
How to add DNSSEC Records in Bind/Named DNS server



In this tutorial I’m going to instruct you on how to generate and enable DNSSEC security for DNS. This is the most requested instruction from visitors.

DNSSEC creates a secure domain name system by adding cryptographic signatures to existing DNS records. These digital signatures are stored in DNS name servers alongside common record types like A, AAAA, MX, CNAME, etc. By checking its associated signature, you can verify that a requested DNS record comes from its authoritative name server and wasn’t altered en route, as opposed to a fake record injected in a man-in-the-middle attack.

First, install haveged to generate keys:

EL/centos/redhat

yum install -y haveged
systemctl enable haveged


In the command examples below, replace “domain.tld” with your domain name.

Second, change the directory to /var/named:

cd /var/named/


Third, generate the ZSK key:

dnssec-keygen -L 3600 -a RSASHA256 -b 2048 -r /dev/urandom domain.tld


Fourth, generate the KSK key:

dnssec-keygen -L 3600 -r /dev/urandom -f KSK -a RSASHA256 -b 4096 domain.tld


Fifth, add the keys to the domain zone file:

cat /var/named/Kdomain.tld.+008+*.key >> /var/named/domain.tld.db


Sixth, sign the zone file:

dnssec-signzone -A -3 $(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16) -N INCREMENT -o domain.tld -t domain.tld.db


Seventh, only for el7/centos 7: edit the named configuration file /etc/named.conf and add this line (don't add this line on el8/centos 8 stream/almalinux 8 and above, as it will not work there):

dnssec-lookaside auto;


** Find these lines: dnssec-enable yes; dnssec-validation yes; and add dnssec-lookaside auto; after them.

Now you need to edit the domain zone file config in /etc/named.conf and change the zone file name to the signed one:

// zone domain.tld
zone "domain.tld" {type master; file "/var/named/domain.tld.db";};
// zone_end domain.tld


to

// zone domain.tld
zone "domain.tld" {type master; file "/var/named/domain.tld.db.signed";};
// zone_end domain.tld


CentOS/el/RHEL: reload/restart the named service:

service named reload
or
systemctl reload named


and you’re done.
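The recipe above as a single script, added here as a hypothetical helper that is not part of the original post. It follows the same steps and file layout (/var/named/domain.tld.db, the one-line zone stanza in /etc/named.conf) but adds two guards: it refuses to run on a zone that already carries DNSKEY records, and it runs named-checkconf and named-checkzone before reloading named. The -r flag is left off dnssec-keygen, which draws from the system entropy source (haveged from step one) by default.

```shell
#!/bin/sh
# Hypothetical wrapper (not from the post) around the recipe above, adding the
# two guards later replies ask for: never append keys to a zone twice, and
# check the result before named is reloaded. Assumes the layout used in the
# post: /var/named/<zone>.db and a one-line zone stanza in /etc/named.conf.
set -eu
ZONEDIR="${ZONEDIR:-/var/named}"

# True if the zone file already carries DNSKEY records, i.e. the recipe has
# run before; a second run corrupts the zone.
zone_has_keys() {
    grep -Eq '^[^;]*[[:space:]]DNSKEY[[:space:]]' "$1"
}

# 16 hex characters of NSEC3 salt, built the same way as in the post.
nsec3_salt() {
    head -c 1000 /dev/urandom | sha1sum | cut -b 1-16
}

# Print named.conf ($2) with zone $1 pointed at its .signed file.
point_zone_at_signed() {
    pat=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for sed
    sed "s#file \"$ZONEDIR/$pat\.db\";#file \"$ZONEDIR/$1.db.signed\";#" "$2"
}

sign_zone() {   # $1 = zone name, e.g. domain.tld
    zone="$1"; db="$ZONEDIR/$zone.db"
    if zone_has_keys "$db" || [ -e "$db.signed" ]; then
        echo "$zone: already signed; restore the backups before re-running" >&2
        return 1
    fi
    cp -p "$db" "$db.bak"                     # rollback points
    cp -p /etc/named.conf /etc/named.conf.bak
    cd "$ZONEDIR"
    dnssec-keygen -L 3600 -a RSASHA256 -b 2048 "$zone"         # ZSK
    dnssec-keygen -L 3600 -f KSK -a RSASHA256 -b 4096 "$zone"  # KSK
    cat "K$zone".+008+*.key >> "$db"                           # publish keys
    dnssec-signzone -A -3 "$(nsec3_salt)" -N INCREMENT -o "$zone" -t "$db"
    point_zone_at_signed "$zone" /etc/named.conf.bak > /etc/named.conf
    # Only reload once both the config and the signed zone parse cleanly.
    named-checkconf /etc/named.conf
    named-checkzone "$zone" "$db.signed"
    systemctl reload named
}

if [ "$#" -eq 1 ]; then
    sign_zone "$1"
fi
```

Run it as root with the zone name as the only argument, e.g. sh sign_zone.sh domain.tld; with no argument it only defines the functions.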



This does not work on AlmaLinux 8 anymore, as bind cannot be restarted after the modification. Also

dnssec-lookaside auto;

is obsolete nowadays and leads to a syntax error.

Is there any solution for CWP as of today?

We are getting a lot of DNS attacks here and DNSSEC would really help a lot. We have the PRO version so this request is rather basic and trivial.


On 9/13/2023 at 3:51 PM, Ling said:

This does not work on AlmaLinux 8 anymore, as bind cannot be restarted after the modification. Also

dnssec-lookaside auto;

is obsolete nowadays and leads to a syntax error.

Is there any solution for CWP as of today?

We are getting a lot of DNS attacks here and DNSSEC would really help a lot. We have the PRO version so this request is rather basic and trivial.

Now I can confirm that your recipe still works after removing the line

dnssec-lookaside auto;

from it, as it is not supported any longer.

The main problem was that this recipe can only be applied one single time. After rolling back to a virgin install I tried it again without the above line, and bind can now be started.


15 hours ago, Ling said:

Now I can confirm that your recipe still works after removing the line

dnssec-lookaside auto;

from it, as it is not supported any longer.

The main problem was that this recipe can only be applied one single time. After rolling back to a virgin install I tried it again without the above line, and bind can now be started.

Great, thanks for the information; topic updated.

Thanks for updating the recipe. You should also make clear that repeated use of this procedure will most likely lead to errors in the bind file and prevent bind from restarting. Even the syntax checker cannot find those errors. So this only works with a virgin config not using DNSSEC yet.

Best practice is to make a backup of all config files and roll back from there if bind refuses to restart due to a typo in the domain name or something like that.

Or you write a script which does all this.

DNSSEC and mod_evasive helped significantly to reduce overload attacks on our server and are definitely a must for CWP, so you should move this thread over there.
