Configurar DNSSEC en BIND DNS Server en CentOS 7

Posted on | By cesar.vazquez | No comments
¿En qué podemos ayudarte?
< Regresar
Estás aquí:
Imprimir
Created Onnoviembre 28, 2019
Last Updated Onnoviembre 28, 2019
bycesar.vazquez
  1. yum install -y epel-release
  2. yum makecache fast
  3. yum install -y haveged (en openvs no jala, generar las llaves en otra maquina o esperar a que se generen en openvs pero tarda mucho)
  4. systemctl enable –now haveged.service

Configure DNSSEC on Master DNS Server

  1. nano /etc/named.conf (agregar o validar que exista en la seccion de option)
    • dnssec-enable yes;
    • dnssec-validation yes;
    • dnssec-lookaside auto;
  2. cd /var/named
  3. dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE example.com (se genera llave usa el haveged,tarda si no esta corriendo)
  4. dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE example.com
  5. echo “\$include Kexample.com.+007+28013.key” >> /var/named/example.com (archivo de la zona)
  6. echo “\$include Kexample.com.+007+65445.key” >> /var/named/example.com (archivo de la zona)
  7. dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o example.com -t example.com (-o=dominio -t=archivo de zona)
  8. /etc/named.conf.local
  9. zone “example.com” {
    • type master;
    • file “/var/named/example.com.signed”;
    • allow-transfer {192.168.116.5;fd15:4ba5:5a2b:1008::2; };
    • also-notify {192.168.116.5;fd15:4ba5:5a2b:1008::2; };
    • # DNSSEC keys Location key-directory “/var/named/*.keys”;
    • # Publish and Activate DNSSEC keys auto-dnssec maintain;
    • # Use Inline Signing inline-signing yes; };
  10. systemctl reload named.service
  11. dig DNSKEY example.com. +multiline (checa la configuracion)

Configure DNSSEC on Slave DNS Server

  1. nano /etc/named.conf (agregar en option)
    • dnssec-enable yes;
    • dnssec-validation yes;
    • dnssec-lookaside auto;
  2. nano /etc/named.conf.local
  3. zone “example.com” {
    • type slave;
    • masters { 192.168.116.4; };
    • file “/var/named/example.com.signed”;
    • # DNSSEC keys Location
    • key-directory “/var/named/*.keys”;
    • # Publish and Activate DNSSEC keys
    • auto-dnssec maintain;
    • # Use Inline Signing
    • inline-signing yes; };
  4. systemctl reload named.service
  5. ls /var/named (valida que se hayan transferido la zona)

¿Que es?

The original purpose of DNSSEC was to protect Internet clients from counterfeit DNS data by verifying digital signatures embedded in the data.
When a visitor enters the domain name in a browser, the resolver verifies the digital signature.
If the digital signatures in the data match those that are stored in the master DNS servers, then the data is allowed to access the client computer making the request.
The DNSSEC digital signature ensures that you’re communicating with the site or Internet location you intended to visit.
DNSSEC uses a system of public keys and digital signatures to verify data. It simply adds new records to DNS alongside existing records. These new record types, such as RRSIG and DNSKEY, can be retrieved in the same way as common records such as A, CNAME and MX.
These new records are used to digitally “sign” a domain, using a method known as public key cryptography.
A signed nameserver has a public and private key for each zone. When someone makes a request, it sends information signed with its private key; the recipient then unlocks it with the public key. If a third party tries to send untrustworthy information, it won’t unlock properly with the public key, so the recipient will know the information is bogus.

Etiquetas:
Table of Contents
Category: Configuración e Instalación

Deja un comentario