Site icon CentLinux

How to enable DNSSEC for BIND DNS Server

Share on Social Media

Unlock the power of DNSSEC for your BIND DNS Server with our comprehensive tutorial. Learn how to enable DNSSEC and enhance the security and integrity of your DNS infrastructure. #centlinux #linux #dns

What is DNSSEC?

DNSSEC (Domain Name System Security Extensions) is a suite of IETF (Internet Engineering Task Force) specifications for securing certain kinds of information provided by the DNS (Domain Name System) as used on IP (Internet Protocol) networks.

It is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.

How does DNSSEC Work?

DNSSEC (Domain Name System Security Extensions) works by adding cryptographic signatures to DNS records, ensuring the authenticity and integrity of DNS data. Here’s how it works in simple terms:

  1. Signing Zone Data: The owner of a domain digitally signs their DNS zone data using cryptographic keys. This signature is added to the DNS records.
  2. Chain of Trust: DNSSEC uses a hierarchical “chain of trust” similar to SSL certificates. Each domain’s DNS records are signed with a private key, and the corresponding public key is distributed in a chain up to the root DNS servers.
  3. Validation: When a resolver (like your ISP’s DNS server or your computer’s resolver) requests DNS information, it also requests the DNSSEC signatures. The resolver then verifies the signatures using the public keys in the chain of trust.
  4. Trust Anchors: DNSSEC relies on trust anchors, which are the public keys of the root DNS servers. These keys are pre-configured in resolvers, establishing the starting point for verifying DNS data.
  5. Validation Results: If the DNSSEC signatures are valid all the way up to the root, the resolver knows the DNS data hasn’t been tampered with. It returns the DNS information to the client, indicating that it’s secure.

Overall, DNSSEC helps prevent DNS spoofing, cache poisoning, and other attacks by ensuring that the DNS responses received are authentic and haven’t been modified in transit.

Read Also: How to setup DNSSEC in Linux 7

Should I enable DNSSEC?

Whether to enable DNSSEC depends on your specific needs and circumstances. Here are some factors to consider:

  1. Security: DNSSEC significantly enhances the security and integrity of your DNS infrastructure by preventing various types of DNS attacks, such as DNS spoofing and cache poisoning. If security is a top priority for your organization, enabling DNSSEC is highly recommended.
  2. Compliance Requirements: In some industries or regions, regulatory compliance mandates the use of DNSSEC to protect against DNS-based attacks. Ensure that you understand any compliance requirements that may apply to your organization.
  3. Resource Availability: Enabling DNSSEC requires additional resources, including computational power for signing and verifying DNS records, as well as additional bandwidth for larger DNS responses due to the added cryptographic signatures. Evaluate whether your infrastructure can handle these requirements effectively.
  4. Compatibility: Ensure that your DNS software, resolver software, and DNS clients support DNSSEC. Most modern DNS software and clients do support DNSSEC, but it’s essential to verify compatibility before enabling it.
  5. Management Complexity: Managing DNSSEC involves handling cryptographic keys, signing zones, and maintaining trust anchors. Consider whether your team has the expertise and resources to manage DNSSEC effectively.

In summary, if security is crucial for your organization and you have the resources and expertise to manage DNSSEC effectively, enabling it is a prudent decision. However, ensure that you weigh the benefits against the associated complexities and requirements before making a decision.

Recommended Book: DNS and BIND (5th Edition) (PAID LINK) by Cricket Liu & Paul Albitz
Recommended Online Training: Mastering BIND DNS

Install Haveged on Rocky Linux

You have already configured a master and slave DNS servers by using BIND on Rocky Linux 8. In this article, you will enable DNSSEC on the same BIND DNS Server.

Connect with your Master DNS Server i.e. nameserver-01.centlinux.com as root user by using a ssh client.

The haveged project is an attempt to provide an easy-to-use, unpredictable random number generator based upon an adaptation of the HAVEGE algorithm. Haveged was created to remedy low-entropy conditions in the Linux random device that can occur under some workloads, especially on headless servers.

You should install haveged before you configure DNSSEC BIND to speedup the process of key generation during configuration process.

Haveged software package is provided by third party yum repository, therefore, you need to install EPEL (Extra Packages for Enterprise Linux) yum repository on your Linux operating system.

# dnf install -y epel-release

Build yum cache for newly installed yum repository.

# dnf makecache
Rocky Linux 8 - AppStream                       409  B/s | 4.8 kB     00:11
Rocky Linux 8 - BaseOS                          2.1 kB/s | 4.3 kB     00:02
Rocky Linux 8 - Extras                          1.7 kB/s | 3.5 kB     00:02
Extra Packages for Enterprise Linux 8 - x86_64  331 kB/s |  12 MB     00:37
Extra Packages for Enterprise Linux Modular 8 - 7.3 kB/s | 1.0 MB     02:21
Metadata cache created.

Now you can easily install havaged on your Linux server by executing dnf command.

# dnf install -y haveged
Last metadata expiration check: 0:02:17 ago on Sat 09 Jul 2022 02:06:09 PM PKT.
Dependencies resolved.
================================================================================
 Package           Architecture     Version                Repository      Size
================================================================================
Installing:
 haveged           x86_64           1.9.14-1.el8           epel            78 k

Transaction Summary
================================================================================
Install  1 Package

Total download size: 78 k
Installed size: 205 k
Downloading Packages:
haveged-1.9.14-1.el8.x86_64.rpm                  10 kB/s |  78 kB     00:07
--------------------------------------------------------------------------------
Total                                           9.5 kB/s |  78 kB     00:08
Extra Packages for Enterprise Linux 8 - x86_64  1.6 MB/s | 1.6 kB     00:00
Importing GPG key 0x2F86D6A1:
 Userid     : "Fedora EPEL (8) <epel@fedoraproject.org>"
 Fingerprint: 94E2 79EB 8D8F 25B2 1810 ADF1 21EA 45AB 2F86 D6A1
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
Key imported successfully
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1
  Installing       : haveged-1.9.14-1.el8.x86_64                            1/1
  Running scriptlet: haveged-1.9.14-1.el8.x86_64                            1/1
  Verifying        : haveged-1.9.14-1.el8.x86_64                            1/1

Installed:
  haveged-1.9.14-1.el8.x86_64

Complete!

Enable and start haveged.service.

# systemctl enable --now haveged.service
Created symlink /etc/systemd/system/sysinit.target.wants/haveged.service → /usr/lib/systemd/system/haveged.service.

Enable DNSSEC on Master DNS Server

To enable DNSSEC, you need to configure following settings on your Primary DNS Server (Master).

Edit named.conf configuration file in vim text editor.

# vi /etc/named.conf

Locate and set following two directives in this file.

dnssec-enable yes;
dnssec-validation yes;

Add following directive just below the above settings.

dnssec-lookaside auto;

Create a Zone Signing Key (ZSK) by executing following commands at Linux Bash.

# cd /var/named
# dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE centlinux.com
Generating key pair......+++++ ..........................................................+++++
Kcentlinux.com.+007+64074

Create a Key Signing Key (KSK) by executing following command at Linux Bash.

# dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE centlinux.com
Generating key pair....................++++ .........................................................................................................++++
Kcentlinux.com.+007+60889

Include the generated keys in your zone file.

# echo "$include Kcentlinux.com.+007+64074.key" >> /var/named/centlinux.com
# echo "$include Kcentlinux.com.+007+60889.key" >> /var/named/centlinux.com

Sign the zone entries by using dnssec-signzone command.

# dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o centlinux.com -t centlinux.com
Verifying the zone using the following algorithms: NSEC3RSASHA1.
Zone fully signed:
Algorithm: NSEC3RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
ZSKs: 1 active, 0 stand-by, 0 revoked
centlinux.com.signed
Signatures generated: 19
Signatures retained: 0
Signatures dropped: 0
Signatures successfully verified: 0
Signatures unsuccessfully verified: 0
Signing time in seconds: 0.039
Signatures per second: 476.692
Runtime in seconds: 0.044

Above command created a signed zone file for your centlinux.com zone.

Check zone file for any possible errors.

# named-checkzone centlinux.com /var/named/centlinux.com.signed
zone centlinux.com/IN: loaded serial 2022070402 (DNSSEC signed)
OK

The above output shows that your zone file is now DNSSEC signed.

Edit your zone configuration file by using vim text editor.

# vi /etc/named.conf.local

Update the file path, now it is pointing towards the signed zone file.

Also include DNSSEC related settings therein. (Changes are highlighted in yellow color)

zone "centlinux.com" {
type master;
allow-transfer {192.168.116.129; };
also-notify {192.168.116.129; };
file "/var/named/centlinux.com.signed";

# DNSSEC keys Location
key-directory "/var/named/*.keys";

# Publish and Activate DNSSEC keys
auto-dnssec maintain;

# Use Inline Signing
inline-signing yes;
};

zone "116.168.192.in-addr.arpa" {
type master;
allow-transfer {192.168.116.129; };
also-notify {192.168.116.129; };
file "/var/named/116.168.192.in-addr.arpa";
};

Restart your named.service to apply changes.

# systemctl restart named.service

Enable DNSSEC on Slave DNS Server

Now connect to your Secondary DNS Server (Slave) i.e. nameserver-02.centlinux.com as root user by using a ssh client.

Edit named.conf configuration file in vim text editor.

# vi /etc/named.conf

Locate and set following two directives in this file.

dnssec-enable yes;
dnssec-validation yes;

Add following directive just below the above settings.

dnssec-lookaside auto;

Edit your zone configuration file by using vim text editor.

# vi /etc/named.conf.local

Update the file path, now it is pointing towards the signed zone file.

Also include DNSSEC related settings therein. (Changes are highlighted in yellow color)

zone "centlinux.com" {
type slave;
masters { 192.168.116.128; };
file "/var/named/centlinux.com.signed";

# DNSSEC keys Location
key-directory "/var/named/*.keys";

# Publish and Activate DNSSEC keys
auto-dnssec maintain;

# Use Inline Signing
inline-signing yes;
};

zone "116.168.192.in-addr.arpa" {
type slave;
masters { 192.168.116.128; };
file "/var/named/116.168.192.in-addr.arpa";
};

Restart your named.service to apply changes.

# systemctl restart named.service

After service restart the zone files will be fetched from Master DNS Server.

Check zone file for any possible errors.

# named-checkzone centlinux.com /var/named/centlinux.com.signed
zone centlinux.com/IN: loaded serial 2022070402 (DNSSEC signed)
OK

The above output shows that your Zone file is now DNSSEC signed.

Also Read: 

Configure Authoritative DNS Server in CentOS 7
Configure Caching Only DNS Server in CentOS 7

Final Thoughts

After enabling DNSSEC for your BIND DNS Server, you’ve taken a significant step towards enhancing the security and integrity of your DNS infrastructure. If you need further assistance or want to explore additional DNS security measures, feel free to check out my Fiverr profile. Secure DNS, secure browsing!

Exit mobile version