mirror of
https://github.com/isc-projects/bind9.git
synced 2026-02-28 12:31:29 -05:00
Deduplicate Manual Signing between DNSSEC chapter and DNSSEC Guide
The two procedures were essentially the same, but each instance was
missing some details from the other. They are now combined into one text
in the DNSSEC Guide and linked from the DNSSEC chapter.
(cherry picked from commit 7d25027898)
parent
99ef4f254f
commit
595eb27b7e
2 changed files with 42 additions and 64 deletions
@ -338,58 +338,9 @@ There are several tools available to manually sign a zone.
|
|||
compatibility and should be used only by expert users with specific needs.
|
||||
|
||||
To set up a DNSSEC secure zone manually, a series of steps
|
||||
must be followed. BIND 9 ships with several tools that are used in
|
||||
this process, which are explained in more detail below. In all cases,
|
||||
the ``-h`` option prints a full list of parameters. Note that the DNSSEC
|
||||
tools require the keyset files to be in the working directory or the
|
||||
directory specified by the ``-d`` option.
|
||||
|
||||
The :iscman:`dnssec-keygen` program is used to generate keys.
|
||||
|
||||
The following command generates an ECDSAP256SHA256 key for the
|
||||
``child.example`` zone:
|
||||
|
||||
.. code-block:: shell
|
||||
|
||||
dnssec-keygen -a ECDSAP256SHA256 -n ZONE child.example.
|
||||
|
||||
Two output files are produced: ``Kchild.example.+013+12345.key`` and
|
||||
``Kchild.example.+013+12345.private``. Structure of the file names is described
|
||||
in section `Zone Keys`_.
|
||||
|
||||
To generate another key with the same properties but with a different
|
||||
key tag, repeat the above command.
|
||||
|
||||
The :iscman:`dnssec-keyfromlabel` program is used to get a key pair from a
|
||||
crypto hardware device and build the key files. Its usage is similar to
|
||||
:iscman:`dnssec-keygen`.
|
||||
|
||||
The public keys should be inserted into the zone file by including the
|
||||
``.key`` files using ``$INCLUDE`` statements.
|
||||
|
||||
The :iscman:`dnssec-signzone` program is used to sign a zone.
|
||||
|
||||
Any ``keyset`` files corresponding to secure sub-zones should be
|
||||
present. The zone signer generates ``NSEC``, ``NSEC3``, and ``RRSIG``
|
||||
records for the zone, as well as ``DS`` for the child zones if
|
||||
:option:`-g <dnssec-signzone -g>` is specified. If
|
||||
:option:`-g <dnssec-signzone -g>` is not specified, then DS RRsets for the
|
||||
secure child zones need to be added manually.
|
||||
|
||||
By default, all zone keys which have an available private key are used
|
||||
to generate signatures. The following command signs the zone, assuming
|
||||
it is in a file called ``zone.child.example``:
|
||||
|
||||
.. code-block:: shell
|
||||
|
||||
dnssec-signzone -o child.example zone.child.example
|
||||
|
||||
One output file is produced: ``zone.child.example.signed``. This file
|
||||
should be referenced by :iscman:`named.conf` as the input file for the zone.
|
||||
|
||||
:iscman:`dnssec-signzone` also produces keyset and dsset files. These are used
|
||||
to provide the parent zone administrators with the ``DNSKEYs`` (or their
|
||||
corresponding ``DS`` records) that are the secure entry point to the zone.
|
||||
must be followed. Please see chapter
|
||||
:ref:`advanced_discussions_manual_key_management_and_signing` in the
|
||||
:doc:`dnssec-guide` for more information.
|
||||
|
||||
Monitoring with Private Type Records
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
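Review bot: the replacement text ("a series of steps must be followed. Please see chapter :ref:`advanced_discussions_manual_key_management_and_signing` in the :doc:`dnssec-guide`") depends on a label that this diff does not add, so confirm the label already exists in the guide and that the `:doc:` target resolves from this chapter's location (Sphinx resolves a `:doc:` name without a leading slash relative to the current document's directory). The sentence also reads as a fragment after the deletion; something like "a series of steps must be followed; these are described in :ref:`...` in the :doc:`dnssec-guide`." flows better. Finally, the deleted block was the only place that showed the two files written by :iscman:`dnssec-keygen` (``Kchild.example.+013+12345.key`` and ``.private``) together with the `Zone Keys`_ pointer, and the text moved into the guide by this commit does not repeat that, so make sure :ref:`generate_keys` in the guide still covers it before the chapter version is dropped.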
@ -1152,6 +1152,10 @@ about the contents. See chapter :ref:`zone_keys` for more details.
|
|||
Make sure these files are readable by :iscman:`named` and make sure that the
|
||||
``.private`` files are not readable by anyone else.
|
||||
|
||||
Alternativelly, the :iscman:`dnssec-keyfromlabel` program is used to get a key
|
||||
pair from a crypto hardware device and build the key files. Its usage is
|
||||
similar to :iscman:`dnssec-keygen`.
|
||||
|
||||
Setting Key Timing Information
|
||||
++++++++++++++++++++++++++++++
|
||||
|
||||
|
|
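Review bot: "Alternativelly" in the added paragraph is a typo for "Alternatively". Since this paragraph presents an alternative rather than a required step, "is used to get a key pair" should be "can be used to obtain a key pair from a crypto hardware device and build the key files"; and because it now sits directly after the note about ``.private`` file permissions, one clause saying that the same permission rule applies to the files produced by :iscman:`dnssec-keyfromlabel` would avoid the reader assuming the HSM path exempts them.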
@ -1371,12 +1375,31 @@ including interaction with the parent. A user certainly can do all this,
|
|||
but why not use one of the automated methods? Nevertheless, it may
|
||||
be useful for test purposes, so we cover it briefly here.
|
||||
|
||||
The first step is to create the keys as described in :ref:`generate_keys`.
|
||||
Then, edit the zone file to make sure
|
||||
the proper DNSKEY entries are included in your zone file. Finally, use the
|
||||
command :iscman:`dnssec-signzone`:
|
||||
BIND 9 ships with several tools that are used in
|
||||
this process, which are explained in more detail below. In all cases,
|
||||
the ``-h`` option prints a full list of parameters. Note that the DNSSEC
|
||||
tools require the keyset files to be in the working directory or the
|
||||
directory specified by the ``-d`` option.
|
||||
|
||||
::
|
||||
The first step is to create the keys as described in :ref:`generate_keys`.
|
||||
|
||||
Then, edit the zone file to make sure the proper DNSKEY entries are included.
|
||||
The public keys should be inserted into the zone file by
|
||||
including the ``.key`` files using ``$INCLUDE`` statements.
|
||||
|
||||
Finally, use the command :iscman:`dnssec-signzone`.
|
||||
Any ``keyset`` files corresponding to secure sub-zones should be
|
||||
present. The zone signer generates ``NSEC``, ``NSEC3``, and ``RRSIG``
|
||||
records for the zone, as well as ``DS`` for the child zones if
|
||||
:option:`-g <dnssec-signzone -g>` is specified. If
|
||||
:option:`-g <dnssec-signzone -g>` is not specified, then DS RRsets for the
|
||||
secure child zones need to be added manually.
|
||||
|
||||
By default, all zone keys which have an available private key are used
|
||||
to generate signatures. The following command signs the zone, assuming
|
||||
it is in a file called ``zone.child.example``, using manually specified keys:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
# cd /etc/bind/keys/example.com/
|
||||
# dnssec-signzone -A -t -N INCREMENT -o example.com -f /etc/bind/db/example.com.signed.db \
|
||||
|
|
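Review bot: the lead-in sentence added here ("The following command signs the zone, assuming it is in a file called ``zone.child.example``, using manually specified keys:") contradicts the example it introduces, which is the guide's existing ``example.com`` command (``-o example.com -f /etc/bind/db/example.com.signed.db``, with the unsigned zone in ``/etc/bind/db/example.com.db`` according to the paragraph that follows). Drop the ``zone.child.example`` reference and say e.g. "assuming the unsigned zone is in ``/etc/bind/db/example.com.db`` and the keys are given explicitly on the command line:". Two smaller points: "which are explained in more detail below" was true in the chapter but not in this section, which states that the manual procedure is only covered briefly, so either remove it or point at the guide sections that do explain the tools; and since the note about keyset files being found in the working directory or via ``-d`` is carried over, the ``cd /etc/bind/keys/example.com/`` line deserves a half-sentence saying the command is deliberately run from the key directory.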
@ -1395,17 +1418,21 @@ command :iscman:`dnssec-signzone`:
|
|||
Signatures per second: 364.634
|
||||
Runtime in seconds: 0.055
|
||||
|
||||
The -o switch explicitly defines the domain name (``example.com`` in
|
||||
this case), while the -f switch specifies the output file name. The second line
|
||||
has three parameters: the unsigned zone name
|
||||
(``/etc/bind/db/example.com.db``), the ZSK file name, and the KSK file name. This
|
||||
also generates a plain text file ``/etc/bind/db/example.com.signed.db``,
|
||||
which you can verify for correctness.
|
||||
The :option:`-o <dnssec-signzone -o>` switch explicitly defines the domain name
|
||||
(``example.com`` in this case), while the :option:`-f <dnssec-signzone -f>`
|
||||
switch specifies the output file name. The second line has three parameters:
|
||||
the unsigned zone name (``/etc/bind/db/example.com.db``), the ZSK file name,
|
||||
and the KSK file name. This also generates a plain-text file
|
||||
``/etc/bind/db/example.com.signed.db``, which can be manually verified for correctness.
|
||||
|
||||
:iscman:`dnssec-signzone` also produces keyset and dsset files. These are used
|
||||
to provide the parent zone administrators with the ``DNSKEY`` records (or their
|
||||
corresponding ``DS`` records) that are the secure entry point to the zone.
|
||||
|
||||
Finally, you'll need to update :iscman:`named.conf` to load the signed version
|
||||
of the zone, which looks something like this:
|
||||
|
||||
::
|
||||
.. code-block:: none
|
||||
|
||||
zone "example.com" IN {
|
||||
type primary;
|
||||
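Review bot: "This also generates a plain-text file ``/etc/bind/db/example.com.signed.db``" is misleading, because that file is exactly the signed zone named by ``-f`` in the command above, i.e. the primary output rather than a by-product; suggest "The signed zone is written to ``/etc/bind/db/example.com.signed.db`` as plain text and can be inspected for correctness." The keyset statement carried over unchanged from the chapter ("also produces keyset and dsset files") is only true in compatibility mode: by default :iscman:`dnssec-signzone` writes a ``dsset-example.com.`` file, and a ``keyset-`` file only when ``-C`` is given, so "produces a dsset file (and, with ``-C``, a keyset file)" would be accurate. Minor: "The second line has three parameters" should read "the second line of the command", since the command is split with a backslash continuation and the reader may not think of it as two lines.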