Some time ago, I wrote a post about using dnssec-tools to manage an authoritative name server on CentOS; now I’m going to extend it to cover their use on a Fedora system.
First of all, I’m going to use the latest version, which is currently not in the repositories. Download the source rpm, rebuild it with mock and install the resulting rpms:
$ mock -r fedora-19-x86_64 dnssec-tools-2.0-1.fc18.src.rpm
# yum install /var/lib/mock/fedora-19-x86_64/result/*rpm
The configuration of bind as an authoritative name server, /etc/named.conf. Queries are open to anyone, but recursion and cache access are limited to the trusted ACL (localhost) and zone transfers to the listed slaves, so the public side is authoritative-only. (The dnssec-lookaside and bindkeys-file lines only affect the validating side; the ISC DLV registry has since been shut down, so on a current BIND they should be dropped.)
acl dns-slaves {
1.2.3.4;
2001:2b8::1;
};
acl trusted {
localhost;
};
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { any; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
allow-query-cache { trusted; };
allow-recursion { trusted; };
allow-transfer { dns-slaves; };
hostname "ns1.example.com";
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
channel null {
null;
};
channel default_syslog {
syslog daemon;
severity info;
};
category queries { "default_syslog"; };
category default { "default_syslog"; };
category lame-servers { "default_syslog"; };
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
zone "example.com" IN {
type master;
file "masters/example.com.zone";
};
And this is my configuration of /etc/dnssec-tools/dnssec-tools.conf. Note that I have changed the random device to /dev/random, so generating the keys can take a while:
#
# DNSSEC-Tools Configuration
#
#
# Settings for DNSSEC-Tools administration.
#
admin-email hostmaster@example.com
mailer-type smtp
mailer-server localhost
#
# Paths to needed programs. These may need adjusting for individual hosts.
#
genkrf /usr/bin/genkrf
keyarch /usr/bin/keyarch
rollchk /usr/bin/rollchk
rollctl /usr/bin/rollctl
zonesigner /usr/bin/zonesigner
keygen /usr/sbin/dnssec-keygen
rndc /usr/sbin/rndc
zonecheck /usr/sbin/named-checkzone
zonesign /usr/sbin/dnssec-signzone
zonecheck-opts -i local
#
# The name of the Perl module that will be used to parse zone files.
# Net::DNS::ZoneFile::Fast is the default and isn't required to be set.
#
# zonefile-parser Net::DNS::ZoneFile::Fast
#
# Settings for dnssec-keygen.
#
algorithm rsasha256
ksklength 2048
zsklength 1024
random /dev/random
;
; Settings for dnssec-signzone.
;
endtime +2592000 # RRSIGs good for thirty days.
#
# Life-times for keys. These defaults indicate how long a key has
# between roll-overs. The values are measured in seconds.
#
# Sample values:
# 3600 1 hour
# 86400 1 day
# 604800 1 week
# 2592000 30-day month
# 7884000 13 weeks, 6 hours
# 15768000 1 half-year
# 31536000 1 year
# 94608000 3 years, 3 days
#
ksklife 31536000
zsklife 7884000
lifespan-max 94608000
lifespan-min 3600
#
# Settings that will be noticed by zonesigner.
#
# default_keyrec output.krf
archivedir /var/lib/dnssec-tools/KEY-SAFE
entropy_msg 1
savekeys 1
kskcount 1
zskcount 1
# To fix a problem with NSEC3
# https://bugs.launchpad.net/ubuntu/+source/dnssec-tools/+bug/1215093
zonesign-opts -u -O full
#
# Settings for rollover-manager.
#
autosign 1
roll_loadzone 1
roll_logfile /var/log/dnssec-tools/log-rollerd
roll_loglevel info
roll_phasemsg long
roll_sleeptime 60
# roll_username some_user
zone_errors 3
log_tz local
#
# GUI-usage flag.
#
usegui 0
I’m going to use the directory /var/lib/dnssec-tools to store the keys. To generate the keys and sign our zone we use the zonesigner command:
# mkdir /var/lib/dnssec-tools
# chmod 0700 /var/lib/dnssec-tools
# cd /var/lib/dnssec-tools
# /usr/bin/zonesigner -verbose -genkeys -dtconfig /etc/dnssec-tools/dnssec-tools.conf -usensec3 -szopts "-u -O full" -zone example.com /var/named/masters/example.com.zone
This will generate an example.com.zone.signed file with the signed data of your zone. Point named at that file instead of the unsigned one:
zone "example.com" IN {
type master;
file "masters/example.com.zone.signed";
};
and reload (zonesigner increments the SOA serial automatically):
# rndc reload
It’s very important to publish the DS record at your registrar; until it is in the parent zone, validating resolvers have no chain of trust to your keys and treat the zone as unsigned. You can get it from /var/lib/dnssec-tools/dsset-example.com. Once the DS is published the zone must stay correctly signed: expired RRSIGs or a DS that does not match the KSK make the zone bogus for every validating resolver, so the re-signing schedule below matters.
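Two things are worth checking before and after the steps above: that the RRSIGs in the signed file are still far from expiry, and that the DS line you hand to the registrar really derives from the KSK in the signed zone. The script below is an added example, not part of dnssec-tools or BIND: it parses the signed zone offline (both the "-O full" one-record-per-line layout used on this page and the default parenthesised layout), reports the earliest RRSIG expiration and recomputes the SHA-256 DS from the KSK per RFC 4034 and RFC 4509. The sample zone, its 4-byte placeholder DNSKEY and the dates and key tags in it are constructed for the demonstration; the script name and the argument order are my choice.

```python
# Offline checks on a dnssec-signzone output file. Added example, not part of
# dnssec-tools or BIND: it reads only the signed zone and the dsset file, so it
# runs on the master before "rndc reload" and before the DS goes to the registrar.
import base64
import hashlib
import sys
from datetime import datetime, timezone

SHA256_DIGEST_TYPE = 2  # DS digest type 2 = SHA-256 (RFC 4509)

def records(zone_text):
    """Yield one token list per record. Handles both dnssec-signzone layouts:
    one record per line ("-O full", as on this page) and records wrapped in
    ( ... ). ';' comments are dropped first (base64 never contains ';')."""
    buf = []
    for line in zone_text.splitlines():
        buf.append(line.split(";", 1)[0])
        joined = " ".join(buf)
        if "(" in joined and ")" not in joined:
            continue  # still inside a multi-line record
        buf = []
        tokens = joined.replace("(", " ").replace(")", " ").split()
        if tokens:
            yield tokens

def parse_time(stamp):
    """RRSIG timestamps are YYYYMMDDHHMMSS and always UTC."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def days_until_first_expiry(zone_text, now=None):
    """Days (float, negative once expired) until the earliest RRSIG in the zone
    expires, or None if there are no RRSIGs. 'now' may be a YYYYMMDDHHMMSS string."""
    # RRSIG RDATA order: type alg labels origTTL expiration inception keytag signer sig
    exps = [parse_time(t[t.index("RRSIG") + 5]) for t in records(zone_text) if "RRSIG" in t]
    if not exps:
        return None
    ref = parse_time(now) if now else datetime.now(timezone.utc)
    return (min(exps) - ref).total_seconds() / 86400

def name_to_wire(name):
    """Canonical wire form of an owner name: lower-case labels (RFC 4034 s6.2)."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (all algorithms but 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_records(zone_text, zone):
    """SHA-256 DS line for every key-signing key (flags 257) in the zone:
    digest = SHA-256(owner name in wire form || DNSKEY RDATA), RFC 4034 s5.1.4."""
    out = []
    for t in records(zone_text):
        if "DNSKEY" not in t:
            continue
        i = t.index("DNSKEY")
        flags, proto, alg = int(t[i + 1]), int(t[i + 2]), int(t[i + 3])
        if flags != 257:  # ZSKs (flags 256) are never published as DS
            continue
        pubkey = base64.b64decode("".join(t[i + 4:]))  # may span several tokens
        rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
        digest = hashlib.sha256(name_to_wire(zone) + rdata).hexdigest().upper()
        out.append(f"{zone}. IN DS {key_tag(rdata)} {alg} {SHA256_DIGEST_TYPE} {digest}")
    return out

def parse_ds(line):
    """(keytag, alg, digest_type, digest) from a DS line, or None. The digest may
    be split into several tokens, as in the dsset files dnssec-signzone writes."""
    t = line.split()
    if "DS" not in t:
        return None
    i = t.index("DS")
    return int(t[i + 1]), int(t[i + 2]), int(t[i + 3]), "".join(t[i + 4:]).upper()

def ds_matches(zone_text, zone, dsset_text):
    """True when every SHA-256 DS in dsset_text is derivable from a KSK in the
    signed zone, i.e. the record handed to the registrar points at your key."""
    want = {d for d in map(parse_ds, dsset_text.splitlines()) if d and d[2] == SHA256_DIGEST_TYPE}
    return bool(want) and want <= set(map(parse_ds, ds_records(zone_text, zone)))

# Constructed sample in "-O full" layout plus one parenthesised record. The
# DNSKEY is a 4-byte placeholder (not a real RSA key); dates and tags are made up.
SAMPLE_ZONE = """\
example.com. 3600 IN RRSIG SOA 8 2 3600 20991231235959 20990101000000 2063 example.com. AbCd==
example.com. 3600 IN DNSKEY 257 3 8 AQIDBA== ; KSK; alg = RSASHA256 ; key id = 2063
example.com. 3600 IN RRSIG NS 8 2 3600 (
        20900108000000 20891201000000 2063 example.com.
        EfGh== )
"""

if __name__ == "__main__":  # usage: dnssec_check.py [signed-zone-file zone-name [dsset-file]]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ZONE
    zone = sys.argv[2] if len(sys.argv) > 2 else "example.com"
    days = days_until_first_expiry(text)
    print("no RRSIGs found" if days is None else f"earliest RRSIG expires in {days:.1f} days")
    print("\n".join(ds_records(text, zone)))
    if len(sys.argv) > 3:
        print("dsset matches KSK:", ds_matches(text, zone, open(sys.argv[3]).read()))
```

On this setup it would be run as dnssec_check.py /var/named/masters/example.com.zone.signed example.com /var/lib/dnssec-tools/dsset-example.com; the DS line it prints should be byte-for-byte what the registrar shows, and with the thirty-day endtime above the days figure tells you whether rollerd is actually re-signing on schedule. BIND's own equivalent for the DS part is dnssec-dsfromkey; the script mirrors its computation so the check does not depend on the signing host's tools.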
Now our signed zone is fully functional, but to ease management the dnssec-tools package includes two daemons that automate the key management process: rollerd is responsible for the key rollover when the keys are about to expire, and donutsd periodically checks the zone for errors. To launch them, I have created these systemd unit files:
/etc/systemd/system/rollerd.service:
[Unit]
Description=Rollerd daemon
After=network.target named.service
[Service]
WorkingDirectory=/var/lib/dnssec-tools
Type=forking
ExecStart=/usr/bin/rollerd -rrfile /etc/dnssec-tools/all.rollrec -zsargs "=usensec3 =szopts '-u -O full'"
PrivateTmp=true
[Install]
WantedBy=multi-user.target
/etc/systemd/system/donutsd.service:
[Unit]
Description=Donutsd daemon
After=network.target named.service
[Service]
Type=simple
ExecStart=/usr/bin/donutsd -a "-v --level=8 -features=live,nsec_check --rules=/usr/share/dnssec-tools/donuts/rules/*.txt" -f hostmaster@example.com -e my_mail@example.com -i /etc/dnssec-tools/checkzones.txt -z 3600 -v
PrivateTmp=true
[Install]
WantedBy=multi-user.target
To create the configuration of rollerd:
# rollinit -directory /var/lib/dnssec-tools -zonefile /var/named/masters/example.com.zone.signed -keyrec ./example.com.krf -admin hostmaster@example.com example.com >> /etc/dnssec-tools/all.rollrec
And for the list of zones donutsd has to check, create the file /etc/dnssec-tools/checkzones.txt:
/var/named/masters/example.com.zone.signed example.com hostmaster@example.com
Reload the systemd config and start the services:
# systemctl daemon-reload --system
# systemctl enable rollerd.service donutsd.service
# systemctl start rollerd.service donutsd.service
When you want to modify the zone file, make your changes to the unsigned zone file /var/named/masters/example.com.zone and then run a script like this:
#!/bin/bash
# Re-sign the zone with the existing keys (-signonly, no key generation), tell
# rollerd about the new signed file, and reload named. set -e stops the script
# if zonesigner fails, so a broken signed file is never reloaded.
set -e
cd /var/lib/dnssec-tools
/usr/bin/zonesigner -rollmgr rollerd -dtconfig /etc/dnssec-tools/dnssec-tools.conf -usensec3 -szopts "-u -O full" -zone example.com -krf ./example.com.krf -signonly /var/named/masters/example.com.zone /var/named/masters/example.com.zone.signed
/usr/sbin/rndc reload
To manually check the correctness of the zone, here is another script to launch donuts:
#!/bin/bash
/usr/bin/donuts -v -v --level=8 -features=live,nsec_check --rules=/usr/share/dnssec-tools/donuts/rules/*.txt /var/named/masters/example.com.zone.signed example.com