Last active February 1, 2016 22:08

DNSSEC for ENUM zone

This is a basic installation/configuration "how-to" to provide DNSSEC using OpenDNSSEC and BIND. ENUM is involved since it uses NAPTR records.

Install dependencies/packages

apt-get update && apt-get upgrade
apt-get install softhsm opendnssec opendnssec-enforcer opendnssec-enforcer-sqlite3

Copy your zone file to the OpenDNSSEC unsigned zones directory

cp /path/to/your/zone/file /var/lib/opendnssec/unsigned/

Initialize a token

softhsm --init-token --slot 0 --label "OpenDNSSEC"

This will prompt you for a PIN code, which you must remember: it goes into conf.xml in the next step.

Edit your conf file

:~# vim /etc/opendnssec/conf.xml

<?xml version="1.0" encoding="UTF-8"?>
<!-- only the SoftHSM repository entry needs changing; leave the rest of the file as shipped -->
    <Repository name="SoftHSM">
      <!-- TokenLabel must match the --label given to softhsm --init-token above -->
      <TokenLabel>OpenDNSSEC</TokenLabel>
      <PIN>YOUR PIN CODE GOES HERE</PIN>
    </Repository>
Edit your zonelist file like this

:~# vim /etc/opendnssec/zonelist.xml

<?xml version="1.0" encoding="UTF-8"?>
<ZoneList>
  <Zone name="">
    <!-- Policy, SignerConfiguration and Adapters (unsigned/signed file paths) for the zone -->
  </Zone>
</ZoneList>
Update your zonelist

ods-ksmutil update zonelist

Add your zone to the zonelist

ods-ksmutil zone add --zone

Sign your zone

ods-signer sign

List your key states

ods-ksmutil key list -v

You should see something like this

Zone:    Keytype:  State:    Date of next transition:  CKA_ID:  Repository:  Keytag:
         ZSK       active    2010-10-15 06:59:28       ...      OpenDNSSEC   XXXX
         KSK       ready     waiting for ds-seen       ...      OpenDNSSEC   KEYTAG

Once you can see the DS RR for the KSK in your parent zone, notify the Enforcer

ods-ksmutil key ds-seen --zone --keytag KEYTAG

You should see this

Found key with Keytag KEYTAG
Key KEYTAG made active

If you list your keys again, the KSK is now active:

:~# ods-ksmutil key list -v

Zone:    Keytype:  State:    Date of next transition:
         ZSK       active    2010-10-15 07:20:53
         KSK       active    2010-10-15 07:31:03

Ensure that your zone has been signed

ls -lta /var/lib/opendnssec/signed/

You should see your zone file, now containing a lot of RRSIG and DNSKEY records.

Point to your new signed zone

:~# vim /etc/bind/named.conf.enum

  zone "" {
    type master;
    file "/var/lib/opendnssec/signed/";
  };
Now you can query your zone with dig

dig @ -t NAPTR +dnssec
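As an added example, not part of the original gist: a small shell script with two checks for the steps above, building the ENUM owner name that the dig query should ask for and scanning a signed zone for NAPTR RRsets that lack an RRSIG. It assumes the one-record-per-line "owner TTL IN TYPE rdata" layout that ods-signer writes, and runs on a constructed sample zone with placeholder key and signature data.

```shell
#!/bin/sh
# Added sanity checks for a signed ENUM zone (not part of the original gist).
# Assumes the "owner TTL IN TYPE rdata" one-record-per-line layout that
# ods-signer writes to /var/lib/opendnssec/signed/.

# Turn an E.164 number into its ENUM owner name: keep the digits,
# reverse them, separate them with dots and append e164.arpa.
e164_to_enum() {
    printf '%s' "$1" | tr -cd '0-9' | awk '{
        name = ""
        for (i = length($0); i >= 1; i--) name = name substr($0, i, 1) "."
        print name "e164.arpa."
    }'
}

# Read a signed zone on stdin and print every NAPTR owner that has no
# RRSIG covering NAPTR. An empty result means every NAPTR RRset is signed.
unsigned_naptr_owners() {
    awk '
        /^[ \t]*;/ || /^\$/ || NF == 0 { next }   # comments, $TTL/$ORIGIN, blank lines
        {
            type = ""; covered = ""
            for (i = 2; i <= NF; i++)
                if ($i == "IN") { type = $(i + 1); covered = $(i + 2); break }
            if (type == "NAPTR") naptr[$1] = 1
            else if (type == "RRSIG" && covered == "NAPTR") signed[$1] = 1
        }
        END { for (owner in naptr) if (!(owner in signed)) print owner }
    '
}

# Constructed sample (placeholder key and signature data, not real): the first
# NAPTR RRset has its RRSIG, the second was deliberately left unsigned.
SAMPLE_ZONE='4.4.e164.arpa. 3600 IN SOA ns1.example.net. hostmaster.example.net. 1 3600 900 1209600 3600
4.4.e164.arpa. 3600 IN DNSKEY 257 3 7 PLACEHOLDERKSK==
8.5.9.0.6.4.9.7.0.2.4.4.e164.arpa. 3600 IN NAPTR 100 10 "u" "E2U+sip" "!^.*$!sip:info@example.net!" .
8.5.9.0.6.4.9.7.0.2.4.4.e164.arpa. 3600 IN RRSIG NAPTR 7 8 3600 20101022065928 20101015065928 12345 4.4.e164.arpa. PLACEHOLDERSIG==
9.5.9.0.6.4.9.7.0.2.4.4.e164.arpa. 3600 IN NAPTR 100 10 "u" "E2U+sip" "!^.*$!sip:info@example.net!" .'

echo "ENUM name for +44 20 7946 0958: $(e164_to_enum '+44 20 7946 0958')"
echo "NAPTR owners without an RRSIG:"
printf '%s\n' "$SAMPLE_ZONE" | unsigned_naptr_owners
```

On a live system, feed the real file from /var/lib/opendnssec/signed/ into unsigned_naptr_owners before pointing BIND at it, and confirm that the dig query above returns RRSIG records alongside the NAPTR RRset.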

Reference links

OpenDNSSEC Documentation
Uploading a Trust Anchor (Publishing DS record to the parent)
