Greetings, I wish to share a tutorial on enabling/using DNSSEC in your CWP install. Now, this assumes that you are running your own DNS server in CWP, I do not know how it would work with FreeDNS.
For those that would like more information on DNSSEC, please look here:
https://www.icann.org/resources/pages/dnssec-what-is-it-why-important-2019-03-05-en
This builds on a previous thread from here:
https://forum.centos-webpanel.com/index.php?topic=9052.msg41413#msg41413
I will add the steps from the above link here just for posterity's sake, in case the external link goes stale.
The following steps are for EL/CentOS/RHEL.
Note: In the examples below, replace "domain.tld" with your domain name.
Step 1: Install haveged, which supplies the entropy used when generating the keys
yum install -y haveged
systemctl enable haveged
Step 2: Change the directory to /var/named
cd /var/named/
Step 3: Generate the ZSK key
dnssec-keygen -L 3600 -a RSASHA256 -b 2048 -r /dev/urandom domain.tld
Step 4: Generate the KSK key
dnssec-keygen -L 3600 -r /dev/urandom -f KSK -a RSASHA256 -b 4096 domain.tld
Step 5: Add the keys to the domain's zone file
cat /var/named/Kdomain.tld.+008+*.key >> /var/named/domain.tld.db
Step 6: Sign the zone file
dnssec-signzone -A -3 $(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16) -N INCREMENT -o domain.tld -t domain.tld.db
Step 7: Edit the named configuration file, /etc/named.conf. Find these lines:
dnssec-enable yes;
dnssec-validation yes;
and add the following line after them:
dnssec-lookaside auto;
(Note: dnssec-lookaside relies on ISC's DLV registry, which was shut down in 2017, and newer BIND releases have deprecated the option, so on a current BIND install this line can be left out.)
Step 8: In the same file as the previous step, /etc/named.conf, change the zone's file entry for the domain being enabled so it points at the signed zone file
From
// zone domain.tld
zone "domain.tld" {type master; file "/var/named/domain.tld.db";};
// zone_end domain.tld
To
// zone domain.tld
zone "domain.tld" {type master; file "/var/named/domain.tld.db.signed";};
// zone_end domain.tld
Step 9: Reload (or restart) the named service
service named reload
or
systemctl reload named
Step 5 also created a file in /var/named called dsset-domain.tld., and in this file you will find the DS records that you will add at your domain registrar.
domain.tld. IN DS 54216 8 1 927FCC021E55B89F279C9D8580CC6615398630747
domain.tld. IN DS 54216 8 2 D564958A48549F123B1E38AhhhE0CF9C73F5E8F4F2CE2A2442C1893C 7878666F
Line 1 description:
54216 = Key Tag
8 = Algorithm
1 = Digest Type
long string = Digest
On line 2, the SHA-256 digest will contain a space just before the end; when adding it to your registrar, you may have to remove that space.
Now, there is an issue with the current implementation of DNSSEC in CWP: once it is enabled, adding a subdomain will not work. The subdomain will be created in /var/named/domain.tld.db but not in /var/named/domain.tld.db.signed, so the subdomain will never propagate.
The workaround is to run Step 5 and Step 9 after a subdomain is created and after it is deleted.
Hope this helps,
Joao
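As an added check for two points above (the stray space in the SHA-256 DS digest, and subdomain records that land in domain.tld.db but never reach domain.tld.db.signed), here is example Python that is not part of the original post or of CWP: it joins and validates the DS records from a dsset- file, and lists owner names present in the unsigned zone but missing from the signed one. The dsset content and both zone files are constructed samples with placeholder digests, and the origin "domain.tld" is assumed.

```python
# Hex length of a DS digest by digest type (1 SHA-1, 2 SHA-256, 4 SHA-384); other types are rejected.
DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}

# Constructed dsset- content with placeholder digests (not real key material);
# the type-2 line carries the stray space the post mentions.
DSSET_SAMPLE = """\
domain.tld. IN DS 54216 8 1 0123456789ABCDEF0123456789ABCDEF01234567
domain.tld. IN DS 54216 8 2 00112233445566778899AABBCCDDEEFF00112233445566778899AABB CCDDEEFF
"""

def parse_dsset(text):
    """(owner, keytag, algorithm, digest_type, digest) tuples; digest joined into one hex string."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7 or f[1:3] != ["IN", "DS"]:
            continue  # blank lines, comments, other record types
        dtype, digest = int(f[5]), "".join(f[6:]).upper()
        if set(digest) - set("0123456789ABCDEF") or len(digest) != DIGEST_HEX_LEN.get(dtype):
            raise ValueError(f"malformed DS digest: {line!r}")
        records.append((f[0], int(f[3]), int(f[4]), dtype, digest))
    return records

def owner_names(zone_text, origin):
    """Owner names made absolute under `origin` (no trailing dot); directives, comments, continuations skipped."""
    names = set()
    for line in zone_text.splitlines():
        s = line.strip()
        if not s or s[0] in ";$" or line[0].isspace():
            continue  # indented line = continuation of the previous record
        name = s.split()[0].lower()
        name = origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"
        names.add(name.rstrip("."))
    return names

def missing_from_signed(unsigned_text, signed_text, origin):
    """Names in domain.tld.db that domain.tld.db.signed lacks: added after signing, never served."""
    return sorted(owner_names(unsigned_text, origin) - owner_names(signed_text, origin))

# Constructed zone pair: "sub" was added to the unsigned zone after it was signed.
UNSIGNED_ZONE = """\
@    IN SOA ns1.domain.tld. hostmaster.domain.tld. ( 2024010102 3600 900 604800 3600 )
www  IN A 192.0.2.10
sub  IN A 192.0.2.11
"""
SIGNED_ZONE = """\
domain.tld.     3600 IN SOA ns1.domain.tld. hostmaster.domain.tld. (
                     2024010102 3600 900 604800 3600 )
www.domain.tld. 3600 IN A 192.0.2.10
www.domain.tld. 3600 RRSIG A 8 3 3600 ( PLACEHOLDER= )
"""
```

Running missing_from_signed over the live .db and .db.signed files before the reload step shows whether the signed zone has gone stale.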