2010/04/03

Configure BIND as a recursive validator with DNSSEC Lookaside Validation (DLV)

I made pretty good progress in DNSSEC. I have changed BIND from a plain resolver to a recursive validator with the aid of ISC's domain lookaside validator (DLV). DLV (DNSSEC Lookaside Validation, RFC 5074) is an interim mechanism that gives a validator a secure entry point other than the root zone from which to obtain DNSSEC trust anchors. Without DLV, and without a fully signed chain from the root down to a zone, the resolver operator has to configure and maintain a separate trust anchor for every signed zone, and keep each one current through that zone's key rollovers. (Historical note: ISC retired the dlv.isc.org registry in 2017, once the root and most TLDs were signed, and later BIND releases dropped dnssec-lookaside altogether; current BIND validates from the root trust anchor alone, so what follows applies to BIND versions of that era.)

The following lines are what has to be added to named.conf to enable DLV:

----------------------------------------
// enable DNSSEC in BIND
dnssec-enable yes;
dnssec-validation yes;

// use dlv.isc.org as the secure entry point for zones that have no
// chain of trust from a configured trust anchor
dnssec-lookaside "." trust-anchor "dlv.isc.org.";

// detailed logging of validation activity (debug 3 is very verbose;
// lower it once validation is working)
logging {
    channel dnssec_log {
        file "/var/log/dnssec.log" size 20m;
        print-time yes;
        print-category yes;
        print-severity yes;
        severity debug 3;
    };
    category dnssec { dnssec_log; };
};

// the KSK of dlv.isc.org; obtain and verify it out of band, since every
// DLV-validated answer hangs on this trust anchor (key material elided)
trusted-keys {
    dlv.isc.org. 257 3 5 "BEAAA...........................";
};
---------------------------------------------
With these entries in place, verify that the AD (authenticated data) flag is set in answers for records from a signed zone. BIND only sets AD when it has validated the data itself; an answer that fails validation comes back as SERVFAIL instead, unless the query carries the CD (checking disabled) bit, so dig +cd is the way to see the unvalidated data when debugging a failure.

[root@i3way etc]# dig +dnssec www.dnssec.se mx
; <<>> DiG 9.5.2-RedHat-9.5.2-1.fc10 <<>> +dnssec www.dnssec.se mx
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16411
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1
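Reading the header by eye works for one query, but it helps to have the three checks a validating resolver should pass in one script: a signed name comes back with AD, the same query with +cd comes back without it, and a deliberately broken zone comes back SERVFAIL. The script below is an added example, not part of the original post; it assumes dig is installed, that the resolver listens on RESOLVER (default 127.0.0.1), and uses dnssec-failed.org as an assumed deliberately broken test zone. The classification logic runs on dig's header text, so it can be exercised offline on captured output such as the one above.

```shell
#!/bin/sh
# Added example (not from the original post): classify a resolver's answer as
# secure / insecure / bogus from dig's header lines, then run the three live
# checks a validating resolver should pass. Assumptions: dig is installed, the
# resolver address is RESOLVER (default 127.0.0.1), and dnssec-failed.org is
# a deliberately mis-signed test zone.

RESOLVER="${RESOLVER:-127.0.0.1}"

# Print the RCODE ("NOERROR", "SERVFAIL", ...) from dig's HEADER line.
dig_status() {
    sed -n 's/^;; ->>HEADER<<- .*status: \([A-Z]*\),.*/\1/p'
}

# Print the flag list from dig's "flags:" line, e.g. "qr rd ra ad".
dig_flags() {
    sed -n 's/^;; flags: \([^;]*\);.*/\1/p'
}

# Return 0 if flag $1 occurs in the space-separated list $2.
has_flag() {
    want="$1"
    for f in $2; do
        [ "$f" = "$want" ] && return 0
    done
    return 1
}

# Classify one complete dig output, passed as a single string:
#   secure   - NOERROR with AD: the resolver validated the data
#   insecure - NOERROR without AD: unsigned zone, or CD was set on the query
#   bogus    - SERVFAIL: validation failed and the resolver withheld the data
#   other    - anything else (NXDOMAIN, REFUSED, timeout)
classify() {
    status=$(printf '%s\n' "$1" | dig_status)
    flags=$(printf '%s\n' "$1" | dig_flags)
    if [ "$status" = "SERVFAIL" ]; then
        echo bogus
    elif [ "$status" = "NOERROR" ] && has_flag ad "$flags"; then
        echo secure
    elif [ "$status" = "NOERROR" ]; then
        echo insecure
    else
        echo other
    fi
}

# Query the resolver and classify the answer; extra dig options (e.g. +cd)
# go in $3 and are deliberately left unquoted so they split into words.
check() {
    classify "$(dig @"$RESOLVER" +dnssec $3 "$1" "$2")"
}

# Live checks against the network; run only when RUN_CHECKS=1 so the
# functions above can be sourced or tested offline.
run_checks() {
    echo "signed zone, validated:  $(check www.dnssec.se a)"         # want secure
    echo "same query with +cd:     $(check www.dnssec.se a +cd)"     # want insecure
    echo "mis-signed test zone:    $(check www.dnssec-failed.org a)" # want bogus
}

if [ "${RUN_CHECKS:-0}" = 1 ]; then
    run_checks
fi
```

Run it as RUN_CHECKS=1 sh dnssec-check.sh (the file name is arbitrary). If the first line reports insecure, the resolver answered but did not validate: check that dnssec-validation is on and that the trusted-keys entry actually parsed. If the third line reports secure or insecure rather than bogus, the resolver is not validating at all, which is the failure mode that matters most, since an AD flag you never check is easy to mistake for working DNSSEC.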

Now that I have a recursive validator in place, the next tasks are to sign my zones and publish the keys to dlv.isc.org.
