DNSSEC: Nkosi Communications
This document is licensed under the Creative Commons Attribution 4.0 International License
Nkosi Communications uses the Cozadomain Registrar for co.za domain names and provides DNSSEC services to Business Clients (Products: A,AA,AAA)
Terms & Conditions: the ZACR T&C, our own T&C and any additional T&C as specified and/or included apply
Cozadomain requires only one file to enable DNSSEC on your co.za domain name and submit your data to the ZACR Registry
* The Complete KSK .key file for each DNSSEC enabled domain*
Here is a short and very basic guide on how to sign your own zone and generate the KSK file (as required by Cozadomain and potentially other co.za domain registrars).
General DNSSEC Information (as it relates to the ZACR, Cozadomain & co.za domains)
DNSSEC uses public key cryptography: you sign your DNS zones with a private key, and validating clients verify the signatures against your public key.
DNSSEC adds some record types to your signed zone file:
The DNSKEY record type: the public key for your zone (there can be several, because you can sign your zone with more than one key)
The RRSIG record type: every record set in your zone (except RRSIG itself) is signed, and the signature is stored in an RRSIG record in the zone
The DS record type: a hash of your zone's public key (the KSK's DNSKEY), stored in the parent zone to establish the chain of trust
How to sign your own zone file:
Assumptions:
- BIND9 and its DNSSEC tools (dnssec-keygen, dnssec-signzone) are installed
- Replace “yours.co.za” with your own domain name
- The example below generates keys with algorithm number 8 (RSASHA256)
DNSSEC Sign your own dns zone file:
Step One:
Generate a Key Signing Key (KSK)
Command: dnssec-keygen -f KSK -a RSASHA256 -b 2048 -n ZONE yours.co.za
Result: 2x new files, one ending in .key and one ending in .private
Kyours.co.za.+008+09544.key
Kyours.co.za.+008+09544.private
(In this example the KSK are renamed to Kyours.co.za.+008+09544.ksk.key AND Kyours.co.za.+008+09544.ksk.private )
Step Two:
Generate a Zone Signing Key (ZSK)
Command: dnssec-keygen -a RSASHA256 -b 2048 -n ZONE yours.co.za
Result: 2x new files, one ending in .key and one ending in .private
Kyours.co.za.+008+09217.key
Kyours.co.za.+008+09217.private
TIP/HINT: Consider renaming the KSK files (.key & .private). You can also view the .key file itself to see which is the KSK and which is the ZSK (the KSK's DNSKEY line has flags 257, the ZSK's 256).
If your KSK file is called yours.co.za.+008+09544.key and yours.co.za.+008+09544.private
Step Three:
Assumption: there are four new files after Step One & Step Two, starting with Kyours.co.za*
Add two lines to the bottom of your unsigned zone file (in this example the file is called “yours.co.za.zonefilename”):
$include /etc/named/Kyours.co.za.+008+09544.ksk.key
$include /etc/named/Kyours.co.za.+008+09217.key
Step Four:
Sign your zone file (generate the RRSIG records for every record set in your zone file using the ZSK; the KSK given with -k signs the DNSKEY set)
Command: dnssec-signzone -e20180906120101 -g -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -k /path/to/var/chroot/bindkeys/Kyours.co.za.+008+09544.ksk.key -o yours.co.za -t /path/to/var/chroot/bindzones/yours.co.za.zonefilename
If this worked for you, you will now have two new files: yours.co.za.zonefilename.signed (the signed zone)
and dsset-yours.co.za. (which contains the DS hashes of your keys)
Step Five: Edit the named.conf to reflect the new zone file name: yours.co.za.zonefilename.signed
TIP/HINT: If you receive errors, check your paths, file permissions and file ownership
TIP/HINT: The -e20180906120101 above is the signature expiry: 6 September 2018 at 12:01:01 (UTC)
TIP/HINT: The $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) is the NSEC3 salt; you need not use a salt (pass -3 - for no salt)
TIP/HINT: A full description of the dnssec-signzone options is in its man page, dnssec-signzone(8)
TIP/HINT: Ensure that you rotate keys regularly. Please see your DNS support section in your Secure Business Hosting package.
Step Six:
Submit your KSK .key file to Cozadomain registrar
Step Seven:
Display the values in the file dsset-yours.co.za. on your DNS server
and compare them to the result of this:
Command: dig @ns1.coza.net.za DS yours.co.za
If the values match: Congratulations! DNSSEC is functional for your domain
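The DS record the registry must publish is derived from the KSK .key file exactly as described in the DNSKEY/DS overview above, so Step Seven can be rehearsed offline. The following is an added example, not Cozadomain's or ISC BIND's code: it reads a DNSKEY line in the Kyours.co.za.+008+NNNNN.key format, computes the key tag (RFC 4034 Appendix B) and the DS digest (RFC 4034 section 5.1.4), and compares a dsset file against dig output. The sample key line, the 4-byte placeholder public key and all function names are constructed for this example.

```python
import base64, hashlib, struct

# Constructed sample in the format of a Kyours.co.za.+008+NNNNN.key file; the 4-byte "public key" is a placeholder, not a real RSA key.
SAMPLE_KSK_FILE = "; constructed key-signing key for this example\nyours.co.za. IN DNSKEY 257 3 8 AAECAw== ; KSK\n"

def name_to_wire(name):
    """Owner name in canonical wire format: lower-cased, length-prefixed labels."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def parse_dnskey(text):
    """(owner, flags, protocol, algorithm, pubkey bytes) from the DNSKEY line of a .key file."""
    for raw in text.splitlines():
        f = raw.split(";")[0].split()              # strip comments, tolerate tabs
        if "DNSKEY" in f:
            i = f.index("DNSKEY")
            flags, proto, alg = (int(x) for x in f[i + 1:i + 4])
            return f[0], flags, proto, alg, base64.b64decode("".join(f[i + 4:]))
    raise ValueError("no DNSKEY record found")

def is_ksk(text):
    """Cozadomain wants the KSK: flags 257 = zone key (256) + Secure Entry Point bit (1)."""
    return parse_dnskey(text)[1] & 0x0001 == 1

def key_tag(flags, proto, alg, pubkey):
    """RFC 4034 Appendix B key tag: the +NNNNN number in the key file name."""
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(text, digest_type=2):
    """DS RR in presentation format for the DNSKEY in text; digest type 1=SHA-1, 2=SHA-256."""
    owner, flags, proto, alg, pubkey = parse_dnskey(text)
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    digest = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type](name_to_wire(owner) + rdata)
    return "%s IN DS %d %d %d %s" % (owner, key_tag(flags, proto, alg, pubkey), alg, digest_type, digest.hexdigest().upper())

def ds_fields(line):
    """(key tag, algorithm, digest type, digest) from a dsset-file line or a dig answer line."""
    f = line.split(";")[0].split()
    i = f.index("DS")
    return int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), "".join(f[i + 4:]).upper()

def chain_of_trust_ok(dsset_lines, registry_lines):
    """True when at least one DS the parent serves matches a DS in dsset-yours.co.za."""
    local = {ds_fields(l) for l in dsset_lines if "DS" in l.split(";")[0].split()}
    parent = {ds_fields(l) for l in registry_lines if "DS" in l.split(";")[0].split()}
    return bool(local & parent)
```

Feed chain_of_trust_ok the lines of dsset-yours.co.za. and the lines printed by dig @ns1.coza.net.za DS yours.co.za; a False result means the registry is not yet serving a DS for the KSK you submitted.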
* The KSK file submitted to Cozadomain has to use one of the following algorithms (reproduced with credit to IANA: http://www.iana.org):
Number | Description | Mnemonic | Zone Signing | Trans. Sec. | Reference
---|---|---|---|---|---
0 | Delete DS | DELETE | N | N | [RFC4034][RFC4398][RFC8078]
1 | RSA/MD5 (deprecated, see 5) | RSAMD5 | N | Y | [RFC3110][RFC4034]
2 | Diffie-Hellman | DH | N | Y | [RFC2539][proposed standard]
3 | DSA/SHA1 | DSA | Y | Y | [RFC3755][proposed standard][RFC2536][proposed standard][FIPS PUB 186, Digital Signature Standard, 18 May 1994][FIPS PUB 180-1, Secure Hash Standard, 17 April 1995 (supersedes FIPS PUB 180 dated 11 May 1993)]
4 | Reserved | | | | [RFC6725]
5 | RSA/SHA-1 | RSASHA1 | Y | Y | [RFC3110][RFC4034]
6 | DSA-NSEC3-SHA1 | DSA-NSEC3-SHA1 | Y | Y | [RFC5155][proposed standard]
7 | RSASHA1-NSEC3-SHA1 | RSASHA1-NSEC3-SHA1 | Y | Y | [RFC5155][proposed standard]
8 | RSA/SHA-256 | RSASHA256 | Y | * | [RFC5702][proposed standard]
9 | Reserved | | | | [RFC6725]
10 | RSA/SHA-512 | RSASHA512 | Y | * | [RFC5702][proposed standard]
11 | Reserved | | | | [RFC6725]
12 | GOST R 34.10-2001 | ECC-GOST | Y | * | [RFC5933][standards track]
13 | ECDSA Curve P-256 with SHA-256 | ECDSAP256SHA256 | Y | * | [RFC6605][standards track]
14 | ECDSA Curve P-384 with SHA-384 | ECDSAP384SHA384 | Y | * | [RFC6605][standards track]
15 | Ed25519 | ED25519 | Y | * | [RFC8080][standards track]
16 | Ed448 | ED448 | Y | * | [RFC8080][standards track]
17-122 | Unassigned | | | |
123-251 | Reserved | | | | [RFC4034][RFC6014]
252 | Reserved for Indirect Keys | INDIRECT | N | N | [RFC4034][proposed standard]
253 | private algorithm | PRIVATEDNS | Y | Y | [RFC4034]
254 | private algorithm OID | PRIVATEOID | Y | Y | [RFC4034]
255 | Reserved | | | | [RFC4034][proposed standard]