via ISC's DLV system.

Note: The ISC DLV Look-aside system is almost redundant and will be "emptied" (alive - but no one home) sometime in 2017.

Restart BIND, or reload its configuration (rndc reconfig) - you should be done.

Testing BIND

You should now be running a Secure DNS Resolver.
Try a 'dig' against your resolver for something like the nameservers of the South African ccTLD...
 dig @localhost za ns
Look at the 'flags' section in the header at the top of the output - you should see the 'ad' bit set...
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 12
...then DNSSEC is running.

You could also look at the DNS for the site 'dnssec.co.za' (dig @localhost dnssec.co.za ns)

Everyday use of DNSSEC

You can install a Firefox 'plugin' that will display a Green Key for sites that have a validatable DNS Signature, an Orange Key if DNSSEC is setup but unable to validate it and a greyed out key for unsigned sites. Search for dnssec validator. This plugin is available for a number of other browsers. It also shows the DANE status of any TLSA record for the site - if the site is also an HTTPS site.

Disclaimer

DNSSEC is not new - it's been around for quite a while. In 2017, the root key is being rolled over to a new key.
Regardless, you should carefully check the root signature - make sure you have the right one!

Author: Mark Elkins - mje (at) posix.co.za