Saturday, 25 January 2020

How to run a standalone DNSSEC root zone?

I have a white lab. It has its own top-level domain (TLD), whitelab., and runs ISC BIND 9.15.

This makes it possible to roll out many network testing scenarios in-house.

How does one DNSSEC-sign this custom-made TLD so that it not only provides secured DNS lookups from within the BIND whitelab view/network, but also reverts to the ISC Root Key when DNSSEC-resolving domain names outside the white lab? Obviously ICANN won't add this whitelab TLD for the entire world to use (nor would we want it to).

Some basic ISC BIND 9.15 settings:

options {
    ...
    dnssec-enable yes;
    dnssec-validation yes; // deliberately 'yes': not 'auto', nor 'no'.
                           // ('yes' uses only explicitly configured trust anchors;
                           //  'auto' would also load the built-in root key.)
    ...
    };

view whitelab {
    ...
    trusted-keys {
        whitelab. 257 3 14 "<key-value>";
        };
    ...
    };

Rolling out the above configuration in a non-Internet (local/whitelab) BIND view broke DNSSEC for the Internet-wide BIND view.

Keys were created by doing:

# -f KSK sets the key flags to 257 (KSK/SEP), matching the 257 in the trusted-keys
# statement above; without it dnssec-keygen produces a 256-flag ZSK.
dnssec-keygen -v3 -G -f KSK -n ZONE -a ECDSAP384SHA384 whitelab.
dnssec-keygen -v3 -G -f KSK -n ZONE -a ECDSAP384SHA384 168.192.in-addr.arpa.

Is this 'trusted-keys' approach the correct one?
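The following is an added example, not part of the original post, covering both the named.conf fragment and the key-generation step above. It is a POSIX shell script that turns a dnssec-keygen .key file into a trusted-keys line, refusing anything that is not a 257-flag KSK (the flag value the post's trusted-keys statement expects), and then renders a named.conf in which the Internet view keeps the built-in root anchor via `dnssec-validation auto` while the lab view adds the whitelab. key as an extra, view-local anchor (an "island of trust"). The key file contents are constructed samples, and the 192.168.0.0/16 lab prefix, the 192.168.0.53 authoritative server and the static-stub arrangement are assumptions about the lab, not facts from the post.

```shell
#!/bin/sh
# Added example (not from the original post). Builds a BIND trust-anchor stanza from
# a dnssec-keygen .key file and renders a two-view named.conf around it.
# Everything below the comments is constructed or assumed, not taken from the lab.

# Constructed sample .key files in the format dnssec-keygen writes.
# dnssec-keygen with "-f KSK" produces flags 257 (KSK, SEP bit set):
KSK_KEYFILE='; This is a key-signing key, keyid 12345, for whitelab.
; Created: 20200125000000 (Sat Jan 25 00:00:00 2020)
whitelab. IN DNSKEY 257 3 14 Q29uc3RydWN0ZWRTYW1wbGVLU0tOb3RBUmVhbEtleQ=='
# dnssec-keygen without "-f KSK" produces flags 256 (ZSK): the wrong key to pin.
ZSK_KEYFILE='; This is a zone-signing key, keyid 23456, for whitelab.
whitelab. IN DNSKEY 256 3 14 Q29uc3RydWN0ZWRTYW1wbGVaU0tOb3RBUmVhbEtleQ=='

# dnskey_to_anchor "<contents of a .key file>"
# Prints a trusted-keys line (owner flags protocol algorithm "base64";).
# Exit 2 if the DNSKEY is not a KSK (flags 257, protocol 3), exit 1 if no DNSKEY is found.
dnskey_to_anchor() {
  rc=0
  printf '%s\n' "$1" | awk '
    BEGIN { rc = 1 }                              # 1: no DNSKEY record seen
    /^;/ || NF == 0 { next }                      # skip comments and blank lines
    {
      d = 0
      for (i = 1; i <= NF; i++) if ($i == "DNSKEY") d = i   # tolerate an optional TTL field
      if (d == 0) next
      flags = $(d + 1); proto = $(d + 2); alg = $(d + 3)
      key = ""
      for (i = d + 4; i <= NF; i++) key = key $i  # rejoin the base64 if it was wrapped
      if (flags != 257 || proto != 3) { rc = 2; exit }
      printf("%s %s %s %s \"%s\";\n", $1, flags, proto, alg, key)
      rc = 0
    }
    END { exit rc }' || rc=$?
  case $rc in
    0) ;;
    2) echo "refused: not a KSK (flags 257, protocol 3); regenerate with dnssec-keygen -f KSK" >&2 ;;
    *) echo "refused: no DNSKEY record found" >&2 ;;
  esac
  return "$rc"
}

# render_named_conf "<trusted-keys line>"
# Prints a named.conf skeleton: the lab view gets the extra anchor, every view keeps
# the IANA root anchor that 'dnssec-validation auto' supplies.
render_named_conf() {
  cat <<EOF
options {
    // 'auto' loads the built-in root key (and tracks it via RFC 5011).
    // 'yes' loads no built-in anchor, so a view with no explicit root key
    // cannot validate Internet names at all.
    dnssec-validation auto;
};

// Views are matched in order: lab clients land here and can validate both
// whitelab. (island anchor) and the Internet (root anchor).
view "whitelab" {
    match-clients { 192.168.0.0/16; };   // assumed lab prefix
    recursion yes;
    trusted-keys {
        $1
    };
    // The real root has no whitelab. delegation, so point the resolver at the
    // lab's authoritative server (address assumed).
    zone "whitelab." {
        type static-stub;
        server-addresses { 192.168.0.53; };
    };
};

view "internet" {
    match-clients { any; };
    recursion yes;
    // No extra anchors: only the root key from dnssec-validation auto.
};
EOF
}

# Usage with a real key file, e.g. one produced by:
#   dnssec-keygen -f KSK -n ZONE -a ECDSAP384SHA384 whitelab.
#   anchor=$(dnskey_to_anchor "$(cat Kwhitelab.+014+12345.key)") && render_named_conf "$anchor"
# Demonstration on the constructed samples:
if anchor=$(dnskey_to_anchor "$KSK_KEYFILE"); then render_named_conf "$anchor"; fi
dnskey_to_anchor "$ZSK_KEYFILE" || echo "ZSK file rejected as expected (exit $?)"
```

Check the rendered file with `named-checkconf` before reloading. The reverse zone key from the post needs the same treatment in the same view, since the public in-addr.arpa tree provides no secure chain to a private 192.168 zone. `trusted-keys` is used here because the post targets 9.15; BIND 9.16 and later deprecate it in favour of `trust-anchors { whitelab. static-key 257 3 14 "..."; };`, which takes the same values.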
