This no longer works on my machine now. We are working on this.

How DNSSEC Works

https://www.cloudflare.com/dns/dnssec/how-dnssec-works/

Steps

For DN42, the master delegation servers (source code here?) regularly pull the registry and sign the zones (only what you wrote in the registry), as dig AXFR dn42. @172.20.129.1 (burble’s server) shows, e.g.:

lantian.dn42. 900 IN DS 20109 13 1 390386BE8B1112DCF5B476286B5E64FF098200B0
lantian.dn42. 900 IN DS 20109 13 2 28206D72E41A4F3B19E48EEBA571CB2DA202A80AF19E217BFAD34CE9 76AF0B51
lantian.dn42. 900 IN DS 20109 13 4 8DC4CB9741A6EB7B40016A1AA8334A4380D55D7D2F2648F486BB12FA D2836D453879DE6FC0B20A8F772DCCBE0C45D82A
lantian.dn42. 900 IN NS ns-anycast.lantian.dn42.
lantian.dn42. 900 IN NS ns1.lantian.dn42.
lantian.dn42. 900 IN NS ns2.lantian.dn42.
lantian.dn42. 900 IN NS ns3.lantian.dn42.
lantian.dn42. 900 IN RRSIG DS 10 2 900 20200920203556 20200916203556 59291 dn42. (long stuff here)
lantian.dn42. 900 IN RRSIG NSEC 10 2 900 20200920203556 20200916203556 59291 dn42. (long stuff here)
ns-anycast.lantian.dn42. 900 IN A 172.22.76.109
ns-anycast.lantian.dn42. 900 IN AAAA fdbc:f9dc:67ad:2547::54
ns1.lantian.dn42. 900 IN A 172.22.76.186
ns1.lantian.dn42. 900 IN AAAA fdbc:f9dc:67ad::8b:c606:ba01
ns2.lantian.dn42. 900 IN A 172.22.76.185
ns2.lantian.dn42. 900 IN AAAA fdbc:f9dc:67ad::dd:c85a:8a93
ns3.lantian.dn42. 900 IN A 172.22.76.190
ns3.lantian.dn42. 900 IN AAAA fdbc:f9dc:67ad::cc:433e:da3b
lalakis.dn42. 900 IN NSEC lantian.dn42. NS RRSIG NSEC
lantian.dn42. 900 IN NSEC laxu.dn42. NS DS RRSIG NSEC

… and what we see in the registry:

domain: lantian.dn42
admin-c: LANTIAN-DN42
tech-c: LANTIAN-DN42
mnt-by: LANTIAN-MNT
nserver: ns-anycast.lantian.dn42 172.22.76.109
nserver: ns-anycast.lantian.dn42 fdbc:f9dc:67ad:2547::54
nserver: ns1.lantian.dn42 172.22.76.186
nserver: ns1.lantian.dn42 fdbc:f9dc:67ad::8b:c606:ba01
nserver: ns2.lantian.dn42 172.22.76.185
nserver: ns2.lantian.dn42 fdbc:f9dc:67ad::dd:c85a:8a93
nserver: ns3.lantian.dn42 172.22.76.190
nserver: ns3.lantian.dn42 fdbc:f9dc:67ad::cc:433e:da3b
ds-rdata: 20109 13 1 390386be8b1112dcf5b476286b5e64ff098200b0
ds-rdata: 20109 13 2 28206d72e41a4f3b19e48eeba571cb2da202a80af19e217bfad34ce976af0b51
ds-rdata: 20109 13 4 8dc4cb9741a6eb7b40016a1aa8334a4380d55d7d2f2648f486bb12fad2836d453879de6fc0b20a8f772dccbe0c45d82a
source: DN42
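The two listings above should agree: every ds-rdata value in the registry object must show up as a DS record in the delegating zone. The comparison is easy to get wrong by eye, because dig prints digests upper-case and splits long ones with spaces while the registry stores them lower-case and unbroken. The following Python check is an added example (not code from the page or from the DN42 registry tooling); its sample lines are the lantian.dn42 records shown above.

```python
import re

# Delegation as served by the dn42 zone (from the AXFR above) and the registry
# object it was generated from; both copied from the page.
ZONE_LINES = [
    "lantian.dn42. 900 IN DS 20109 13 1 390386BE8B1112DCF5B476286B5E64FF098200B0",
    "lantian.dn42. 900 IN DS 20109 13 2 28206D72E41A4F3B19E48EEBA571CB2DA202A80AF19E217BFAD34CE9 76AF0B51",
    "lantian.dn42. 900 IN NS ns1.lantian.dn42.",
]
REGISTRY_LINES = [
    "domain: lantian.dn42",
    "ds-rdata: 20109 13 1 390386be8b1112dcf5b476286b5e64ff098200b0",
    "ds-rdata: 20109 13 2 28206d72e41a4f3b19e48eeba571cb2da202a80af19e217bfad34ce976af0b51",
]


def normalize_ds(keytag, alg, dtype, digest):
    """Canonical tuple: dig prints the digest upper-case and split by spaces, the
    registry lower-case and unbroken; compare both on one normalized form."""
    return (int(keytag), int(alg), int(dtype), re.sub(r"\s+", "", digest).upper())


def ds_from_zone(lines):
    """DS rdata from dig output lines of the form 'owner TTL IN DS tag alg type digest'."""
    found = set()
    for line in lines:
        f = line.split()
        if len(f) >= 8 and f[2:4] == ["IN", "DS"]:
            found.add(normalize_ds(f[4], f[5], f[6], " ".join(f[7:])))
    return found


def ds_from_registry(lines):
    """DS rdata from the ds-rdata attributes of a registry dns/ (or inet(6)num) object."""
    found = set()
    for line in lines:
        key, sep, value = line.partition(":")
        if sep and key.strip() == "ds-rdata":
            f = value.split()
            found.add(normalize_ds(f[0], f[1], f[2], " ".join(f[3:])))
    return found


def check_delegation(zone_lines, registry_lines):
    """Return (in registry but not served, served but not in registry); both empty means OK."""
    zone, reg = ds_from_zone(zone_lines), ds_from_registry(registry_lines)
    return reg - zone, zone - reg
```

Feed it the output of the AXFR (or a dig DS query for your domain) and your registry object after a key rollover; a non-empty first set means the registry was updated but the delegation has not been re-signed yet, or the other way round.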

Yes, the root server just signs DS records for us, so what we need to do is:

  1. create our own keys;
  2. sign the zones;
  3. add the ds-rdata records to the domain object.

Then do as described here, and also on this page. Don’t forget to configure AppArmor properly so that BIND can write to the zone directory. Note that the keys need to be loaded each time BIND is restarted.

To check if your domain is signed:

rndc signing -list example.nil

Valid output looks like:

Done signing with key 11999/RSASHA256
Done signing with key 57898/RSASHA256

If so, export the DS data with:

$ (d=moecast.dn42; dig @127.0.0.1 +norecurse "$d". DNSKEY | dnssec-dsfromkey -f - "$d")
moecast.dn42. IN DS 11999 8 2 3B960D74068771B034AD6A8B9F454E3B359545812416AEB4EE72BBA6B8036EA4

Then just add 11999 8 2 3B960D74068771B034AD6A8B9F454E3B359545812416AEB4EE72BBA6B8036EA4 to the registry, in the ds-rdata field of your dns/ file, or of the inet(6)num file for rDNS.
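To see what dnssec-dsfromkey actually computes (and to cross-check the key ids that dig prints for the dn42 trust anchors later on this page), here is an added Python example, not code from the page or from BIND: it builds the DNSKEY RDATA, computes the RFC 4034 key tag, and derives DS records with digest types 1, 2 and 4 from the dn42 KSK that the trust-anchors file below lists with key id 64441.

```python
import base64
import hashlib
import struct

# DS digest types: 1 SHA-1 (RFC 4034), 2 SHA-256 (RFC 4509), 4 SHA-384 (RFC 6605).
DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# dn42 KSK copied from the trust-anchors file on this page (dig reports key id 64441).
DN42_KSK_B64 = (
    "AwEAAb0nBgLT9Fk7UJsNK2HbymM6PU4mDaC60l8w1vtz"
    "R83b+mMs3t2Uk7ITrIyiEQU8/EufmfJSHABfhaOVX3XW"
    "kLYIJmcJJm6TbbDZt9fVrxPJyiK0E8qtv13Myto5ogqV"
    "n6U4B4i8roS5yxoh6yV4xS8sqfaLeAyNyzTrwONeX1HX"
    "GOtI8QinW927mIFvEZWqSITzL8yd0mWmypq0IicjsFlp"
    "j4/4bVhyDP7M5c2sdv1l9IarsTi93V5ops5PDOIdFx+R"
    "s5v8TQDGiQToYVDqzYq4rrr5X5LoxHGdij8WpS4x4scH"
    "MHie2qD52zharboMGb6jZx35CLFB2ftgnhrE4sM="
)


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    key = base64.b64decode("".join(pubkey_b64.split()))
    return struct.pack("!HBB", flags, protocol, algorithm) + key


def key_tag(rdata):
    """Key tag from RFC 4034 Appendix B (all algorithms except the old RSA/MD5)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def owner_wire(name):
    """Canonical wire form of the owner name: lowercase, length-prefixed labels, root label."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def ds_rdata(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Return 'keytag algorithm digesttype HEXDIGEST', i.e. the ds-rdata value for the registry."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DS_DIGESTS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {algorithm} {digest_type} {digest}"


if __name__ == "__main__":
    for dtype in (1, 2, 4):
        print("dn42. IN DS", ds_rdata("dn42.", 257, 3, 10, DN42_KSK_B64, dtype))
```

The digest covers the owner name as well as the key, so the same DNSKEY yields a different DS for every zone name; computing it from your own zone's DNSKEY output and comparing with what dnssec-dsfromkey printed is a cheap sanity check before touching the registry.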

Enable DNSSEC on Your BIND

Enable DNSSEC with these lines in your named.conf.options:

options {
    // ...
    dnssec-enable yes;
    dnssec-validation yes;
    // ...
};

When dnssec-validation is set to yes, we need to specify the trust anchors ourselves. Example of a trust-anchors configuration:

trust-anchors {
# This key (20326) was published in the root zone in 2017.
. initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
R1AkUTV74bU=";
# Key for DN42
dn42. static-key 257 3 10 "AwEAAb0nBgLT9Fk7UJsNK2HbymM6PU4mDaC60l8w1vtz
R83b+mMs3t2Uk7ITrIyiEQU8/EufmfJSHABfhaOVX3XW
kLYIJmcJJm6TbbDZt9fVrxPJyiK0E8qtv13Myto5ogqV
n6U4B4i8roS5yxoh6yV4xS8sqfaLeAyNyzTrwONeX1HX
GOtI8QinW927mIFvEZWqSITzL8yd0mWmypq0IicjsFlp
j4/4bVhyDP7M5c2sdv1l9IarsTi93V5ops5PDOIdFx+R
s5v8TQDGiQToYVDqzYq4rrr5X5LoxHGdij8WpS4x4scH
MHie2qD52zharboMGb6jZx35CLFB2ftgnhrE4sM="; # KSK; alg = RSASHA512 ; key id = 64441
dn42. static-key 256 3 10 "AwEAAe1x3/HbZa1EbzhJUsDwQlUifLl3aqTkLkgopyq5
P1M2TV26pb9uqsQPtd1WMjU7w1e9k4WgO73dji/VpVLW
0Zlw8pv6HuCysSfl5uFl77pt16GcEE3B7Dv05DHk/7Bj
MZ1B/FgWfJCN17SAclsOje9ccPHiA8iiYl5jc5TtiRdQ
8MTuQIpKz0FhC+lzzLyNWXNFi3oPa26zmvKus3ijvv1F
sxX4CwXLIVXMwQrG1Mu7b1Ska7Rklx7uo2QJpGmUOqxK
AJGCbcl7y9AA/cyq7UChI5qKEPs/1Lb59FFCPQS5vJ2f
JMT2VWfSkXiHbce5kBOGnDjEfIl6VAIc9+U2m1k="; # ZSK; alg = RSASHA512 ; key id = 59291
dn42. static-key 256 3 10 "AwEAAavmLAF3Z3InHb5Q25HFzITcM/zC1q/LLNT1Qo8W
hzK01q2rqV6a+koIEBvIV3EokKbm4Rv7oQGxUAdAYhi9
vpVJsVozsJ7anWnlHxhqUJ1LAs5y+cb13+DOZFfdBGAj
Xmt5Bi7znxsH3i77b7Rwx9WdLM+kS0GZew2eXIpjkfbG
0TwyHbp1AUgPotY122YcOE/X9ki5N4wTIXK4/o323yx6
xs/Wy7onmf4Mo50dTDsiRCcHvCUPO2CkrAEHeF11WZjr
CmSzDte3p4LM2ZKnDIou0X2PAsh8isC8yNk1EG2a1XX/
THziFaGPUpzQrbHP6Gty8p1HesCiKT4bgnISYGU="; # ZSK; alg = RSASHA512 ; key id = 791
dn42. static-key 257 3 10 "AwEAAcpo6XPgOwyyEeHOuAQNrj+CRZM9YW7oFbf1qhyo
SaogUzIXvnCsKrOT8TSBXYmw2g1BbhJUOy+S3hBxIWLq
AAceUr+F4NA928sZ3C6AjHcDvogQ0crX+rvH4ZX/d1ER
TPHfXIl2mtTrRcoMtf27b5h/Zi4o2FDkedJHNKhZC3Vh
w4TNEWmE8pgG8CFU5d/3J60fBcuH+q4nErowGFjxHkxX
qBKw7XXCmxtCQJo2EUPdLmLgEhurbknaJ5G8qrI46t3r
NksRlSvqkwhoYd1MXGKS3qJ4tuKgvvhvlLYGVCGhQWVq
a2H+J+IH7/PTOIcAML83fQh3BqG+PAuq9/hvqmM="; # KSK; alg = RSASHA512 ; key id = 3096
};

Test If It Works

We use the delv tool, which ships with BIND.

delv -a trust-anchors.key +root=dn42 +mtrace +vtrace +rtrace +yaml www.moecast.dn42

or a shorter version:

delv -a trust-anchors.key +root=dn42 www.moecast.dn42

We load the trust anchor file we wrote for BIND’s named (described above), and tell delv not to ignore the dn42 zone. For the dn42 zone delv still queries the clearnet root zone, and uses the key we specified only if the dn42 zone does not exist on the clearnet root servers. Successful output (of the short version) looks like:

; fully validated
www.moecast.dn42. 60 IN CNAME moecast.dn42.
www.moecast.dn42. 60 IN RRSIG (a pretty long line here)
moecast.dn42. 60 IN A 172.23.89.1
moecast.dn42. 60 IN RRSIG (a pretty long line here)

Also, to test whether your name server validates DNSSEC for other domains, look at the dig answer flags: AD (Authenticated Data) “indicates the resolver believes the responses to be authentic - that is, validated by DNSSEC”.

Further Reading

  1. DNSSEC Analyzer