When using these steps to secure the root zone, assume that other
name servers on the internet are not using BIND 9, and you want to secure
your zone data and allow other servers to verify your zone data.
You want to state that your zone (in our case aus.century.com)
is a secure root, and will validate any secure zone data below it.
- Generate the keys using the dnssec-keygen command:
dnssec-keygen -a RSA -b 512 -r /usr/sbin/named -n ZONE aus.century.com.
Note: RSA encryption can be used as the algorithm to generate the key if OpenSSL is installed, although you must first relink the DNS library to a secured DNS library by running the following command:
ln -fs /usr/lib/libdns_secure.a /usr/lib/libdns.a
- ZONE: the DNSSEC keyword used to generate zone keys for private/public key encryption.
- The -r flag specifies a random device.
- Add a public key entry similar to the following to the named.conf file.
The entry used in our case follows. Below are the contents of the key file Kaus.century.com.+001+03254.key:
abc.aus.century.com. IN KEY 256 3 1 AQOnfGEAg0xpzSdNRe7KePq3Dl4NqQiq7HkwKl6TygUfaw6vz6ldmauB4UQFcGKOyL68/Zv5ZnEvyB1fMTAaDLYz
The public key is contained in the file Kzonename.+algor.+fingerprint.key, or in our case Kaus.century.com.+001+03254.key. You have to remove the class IN and the type KEY, and quote the key. Once you add this entry to the /etc/named.conf file and refresh the name server, the zone aus.century.com is a secure root.
trusted-keys {
    aus.century.com. 256 3 1 "AQOnfGEAg0xpzSdNRe7KePq3Dl4NqQiq7HkwKl6TygUfaw6vz6ldmauB4UQFcGKOyL68/Zv5ZnEvyB1fMTAaDLYz";
};
options {
    directory "/usr/local/domain";
};
zone "abc.aus.century.com" in {
    type master;
    file "named.abc.data.signed";
    allow-update { 192.9.201.1; };
};
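The conversion described above (strip the class and type from the K*.key record, quote the key data) is easy to get wrong by hand when the base64 wraps over several lines. The following is an added example, not part of this documentation or of BIND: a small Python helper that parses a dnssec-keygen key file and emits the matching trusted-keys statement. The key file contents are constructed from the key shown on this page, with the owner name set to aus.century.com. to match the trusted-keys entry above.

```python
import re

# Constructed sample: the contents of a K<zone>.+<alg>+<id>.key file as
# written by dnssec-keygen, with the key data wrapped the way this page shows it.
SAMPLE_KEY_FILE = """\
; This is a zone key, keyid 3254, for aus.century.com.
aus.century.com. IN KEY 256 3 1 AQOnfGEAg0xpzSdNRe7KePq3Dl4NqQiq7HkwKl6TygUfaw6vz6ldmauB4UQFcGKOyL68/
Zv5ZnEvyB1fMTAaDLYz
"""


def parse_key_record(text):
    """Return (owner, flags, protocol, algorithm, key_b64) from a KEY/DNSKEY
    record whose base64 key data may continue on following lines."""
    tokens = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop ';' comments such as the keyid banner
        if line:
            tokens.extend(line.split())
    if len(tokens) < 7 or tokens[1] != "IN" or tokens[2] not in ("KEY", "DNSKEY"):
        raise ValueError("not an IN KEY/DNSKEY record")
    owner = tokens[0]
    flags, protocol, algorithm = (int(t) for t in tokens[3:6])
    key_b64 = "".join(tokens[6:])  # rejoin the wrapped base64 into one string
    if not re.fullmatch(r"[A-Za-z0-9+/]+=*", key_b64):
        raise ValueError("key data is not base64")
    if flags & 0x100 == 0:  # the zone-key flag (value 256) must be set
        raise ValueError("flags %d do not mark a zone key" % flags)
    return owner, flags, protocol, algorithm, key_b64


def trusted_keys_entry(text):
    """Rewrite the record as a named.conf trusted-keys statement:
    class and type removed, owner/flags/protocol/algorithm kept, key quoted."""
    owner, flags, protocol, algorithm, key_b64 = parse_key_record(text)
    return 'trusted-keys {\n    %s %d %d %d "%s";\n};\n' % (
        owner, flags, protocol, algorithm, key_b64)


if __name__ == "__main__":
    print(trusted_keys_entry(SAMPLE_KEY_FILE), end="")
```

Diffing the helper's output against a hand-edited trusted-keys stanza catches dropped characters in the key data, which named would otherwise accept silently and then fail to validate with.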