
Automatic Zone Signing

Eduardo Riveros Roca edited this page Nov 24, 2020 · 1 revision

The following tutorial explains how to set up a server that automatically re-signs and updates a zone, using crontab and dns-tools.

Preparing zone and config file

Suppose we have a DNS server running BIND and a correctly installed DTC library at /etc/dtc/dtc.so, with its nodes up and configured. Our zone is exampledomain.cl, and BIND reads its definition from /var/named/master/exampledomain.cl.db. We also assume that dns-tools is correctly installed at /usr/local/bin/dns-tools.

The unsigned zone file, exampledomain.cl.db, lives in /home/signer and has the following content:

$ORIGIN cl.
$TTL 86400	; 1 day
exampledomain                 IN SOA  ns.exampledomain.cl. hostmaster.exampledomain.cl. (
                                2020042405 ; serial
                                3600	   ; refresh (1 hour)
                                3600	   ; retry (1 hour)
                                3600	   ; expire (1 hour)
                                3600	   ; minimum (1 hour)
                                )
                        NS	ns.dnsprovider.cl.
                        NS	ns.exampledomain.cl.
                        A	9.8.7.6
                        A	9.8.7.7
                        A	9.8.7.8
                        A	9.8.7.9
$TTL 3600	; 1 hour
                        MX	1 ASPMX.L.GOOGLE.COM.
                        MX	5 ALT1.ASPMX.L.GOOGLE.COM.
                        MX	5 ALT2.ASPMX.L.GOOGLE.COM.
                        MX	10 ASPMX2.L.GOOGLE.COM.
                        MX	10 ASPMX3.L.GOOGLE.COM.
$ORIGIN exampledomain.cl.
sub1                     A	200.7.6.130
sub2                     A	200.7.6.133
sub3                     CNAME  ghs.google.com.
sub4                     CNAME  ghs.google.com.
sub5                     CNAME  ghs.google.com.
sub6                     CNAME  ghs.google.com.
$TTL 86400	; 1 day
ns                       A	9.8.7.10

We can define the configuration file for dns-tools in /etc/dns-tools/dns-tools-config.json as follows:

{
    "p11lib": "/etc/dtc/dtc.so",
    "user-key": "1234",
    "key-label": "DTC-HSM",
    "file": "/home/signer/exampledomain.cl.db",
    "output": "/var/named/master/exampledomain.cl.db",
    "create-keys": false,
    "sign-algorithm": "ecdsa",
    "nsec3": false,
    "opt-out": false,
    "digest": false,
    "zone": "exampledomain.cl.",
    "info": true,
    "lazy": true,
    "rrsig-duration": "6 months",
    "verify-threshold-duration": "7 days"
}

(You need to change user-key and key-label according to your DTC configuration.)

First zone signing

First, we need to sign the complete zone, creating the keys in the DTC HSM:

dns-tools sign pkcs11 -c

The -c flag overrides the "create-keys": false setting of the configuration file, so keys are created before signing.

Assuming the signed zone file did not exist earlier, this will create the keys and then sign the zone.

Future zone signings

Now we can create a shell script (in a location like /usr/local/bin/update_zone.sh) with the following content, and run it from the crontab of an account that has write privileges on the BIND folders and is allowed to restart that service:

#!/bin/sh
# Abort on the first failing command, so named is only restarted after a successful signing.
set -e
# Re-sign the zone using the settings in /etc/dns-tools/dns-tools-config.json.
/usr/local/bin/dns-tools sign pkcs11
# Reload the freshly signed zone.
systemctl restart named

The line set -e makes the script exit as soon as any command returns a non-zero exit code. dns-tools exits with an error code when it does not need to re-sign the zone. This can happen if:

  • The modification time of the signed file is later than the modification time of the original zone.
  • The signed zone does not validate (it is not well formed, or its signatures expire in 3 days or less, based on the configuration shown above).

If the zone is successfully signed, the named service is restarted, reloading the new signed zone.
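As an added illustration (example code written for this page, not part of dns-tools or of the original wiki), the two conditions lazy mode is described as checking, written as stand-alone shell functions: is the unsigned zone newer than the signed one, and does any RRSIG in the signed file expire within the configured verify threshold (7 days in the configuration above)? Running them from a separate monitoring job lets you alert when the cron job has stopped producing fresh signatures, independently of the exit code of dns-tools. They only approximate the dns-tools behaviour described on this page, assume GNU coreutils (date -d, touch -d) and a BIND-style signed zone with one RRSIG record per line, and the zone files and RRSIG in the demo are constructed.

```shell
#!/bin/sh
# Added example, not dns-tools code: stand-alone versions of the two
# "does this zone need re-signing?" checks described on the page.
# Assumes GNU coreutils (date -d, touch -d) and one RRSIG per line.
set -eu

# needs_resign ORIGINAL SIGNED
# True (exit 0) when the signed file is missing or the unsigned zone was
# modified after it: the modification-time rule of lazy mode.
needs_resign() {
    orig=$1; signed=$2
    [ -f "$signed" ] || return 0
    [ "$orig" -nt "$signed" ]
}

# rrsig_expiring SIGNED THRESHOLD_DAYS [NOW_EPOCH]
# True (exit 0) when any RRSIG in SIGNED expires within THRESHOLD_DAYS of
# NOW_EPOCH (default: the current time). RRSIG rdata in presentation format is
# "type-covered algorithm labels original-TTL expiration inception key-tag
# signer signature", so the expiration is the 5th token after the literal
# "RRSIG". It is written as YYYYMMDDHHMMSS (UTC), which orders numerically,
# so it is compared against a limit rendered in the same format.
rrsig_expiring() {
    zone=$1; days=$2; now=${3:-$(date -u +%s)}
    limit=$(date -u -d "@$((now + days * 86400))" +%Y%m%d%H%M%S)
    awk -v limit="$limit" '
        {
            for (i = 1; i < NF; i++)
                if ($i == "RRSIG" && i + 5 <= NF && $(i + 5) + 0 <= limit + 0) {
                    found = 1; break
                }
        }
        END { exit found ? 0 : 1 }
    ' "$zone"
}

# resign_needed ORIGINAL SIGNED THRESHOLD_DAYS [NOW_EPOCH]
# True when either condition holds, i.e. when a cron run of
# "dns-tools sign pkcs11" should be producing a new signed file.
resign_needed() {
    needs_resign "$1" "$2" || rrsig_expiring "$2" "$3" "${4:-}"
}

# Demo on constructed files (stand-ins for exampledomain.cl.db and its signed
# output; the RRSIG below is made up and is not a real signature).
WORK=$(mktemp -d)
ORIG=$WORK/exampledomain.cl.db
SIGNED=$WORK/exampledomain.cl.db.signed
printf 'sub1 A 200.7.6.130\n' > "$ORIG"
cat > "$SIGNED" <<'EOF'
sub1.exampledomain.cl. 3600 IN A 200.7.6.130
sub1.exampledomain.cl. 3600 IN RRSIG A 13 3 3600 20210301000000 20200901000000 12345 exampledomain.cl. Q29uc3RydWN0ZWQ=
EOF
touch -d '2020-11-24 12:00:00' "$ORIG"
touch -d '2020-11-24 13:00:00' "$SIGNED"          # signed after the last edit
NOW=$(date -u -d '2021-02-25 00:00:00' +%s)        # pretend "today" is 2021-02-25

if resign_needed "$ORIG" "$SIGNED" 7 "$NOW"; then
    echo "re-sign: a signature expires within 7 days"
else
    echo "signed zone is still fresh"
fi
rm -rf "$WORK"
```

With a 7-day threshold the demo reports that re-signing is needed (the constructed RRSIG expires on 2021-03-01, four days after the pretend "today"); with a 3-day threshold the same files are considered fresh. In a monitoring job, a true result from rrsig_expiring against the zone file BIND actually serves is the signal that the cron job, dns-tools or the HSM has stopped working and the zone is heading towards expired signatures.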

You can schedule this script in your crontab every hour or every few minutes, depending on your needs. For example, once an hour:

# every hour
0       *       *       *       *       /usr/local/bin/update_zone.sh