Unlock the power of DNSSEC for your BIND DNS Server with our comprehensive tutorial. Learn how to enable DNSSEC and enhance the security and integrity of your DNS infrastructure. #centlinux #linux #dns
DNSSEC (Domain Name System Security Extensions) is a suite of IETF (Internet Engineering Task Force) specifications for securing certain kinds of information provided by the DNS (Domain Name System) as used on IP (Internet Protocol) networks.
It is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.
DNSSEC (Domain Name System Security Extensions) works by adding cryptographic signatures to DNS records, ensuring the authenticity and integrity of DNS data. Here’s how it works in simple terms:
Overall, DNSSEC helps prevent DNS spoofing, cache poisoning, and other attacks by ensuring that the DNS responses received are authentic and haven’t been modified in transit.
Read Also: How to setup DNSSEC in Linux 7
Whether to enable DNSSEC depends on your specific needs and circumstances. Here are some factors to consider:
In summary, if security is crucial for your organization and you have the resources and expertise to manage DNSSEC effectively, enabling it is a prudent decision. However, ensure that you weigh the benefits against the associated complexities and requirements before making a decision.
Recommended Book: DNS and BIND (5th Edition) (PAID LINK) by Cricket Liu & Paul Albitz
Recommended Online Training: Mastering BIND DNS
You have already configured a master and slave DNS servers by using BIND on Rocky Linux 8. In this article, you will enable DNSSEC on the same BIND DNS Server.
Connect with your Master DNS Server i.e. nameserver-01.centlinux.com as root user by using a ssh client.
The haveged project is an attempt to provide an easy-to-use, unpredictable random number generator based upon an adaptation of the HAVEGE algorithm. Haveged was created to remedy low-entropy conditions in the Linux random device that can occur under some workloads, especially on headless servers.
You should install haveged before you configure DNSSEC BIND to speedup the process of key generation during configuration process.
Haveged software package is provided by third party yum repository, therefore, you need to install EPEL (Extra Packages for Enterprise Linux) yum repository on your Linux operating system.
# dnf install -y epel-release
Build yum cache for newly installed yum repository.
# dnf makecache Rocky Linux 8 - AppStream 409 B/s | 4.8 kB 00:11 Rocky Linux 8 - BaseOS 2.1 kB/s | 4.3 kB 00:02 Rocky Linux 8 - Extras 1.7 kB/s | 3.5 kB 00:02 Extra Packages for Enterprise Linux 8 - x86_64 331 kB/s | 12 MB 00:37 Extra Packages for Enterprise Linux Modular 8 - 7.3 kB/s | 1.0 MB 02:21 Metadata cache created.
Now you can easily install havaged on your Linux server by executing dnf command.
# dnf install -y haveged Last metadata expiration check: 0:02:17 ago on Sat 09 Jul 2022 02:06:09 PM PKT. Dependencies resolved. ================================================================================ Package Architecture Version Repository Size ================================================================================ Installing: haveged x86_64 1.9.14-1.el8 epel 78 k Transaction Summary ================================================================================ Install 1 Package Total download size: 78 k Installed size: 205 k Downloading Packages: haveged-1.9.14-1.el8.x86_64.rpm 10 kB/s | 78 kB 00:07 -------------------------------------------------------------------------------- Total 9.5 kB/s | 78 kB 00:08 Extra Packages for Enterprise Linux 8 - x86_64 1.6 MB/s | 1.6 kB 00:00 Importing GPG key 0x2F86D6A1: Userid : "Fedora EPEL (8) <epel@fedoraproject.org>" Fingerprint: 94E2 79EB 8D8F 25B2 1810 ADF1 21EA 45AB 2F86 D6A1 From : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8 Key imported successfully Running transaction check Transaction check succeeded. Running transaction test Transaction test succeeded. Running transaction Preparing : 1/1 Installing : haveged-1.9.14-1.el8.x86_64 1/1 Running scriptlet: haveged-1.9.14-1.el8.x86_64 1/1 Verifying : haveged-1.9.14-1.el8.x86_64 1/1 Installed: haveged-1.9.14-1.el8.x86_64 Complete!
Enable and start haveged.service.
# systemctl enable --now haveged.service Created symlink /etc/systemd/system/sysinit.target.wants/haveged.service → /usr/lib/systemd/system/haveged.service.
To enable DNSSEC, you need to configure following settings on your Primary DNS Server (Master).
Edit named.conf configuration file in vim text editor.
# vi /etc/named.conf
Locate and set following two directives in this file.
dnssec-enable yes; dnssec-validation yes;
Add following directive just below the above settings.
dnssec-lookaside auto;
Create a Zone Signing Key (ZSK) by executing following commands at Linux Bash.
# cd /var/named
# dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE centlinux.com
Generating key pair......+++++ ..........................................................+++++
Kcentlinux.com.+007+64074
Create a Key Signing Key (KSK) by executing following command at Linux Bash.
# dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE centlinux.com
Generating key pair....................++++ .........................................................................................................++++
Kcentlinux.com.+007+60889
Include the generated keys in your zone file.
# echo "$include Kcentlinux.com.+007+64074.key" >> /var/named/centlinux.com
# echo "$include Kcentlinux.com.+007+60889.key" >> /var/named/centlinux.com
Sign the zone entries by using dnssec-signzone command.
# dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o centlinux.com -t centlinux.com
Verifying the zone using the following algorithms: NSEC3RSASHA1.
Zone fully signed:
Algorithm: NSEC3RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
ZSKs: 1 active, 0 stand-by, 0 revoked
centlinux.com.signed
Signatures generated: 19
Signatures retained: 0
Signatures dropped: 0
Signatures successfully verified: 0
Signatures unsuccessfully verified: 0
Signing time in seconds: 0.039
Signatures per second: 476.692
Runtime in seconds: 0.044
Above command created a signed zone file for your centlinux.com zone.
Check zone file for any possible errors.
# named-checkzone centlinux.com /var/named/centlinux.com.signed
zone centlinux.com/IN: loaded serial 2022070402 (DNSSEC signed)
OK
The above output shows that your zone file is now DNSSEC signed.
Edit your zone configuration file by using vim text editor.
# vi /etc/named.conf.local
Update the file path, now it is pointing towards the signed zone file.
Also include DNSSEC related settings therein. (Changes are highlighted in yellow color)
zone "centlinux.com" {
type master;
allow-transfer {192.168.116.129; };
also-notify {192.168.116.129; };
file "/var/named/centlinux.com.signed";
# DNSSEC keys Location
key-directory "/var/named/*.keys";
# Publish and Activate DNSSEC keys
auto-dnssec maintain;
# Use Inline Signing
inline-signing yes;
};
zone "116.168.192.in-addr.arpa" {
type master;
allow-transfer {192.168.116.129; };
also-notify {192.168.116.129; };
file "/var/named/116.168.192.in-addr.arpa";
};
Restart your named.service to apply changes.
# systemctl restart named.service
Now connect to your Secondary DNS Server (Slave) i.e. nameserver-02.centlinux.com as root user by using a ssh client.
Edit named.conf configuration file in vim text editor.
# vi /etc/named.conf
Locate and set following two directives in this file.
dnssec-enable yes; dnssec-validation yes;
Add following directive just below the above settings.
dnssec-lookaside auto;
Edit your zone configuration file by using vim text editor.
# vi /etc/named.conf.local
Update the file path, now it is pointing towards the signed zone file.
Also include DNSSEC related settings therein. (Changes are highlighted in yellow color)
zone "centlinux.com" {
type slave;
masters { 192.168.116.128; };
file "/var/named/centlinux.com.signed";
# DNSSEC keys Location
key-directory "/var/named/*.keys";
# Publish and Activate DNSSEC keys
auto-dnssec maintain;
# Use Inline Signing
inline-signing yes;
};
zone "116.168.192.in-addr.arpa" {
type slave;
masters { 192.168.116.128; };
file "/var/named/116.168.192.in-addr.arpa";
};
Restart your named.service to apply changes.
# systemctl restart named.service
After service restart the zone files will be fetched from Master DNS Server.
Check zone file for any possible errors.
# named-checkzone centlinux.com /var/named/centlinux.com.signed
zone centlinux.com/IN: loaded serial 2022070402 (DNSSEC signed)
OK
The above output shows that your Zone file is now DNSSEC signed.
Also Read:
Configure Authoritative DNS Server in CentOS 7
Configure Caching Only DNS Server in CentOS 7
After enabling DNSSEC for your BIND DNS Server, you’ve taken a significant step towards enhancing the security and integrity of your DNS infrastructure. If you need further assistance or want to explore additional DNS security measures, feel free to check out my Fiverr profile. Secure DNS, secure browsing!
Puppy Linux is a fast, lightweight OS designed for speed and simplicity, perfect for old…
Learn how to change Apache document root in Linux by following this step-by-step guide. Adjust…
Discover how to change Apache port in Linux easily. Follow our simple guide to modify…
Learn how to create a virtual host in Apache Server with this comprehensive guide. Set…
Discover 10 practical tasks for the RHCSA exam with step-by-step solutions. Boost your Linux skills…
Discover the ultimate Fail2ban configuration guide. Learn how to set up, customize, and optimize Fail2ban…
This website uses cookies.