It has already been some time since Dan Kaminsky published his exploit on DNS; by far this was one of the most shocking events for DNS admins in a long time. For those who would like to understand the exploit found by Dan Kaminsky, there is an excellent guide on unixwiz.net which is a very good introduction to the DNS exploit.
To tighten security, the administrators of .gov domains are now told to implement DNSSEC to make sure the .gov domain servers will be more secure. Besides the fact that tightening your security is always a good plan, this will also be a boost for the DNSSEC project. To get a good view on DNSSEC you can review the video below, which is a very fast introduction to DNSSEC.
Very briefly, the steps to create keys for DNSSEC on a Linux BIND server are noted below. However, this is a very short guide and it has a lot of open spots. You might want to look around to find more details. I might even write a more detailed guide on this; for now, however, you will have to make do with this.
- Make sure you are running at least BIND 9.3; version 9.3 is the first version in which you can sign your zones.
- Review your named.conf file and make sure that `dnssec-enable` is set to `yes`.
- Next, create a key for your zone, a ZSK (Zone Signing Key): `dnssec-keygen -a RSASHA1 -b 1024 -n ZONE somedomain.com`
- Create a key to sign your ZSK, a KSK (Key Signing Key): `dnssec-keygen -a RSASHA1 -b 2048 -n ZONE -f KSK somedomain.com`
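The four steps above, collected into one shell script as an added example (this is not code from the original post). It checks the two prerequisites (BIND version at least 9.3, `dnssec-enable yes;` present in named.conf) before running the two `dnssec-keygen` commands from the list. The zone name and key directory are placeholders, and the script assumes BIND's `dnssec-keygen` is on the PATH when the key step runs. The algorithm and key sizes are the ones the post gives; be aware that current guidance (RFC 8624) no longer recommends RSASHA1 for signing and newer BIND releases default to ECDSAP256SHA256, so substitute the algorithm your BIND version supports.

```shell
#!/bin/sh
# Added example, not from the original post: prerequisite checks plus the
# two dnssec-keygen calls for a ZSK and a KSK.
# Usage (zone name and directory are placeholders):
#   . ./dnssec-keys.sh
#   generate_dnssec_keys somedomain.com /etc/bind/keys

# Extract the numeric version from the banner printed by `named -v`,
# e.g. "BIND 9.16.1 (Stable Release) <id:...>" -> "9.16.1".
bind_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^BIND \([0-9][0-9.]*\).*/\1/p'
}

# Returns 0 if the numeric version is at least 9.3 (the first release that
# can sign zones), 1 otherwise. Suffixes such as "-P1" are ignored.
bind_version_ok() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2 | sed 's/[^0-9].*//')
    [ "$major" -gt 9 ] && return 0
    [ "$major" -eq 9 ] && [ "${minor:-0}" -ge 3 ] && return 0
    return 1
}

# Reads named.conf text on stdin; returns 0 if an uncommented line sets
# "dnssec-enable yes;", 1 otherwise.
named_conf_has_dnssec_enable() {
    grep -v '^[[:space:]]*//' | grep -Eq '^[[:space:]]*dnssec-enable[[:space:]]+yes[[:space:]]*;'
}

# Runs the two dnssec-keygen commands from the post for zone $1, writing the
# key files into directory $2. Returns non-zero if the tool is missing.
generate_dnssec_keys() {
    zone="$1"
    keydir="$2"
    if ! command -v dnssec-keygen >/dev/null 2>&1; then
        echo "dnssec-keygen not found: install the BIND utilities first" >&2
        return 1
    fi
    mkdir -p "$keydir" || return 1
    (
        cd "$keydir" || exit 1
        # Zone Signing Key: signs the records in the zone.
        dnssec-keygen -a RSASHA1 -b 1024 -n ZONE "$zone" || exit 1
        # Key Signing Key: signs the ZSK; -f KSK sets the SEP flag (257).
        dnssec-keygen -a RSASHA1 -b 2048 -n ZONE -f KSK "$zone" || exit 1
    )
}
```

`dnssec-keygen` prints the base name of each key pair it creates (`Ksomedomain.com.+005+NNNNN`), and writes the matching `.key` and `.private` files into the current directory, which is why the key step changes into the key directory first. Keep the `.private` files readable only by the user that signs the zone.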
To get everything up and running you have to take some more steps; however, in this post I only want to show you how to create the keys needed for DNSSEC.