HOWTO: run your own authoritative name server and enable DNSSEC

Source: Internet
Author: User
Tags dnssec

Note: If you have any questions about the content described in this article, contact Jimmy Xu.

DNSSEC has only recently been rolled out: the root zone is now signed, and .org and a number of ccTLDs have fully deployed it. Unfortunately the DNS service offered by domain registrars rarely supports this security extension, so you have to run it yourself.

This article describes the operational steps and hardly touches the underlying theory; please search the web or read the relevant RFCs and documentation for that.

You need a server reachable over SSH (or an equivalent channel) on which you have root, and you need a domain name. The steps below were tested on Ubuntu 10.04.1 LTS; on other systems the package manager and configuration file paths will generally differ.

1. Configure the name server
First, install BIND from the package repository:

# apt-get install bind9

Change to the working directory /etc/bind/. Many of the default files there are not needed. First edit named.conf so that it contains only the following:

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";

Then, in named.conf.options, put

recursion no;

inside the options { ... }; block to turn off recursive queries. An authoritative server exposed to the Internet should not answer recursive queries for arbitrary clients; open recursors get abused for cache poisoning and amplification attacks. Next, delete the files we do not need:

# rm db.* named.conf.default-zones zones.rfc1918

Done.

Note: in what follows, replace the placeholders in angle brackets with your own domain name and addresses.

A domain with a single name server is not enough; we need some backups. If you are a Linode customer, Linode's name servers can act as slaves. There are also free secondary DNS services (they can be unreliable; not recommended). Register the domain with the service, choose the slave (secondary) type, enter your server's IP address as the master, and note the addresses from which the provider will pull zone transfers (AXFR): they go into allow-transfer below.

Linode DNS configuration example

Then switch back to the server. First edit named.conf.local and append the following to the end of the file:

zone "<domain>" {
    type master;
    file "/etc/bind/<domain>";
    allow-transfer { <slave IP 1>; <slave IP 2>; <slave IP 3>; <slave IP 4>; <slave IP 5>; };
    // These are the addresses allowed to do AXFR (zone transfers). If you use the
    // free slave service instead, replace this line with allow-transfer { <its IP>; };
};

Do not leave out allow-transfer: BIND 9 of this vintage allows zone transfers from any address by default, which hands a copy of your whole zone to anyone who asks for it. Now create the file /etc/bind/<domain> with the following content (adjust it to your own configuration):

; BIND data file for <domain>
$TTL 300
@       IN  SOA ns.<domain>. <mailbox>. (
            ; <mailbox> is your e-mail address with the @ replaced by a dot
            <serial>            ; serial number; add 1 each time this file is edited
            <refresh> <retry> <expire> <minimum> )
@  3600 IN  NS  ns
ns      IN  A   <server IPv4>      ; replace with your server's IP address
@  3600 IN  NS  <slave 1>.
@  3600 IN  NS  <slave 2>.
@  3600 IN  NS  <slave 3>.
@  3600 IN  NS  <slave 4>.
@  3600 IN  NS  <slave 5>.
; replace these with the slave servers registered above (note the trailing dots)
@       IN  A   <server IPv4>
@       IN  AAAA 2001:470:1f04:d93::2   ; delete this line if the server has no IPv6
www     IN  CNAME <target>.
mail    IN  CNAME <Google Apps mail host>.
; here and below we assume you use Google Apps for mail
@  3600 IN  MX  10 <Google Apps MX host 1>.
@  3600 IN  MX  20 <Google Apps MX host 2>.
@  3600 IN  MX  20 <Google Apps MX host 3>.
@  3600 IN  MX  30 <Google Apps MX host 4>.
@  3600 IN  MX  30 <Google Apps MX host 5>.
@  3600 IN  MX  30 <Google Apps MX host 6>.
@  3600 IN  MX  30 <Google Apps MX host 7>.
@  3600 IN  TXT "v=spf1 a include:<Google Apps SPF domain>"
After editing, run:

# named-checkzone <domain> /etc/bind/<domain>

to check for syntax errors. Then restart BIND (the bind9 package installs its init script as /etc/init.d/bind9):

# /etc/init.d/bind9 restart

If there were no problems, the server can now answer queries. Run:

# dig @localhost <domain>

to check that the correct address is returned. If anything is wrong, re-check the configuration.

The server side is done. Go to your registrar (GoDaddy, for example), open the domain's settings, click "Add" under "Host Summary", enter the host name ns together with the server's IP address, and confirm; this registers the glue record for ns.<domain>. After a short wait, replace the domain's name servers in the "Nameservers" section with ns.<domain> and the slave servers (keep this consistent with the NS records configured above). Confirm and wait for the change to take effect. You can check with:

$ whois <domain>

and look at the "Name Server" entries in the returned record.

Godaddy Configuration

2. Enable DNSSEC
At the time of writing, the .org top-level domain fully supports DNSSEC. The procedure for other TLDs that support it should be no different.

First, run:

# dnssec-keygen -r /dev/random -a RSASHA1 -b 1024 -n ZONE <domain>

to generate the ZSK (zone signing key). If the command sits for a long time it is waiting for entropy from /dev/random; on a headless server you can use -r /dev/urandom instead, which is fine once the kernel pool has been seeded after boot. Note the file name it prints (of the form K<domain>.+005+23640.key, where 005 is the algorithm number and 23640 the key tag). Then run:

# dnssec-keygen -r /dev/random -f KSK -a RSASHA1 -b 2048 -n ZONE <domain>

to generate the KSK (key signing key), again noting the file name (for example K<domain>.+005+55006.key).

A note on the parameters: RSASHA1 (algorithm 5) and 1024-bit RSA keys were the usual choice when this was written, but RFC 8624 now rates RSASHA1 as NOT RECOMMENDED for signing. If your BIND version offers it, use -a RSASHA256 and a 2048-bit ZSK; the rest of the procedure is unchanged apart from the algorithm number in the file names and DS records.

Edit the zone file /etc/bind/<domain> and add the following two lines at the end:

$INCLUDE "K<domain>.+005+23640.key"
$INCLUDE "K<domain>.+005+55006.key"
; change these to the actual file names from above

This publishes the two DNSKEY records in the zone. Add 1 to the serial number. Then run (you may want to keep this command in the comment at the top of the zone file for next time):

# dnssec-signzone -r /dev/random -e +31104000 <domain> K<domain>.+005+55006.key K<domain>.+005+23640.key

Run it in /etc/bind and replace the file names with the correct ones as above. This signs the whole zone and writes the result to <domain>.signed; -e +31104000 makes the signatures valid for 360 days from now instead of the default 30 (see the notes below on what has to happen before they expire). Now edit named.conf.local and replace the file line with:

file "/etc/bind/<domain>.signed";

Run:

# named-checkzone <domain> /etc/bind/<domain>.signed

to check the signed file for syntax errors (dnssec-signzone's own output tells you whether signing succeeded). Then reload BIND:

# /etc/init.d/bind9 reload

The server side is now configured. Run:

# dig +dnssec @localhost <domain>

The answer should now carry RRSIG records next to the A record.

The working directory now contains a file named dsset-<domain>. with the DS records for the KSK; these are what we hand to the registrar. Taking GoDaddy as the example again, open the domain's settings, choose "Manage DNSSEC", "Add new DS record", "Switch to advanced mode", and enter the records in the following format: 31104000 DS; 55006 5 1 2257B8982183546E34D17212BC221A72ADAD8201; and a second entry of the same form with digest type 2 (the SHA-256 digest from the dsset file). The fields are the key tag (55006), the algorithm (5 = RSASHA1), the digest type (1 = SHA-1, 2 = SHA-256) and the digest; the key tag must match the one in the KSK's file name. Before submitting, make sure the slaves have already transferred the signed zone (dig +dnssec @<slave> <domain> should show RRSIGs too): once the DS is published in .org, any name server still serving the unsigned zone will make validating resolvers answer SERVFAIL for your domain.
Check and confirm, then wait for it to take effect. Run:

$ whois <domain>

and check whether a "DNSSEC: signed" line appears in the returned record, or test the chain with an online DNSSEC validator.
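To check the DS records before pasting them at the registrar, here is an added example (not code from the original article): it computes the key tag and the SHA-1 and SHA-256 DS digests from a DNSKEY line as found in a K*.key file, which should reproduce the lines in dsset-<domain>. and lets you confirm that the key tag in the registrar form belongs to the KSK. The DNSKEY in it is a constructed dummy with a six-byte "public key"; the function names and SAMPLE_KEYFILE are the example's own.

```python
# Added example (not from the original article): derive the key tag and DS
# records from a DNSKEY so that the DS you enter at the registrar can be checked
# against the KSK in its K<zone>.+<alg>+<tag>.key file (and against dsset-<zone>.).
# Key tag per RFC 4034 Appendix B; DS digest per RFC 4034 section 5.1.4 (SHA-1)
# and RFC 4509 (SHA-256). The sample DNSKEY below is constructed: its "public
# key" is six dummy bytes, so it can only be used to exercise the arithmetic.
import base64
import hashlib

# DS digest types. Type 1 (SHA-1) is still emitted by older signers but is
# deprecated; publish type 2 (SHA-256) at the registrar.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root."""
    name = name.rstrip(".").lower()
    wire = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 0 < len(raw) < 64:
                raise ValueError(f"bad label {label!r}")
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def parse_dnskey(line: str):
    """Parse one DNSKEY line as written by dnssec-keygen into its fields.
    Accepts an optional TTL and class before the type; the base64 key may be
    split across several whitespace-separated chunks."""
    parts = line.split()
    i = parts.index("DNSKEY")
    owner = parts[0]
    flags, proto, alg = (int(x) for x in parts[i + 1:i + 4])
    pubkey = base64.b64decode("".join(parts[i + 4:]))
    return owner, flags, proto, alg, pubkey


def dnskey_rdata(flags: int, proto: int, alg: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key bytes."""
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (the obsolete RSAMD5 special case is omitted)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_records(dnskey_line: str, digest_types=(2,), require_ksk=True):
    """Return the DS record(s) for a DNSKEY as zone-file lines.
    By default refuses a key without the SEP bit (flags 256 = ZSK): the DS at
    the parent must point at the KSK (flags 257), or validation breaks."""
    owner, flags, proto, alg, pubkey = parse_dnskey(dnskey_line)
    if require_ksk and not flags & 0x0001:
        raise ValueError(f"DNSKEY flags {flags}: not a KSK (SEP bit clear)")
    rdata = dnskey_rdata(flags, proto, alg, pubkey)
    tag = key_tag(rdata)
    wire = name_to_wire(owner) + rdata
    return [
        f"{owner} IN DS {tag} {alg} {dt} {DIGEST_ALGS[dt](wire).hexdigest().upper()}"
        for dt in digest_types
    ]


def ds_from_keyfile(text: str, digest_types=(2,)):
    """Take the contents of a K*.key file (comment lines start with ';')."""
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith(";"):
            return ds_records(line, digest_types)
    raise ValueError("no DNSKEY line found")


# Constructed sample in the layout dnssec-keygen uses for K*.key files.
SAMPLE_KEYFILE = """; This is a key-signing key, keyid 3349, for example.org.
example.org. IN DNSKEY 257 3 8 AQIDBAUG
"""

if __name__ == "__main__":
    for rec in ds_from_keyfile(SAMPLE_KEYFILE, (1, 2)):
        print(rec)
```

Feed it the real K<domain>.+005+55006.key and compare the output with dsset-<domain>.; if the key tag differs, you are about to publish a DS for the wrong key.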

Godaddy DNSSEC Configuration

At this point the configuration is complete.
3. Notes
The zone file fields correspond to what web-based DNS managers show; the details of the format are easy to find by searching.
Each time you change the zone file, you must add 1 to the serial number, otherwise the slaves will not pick up the new data until their copy expires. You must then also re-run the dnssec-signzone command to re-sign the zone and reload BIND; editing the unsigned file alone changes nothing that is served.
Repeat the signing step in section 2 at least every 360 days, before the signatures expire, or change the 31104000 values to a larger number. Expired signatures are worse than no signatures: once they lapse, validating resolvers will refuse to resolve the domain at all (SERVFAIL).
Backup, backup, backup ......
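The bump-serial, re-sign, reload cycle from the notes above, as an added example script (not code from the original article). bump_serial and earliest_rrsig_expiry work on the zone text offline; resign_zone wires them to the article's commands and assumes the article's layout (/etc/bind, zone file named after the domain, /etc/init.d/bind9 reload) and the presence of the BIND tools. The sample zone and RRSIG lines are constructed.

```python
# Added example (not from the original article): the maintenance loop the notes
# describe, as a script: bump the SOA serial in the unsigned zone file, re-run
# dnssec-signzone, check the result and reload BIND, plus a check of when the
# signatures in the signed file expire. Paths, file names and the reload command
# are assumptions matching the article (/etc/bind, zone file named after the
# domain, /etc/init.d/bind9); the sample zone and RRSIG lines are constructed.
import re
import subprocess
from datetime import datetime, timezone
from pathlib import Path

TOKEN = re.compile(r"\(|\)|[^\s()]+")


def _tokens(text: str):
    """Yield (token, line_no, start, end) for a zone file, skipping ';' comments,
    so records wrapped in ( ... ) across lines are seen as one token stream."""
    for ln, line in enumerate(text.splitlines(keepends=True)):
        code = line.split(";", 1)[0]
        for m in TOKEN.finditer(code):
            yield m.group(0), ln, m.start(), m.end()


def find_serial(text: str):
    """Locate the SOA serial: the third field after the SOA type (MNAME, RNAME, SERIAL)."""
    toks = list(_tokens(text))
    for i, (tok, _, _, _) in enumerate(toks):
        if tok.upper() == "SOA":
            fields = [t for t in toks[i + 1:] if t[0] not in ("(", ")")]
            if len(fields) < 3:
                raise ValueError("truncated SOA record")
            return fields[2]
    raise ValueError("no SOA record in zone file")


def bump_serial(text: str, new_serial=None):
    """Return (new_text, old_serial, new_serial). Default is old + 1; an explicit
    value must be larger (RFC 1982 serial arithmetic, step below 2**31)."""
    tok, ln, start, end = find_serial(text)
    old = int(tok)
    new = old + 1 if new_serial is None else new_serial
    if not 0 < new - old < 2**31:
        raise ValueError(f"serial {new} does not increase {old}")
    lines = text.splitlines(keepends=True)
    lines[ln] = lines[ln][:start] + str(new) + lines[ln][end:]
    return "".join(lines), old, new


def earliest_rrsig_expiry(signed_text: str):
    """Earliest signature expiration in a signed zone as an aware UTC datetime
    (None if there are no RRSIGs). dnssec-signzone writes YYYYMMDDHHMMSS."""
    toks = [t[0] for t in _tokens(signed_text) if t[0] not in ("(", ")")]
    earliest = None
    for i, tok in enumerate(toks):
        if tok == "RRSIG" and i + 5 < len(toks):
            exp = toks[i + 5]  # type alg labels origttl EXPIRATION inception ...
            when = (datetime.strptime(exp, "%Y%m%d%H%M%S") if len(exp) == 14
                    else datetime.fromtimestamp(int(exp), timezone.utc))
            when = when.replace(tzinfo=timezone.utc)
            if earliest is None or when < earliest:
                earliest = when
    return earliest


def resign_zone(domain, key_files, workdir="/etc/bind", validity="+31104000",
                random_dev="/dev/random", reload_cmd=("/etc/init.d/bind9", "reload")):
    """The article's re-sign procedure end to end (needs the BIND tools; not run here)."""
    path = Path(workdir) / domain
    text, old, new = bump_serial(path.read_text())
    path.write_text(text)
    subprocess.run(["dnssec-signzone", "-r", random_dev, "-e", validity, domain, *key_files],
                   cwd=workdir, check=True)
    subprocess.run(["named-checkzone", domain, f"{domain}.signed"], cwd=workdir, check=True)
    subprocess.run(list(reload_cmd), check=True)
    return old, new


# Constructed samples: an unsigned zone and a fragment of a signed one.
SAMPLE_ZONE = """; BIND data file for example.org (constructed sample)
$TTL 300
@   IN  SOA ns.example.org. hostmaster.example.org. (
        2010102301  ; serial
        3600 900 1209600 300 )
@   3600 IN NS ns
ns  IN  A   192.0.2.1
"""

SAMPLE_SIGNED = """example.org. 300 IN A 192.0.2.1
example.org. 300 IN RRSIG A 5 2 300 20111018120000 (
        20101023120000 23640 example.org. c29tZXNpZw== )
ns.example.org. 300 IN RRSIG A 5 3 300 20110901120000 20101023120000 23640 example.org. c29tZXNpZw==
"""

if __name__ == "__main__":
    _, old, new = bump_serial(SAMPLE_ZONE)
    print(f"serial {old} -> {new}; earliest RRSIG expiry {earliest_rrsig_expiry(SAMPLE_SIGNED)}")
```

Run earliest_rrsig_expiry over /etc/bind/<domain>.signed from cron and alert when the result is less than, say, 30 days away; that is cheaper than learning about the expiry from a SERVFAIL.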
4. Other
If you find any errors in the text, please let me know. Note: I accept no liability for general, special, incidental or consequential damages resulting from following this document (including but not limited to loss of data, data being rendered inaccurate, or losses sustained by you or third parties).

This document is licensed under the Creative Commons Attribution-ShareAlike 3.0 Unported license.
