@notthetup
Last active December 16, 2015 04:59
Setting up local bind9 server with dnssec on MacOSX Lion

Installing Bind9 with DNSSEC support on OSX Mountain Lion

Based on the instructions from haller.ws

Check bind installation

  1. Run named -v to check that you have BIND 9.x (or greater) installed.

Get key generation scripts

  1. Download the dns key generation scripts and related files from haller.ws

Generate and verify DNSSEC root key

  1. Run the dns-root-key.sh script and save its output to a text file, e.g. dns-root-key.sh >> managed-keys.txt
  2. The script will download the key and verify it for you.

Generate and verify the DNSSEC Look-aside Validation (DLV) key

  1. Run the dlv-key.sh script and save its output to a text file, e.g. dlv-key.sh >> trusted-keys.txt
  2. The script will download the key and verify it for you.
  3. If the script fails for whatever reason (apparently one of the ISC PGP keys has expired), you can get the DLV key by cURLing http://ftp.isc.org/www/dlv/dlv.isc.org.named.conf, e.g. curl -s http://ftp.isc.org/www/dlv/dlv.isc.org.named.conf > trusted-keys.txt
  4. If you want to, you can also download the PGP signature from http://ftp.isc.org/www/dlv/dlv.isc.org.named.conf.asc and verify the key yourself.

Update the named.conf for DNSSEC

  1. Update your /etc/named.conf with the following sections:
```
options {

	// only listen on local loopback addresses
	listen-on { 127.0.0.1; };
	listen-on-v6 { ::1; };

	dnssec-enable yes;

	// add these for recursors
	dnssec-validation yes;
	dnssec-lookaside "." trust-anchor dlv.isc.org.;
};

// output from dns-root-key.sh
include "managed-keys.txt";

// output from dlv-key.sh
include "trusted-keys.txt";
```
  1. Ensure the trusted-keys.txt and managed-keys.txt files are in the path, or give their full path in the include statement (e.g. include "/etc/managed-keys.txt";).
  2. You might need to comment out the line include "/etc/rndc.key"; if you don't have an rndc key in your /etc folder.
  3. You will also need to comment out the reference to rndc.key in the controls section:
```
controls {
	// inet 127.0.0.1 port 54 allow {any;}
	// keys { "rndc-key"; };
};
```

Load and start your named

  1. Check that the named plist file exists. It should be at /System/Library/LaunchDaemons/org.isc.named.plist
  2. Unload named from launchctl if it has been loaded by something else, e.g. launchctl unload org.isc-named and sudo launchctl unload org.isc-named. (This needs to be done with AND without sudo, as launchctl keeps separate lists of loaded daemons for root and non-root users.)
  3. Load the named plist as a daemon WITH root privileges using sudo launchctl load -w /System/Library/LaunchDaemons/org.isc.named.plist
  4. Check system.log to see if named threw any errors, e.g. sudo tail -n 20 /var/log/system.log

Test

  1. Quick test to see if it works using dig.
  2. Run dig haller.ws @127.0.0.1 +dnssec
  3. The header flags should include the ad flag. This indicates "Authentic Data" (RFC 4035); without it the resolver answered but did not validate.
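A small script that automates the check above, added here as an example (not part of the original gist). It parses dig's header lines for the ad flag and the status, so you can confirm that answers from your new resolver are actually validated; the dig output embedded in it is a constructed sample so the parsers can be exercised without a running named, and check_validation is the function you would call against the real server.

```shell
#!/bin/sh
# Added example, not part of the original gist: parse dig's header to
# confirm the local resolver is really validating. The "ad" flag
# (Authentic Data, RFC 4035) is only set on validated answers; a zone
# with deliberately broken signatures should instead come back SERVFAIL.

# has_ad_flag: read dig output on stdin; exit 0 only if the ";; flags:"
# header line lists "ad".
has_ad_flag() {
    grep '^;; flags:' | sed -E 's/^;; flags: ([^;]*);.*/\1/' \
        | tr ' ' '\n' | grep -qx 'ad'
}

# rcode: read dig output on stdin; print the status (NOERROR, SERVFAIL, ...).
rcode() {
    sed -nE 's/^;; ->>HEADER<<- opcode: [A-Z]+, status: ([A-Z]+),.*/\1/p'
}

# check_validation NAME [SERVER]: query the resolver (default 127.0.0.1,
# as configured above) and report whether the answer carried the ad flag.
# Needs dig and a running named; returns 1 if the answer was not validated.
check_validation() {
    out=$(dig "$1" "@${2:-127.0.0.1}" +dnssec)
    if printf '%s\n' "$out" | has_ad_flag; then
        echo "$1: validated (ad flag set)"
    else
        echo "$1: NOT validated (status: $(printf '%s\n' "$out" | rcode))"
        return 1
    fi
}

# Constructed samples of dig's header output (not real captures) so the
# parsers run offline; against a live server use check_validation instead.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

if printf '%s\n' "$SAMPLE_VALIDATED" | has_ad_flag; then
    echo "sample 1: validated (ad flag set)"
fi
if ! printf '%s\n' "$SAMPLE_BOGUS" | has_ad_flag; then
    echo "sample 2: not validated, status $(printf '%s\n' "$SAMPLE_BOGUS" | rcode)"
fi
```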

Profit!!!

You now have a BIND 9 resolver with DNSSEC validation running on your machine. You can set the DNS server in your network settings to localhost (127.0.0.1) and you'll be relying on DNSSEC-validated DNS records from now on! Enjoy.
