Authoritative Zone Administrator
From DNSSEC-Tools
This is a brief description of the parts of DNSSEC-Tools a zone administrator could find useful. In general, this is someone who wants to set up and maintain one or more signed DNS zones.
DNSSEC Zone Administrator
DNSSEC-Tools has several useful tools for a Zone Administrator. Zonesigner is the workhorse tool for signing zones; a Zone Administrator can use it for all the general tasks involved in signing a zone file. Donuts is another useful DNSSEC-Tools component, used for error checking signed zone files. Lastly, DNSSEC-Tools' mapper can be used to graphically display the contents of a zone file.
Zonesigner
DNSSEC-Tools Component: zonesigner

This describes zonesigner, which is in the Zone Administration Tools category within the DNSSEC-Tools Components framework of tools.

| Tool Name | zonesigner |
|---|---|
| Tool Type | Zone Administration Tools |
| Documentation | Manual, Example, CLI Help |
Zonesigner is used for signing DNS zone files. If you use only one thing from the DNSSEC-Tools package, this is the most important one, as it will help you sign your zone. It is one of the main tools a Zone Administrator or Authoritative DNS Administrator will find useful when deploying a DNSSEC-enabled zone, and it can make signing a zone as easy as typing 'zonesigner example.com'. Zonesigner is capable of a large number of zone manipulations: it can sign a zone file and create and update both Zone Signing Keys (ZSKs) and Key Signing Keys (KSKs), while allowing more detailed configuration from the command line or a configuration file.
Zonesigner was designed to make the underlying signing tools easy to use and to "do the right thing by default" wherever possible. It is highly configurable, but most people will be happy running it without any of the extra arguments. Currently it uses (and requires) the BIND toolkit (dnssec-keygen and dnssec-signzone) to handle most of the tasks it performs.
Get started with zonesigner
To get started with zonesigner, follow these steps for a zone example.com whose zone file is 'zonefile'.
- The first time, add the -genkeys argument to generate new DNSSEC keys.
- For future runs, leave that option off, since you will already have keys for your zone. See Rollerd for more details about changing keys on a regular basis.

```
> zonesigner -genkeys -zone example.com ./zonefile

        if zonesigner appears hung, strike keys until the program completes
        (see the "Entropy" section in the man page for details)

zone signed successfully

example.com:
        KSK (cur) 08824  -b 2048  02/12/08     (signing-set-3)
        ZSK (cur) 53265  -b 1024  02/12/08     (signing-set-1)
        ZSK (pub) 41622  -b 1024  02/12/08     (signing-set-2)

zone will expire in 4 weeks, 2 days, 0 seconds
DO NOT delete the keys until this time has passed.

>
```
The above:
- creates the signed zone file zonefile.signed
- leaves it ready for use; just configure the name server to load it. The next time the zone needs to be signed (before the 4 weeks, 2 days have elapsed), run the same command without the -genkeys argument. If the signatures are allowed to expire, validating resolvers will treat the zone as bogus and stop resolving it.
A ready to use signed zone file, 'zonefile.signed', is generated. Created along with it are the associated Zone and Key Signing Keys (ZSKs/KSKs), keyset files, dsset file, and a zonesigner configuration file for example.com. Note that these files are generated in the same directory as the zone file that is signed. The location of these files can be adjusted through command line arguments to zonesigner.
(Even easier, if your zone file name matches the zone itself, e.g. example.com, simply running the command 'zonesigner -genkeys example.com' will generate example.com.signed.)
Zonesigner offers a large number of additional options to affect zone file signing. The key expiration times, file name and locations can all be adjusted from the command line. It will even do the various steps required for key rollovers, although it is much easier to use rollerd to execute the needed key-rolling steps automatically.
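The two operational decisions in the steps above, whether this run needs -genkeys and how long before the "zone will expire" deadline the next run is due, can be scripted. The following Python is an added example and is not part of DNSSEC-Tools: it builds the zonesigner command line, and reads the RRSIG expiration times out of the .signed file so that a cron job can re-sign before the earliest signature lapses. It assumes zonesigner's default of keeping keys next to the zone file and the K<zone>.+<alg>+<keytag>.key file names of BIND's dnssec-keygen (which zonesigner uses); the signed zone excerpt below is constructed for illustration.

```python
"""Script the zonesigner sign/re-sign cycle described above.

Added example, not part of DNSSEC-Tools. Assumptions: keys sit next to the
zone file (zonesigner's default) and use BIND's dnssec-keygen naming
K<zone>.+<alg>+<keytag>.key; the signed zone below is constructed.
"""
import glob
import os
from datetime import datetime, timezone

# Constructed excerpt of a zonefile.signed in dnssec-signzone's output style:
# one-line and parenthesised multi-line RRSIGs, a comment, an inherited owner.
SAMPLE_SIGNED_ZONE = """\
$ORIGIN example.com.
$TTL 3600
example.com.  3600 IN SOA ns1.example.com. hostmaster.example.com. 2008021201 3600 900 604800 3600
example.com.  3600 IN RRSIG SOA 5 2 3600 20080313000000 20080212000000 53265 example.com. c2lnbmF0dXJlMQ==
example.com.  3600 IN NS  ns1.example.com.
example.com.  3600 IN RRSIG NS 5 2 3600 (
                 20080311120000 20080212000000 53265 example.com.  ; ZSK 53265
                 c2lnbmF0dXJlMg== )
example.com.  3600 IN DNSKEY 257 3 5 AwEAAQ==
              3600 IN RRSIG DNSKEY 5 2 3600 20080313000000 20080212000000 08824 example.com. c2lnbmF0dXJlMw==
pictures.example.com. 3600 IN CNAME www.example.com.
"""


def _records(zone_text):
    """Yield (owner, tokens) per record: strips ';' comments, joins
    parenthesised continuation lines, and fills in an inherited owner name."""
    buf, depth, owner, leading_ws = [], 0, None, False
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]
        if not buf:
            leading_ws = line[:1].isspace()
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth > 0:
            continue
        toks = " ".join(buf).split()
        buf, depth = [], 0
        if not toks or toks[0].startswith("$"):
            continue  # blank/comment line or $ORIGIN/$TTL directive
        if not leading_ws:
            owner, toks = toks[0], toks[1:]
        yield owner, toks


def _sigtime(tok):
    """RRSIG times are YYYYMMDDHHmmSS or seconds since the epoch (RFC 4034 3.2)."""
    if len(tok) == 14:
        return datetime.strptime(tok, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(tok), tz=timezone.utc)


def rrsig_expirations(zone_text):
    """Map (owner, type covered) -> signature expiration for every RRSIG."""
    out = {}
    for owner, toks in _records(zone_text):
        if "RRSIG" not in toks:
            continue
        i = toks.index("RRSIG")
        # RDATA: type-covered alg labels orig-ttl expiration inception keytag signer sig
        out[(owner, toks[i + 1])] = _sigtime(toks[i + 5])
    return out


def earliest_expiration(zone_text):
    exps = rrsig_expirations(zone_text)
    if not exps:
        raise ValueError("no RRSIG records found; is this the .signed file?")
    return min(exps.values())


def needs_resign(zone_text, now, margin_days=7):
    """True once the soonest RRSIG expiry is within margin_days of `now`
    (`now` is a datetime or an RRSIG-style YYYYMMDDHHmmSS string)."""
    if isinstance(now, str):
        now = _sigtime(now)
    return (earliest_expiration(zone_text) - now).total_seconds() <= margin_days * 86400


def have_keys(zone, keydir="."):
    """True if dnssec-keygen-style key files for `zone` already exist."""
    return bool(glob.glob(os.path.join(keydir, f"K{zone}.+*.key")))


def zonesigner_argv(zone, zonefile, keys_exist):
    """-genkeys only on the first run; later runs reuse the existing keys."""
    argv = ["zonesigner"]
    if not keys_exist:
        argv.append("-genkeys")
    return argv + ["-zone", zone, zonefile]


if __name__ == "__main__":
    import sys
    zone, zonefile = sys.argv[1], sys.argv[2]
    keydir = os.path.dirname(zonefile) or "."
    print(" ".join(zonesigner_argv(zone, zonefile, have_keys(zone, keydir))))
    if os.path.exists(zonefile + ".signed"):
        with open(zonefile + ".signed") as f:
            text = f.read()
        print("earliest RRSIG expiry:", earliest_expiration(text).isoformat())
        print("re-sign now:", needs_resign(text, datetime.now(timezone.utc)))
```

Run it as `python3 resign.py example.com ./zonefile`; it prints the zonesigner command to use and, once a zonefile.signed exists, whether the seven-day re-signing margin has been reached. The margin exists because the expiry zonesigner reports is the earliest RRSIG expiration, and a zone served past that point fails validation everywhere at once.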
Note
To fully use zonesigner and understand zone signing, a good grasp of how DNSSEC works is necessary. A working, signed zone file can be created using just the default values provided by zonesigner, but it is beneficial for a zone administrator to have a general familiarity with DNSSEC. The following are good places to start learning about DNSSEC:
RFC 4033, RFC 4034, RFC 4035, www.dnssec.net, ISOC's DNSSEC Theory
Donuts: an error/warning checker
DNSSEC-Tools Component: donuts

This describes donuts, which is in the Zone Administration Tools category within the DNSSEC-Tools Components framework of tools.

| Tool Name | donuts |
|---|---|
| Tool Type | Zone Administration Tools |
| Documentation | Manual, Example, CLI Help |
Donuts is used for error checking zone files. It checks for general DNS warnings and errors as well as DNSSEC specific issues.
Get started with donuts
To check the above 'zonefile.signed' file:
```
> donuts zonefile.signed example.com

dyn.example.com: Error: sub-domain dyn.example.com is not securely delegated. It is missing a DS record.

pictures.example.com: Error: RRSIG on name: pictures.example.com type: CNAME failed to verify: RSA Verification failed

2 errors found in zonefile.signed

>
```
Donuts prints the number of errors found (0 or more) together with a brief description of each error found in the signed zone file. It is similar to BIND's named-checkzone, except that it checks for additional operational warnings and errors and is highly extensible, so you can write your own rules to check site-specific policies and requirements.
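A freshly signed zone should not be loaded into the name server until donuts comes back clean, and a missing summary line (donuts absent, crashed, or pointed at the wrong file) must count as a failure rather than as zero errors. The Python below is an added example, not part of DNSSEC-Tools: it parses the per-name Error lines and the "<N> errors found in <file>" summary in the format shown above, and only on a count of exactly 0 copies the .signed file into a destination directory. The Warning severity, the name-on-its-own-line layout, and the install destination are assumptions for illustration; the sample output is constructed from the run shown above.

```python
"""Gate installation of a signed zone on a clean donuts run.

Added example, not part of DNSSEC-Tools. Relies on the "<name>: Error: ..."
lines and the "<N> errors found in <file>" summary donuts prints; accepting
"Warning:" as a severity and the install destination are assumptions.
"""
import re
import shutil
import subprocess

# Constructed from the donuts run shown on this page (output only, prompt dropped).
SAMPLE_DONUTS_OUTPUT = """\
dyn.example.com: Error: sub-domain dyn.example.com is not securely delegated. It is missing a DS record.
pictures.example.com: Error: RRSIG on name: pictures.example.com type: CNAME failed to verify: RSA Verification failed
2 errors found in zonefile.signed
"""

SUMMARY_RE = re.compile(r"^(\d+) errors? found in (\S+)")
# "<owner>:" optionally followed by "Error: <msg>" on the same line
NAMED_RE = re.compile(r"^(\S+):\s*(?:(Error|Warning):\s*(.*))?$")
# indented "Error: <msg>" belonging to the most recent owner line (assumed layout)
INDENTED_RE = re.compile(r"^\s+(Error|Warning):\s*(.*)$")


def parse_donuts_output(text):
    """Return (error_count, findings).

    error_count comes from donuts' own summary line and is None when that
    line is absent, which callers must treat as failure, never as clean.
    findings is a list of (owner name, severity, message) in output order."""
    count, findings, current = None, [], None
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            count = int(m.group(1))
            continue
        m = NAMED_RE.match(line)
        if m:
            current = m.group(1)
            if m.group(2):
                findings.append((current, m.group(2), m.group(3).strip()))
            continue
        m = INDENTED_RE.match(line)
        if m and current:
            findings.append((current, m.group(1), m.group(2).strip()))
    return count, findings


def is_clean(text):
    """Clean means donuts itself reported exactly zero errors."""
    count, _ = parse_donuts_output(text)
    return count == 0


def run_donuts(signed_file, zone):
    """Run donuts as on this page: donuts <signed-file> <zone>."""
    proc = subprocess.run(["donuts", signed_file, zone],
                          capture_output=True, text=True)
    return proc.stdout + proc.stderr


def install_if_clean(signed_file, zone, dest):
    """Copy signed_file to dest (assumed: the directory named.conf loads
    from) only after a clean donuts run; otherwise list the findings."""
    output = run_donuts(signed_file, zone)
    count, findings = parse_donuts_output(output)
    if count != 0:
        for name, severity, message in findings:
            print(f"{severity}: {name}: {message}")
        reason = "no summary line" if count is None else f"{count} errors"
        print(f"not installing {signed_file}: donuts reported {reason}")
        return False
    shutil.copy2(signed_file, dest)
    return True


if __name__ == "__main__":
    import sys
    signed, zone, dest = sys.argv[1], sys.argv[2], sys.argv[3]
    sys.exit(0 if install_if_clean(signed, zone, dest) else 1)
```

Run as `python3 donuts_gate.py zonefile.signed example.com /var/named/zonefile.signed` (the destination is whatever your named.conf points at) and chain it after zonesigner, so a broken signing run such as the missing DS record above never reaches the server.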
Mapper: graphically map your zones
DNSSEC-Tools Component: mapper

This describes mapper, which is in the Error Checking Tools category within the DNSSEC-Tools Components framework of tools.

| Tool Name | mapper |
|---|---|
| Tool Type | Error Checking Tools |
| Documentation | Manual, Example, CLI Help |
Mapper displays the contents of a zone file graphically, writing the result out as a PNG image.
Get started with mapper
To generate a picture of the above zone file:
> mapper zonefile.signed example.com
The file map.png will hold a picture of the zone file. Mapper has a number of command line arguments that can change how the map is organized. See the full documentation for more details.
Error Checking tools
Check out the error checking tools section included below. It includes general DNSSEC error checking tools as well as tools that error check for a specific type of use or user. Some of the tools may be useful to you even though we didn't think they applied specifically to DNSSEC Zone Administration.
Software Summary
The following documents the most useful tools that an Authoritative Zone Administrator may wish to use.

Zone Administration Tools

| Tool | Documentation | Description |
|---|---|---|
| zonesigner | Manual, Example, CLI Help | Generates keys and signs zones with one command. |
| donuts | Manual, Example, CLI Help | Error-checks the contents of your zone, including DNSSEC-specific checks. You can extend it by writing your own rules. |
| mapper | Manual, Example, CLI Help | Graphically displays the contents of your zone. |

DNS Error Checking Tools

| Tool | Documentation | Description |
|---|---|---|
| dnspktflow | Manual, Example, CLI Help | Visually traces DNS packets being sent on the network. |
| validate | Manual, CLI Help | Command-line DNS validation checking (similar to dig). Part of the libval and libsres package. |
| mapper | Manual, Example, CLI Help | Graphically displays the contents of your zone. |
| trustman | Manual, CLI Help | Detects key changes in trust anchors (TAs); it can update TAs and can run as a daemon. |
| donuts | Manual, Example, CLI Help | Error-checks the contents of your zone, including DNSSEC-specific checks. You can extend it by writing your own rules. |
| logwatch | Example | A logwatch plugin that parses the BIND server's system log messages for DNSSEC events; included in current versions of logwatch. |