Sometimes you play with DNS, sometimes you want to see how much DNSSEC breaks your game.

I've seen both sides of that one, where I wasn't entirely sure that I'd actually got it up and running, because everything just worked, and the other one, where I was dead certain I got DNSSEC up and running because everything broke...

There have also been quite a few evenings/mornings/days/nights where suddenly mail stopped flowing and I couldn't reach my webserver, because DNSSEC suddenly broke.

So far, all this seems to be more or less a thing of the past; it's been running quite nicely for quite some time, so now is a good time to make a few notes about how it's set up and how it works, for future reference :-)

This is all running on a BIND (by ISC) nameserver, at the time of writing I was using version 9.9.4-p1.

First of all, get a domain (perhaps you already have one) and create a zonefile.

example.com. 43200 IN SOA ns4.example.net. hostmaster.example.net. (
        2013121901 ; serial
        10800 ; refresh (3 hours)
        3600 ; retry (1 hour)
        3600000 ; expire (5 weeks 6 days 16 hours)
        43200 ; minimum (12 hours)
)
        43200 NS ns2.example.com. ; a record starting with whitespace keeps the previous owner (example.com.)
        43200 NS ns3.example.com.
        43200 NS ns4.example.net.
localhost 43200 IN A 127.0.0.1
        43200 IN AAAA ::1

People quicker than I usually am will notice that not all of the nameservers are in the zone that's being served. That makes sense. Do get at least one nameserver that's outside your own zone. I'd suggest either pairing up with someone you know outside your "domain" or using one of the many domain sellers for secondary DNS service. Sometimes it's a hidden feature, sometimes it's an easy find.
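As an added example (not code from the post), here is a small Python parser for the master-file format above, plus the delegation checks the post argues for. It embeds a constructed copy of the zone; run on that, it also flags that ns2/ns3.example.com are listed as in-zone nameservers without A/AAAA (glue) records.

```python
import re

SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 43200
@   43200 IN SOA ns4.example.net. hostmaster.example.net. (
    2013121901 10800 3600 3600000 43200 )  ; serial refresh retry expire minimum
    43200 NS ns2.example.com.
    43200 NS ns3.example.com.
    43200 NS ns4.example.net.
localhost 43200 IN A    127.0.0.1
          43200 IN AAAA ::1
"""  # constructed sample mirroring the post's zone (not the post's own file)

def parse_zone(text, origin):
    """Master-file parser: $ORIGIN/$TTL, ';' comments, '( )' continuation, blank-owner inheritance."""
    lines = [re.sub(r';.*', '', ln) for ln in text.splitlines()]
    flat = re.sub(r'\(([^)]*)\)', lambda m: m.group(1).replace('\n', ' '), '\n'.join(lines))
    records, owner, ttl = [], origin, None  # records are (owner, ttl, type, rdata tokens)
    for line in flat.splitlines():
        if not line.strip():
            continue
        if line.startswith('$'):  # $ORIGIN sets the default suffix, $TTL the default TTL
            key, val = line.split()[:2]
            origin, ttl = (val, ttl) if key == '$ORIGIN' else (origin, int(val))
            continue
        toks = line.split()
        if not line[0].isspace():  # a leading blank means "same owner as the last record"
            name = toks.pop(0)
            owner = origin if name == '@' else name if name.endswith('.') else f'{name}.{origin}'
        rttl = int(toks.pop(0)) if toks[0].isdigit() else ttl
        toks = toks[1:] if toks[0] in ('IN', 'CH', 'HS') else toks  # optional class
        records.append((owner, rttl, toks[0], toks[1:]))
    return records

def lint_zone(records, origin):
    """Delegation checks: SOA at apex, two or more NS, one NS outside the zone, glue for in-zone NS."""
    findings = []
    if not any(r[0] == origin and r[2] == 'SOA' for r in records):
        findings.append('no SOA record at the apex')
    ns = [r[3][0] for r in records if r[0] == origin and r[2] == 'NS']
    if len(ns) < 2:
        findings.append('fewer than two NS records at the apex')
    if ns and all(n.endswith('.' + origin) for n in ns):
        findings.append('all nameservers are inside the zone; add an off-zone secondary')
    has_addr = {r[0] for r in records if r[2] in ('A', 'AAAA')}
    for n in ns:
        if n.endswith('.' + origin) and n not in has_addr:
            findings.append(f'in-zone nameserver {n} has no A/AAAA (glue) record')
    return findings
```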

Here's a thing we'll be referring to in the next blocks: a list of servers allowed to do zone transfers (that's how the nameservers distribute the domain data between themselves). It's actually just a list of who's allowed to do a zone transfer of the zone. In the old days you really didn't need to do this, but it was realized that a zone transfer is a very good way of finding out what important targets there are for attacking a domain.

These are, except for localhost, not the real IPs :-)

acl "axfrhosts" {
    # Me and mine, for tests
    127.0.0.1;     // localhost
    ::1;           // localhost
    # myservers
    192.0.2.2;     // master ns1
    192.0.2.6;     // slave ns2
    192.0.2.12;    // slave ns3
    198.51.100.24; // example.net ns4
};

Now add an entry to the named.conf file, something like this, that references the zonefile you just made. (Yeah, I have a master/ directory where I keep all the zonefiles that are mastered on the server, and a slave/ directory for all those that are "slaved")

zone "example.com" {
    type        master;
    file        "master/example.com";
    inline-signing  yes;        # named keeps a separate signed copy next to the unsigned file
    auto-dnssec maintain;       # named signs and re-signs with the keys it finds in key-directory
    allow-update    { none; };
    allow-query { any; };
    allow-transfer  { axfrhosts; };
};

Once that's done, you might want to check the config using named-checkconf, unless you're kinda dumb like me and just reload the server and hope everything still works ;-)

Now you should be able to query your nameserver for the zone and see it appear.

$ rndc reload

This instructs named to reload its config and zones and start serving them. It will also make a few files appear alongside the zonefile.

$ cd /etc/namedb/master
$ ls -lart | grep example.com
-rw-r--r-- 1 named named 851 Dec 19 21:08 example.com
-rw-r--r-- 1 named named 512 Dec 19 21:09 example.com.jbk
-rw-r--r-- 1 named named 708 Dec 19 21:09 example.com.signed
-rw-r--r-- 1 named named 7623 Dec 19 22:29 example.com.signed.jnl

The journal file can be viewed using named-journalprint, and the output goes a little something like this:

$ sudo -u named named-journalprint example.com.signed.jnl

Now it's ready to be a master for the zone, so time to do something equivalent to this on the slaves.

zone "example.com" {
    type        slave;
    file        "slave/example.com";
    masters     { MASTSERSERVERIP; };
    allow-update    { none; };
    allow-query { any; };
    allow-transfer  { axfrhosts; };
};

You'll notice the slave servers get the master server's IP address, so they don't depend on DNS for DNS to work. This is a situation where absolute (well, as absolute as is feasible) control is better than hoping and guessing.

Secondly, the slave servers allow zone transfers (the allow-transfer thing) so I can actually daisy-chain slave servers, or more importantly, hide the actual master server behind all kinds of security if I want to.
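As an added example (not the post's own tooling), a tiny named.conf checker for the three points just made: transfers restricted rather than open, slave masters given as IP addresses, and master zones set up for inline signing. It uses a constructed config that keeps the post's MASTSERSERVERIP placeholder, and assumes BIND 9.9's behaviour of allowing transfers to anyone when allow-transfer is absent.

```python
import re
import ipaddress

SAMPLE_CONF = """\
zone "example.com" { type master; file "master/example.com"; inline-signing yes;
    auto-dnssec maintain; allow-update { none; }; allow-transfer { axfrhosts; }; };
zone "example.org" { type slave; file "slave/example.org";
    masters { MASTSERSERVERIP; }; allow-transfer { axfrhosts; }; };  // placeholder kept from the post
zone "leaky.example" { type master; file "master/leaky"; allow-transfer { any; }; };
"""  # constructed sample mirroring the post's stanzas (not the post's own named.conf)

def parse_block(tokens, i=0):
    # Nested statements: 'zone "x" { type master; };' -> ['zone', 'x', [['type', 'master']]]
    stmts, cur = [], []
    while i < len(tokens):
        tok, i = tokens[i], i + 1
        if tok == '{':
            sub, i = parse_block(tokens, i)
            cur.append(sub)
        elif tok == '}':
            break
        elif tok == ';':
            stmts.append(cur)
            cur = []
        else:
            cur.append(tok.strip('"'))
    return stmts, i

def lint_conf(text):
    """Flag zones that leak or fail quietly: open/absent allow-transfer (BIND 9.9
    default is any), non-IP masters on slaves, master zones without inline signing."""
    text = re.sub(r'/\*.*?\*/|(?:#|//)[^\n]*', '', text, flags=re.S)  # drop all three comment styles
    stmts, _ = parse_block(re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', text))
    findings = []
    for s in stmts:
        if not s or s[0] != 'zone':
            continue
        name, opts = s[1], {o[0]: o[1:] for o in s[2]}
        xfer = [e[0] for e in opts['allow-transfer'][0]] if 'allow-transfer' in opts else ['any']
        if 'any' in xfer:
            findings.append(f'{name}: zone transfer open to anyone')
        if opts.get('type') == ['slave']:
            for m in opts.get('masters', [[]])[0]:
                try:
                    ipaddress.ip_address(m[0])  # masters must be literal addresses, not names
                except ValueError:
                    findings.append(f'{name}: masters entry {m[0]!r} is not an IP address')
        elif opts.get('inline-signing') != ['yes'] or opts.get('auto-dnssec') != ['maintain']:
            findings.append(f'{name}: master zone not set up for automatic DNSSEC signing')
    return findings
```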

Now it's just a matter of reloading the slave servers and waiting for them to transfer the zone, and then you're ready to buy the domain and tell the domain seller where your nameservers are. (I'm slightly impatient and always end up buying it first and then later switching the nameservers from the seller's to my own.)

And that's it, now all you have to do is create something amazing with the new stable domain :-)
