Assumptions and Clarifications

We are going to add DNSSEC to two existing nsd servers, one on a PowerPC Mac mini and the other in a VM running OpenBSD. You need a domain registered to you; in this case I am using Namecheap. nsd-control appears below for reconfig, reload and force_transfer; it is one of several ways to administer nsd.

Configuring Zones with DNSSEC

You need a working unsigned zone on both servers first; the steps below add signing on top of it.

1. Preparing the DNSSEC keys on the master node

First create the keys. I am using this signing algorithm (ECDSAP256SHA256, algorithm 13) because Namecheap supports it. -k marks the KSK (flags 257 instead of 256). -b has no effect for ECDSA keys, where the curve fixes the key size at 256 bits, so the 1024 and 2048 below are ignored. ldns-keygen prints the base name of the key files it wrote, which is what the export captures for the signing step.

dalmine# export ZSK=`ldns-keygen -a ECDSAP256SHA256 -b 1024 restauradordeleyes.cloud`
dalmine# export KSK=`ldns-keygen -k -a ECDSAP256SHA256 -b 2048 restauradordeleyes.cloud`
dalmine# ls -ltrh
-rw-------  1 root  wheel   114B Apr 19 22:24 Krestauradordeleyes.cloud.+013+55265.private
-rw-r--r--  1 root  wheel   167B Apr 19 22:24 Krestauradordeleyes.cloud.+013+55265.key
-rw-------  1 root  wheel   114B Apr 19 22:24 Krestauradordeleyes.cloud.+013+63270.private
-rw-r--r--  1 root  wheel   167B Apr 19 22:24 Krestauradordeleyes.cloud.+013+63270.key
-rw-r--r--  1 root  wheel   108B Apr 19 22:24 Krestauradordeleyes.cloud.+013+63270.ds
dalmine#

Then sign the zone. ldns-signzone leaves the original file untouched and writes restauradordeleyes.cloud.zone.signed next to it (the copy is just a backup). -n uses NSEC3 instead of NSEC, -s sets the NSEC3 salt (hex, here 8 random bytes), and -p sets the opt-out flag, which only helps zones with many unsigned delegations and can be dropped for a small zone like this one. Signatures are valid for four weeks by default (compare the RRSIG inception and expiration dates in the dig output at the end), so the zone has to be re-signed before they expire, otherwise validating resolvers mark it bogus and every lookup fails.

dalmine# cp restauradordeleyes.cloud.zone restauradordeleyes.cloud.zone.bkp
dalmine# ldns-signzone -n -p -s $(head -n 1000 /dev/random | sha1   | cut -b 1-16) restauradordeleyes.cloud.zone $ZSK $KSK
dalmine# ls -ltrh restauradordeleyes.cloud.zone.signed
-rw-r--r--  1 root  wheel   3.7K Apr 19 22:30 restauradordeleyes.cloud.zone.signed
dalmine#
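As an added example (not code from the original post), a small Python checker for that failure mode: it parses the RRSIG lines of a signed zone file and reports signatures that are expired, not yet valid, or inside a warning window. The sample zone text embedded in it is constructed in the layout ldns-signzone writes, with placeholder signatures and the inception/expiration timestamps seen on this page; `now` is passed in explicitly (a datetime or a YYYYMMDDHHMMSS string) so results are reproducible, and the function names are mine.

```python
"""Report RRSIGs in a signed zone file that are expired or about to expire.

Added example, not part of the original post or of ldns."""
from datetime import datetime, timezone

# Constructed sample, not a real signed zone: same column layout as
# ldns-signzone output, placeholder signature data, timestamps from the page.
SAMPLE_ZONE = """\
; constructed sample zone
restauradordeleyes.cloud. 3600 IN SOA ns1.restauradordeleyes.cloud. hostmaster.restauradordeleyes.cloud. 2021041901 3600 900 1209600 300
restauradordeleyes.cloud. 3600 IN RRSIG SOA 13 2 3600 20210517203036 20210419203036 55265 restauradordeleyes.cloud. c2lnbmF0dXJl
www.restauradordeleyes.cloud. 300 IN A 45.138.230.237
www.restauradordeleyes.cloud. 300 IN RRSIG A 13 3 300 20210517203036 20210419203036 55265 restauradordeleyes.cloud. c2lnbmF0dXJl
restauradordeleyes.cloud. 3600 IN RRSIG DNSKEY 13 2 3600 20210601000000 20210419203036 63270 restauradordeleyes.cloud. c2lnbmF0dXJl
"""


def parse_rrsig_time(ts):
    """RFC 4034 presentation time YYYYMMDDHHMMSS (UTC) -> aware datetime."""
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def rrsigs(zone_text):
    """Yield (owner, covered_type, key_tag, inception, expiration) per RRSIG line.

    Assumes one record per line with the owner in the first column, which is
    how ldns-signzone writes the .signed file (dig +multiline wraps, so feed
    it the zone file, not dig output)."""
    for line in zone_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(";") or "RRSIG" not in fields:
            continue
        i = fields.index("RRSIG")
        # RRSIG RDATA: type alg labels orig_ttl expiration inception keytag signer sig
        covered, _alg, _labels, _ottl, exp, inc, tag = fields[i + 1:i + 8]
        yield fields[0], covered, int(tag), parse_rrsig_time(inc), parse_rrsig_time(exp)


def check_expiry(zone_text, now, warn_days=14):
    """Return [(owner, covered_type, key_tag, status, days_left)] for every RRSIG.

    status is one of ok, expiring (within warn_days), expired, not-yet-valid."""
    if isinstance(now, str):
        now = parse_rrsig_time(now)
    report = []
    for owner, covered, tag, inc, exp in rrsigs(zone_text):
        days_left = (exp - now).total_seconds() / 86400
        if now < inc:
            status = "not-yet-valid"
        elif now >= exp:
            status = "expired"
        elif days_left <= warn_days:
            status = "expiring"
        else:
            status = "ok"
        report.append((owner, covered, tag, status, round(days_left, 1)))
    return report


def problems(zone_text, now, warn_days=14):
    """Only the rows that need action; empty list means the zone is fine."""
    return [r for r in check_expiry(zone_text, now, warn_days) if r[3] != "ok"]


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ZONE
    for row in check_expiry(text, datetime.now(timezone.utc)):
        print(*row)
```

Run it against master/restauradordeleyes.cloud.zone.signed from cron and alert on a non-empty `problems()` list; with the four-week default, a warning window of about two weeks leaves time to re-sign and let the slave transfer the new signatures.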

Then update nsd.conf on the master so it serves the signed file. The second field of notify and provide-xfr is a TSIG key name (or NOKEY); the config below references a key named after the zone, which is assumed to be defined in a key: block elsewhere in nsd.conf. TSIG authenticates both the NOTIFY and the transfer itself rather than trusting the source address alone.


zone:
        name: "restauradordeleyes.cloud"
        zonefile: "master/restauradordeleyes.cloud.zone.signed"
        notify: SLAVE_IP restauradordeleyes.cloud
        provide-xfr: SLAVE_IP restauradordeleyes.cloud


Reload the configuration and the zone:

dalmine# nsd-control reconfig
reconfig start, read /etc/nsd.conf
ok
dalmine# nsd-control reload restauradordeleyes.cloud
ok
dalmine#

Check that both DNSKEY records are served (the key material is redacted in the listing below; real output shows flags 256 for the ZSK and 257 for the KSK, protocol 3 and algorithm 13 for ECDSAP256SHA256).


dalmine# dig DNSKEY restauradordeleyes.cloud. @172.16.1.23 +multiline +norec

; <<>> DiG 9.4.2-P2 <<>> DNSKEY restauradordeleyes.cloud. @172.16.1.23 +multiline +norec
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58624
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;restauradordeleyes.cloud. IN DNSKEY

;; ANSWER SECTION:
restauradordeleyes.cloud. 3600 IN DNSKEY 251 1 11 (
                                xxx
                                xxxx
                                ) ; key id = xxxx
restauradordeleyes.cloud. 3600 IN DNSKEY 252 1 11 (
                                xxxxi
                                xxxx
                                ) ; key id = xxx

;; Query time: 5 msec
;; SERVER: 172.16.1.23#53(172.16.1.23)
;; WHEN: Mon Apr 19 22:35:42 2021
;; MSG SIZE  rcvd: 202

dalmine#

2. Preparing the DNSSEC zone on the slave node

Now configure the slave zone in the slave's nsd.conf. The slave only receives the already signed zone by AXFR; it never needs the private keys.

zone:
        name: "restauradordeleyes.cloud"
        zonefile: "restauradordeleyes.cloud.zone.signed"
        #zonefile: "slave/restauradordeleyes.cloud.zone"
        allow-notify: MASTER_IP restauradordeleyes.cloud
        request-xfr: MASTER_IP restauradordeleyes.cloud


Reload the configuration (nsd-control reconfig, as on the master) and force a transfer:

mail# nsd-control force_transfer restauradordeleyes.cloud
ok
mail#

From the master's log:
[2021-04-19 22:51:37.320] nsd[19697]: info: axfr for restauradordeleyes.cloud. from MASTER_IP


Test it from the slave:

mail# dig DNSKEY restauradordeleyes.cloud @SLAVE_IP +multiline +norec

; <<>> dig 9.10.8-P1 <<>> DNSKEY restauradordeleyes.cloud @SLAVE_IP +multiline +norec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46724
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;restauradordeleyes.cloud. IN DNSKEY

;; ANSWER SECTION:
restauradordeleyes.cloud. 3600 IN DNSKEY 251 1 11 (
                                111
                                1111
                                ) ; ZSK; alg = ECDSAP256SHA256 ; key id = xxxx
restauradordeleyes.cloud. 3600 IN DNSKEY 251 3 11 (
                                1111
                                111
                                ) ; KSK; alg = ECDSAP256SHA256 ; key id = xxxx

;; Query time: 0 msec
;; SERVER: SLAVE_IP#53(SLAVE_IP)
;; WHEN: Mon Apr 19 22:52:41 CEST 2021
;; MSG SIZE  rcvd: 213

mail#

3. Generate the DS record

Now generate the DS record for the next step. Run this on the master, where the signed zone is: ldns-key2ds reads the DNSKEY records from the file, -2 selects SHA-256 as the digest type and -n prints the DS to stdout instead of writing a .ds file. Only the DS of the KSK (key id 63270 here) has to go to the registrar.

dalmine# ldns-key2ds -n -2 restauradordeleyes.cloud.zone.signed
restauradordeleyes.cloud.       3600    IN      DS      63270 13 2 xxxxxxxx
dalmine#
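As an added example (not the page's or ldns's code), a Python check that a published DS really was derived from a given DNSKEY, following RFC 4034: the canonical owner name plus the DNSKEY RDATA is hashed with the DS digest type, and the key tag is computed as in Appendix B. It parses the one-line presentation formats used on this page, tolerates the digest being split by whitespace the way dig prints it, and ignores owner and TTL when comparing. The DNSKEY it ships with is constructed (flags 257, protocol 3, algorithm 13, a public key of 64 bytes of 0x01 so the key tag 9262 can be checked by hand), not a real key, and the function names are mine.

```python
"""Derive a DS from a DNSKEY and verify a published DS against it (RFC 4034).

Added example, not part of the original post or of ldns."""
import base64
import hashlib

# DS digest types: 1 SHA-1, 2 SHA-256, 4 SHA-384 (3, GOST, is not supported here).
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Owner name in canonical wire form: lowercase, length-prefixed labels, root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA wire form: flags(2) protocol(1) algorithm(1) public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (valid for every algorithm except 1, RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line):
    """'owner [ttl] [IN] DNSKEY flags proto alg base64...' -> (owner, flags, proto, alg, pubkey)."""
    f = line.split()
    i = f.index("DNSKEY")
    flags, proto, alg = (int(x) for x in f[i + 1:i + 4])
    pubkey = base64.b64decode("".join(f[i + 4:]))
    return f[0], flags, proto, alg, pubkey


def ds_from_dnskey(line, digest_type=2):
    """Return (key_tag, algorithm, digest_type, HEX_DIGEST) as a DS record would carry them."""
    owner, flags, proto, alg, pubkey = parse_dnskey(line)
    rdata = dnskey_rdata(flags, proto, alg, pubkey)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), alg, digest_type, digest


def ds_text(dnskey_line, digest_type=2, ttl=3600):
    """Presentation-format DS line for the DNSKEY, like ldns-key2ds -n prints."""
    owner = parse_dnskey(dnskey_line)[0]
    tag, alg, dtype, digest = ds_from_dnskey(dnskey_line, digest_type)
    return f"{owner}\t{ttl}\tIN\tDS\t{tag} {alg} {dtype} {digest}"


def parse_ds(line):
    """'owner [ttl] [IN] DS tag alg dtype hex...'; dig may split the hex with spaces."""
    f = line.split()
    i = f.index("DS")
    tag, alg, dtype = (int(x) for x in f[i + 1:i + 4])
    return tag, alg, dtype, "".join(f[i + 4:]).upper()


def ds_matches(dnskey_line, ds_line):
    """True when the DS (key tag, algorithm, digest type and digest) was derived from this DNSKEY."""
    tag, alg, dtype, digest = parse_ds(ds_line)
    if dtype not in DIGESTS:
        return False
    return ds_from_dnskey(dnskey_line, dtype) == (tag, alg, dtype, digest)


# Constructed sample: KSK-shaped (257 3 13) with a public key of 64 bytes of 0x01,
# which gives key tag 9262; it is not a real key.
SAMPLE_DNSKEY = ("restauradordeleyes.cloud. 3600 IN DNSKEY 257 3 13 "
                 + base64.b64encode(bytes([1]) * 64).decode())

if __name__ == "__main__":
    ds = ds_text(SAMPLE_DNSKEY)
    print(ds)
    print("matches:", ds_matches(SAMPLE_DNSKEY, ds))
```

In practice, paste the KSK line from `dig DNSKEY restauradordeleyes.cloud +norec @master` as the first argument and the line from `dig DS restauradordeleyes.cloud` (or the `+trace` output) as the second: a False means the parent is pointing at a key you are not serving, which is exactly the state in which the whole zone validates as bogus.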


4. Configure DNSSEC in your provider

Enter the DS record from the previous step (key tag, algorithm, digest type and digest) in your registrar's DNSSEC panel. Check beforehand which algorithms and digest types the registrar accepts; the algorithm is fixed when the keys are generated in step 1. In my case I used this info –> https://www.namecheap.com/support/knowledgebase/article.aspx/9722/2232/managing-dnssec-for-domains-pointed-to-custom-dns/

5. Test it

The registrar has to publish the DS in the .cloud zone and caches have to expire, so wait a while before testing. First query the DS through a resolver:

dalmine# dig DS restauradordeleyes.cloud +short
63270 13 2 6A41590D8B02B856B994A737C88E65ED967DCB7BFB7B68862D829582 2FF50DDE
dalmine#


Another check: ask a validating resolver with +dnssec. The ad flag in the reply means the resolver validated the chain from the root down to the zone; a reply without ad, or a SERVFAIL, means validation failed.

dalmine# dig +dnssec www.restauradordeleyes.cloud

; <<>> DiG 9.4.2-P2 <<>> +dnssec www.restauradordeleyes.cloud
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38119
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;www.restauradordeleyes.cloud.  IN      A

;; ANSWER SECTION:
www.restauradordeleyes.cloud. 300 IN    A       45.138.230.237
www.restauradordeleyes.cloud. 300 IN    RRSIG   A 13 3 300 20210517203036 20210419203036 55265 restauradordeleyes.cloud. sGcxR5P6PSMjhV
1s0W9FfM73sORFSzboIwSr+sLg8fu4FXduM2S+gSF9 gN83Wa4pjiFctQVmk5SX6D3WBtcm7w==

;; Query time: 19 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Mon Apr 19 23:13:11 2021
;; MSG SIZE  rcvd: 193

dalmine# 


Finally, trace the delegation from the root to see the DS that the .cloud servers hand out for the zone; it must match what ldns-key2ds printed:

dalmine# dig DS restauradordeleyes.cloud +trace @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> DS restauradordeleyes.cloud +trace @8.8.8.8
;; global options:  printcmd
.                       5952    IN      NS      e.root-servers.net.
.                       5952    IN      NS      l.root-servers.net.
.                       5952    IN      NS      g.root-servers.net.
.                       5952    IN      NS      k.root-servers.net.
.                       5952    IN      NS      i.root-servers.net.
.                       5952    IN      NS      d.root-servers.net.
.                       5952    IN      NS      j.root-servers.net.
.                       5952    IN      NS      a.root-servers.net.
.                       5952    IN      NS      h.root-servers.net.
.                       5952    IN      NS      m.root-servers.net.
.                       5952    IN      NS      c.root-servers.net.
.                       5952    IN      NS      f.root-servers.net.
.                       5952    IN      NS      b.root-servers.net.
;; Received 228 bytes from 8.8.8.8#53(8.8.8.8) in 11 ms

cloud.                  172800  IN      NS      a.nic.cloud.
cloud.                  172800  IN      NS      b.nic.cloud.
cloud.                  172800  IN      NS      c.nic.cloud.
cloud.                  172800  IN      NS      d.nic.cloud.
;; Received 286 bytes from 199.7.91.13#53(d.root-servers.net) in 95 ms

restauradordeleyes.cloud. 3600  IN      DS      63270 13 2 6A41590D8B02B856B994A737C88E65ED967DCB7BFB7B68862D829582 2FF50DDE
;; Received 90 bytes from 37.209.192.10#53(a.nic.cloud) in 18 ms

dalmine#


I recommend reading this link to understand in more depth how DNSSEC works.

https://www.cyberciti.biz/faq/unix-linux-test-and-validate-dnssec-using-dig-command-line/

Tools

There are many tools to validate your DNS:

https://dnsviz.net/
https://dnssec-analyzer.verisignlabs.com/

Links

https://ethitter.com/2016/01/authoritative-dns-slave-nsd-debian-wheezy/

https://dnssec-debugger.verisignlabs.com/

https://www.digitalocean.com/community/tutorials/how-to-set-up-dnssec-on-an-nsd-nameserver-on-ubuntu-14-04

https://jamsek.dev/posts/2019/Jul/28/openbsd-dns-server-with-unbound-and-nsd/#configure-dnssec