- The root zone is now signed! It's time to install the trust anchor on your recursive name servers. Getting it is more fiddly than it should be, since BIND does not recognize the format of the trust anchor as it is published by IANA.
- Get the root DNSKEY RR set which is roughly what BIND requires for trust anchors.
$ dig +multi +noall +answer DNSKEY . >root-dnskey
The resulting file contains two keys, a short-lived zone-signing key (flags = 256) and the key-signing key (flags = 257) which is the one we care about.
.                       86400 IN DNSKEY 256 3 8 (
                                AwEAAb1gcDhBlH/9MlgUxS0ik2dwY/JiBIpV+EhKZV7L
                                ccxNc6Qlj467QjHQ3Fgm2i2LE9w6LqPFDSng5qVq1OYF
                                yTBt3DQppqDnAPriTwW5qIQNDNFv34yo63sAdBeU4G9t
                                v7dzT5sPyAgmVh5HDCe+6XM2+Iel1+kUKCel8Icy19hR
                                ) ; key id = 41248
.                       86400 IN DNSKEY 257 3 8 (
                                AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
                                bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh
                                /RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA
                                JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp
                                oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3
                                LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO
                                Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc
                                LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
                                ) ; key id = 19036
- Turn the DNSKEY into a DS RR set. The dnssec-dsfromkey program ignores the ZSK and only emits DS RRs for the KSK.
$ dnssec-dsfromkey -f root-dnskey . >root-ds
It emits two RRs, one using SHA-1 and one using SHA-256.
.       IN DS 19036 8 1 B256BD09DC8DD59F0E0F0D8541B8328DD986DF6E
.       IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
- Fetch https://data.iana.org/root-anchors/root-anchors.xml which contains a copy of the SHA-256 DS record in XML format.
<?xml version="1.0" encoding="UTF-8"?>
<TrustAnchor id="AD42165F-3B1A-4778-8F42-D34A1D41FD93" source="http://data.iana.org/root-anchors/root-anchors.xml">
  <Zone>.</Zone>
  <KeyDigest id="Kjqmt7v" validFrom="2010-07-15T00:00:00+00:00">
    <KeyTag>19036</KeyTag>
    <Algorithm>8</Algorithm>
    <DigestType>2</DigestType>
    <Digest>49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5</Digest>
  </KeyDigest>
</TrustAnchor>
- You can also fetch https://data.iana.org/root-anchors/root-anchors.asc and use it to verify the XML trust anchor using PGP.
- Verify that the XML trust anchor matches the DS record you generated from the DNSKEY record.
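As an added check (example code, not part of the original post or of any IANA tool), this Python script recomputes the key tag and the DS digest from the root KSK DNSKEY above and compares them with the KeyDigest in the IANA XML, which is embedded from the page so the check runs offline. It implements the RFC 4034 key-tag and DS digest calculations directly, so it also verifies the SHA-1 DS that dnssec-dsfromkey emits.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Root KSK (flags 257, protocol 3, algorithm 8) as printed by dig above.
ROOT_KSK_B64 = (
    "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ"
    "bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh"
    "/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA"
    "JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp"
    "oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3"
    "LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO"
    "Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc"
    "LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0="
)

# The IANA root-anchors.xml quoted above, embedded so the check runs offline.
ROOT_ANCHORS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<TrustAnchor id="AD42165F-3B1A-4778-8F42-D34A1D41FD93" source="http://data.iana.org/root-anchors/root-anchors.xml">
<Zone>.</Zone><KeyDigest id="Kjqmt7v" validFrom="2010-07-15T00:00:00+00:00">
<KeyTag>19036</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType>
<Digest>49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5</Digest>
</KeyDigest></TrustAnchor>"""

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """Wire-format DNSKEY RDATA: 2-byte flags, protocol, algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(key_b64)

def key_tag(rdata):
    """RFC 4034 Appendix B key tag; this is the 'key id' that dig prints."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner_wire, rdata, digest_type):
    """DS digest (RFC 4034 s5.1.4): hash(owner name in wire form | DNSKEY RDATA), hex upper."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return algo(owner_wire + rdata).hexdigest().upper()

def check_root_anchor(xml_text, key_b64):
    """True iff IANA's KeyDigest matches the key tag and DS computed from the DNSKEY."""
    kd = ET.fromstring(xml_text.encode()).find("KeyDigest")
    rdata = dnskey_rdata(257, 3, int(kd.findtext("Algorithm")), key_b64)
    # The root's owner name "." is a single zero length byte in wire form.
    computed = ds_digest(b"\x00", rdata, int(kd.findtext("DigestType")))
    return key_tag(rdata) == int(kd.findtext("KeyTag")) and computed == kd.findtext("Digest").upper()
```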
- Reformat the DNSKEY record into a BIND managed-keys clause. This tells BIND to automatically update the trust anchor according to RFC 5011.
managed-keys {
        "." initial-key 257 3 8 "
                AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
                bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh
                /RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA
                JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp
                oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3
                LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO
                Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc
                LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
        ";
};
- Add the managed-keys clause to your named.conf.
- In the options section of named.conf you should have the directive
dnssec-lookaside auto;
This enables DNSSEC lookaside validation, which is necessary to bridge gaps (such as ac.uk) in the chain of trust between the root and lower-level signed zones (such as cam.ac.uk). BIND comes with a DLV trust anchor built in, which it will also update according to RFC 5011.
- $ rndc reconfig
- Check that DNSSEC validation is working. Verify that the "ad" (authenticated data) flag is present in the output of these commands:
$ dig +dnssec www.nic.cat.
$ dig +dnssec www.cam.ac.uk.
The first of these is validated using a chain of trust from the root - DNSSEC as it is ideally intended to work. The second relies on the DLV stop-gap.
Edited to add: IANA have a tool written in Python called anchors2keys which does most of this automatically (er, for the ITAR not the root anchor). Jakob Schlyter has a Perl program called ta-tool which does a similar job. So does Bjørn Mork, who called his rootanchor2keys.pl. Stephane Bortzmeyer has a Makefile and XSLT script which also does the job.