co.za DNSSEC How To

DNSSEC: Nkosi Communications
This document is licensed under the Creative Commons Attribution 4.0 International License
Nkosi Communications uses the Cozadomain Registrar for co.za domain names and provides DNSSEC services to Business Clients (Products: A, AA, AAA)
Terms & Conditions: the ZACR T&C, our own T&C and any additional T&C as specified and/or included apply

Cozadomain requires only one file to enable DNSSEC on your co.za domain name and submit your data to the ZACR Registry:

* The complete KSK .key file for each DNSSEC-enabled domain (see the note on permitted algorithms, marked *, at the end of this document)

Here is a short and very basic guide on how to sign your own zone and generate the KSK .key file required by Cozadomain (and potentially by other co.za domain Registrars).

General DNSSEC Information (as it relates to the ZACR, Cozadomain & co.za domains)

DNSSEC uses public key cryptography: you sign your DNS zone with a private key, and validating resolvers verify those signatures against the matching public key published in your zone.

DNSSEC adds some record types to your signed zone file:

The DNSKEY record type: the public key(s) for your zone (there can be several, as you are able to sign your zone with more than one key, e.g. a KSK and a ZSK)
The RRSIG record type: every record set in your zone (except the RRSIGs themselves) is signed, and each signature is stored in an RRSIG record in the zone
The DS record type: a DS record is a hash of the public key (DNSKEY) for your zone; it is published in the parent zone (co.za) to establish the chain of trust

How to sign your own zone file:

Assumptions:

  • BIND 9 and its DNSSEC tools (dnssec-keygen, dnssec-signzone) are installed
  • Replace “yours.co.za” with your own domain name
  • The example below generates keys with algorithm number 8 (RSASHA256)

DNSSEC Sign your own dns zone file:

Step One:

Generate a Key Signing Key (KSK)

Command: dnssec-keygen -f KSK -a RSASHA256 -b 2048 -n ZONE yours.co.za

Result: two new files, one ending in .key and one ending in .private:
Kyours.co.za.+008+09544.key
Kyours.co.za.+008+09544.private

(In this example the KSK files are renamed to Kyours.co.za.+008+09544.ksk.key AND Kyours.co.za.+008+09544.ksk.private)

Step Two:

Generate a Zone Signing Key (ZSK)

Command: dnssec-keygen -a RSASHA256 -b 2048 -n ZONE yours.co.za
Result: two new files, one ending in .key and one ending in .private:
Kyours.co.za.+008+09217.key
Kyours.co.za.+008+09217.private


TIP/HINT: Consider renaming the KSK files (.key & .private) so they are easy to tell apart; you can also view the .key file itself to see which key is the KSK and which is the ZSK.
If your KSK files are called Kyours.co.za.+008+09544.key and Kyours.co.za.+008+09544.private

Step Three:

Assumption: after Step One & Step Two there are four new files starting with Kyours.co.za*

Add two lines to the bottom of your unsigned zone file (in this example the file is called “yours.co.za.zonefilename”):

$INCLUDE /etc/named/Kyours.co.za.+008+09544.ksk.key
$INCLUDE /etc/named/Kyours.co.za.+008+09217.key


Step Four:

Sign your zone file (generate the RRSIG records for the data in your zone file with the ZSK; the DNSKEY record set itself is signed with the KSK)

Command: dnssec-signzone -e20180906120101 -g -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -k /path/to/var/chroot/bindkeys/Kyours.co.za.+008+09544.ksk.key -o yours.co.za -t /path/to/var/chroot/bindzones/yours.co.za.zonefilename

If this worked for you, you will now have two new files:
yours.co.za.zonefilename.signed (the signed zone)
dsset-yours.co.za. (contains the DS records, i.e. the hashes of your KSK)

Step Five:

Edit named.conf to reflect the new zone file name: yours.co.za.zonefilename.signed


TIP/HINT: If you receive errors, check your paths, file permissions and file ownership. dnssec-signzone looks for the ZSK's .private file in the current directory unless you point it at the key directory with -K.

TIP/HINT: The -e20180906120101 above is the signature expiry, 6 September 2018 at 12:01:01 (format YYYYMMDDHHMMSS). Signatures past this date fail validation, so pick a date in the future and re-sign the zone before it is reached.

TIP/HINT: The $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) is the NSEC3 salt; you need not use a salt (pass -3 - instead).

TIP/HINT: A full description of the dnssec-signzone options is in the dnssec-signzone man page.

TIP/HINT: Ensure you rotate keys regularly. Please see the DNS support section of your Secure Business Hosting package.
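The script below is an added example (it is not part of this guide and not Cozadomain's or the ZACR's code) that runs Steps One to Five end to end for one zone. It assumes the BIND 9 tools are on the PATH, keeps the keys in KEYDIR (/etc/named, as in Step Three), takes the RRSIG expiry from EXPIRY, takes the zone name as its first argument and the unsigned zone file as an optional second argument, draws the NSEC3 salt from /dev/urandom instead of /dev/random so it cannot block, and leaves out -A (NSEC3 opt-out), which only matters for zones with many unsigned delegations.

```shell
#!/bin/sh
# Added example, not code from the original guide, Cozadomain or the ZACR:
# runs Steps One to Five for one zone. Assumptions: BIND 9 tools on PATH,
# keys stored in KEYDIR, the unsigned zone file already exists, RRSIG
# expiry taken from EXPIRY (YYYYMMDDHHMMSS, as in Step Four).
set -eu

KEYDIR="${KEYDIR:-/etc/named}"        # assumption: key directory from Step Three
EXPIRY="${EXPIRY:-20180906120101}"    # assumption: reuse the guide's expiry

# Print the two $INCLUDE lines Step Three appends to the unsigned zone file.
# $1 = key directory, $2 = KSK name, $3 = ZSK name (as printed by dnssec-keygen).
include_lines() {
    printf '$INCLUDE %s/%s.key\n$INCLUDE %s/%s.key\n' "$1" "$2" "$1" "$3"
}

# Steps One and Two. dnssec-keygen prints the key name (Kzone.+alg+tag) on
# stdout, so the key tag never has to be read off a directory listing.
generate_keys() {
    ksk=$(dnssec-keygen -K "$KEYDIR" -f KSK -a RSASHA256 -b 2048 -n ZONE "$1")
    zsk=$(dnssec-keygen -K "$KEYDIR" -a RSASHA256 -b 2048 -n ZONE "$1")
    echo "$ksk $zsk"
}

# Steps Three and Four, then a syntax/consistency check of the signed file.
# $1 = zone, $2 = unsigned zone file, $3 = KSK name, $4 = ZSK name.
sign_zone() {
    zone="$1"; zonefile="$2"; ksk="$3"; zsk="$4"
    # Append the $INCLUDE lines only once, so re-running does not duplicate them.
    grep -qF "$ksk.key" "$zonefile" || include_lines "$KEYDIR" "$ksk" "$zsk" >> "$zonefile"
    # /dev/urandom instead of /dev/random: same 16 hex digits of salt, never blocks.
    salt=$(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16)
    # -K tells dnssec-signzone where the ZSK's .private file lives; without it
    # (or without running from that directory) the ZSK cannot be found.
    dnssec-signzone -K "$KEYDIR" -e "$EXPIRY" -g -3 "$salt" -N INCREMENT \
        -k "$ksk" -o "$zone" -t "$zonefile" >&2
    named-checkzone "$zone" "$zonefile.signed" >/dev/null
    echo "$zonefile.signed"
}

main() {
    zone="$1"; zonefile="${2:-$zone.zonefilename}"
    set -- $(generate_keys "$zone")
    signed=$(sign_zone "$zone" "$zonefile" "$1" "$2")
    echo "signed zone file : $signed (point named.conf at it, Step Five)"
    echo "KSK to submit    : $KEYDIR/$1.key (Step Six)"
    echo "DS records       : $(pwd)/dsset-$zone. (compare with dig DS, Step Seven)"
}

# Run only when a zone name is given and the BIND tools are installed.
if [ -n "${1:-}" ] && command -v dnssec-keygen >/dev/null 2>&1; then
    main "$@"
fi
```

Usage: sh sign-coza.sh yours.co.za /path/to/yours.co.za.zonefilename. The dsset-yours.co.za. file is written to the directory the script is run from; the .signed file is written next to the unsigned zone file.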

Step Six:

Submit your KSK .key file to the Cozadomain registrar

Step Seven:

Display the contents of the dsset-yours.co.za. file on your DNS server

and compare the values to the result of this:

Command: dig @ns1.coza.net.za DS yours.co.za

If the values match: Congratulations! Your DNSSEC is functional
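As an added example that is not part of this guide: the script below reads a Kyours.co.za.+008+NNNNN.key file, tells a KSK from a ZSK by the DNSKEY flags field (257 = KSK, 256 = ZSK, which is what “view the .key file itself” in the earlier tip amounts to), recomputes the key tag (RFC 4034 Appendix B) and the SHA-256 DS record (RFC 4509) from the public key itself, and then checks that this DS appears in a dsset- file or in saved output of dig DS from the parent. The .key file path and the file of DS records are arguments; the short sample key used in the usage note is constructed and far too small to be a real key.

```shell
#!/bin/sh
# Added example, not code from the original guide: recompute the DS record
# for a BIND .key file and check it against a DS RRset (dsset- file or saved
# dig output). Needs only sh, awk, od, base64 and sha256sum.
set -eu

# Print "owner flags protocol algorithm base64key" from the DNSKEY line of a
# .key file; comment lines start with ';' and a TTL column may be present.
dnskey_fields() {
    awk '$1 !~ /^;/ { for (i = 1; i <= NF; i++) if ($i == "DNSKEY") {
            k = ""; for (j = i + 4; j <= NF; j++) k = k $j
            print $1, $(i+1), $(i+2), $(i+3), k; exit } }' "$1"
}

# Flags 257 = zone key + SEP bit = KSK; 256 = zone key only = ZSK.
key_role() {
    set -- $(dnskey_fields "$1")
    case "$2" in 257) echo KSK ;; 256) echo ZSK ;; *) echo "unknown($2)" ;; esac
}

# Owner name in wire format (lowercased, length-prefixed labels, root label), as hex.
owner_wire_hex() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | tr '.' '\n' | while read -r label; do
        [ -n "$label" ] || continue
        printf '%02x' "${#label}"
        printf '%s' "$label" | od -An -v -tx1 | tr -d ' \n'
    done
    printf '00'
}

# DNSKEY RDATA as hex: flags (2 bytes), protocol, algorithm, raw public key.
rdata_hex() {
    printf '%04x%02x%02x' "$1" "$2" "$3"
    printf '%s' "$4" | base64 -d | od -An -v -tx1 | tr -d ' \n'
}

# Key tag over the RDATA (RFC 4034 Appendix B): even bytes weigh 256, odd bytes 1.
key_tag() {
    printf '%s' "$1" | awk 'BEGIN { h = "0123456789abcdef" }
        { for (i = 1; i <= length($0); i += 2) {
              b = (index(h, substr($0, i, 1)) - 1) * 16 + index(h, substr($0, i + 1, 1)) - 1
              if (((i - 1) / 2) % 2 == 0) ac += b * 256; else ac += b }
          ac += int(ac / 65536) % 65536
          print ac % 65536 }'
}

# Emit raw bytes for a hex string (octal escapes keep this POSIX printf-safe).
hex_to_bin() {
    esc=$(printf '%s' "$1" | awk 'BEGIN { h = "0123456789abcdef" }
        { for (i = 1; i <= length($0); i += 2)
              printf "\\0%03o", (index(h, substr($0, i, 1)) - 1) * 16 + index(h, substr($0, i + 1, 1)) - 1 }')
    printf '%b' "$esc"
}

# DS = keytag, algorithm, digest type 2, SHA-256(owner_wire || DNSKEY RDATA).
ds_record() {
    set -- $(dnskey_fields "$1")
    rdata=$(rdata_hex "$2" "$3" "$4" "$5")
    digest=$(hex_to_bin "$(owner_wire_hex "$1")$rdata" | sha256sum | cut -d' ' -f1)
    printf '%s IN DS %s %s 2 %s\n' "$1" "$(key_tag "$rdata")" "$4" "$digest"
}

# Exit 0 if the DS computed from the .key file ($1) appears in the DS records
# in file $2 (a dsset- file, or dig DS output saved to a file); else exit 1.
ds_published() {
    want=$(ds_record "$1" | awk '{ print $4, $5, $6, tolower($7) }')
    awk '$1 !~ /^;/ { for (i = 1; i <= NF; i++) if ($i == "DS") {
            d = ""; for (j = i + 4; j <= NF; j++) d = d $j
            print $(i+1), $(i+2), $(i+3), tolower(d); break } }' "$2" | grep -qxF "$want"
}

if [ $# -ge 2 ]; then
    echo "$1 is a $(key_role "$1"); computed DS: $(ds_record "$1")"
    if ds_published "$1" "$2"; then echo "DS is published in $2"; else echo "DS NOT found in $2"; exit 1; fi
fi
```

Usage: dig @ns1.coza.net.za DS yours.co.za > parent-ds.txt, then sh check-ds.sh /etc/named/Kyours.co.za.+008+09544.ksk.key parent-ds.txt. The check compares the SHA-256 (digest type 2) DS only; a parent that publishes only a SHA-1 (type 1) DS for the same key will report “NOT found” even though the key tag matches, so read the two outputs side by side in that case.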


* The KSK file submitted to Cozadomain has to use one of the following algorithms (reproduced with credit to IANA: http://www.iana.org):

| Number  | Description                     | Mnemonic            | Zone Signing | Trans. Sec. | Reference |
|---------|---------------------------------|---------------------|--------------|-------------|-----------|
| 0       | Delete DS                       | DELETE              | N            | N           | [RFC4034][RFC4398][RFC8078] |
| 1       | RSA/MD5 (deprecated, see 5)     | RSAMD5              | N            | Y           | [RFC3110][RFC4034] |
| 2       | Diffie-Hellman                  | DH                  | N            | Y           | [RFC2539][proposed standard] |
| 3       | DSA/SHA1                        | DSA                 | Y            | Y           | [RFC3755][proposed standard][RFC2536][proposed standard][FIPS PUB 186, Digital Signature Standard, 18 May 1994][FIPS PUB 180-1, Secure Hash Standard, 17 April 1995 (supersedes FIPS PUB 180 dated 11 May 1993)] |
| 4       | Reserved                        |                     |              |             | [RFC6725] |
| 5       | RSA/SHA-1                       | RSASHA1             | Y            | Y           | [RFC3110][RFC4034] |
| 6       | DSA-NSEC3-SHA1                  | DSA-NSEC3-SHA1      | Y            | Y           | [RFC5155][proposed standard] |
| 7       | RSASHA1-NSEC3-SHA1              | RSASHA1-NSEC3-SHA1  | Y            | Y           | [RFC5155][proposed standard] |
| 8       | RSA/SHA-256                     | RSASHA256           | Y            | *           | [RFC5702][proposed standard] |
| 9       | Reserved                        |                     |              |             | [RFC6725] |
| 10      | RSA/SHA-512                     | RSASHA512           | Y            | *           | [RFC5702][proposed standard] |
| 11      | Reserved                        |                     |              |             | [RFC6725] |
| 12      | GOST R 34.10-2001               | ECC-GOST            | Y            | *           | [RFC5933][standards track] |
| 13      | ECDSA Curve P-256 with SHA-256  | ECDSAP256SHA256     | Y            | *           | [RFC6605][standards track] |
| 14      | ECDSA Curve P-384 with SHA-384  | ECDSAP384SHA384     | Y            | *           | [RFC6605][standards track] |
| 15      | Ed25519                         | ED25519             | Y            | *           | [RFC8080][standards track] |
| 16      | Ed448                           | ED448               | Y            | *           | [RFC8080][standards track] |
| 17-122  | Unassigned                      |                     |              |             | |
| 123-251 | Reserved                        |                     |              |             | [RFC4034][RFC6014] |
| 252     | Reserved for Indirect Keys      | INDIRECT            | N            | N           | [RFC4034][proposed standard] |
| 253     | private algorithm               | PRIVATEDNS          | Y            | Y           | [RFC4034] |
| 254     | private algorithm OID           | PRIVATEOID          | Y            | Y           | [RFC4034] |
| 255     | Reserved                        |                     |              |             | [RFC4034][proposed standard] |