In the previous two posts (1st part & 2nd part) I explained how to set up NSD as the primary DNS server and BIND as the secondary. Now let's see how to add DNSSEC on top of that setup: generate keys, sign the zone, and serve the signed zone from NSD.
1. You could keep all the keys in a single folder, but to keep things clear I use four folders under /etc/nsd:

ZONES: the unsigned zone files
SIGNED: the signed zone files (this is what NSD will serve)
ZSK: the Zone Signing Keys
KSK: the Key Signing Keys

ZONES is where the zone file from the earlier parts lives; create the other three:

sudo mkdir /etc/nsd/SIGNED /etc/nsd/KSK /etc/nsd/ZSK
2. Install the ldns tools, an NLnet Labs project (on Debian/Ubuntu the package is ldnsutils; it provides ldns-keygen, ldns-signzone and ldns-verify-zone):

sudo apt-get install ldnsutils
3. Create the ZSK in /etc/nsd/ZSK:

cd /etc/nsd/ZSK
sudo ldns-keygen -a RSASHA1_NSEC3 -b 1024 ssh.com.bd

Create the KSK in /etc/nsd/KSK (-k marks it as a key signing key, i.e. flags 257 instead of 256 in the DNSKEY record):

cd /etc/nsd/KSK
sudo ldns-keygen -a RSASHA1_NSEC3 -b 2048 -k ssh.com.bd

ldns-keygen prints the key name (Kssh.com.bd.+007+22704 in this example: 007 is the algorithm number and 22704 the key tag) and creates three files with that name: a .key file with the public DNSKEY record, a .private file with the private key data, and a .ds file with the DS record of that DNSKEY. Only the KSK's DS record is needed in the parent zone. Keep the .private files readable by root only (chmod 600); anyone who obtains them can sign arbitrary records for the zone.

A caveat on the parameters above: RSASHA1_NSEC3 (algorithm 7) signs with SHA-1, which RFC 8624 lists as NOT RECOMMENDED for signing, and a 1024-bit RSA key is below today's accepted minimum. For a new deployment prefer -a RSASHA256 with -b 2048 or larger, or -a ECDSAP256SHA256 (ldns-keygen -a list shows what your version supports). The algorithm number in the generated file names changes accordingly (+008+ or +013+ instead of +007+), so adjust the paths used in step 5.
4. Edit /etc/nsd/nsd.conf so NSD loads zones from the signed folder:

zonesdir: "/etc/nsd/SIGNED"

and point the zone entry at the signed file instead of the unsigned one:

zone:
    name: "ssh.com.bd"
    zonefile: "ssh.com.bd.zone.signed"

Run nsd-checkconf /etc/nsd/nsd.conf afterwards to catch typos before reloading.
5. Now use ldns-signzone to sign ssh.com.bd and write a new zone file that is ready for DNSSEC queries. The key arguments are the base names ldns-keygen printed, without the .key or .private suffix:

sudo ldns-signzone /etc/nsd/ZONES/ssh.com.bd.zone \
/etc/nsd/KSK/Kssh.com.bd.+007+22704 \
/etc/nsd/ZSK/Kssh.com.bd.+007+04664 \
-f /etc/nsd/SIGNED/ssh.com.bd.zone.signed

This writes the signed zone file to /etc/nsd/SIGNED. Two things to know before relying on it. First, the _NSEC3 in the algorithm name does not by itself produce NSEC3 records: ldns-signzone emits plain NSEC unless you pass -n (add -t 0 for zero extra hash iterations, as RFC 9276 recommends). Second, the RRSIGs it writes expire four weeks after signing by default (-e sets a different date), so the zone has to be re-signed well before then, with a bumped SOA serial so the BIND secondary picks up the new file; once the signatures lapse, validating resolvers answer SERVFAIL for the whole zone. Check the output with ldns-verify-zone on the signed file, reload NSD, and publish the KSK's DS record (the contents of its .ds file) in the parent zone through your registrar to complete the chain of trust.
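One way to keep the zone signed after this first run, as an added example that is not part of the original post: a small re-sign script that signs with NSEC3, refuses to install a zone whose serial did not move, verifies the result, and can warn from cron before the signatures expire. The function names, the 14-day signature lifetime and the weekly check window are my choices; it assumes the folder layout above, GNU date, and NSD 4's nsd-checkzone and nsd-control.

```shell
#!/bin/sh
# resign-zone.sh: re-sign the zone with the ldns tools and hand it to NSD.
# Added example for this post, not code from the original article. Assumes
# the /etc/nsd layout above, the key names ldns-keygen printed, GNU date and
# NSD 4 (nsd-checkzone, nsd-control); zone name and paths are assumptions.
set -eu

ZONE=${ZONE:-ssh.com.bd}
ZONES=/etc/nsd/ZONES
SIGNED=/etc/nsd/SIGNED
KSK_DIR=/etc/nsd/KSK
ZSK_DIR=/etc/nsd/ZSK

# earliest_rrsig_expiry FILE: print the smallest RRSIG expiration time in
# FILE (the YYYYMMDDHHMMSS field five places after the RRSIG type).
earliest_rrsig_expiry() {
    awk '{ for (i = 1; i <= NF; i++) if ($i == "RRSIG") {
               e = $(i + 5); if (min == "" || e + 0 < min + 0) min = e; break } }
         END { if (min != "") print min }' "$1"
}

# soa_serial FILE: print the SOA serial (third field after the SOA type) of a
# one-line-per-RR zone as written by ldns-signzone. Skips "RRSIG SOA" lines.
soa_serial() {
    awk '{ for (i = 2; i <= NF; i++)
               if ($i == "SOA" && $(i - 1) != "RRSIG") { print $(i + 3); exit } }' "$1"
}

# rrsig_expiry_ok FILE DEADLINE: succeed only if every RRSIG in FILE is still
# valid at DEADLINE (YYYYMMDDHHMMSS, UTC). Useful from cron to re-sign before
# the four-week default lifetime runs out.
rrsig_expiry_ok() {
    earliest=$(earliest_rrsig_expiry "$1")
    [ -n "$earliest" ] && [ "$earliest" -gt "$2" ]
}

# utc_in_days N: now plus N days, in the YYYYMMDDHHMMSS form RRSIGs use (GNU date).
utc_in_days() {
    date -u -d "+$1 days" +%Y%m%d%H%M%S
}

# key_base DIR: path of the key in DIR without its .key/.private suffix, the
# form ldns-signzone expects (e.g. /etc/nsd/KSK/Kssh.com.bd.+007+22704).
key_base() {
    dir=$1
    set -- "$dir"/K*.private
    [ -e "$1" ] || { echo "no K*.private file in $dir" >&2; return 1; }
    [ $# -eq 1 ] || echo "warning: $# private keys in $dir, using $1" >&2
    echo "${1%.private}"
}

resign_zone() {
    unsigned=$ZONES/$ZONE.zone
    signed=$SIGNED/$ZONE.zone.signed
    ksk=$(key_base "$KSK_DIR")
    zsk=$(key_base "$ZSK_DIR")
    tmp=$(mktemp "$SIGNED/.$ZONE.XXXXXX")
    trap 'rm -f "$tmp"' EXIT          # never leave a half-written zone behind

    # -n: NSEC3 (the algorithm name alone does not switch it on); -t 0: no
    # extra hash iterations (RFC 9276); -e: explicit 14-day signature lifetime,
    # so a weekly re-sign still leaves a full week of slack.
    ldns-signzone -n -t 0 -e "$(utc_in_days 14)" -f "$tmp" "$unsigned" "$ksk" "$zsk"

    # Refuse to publish if the serial did not move: the BIND secondary from
    # part 2 would keep serving the old, soon-expiring signatures.
    if [ -f "$signed" ] && [ "$(soa_serial "$tmp")" -le "$(soa_serial "$signed")" ]; then
        echo "SOA serial in $unsigned was not bumped; not installing" >&2
        return 1
    fi

    ldns-verify-zone "$tmp"        # every RRset signed and chained to a DNSKEY
    nsd-checkzone "$ZONE" "$tmp"   # NSD can parse what we are about to serve
    chmod 644 "$tmp"               # mktemp made it 0600; nsd runs unprivileged
    mv "$tmp" "$signed"            # atomic replace of the served file
    nsd-control reload "$ZONE"
}

case "${1:-}" in
    resign) resign_zone ;;
    check)  rrsig_expiry_ok "$SIGNED/$ZONE.zone.signed" "$(utc_in_days 7)" ;;
esac
```

Run it as resign-zone.sh resign after editing the unsigned zone and bumping its serial, and as resign-zone.sh check from a daily cron job: a non-zero exit from check means some signature expires within the next week and the zone needs re-signing before validating resolvers start failing it.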