วันจันทร์ที่ 24 กรกฎาคม พ.ศ. 2560

Setup DNSSEC on BIND DNS Server

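Enable DNSSEC by adding the following configuration directives inside the options { } block of /etc/named.conf.
Note: "dnssec-validation yes" only validates when a trust anchor has been configured by hand; "dnssec-validation auto" uses BIND's built-in root trust anchor. "dnssec-lookaside auto" depended on the ISC DLV registry, which has been retired, and current BIND 9 releases treat both dnssec-lookaside and dnssec-enable as obsolete, so check these directives against the installed version.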
# vi /etc/named.conf
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;

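Create a Zone Signing Key (ZSK)
Note: NSEC3RSASHA1 signs with SHA-1, which RFC 8624 no longer recommends for DNSSEC signing; RSASHA256 or ECDSAP256SHA256 are the usual choices for a new zone.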
# dnssec-keygen -r /dev/urandom -a NSEC3RSASHA1 -b 2048 -n ZONE example.tld

Create a Key Signing Key (KSK)
# dnssec-keygen -r /dev/urandom -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE example.tld

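Add the public key files, which contain the DNSKEY records, to the zone file with $INCLUDE directives. Only the .key files are included; the matching .private files stay out of the zone and should be readable only by the account that signs it.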
# for key in `ls Kexample.tld*.key`; do echo "\$INCLUDE $key">> db.example.tld; done

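Sign the zone with the dnssec-signzone command. The -e +3024000 option makes the signatures expire 3,024,000 seconds (35 days) after the start time, so the zone must be re-signed before then or validating resolvers will reject its records. Without the -3 <salt> option the zone is signed with an NSEC chain, even though the keys use an NSEC3-capable algorithm.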
# dnssec-signzone -e +3024000 -N INCREMENT -o example.tld -t db.example.tld

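Get the DS record to hand to the parent zone. dnssec-signzone writes it to a dsset- file named after the zone (the file name normally ends with a trailing dot).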
# cat dsset-example.tld
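or derive it from the published DNSKEY records (both forms below are equivalent; compare the result with the local dsset file before submitting it, since the dig response itself is not authenticated)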
# dig @ns.example.com example.tld dnskey | dnssec-dsfromkey -f /dev/stdin example.tld
# dig @ns.example.com example.tld dnskey | dnssec-dsfromkey -f - example.tld


Check the signed zone and the chain of trust with an online validator:
http://dnsviz.net
https://dnssec-debugger.verisignlabs.com
http://viewdns.info/dnssec/