Wednesday, December 18, 2013

zone signing knot-server DNSSEC

In this post we will look at  the creation of the zone signing keys and enabling zone signing per zone for a knot dns server.

You will need the dnssec-keygen tool for creating your keys and then apply the zone modifications in the conf file for  knot name-server daemon.

1st let 's look at  signing zone keys for my < zone>.

To create  our zone signing keys, the dnssec-keygen tool will assist with this requirement.

Okay what we did was to create  2 key-pairs for the zone and the  KeySigningKey ( AKA KSK ). Dnssec-keygen will label these as key and private and prepend the uppercase "K" to the name. I used a 2048but key for both key-pairs.

To learn more about KSK keys, look here;

Now moving on to the knot configuration file

You will need to craft  the correct entries for the zone and specify the key dir. I personally like to create the keydir to be ./key/<name-of-zone>

Next we transfer the keys to this key serving directory since my zone signing utility is on another host. These key-pairs should be kept secret and  secured for the private key

Now the fun begin, we will modify our knotd conf file for signing the zone

note: Just like with bind , we can enable  per zone-signing the knotc command will validate that dnssec is enable for the zone

Ken Felix
Freelance Network / Security Engineer
kfelix  ----a---t---socpuppets ---d---o---t---com

     ^      ^
=(   *   *  )=
       /     \

No comments:

Post a Comment