HOW TO CONFIGURE AUTO-SIGNED DYNAMIC ZONES WITH BIND9

By: Eugene Crosser
Master: http://www.average.org/dnssec/

This document describes how to configure bind9 to automatically sign zones as they are being modified by a dynamic update mechanism. It is assumed that you already know how to configure manually signed zones [1] and know how to configure zones for dynamic updates [2].

For the purpose of this discussion, we presume that you control the parent zone 'example.com', which is not set up for dynamic updates and is manually signed. The child zone 'dyn.example.com' is set up for dynamic updates. Your 'named' is not run in a chroot environment, and executes under effective uid 'bind' and gid 'bind'. Configuration files and manually signed zones are kept in '/etc/bind', which is readable but not writeable by uid 'bind', and dynamically updatable zones are kept in '/var/cache/bind', which is readable and writeable by uid 'bind'.

Following are the steps to make zone 'dyn.example.com' automatically signed:

0. Make sure that you are using bind version 9.6 or later.

1. Create a directory to contain zone keys that are "visible" to named and therefore available to the auto-signing mechanism:

   # mkdir /etc/bind/keys
   # chgrp bind /etc/bind/keys
   # chmod 0750 /etc/bind/keys

   Note: It is possible to keep auto-signing keys in the /etc/bind directory. However, we suggest placing the keys for auto-signing in a separate directory to ensure that named will not accidentally try to sign a wrong zone.

2. Create key-signing and zone-signing keys for the zone 'dyn.example.com' and make the private keys readable by the 'bind' uid:

   # cd /etc/bind/keys
   # dnssec-keygen -f KSK -a RSASHA256 -b 2048 \
   > -n ZONE dyn.example.com
   # dnssec-keygen -a RSASHA256 -b 2048 \
   > -n ZONE dyn.example.com
   # chgrp bind *.private
   # chmod 0640 *.private

3. Include the DNSKEY records into the 'dyn.example.com' zone and manually sign it. The file must be made writeable by the 'bind' uid:

   # cd /var/cache/bind
   # rndc freeze dyn.example.com

   Edit the file 'dyn.example.com' and add two lines of the form

   '$include /etc/bind/keys/Kdyn.example.com.[...].key'

   for the ZSK and the KSK that were just created (substitute the actual names of the two key files).

   # dnssec-signzone -g -d /etc/bind/keys -t \
   > -o dyn.example.com dyn.example.com \
   > /etc/bind/keys/Kdyn.example.com.[...].private \
   > /etc/bind/keys/Kdyn.example.com.[...].private

   (substitute the actual names of the two key files)

   This step will create the file 'dyn.example.com.signed' and, in addition to that, the file '/etc/bind/keys/dsset-dyn.example.com.'.

   # chown bind:bind dyn.example.com.signed

4. Include the DS records into the parent zone:

   # cd /etc/bind

   Edit the file 'example.com' and add this line:

   '$include keys/dsset-dyn.example.com.'

   (Don't forget to also update the zone's serial.)

   Manually sign the 'example.com' zone as you usually do.

5. Update bind's configuration:

   In the definition of the 'dyn.example.com' zone, change the line

   'file "/var/cache/bind/dyn.example.com";'

   to

   'file "/var/cache/bind/dyn.example.com.signed";'

   In the 'options' section, add these lines:

   'sig-validity-interval 2400;'
   'key-directory "/etc/bind/keys";'

   (Substitute whatever period you deem appropriate for '2400'. 2400 is 40 minutes.)

6. Make named re-read the configuration and thaw the dynamic zone:

   # rndc reload
   # rndc thaw dyn.example.com

7. Check that things work as expected.

References:

[1] http://www.nlnetlabs.nl/publications/dnssec_howto/index.html
    DNSSEC HOWTO, a tutorial in disguise, by Olaf Kolkman
[2] http://answers.oreilly.com/topic/192-how-to-allow-dynamic-updates-with-bind/
    How to allow dynamic updates with BIND, O'Reilly Answers
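The following script is an added worked example for steps 2, 3 and 5 above; it is not part of Eugene Crosser's howto. Step 3 asks you to substitute the real 'Kdyn.example.com.[...]' file names by hand, which is where a wrong or missing private key usually slips in. The script reads the public key files that dnssec-keygen left in the key directory, tells the KSK from the ZSK by the DNSKEY flags field (257 for a KSK, 256 for a ZSK, the standard values that dnssec-keygen writes), and prints the exact '$include' lines, the dnssec-signzone command and the named.conf lines. It runs no dnssec-* tool and never touches named; the demo at the end works on constructed sample key files in a temporary directory, and the zone name, key ids and key material in it are made up.

```shell
#!/bin/sh
# Added example, not part of the original howto. It fills in the "[...]" key
# names of step 3 and the configuration lines of step 5 from the files found
# in the key directory instead of relying on hand-typed names. The demo at the
# bottom uses constructed sample key files; nothing here runs dnssec-* or rndc.

# Map the DNSKEY flags field to the key's role (257 = KSK, 256 = ZSK).
key_kind() {
    case "$1" in
        257) echo KSK ;;
        256) echo ZSK ;;
        *)   echo UNKNOWN ;;
    esac
}

# Print "<role> <public key file>" for every K<zone>.+NNN+NNNNN.key in $1.
# dnssec-keygen writes ';' comment lines plus one record line of the form
# "<name> [TTL] IN DNSKEY <flags> 3 <alg> <base64>"; the flags field is the
# word right after DNSKEY, so a TTL column does not matter.
list_keys() {
    dir=$1; zone=$2
    for f in "$dir"/K"$zone".+*.key; do
        [ -f "$f" ] || continue
        flags=$(awk '!/^;/ { for (i = 1; i <= NF; i++) if ($i == "DNSKEY") { print $(i + 1); exit } }' "$f")
        echo "$(key_kind "$flags") $f"
    done
}

# Step 3: the '$include' lines to add to the unsigned zone file.
include_lines() {
    list_keys "$1" "$2" | while read -r role file; do
        echo "\$include $file"
    done
}

# Step 3: the dnssec-signzone command with the real private key file names.
# Every .key must have its .private beside it, readable by the 'bind' gid;
# a missing or unreadable one is reported on stderr.
signzone_cmd() {
    dir=$1; zone=$2
    cmd="dnssec-signzone -g -d $dir -t -o $zone $zone"
    for file in $(list_keys "$dir" "$zone" | awk '{ print $2 }'); do
        priv="${file%.key}.private"
        [ -r "$priv" ] || echo "warning: missing or unreadable $priv" >&2
        cmd="$cmd $priv"
    done
    echo "$cmd"
}

# Step 5: the named.conf lines the howto asks for; 2400 is the howto's value.
named_conf_lines() {
    dir=$1; zone=$2; interval=${3:-2400}
    echo "file \"/var/cache/bind/$zone.signed\";"
    echo "sig-validity-interval $interval;"
    echo "key-directory \"$dir\";"
}

# Demo on constructed sample files (zone, key ids and key data are made up).
demo() {
    zone=dyn.example.com
    dir=$(mktemp -d)
    printf '; This is a key-signing key, keyid 11111, for %s.\n%s. IN DNSKEY 257 3 8 AwEAAconstructedKSK\n' \
        "$zone" "$zone" > "$dir/K$zone.+008+11111.key"
    printf '; This is a zone-signing key, keyid 22222, for %s.\n%s. IN DNSKEY 256 3 8 AwEAAconstructedZSK\n' \
        "$zone" "$zone" > "$dir/K$zone.+008+22222.key"
    : > "$dir/K$zone.+008+11111.private"
    : > "$dir/K$zone.+008+22222.private"
    list_keys "$dir" "$zone"
    include_lines "$dir" "$zone"
    signzone_cmd "$dir" "$zone"
    named_conf_lines "$dir" "$zone"
    rm -rf "$dir"
}

demo
```

Run it as 'sh autosign-helper.sh' (any file name will do) to see the demo output, or source it and call 'include_lines /etc/bind/keys dyn.example.com' and 'signzone_cmd /etc/bind/keys dyn.example.com' against the real key directory from step 2. One caveat on the 'named_conf_lines' output: BIND's reference manual documents 'sig-validity-interval' in days, not seconds, so check the unit for the release you run before adopting 2400 as a 40-minute period. For step 7, 'dig +dnssec dyn.example.com SOA @localhost' after a dynamic update should return an RRSIG whose inception time is newer than the update.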