There are many ways to create a custom nameserver. Below is a quick step-by-step method for doing so with a Gandi Server (Ubuntu 12.04 LTS, 64-bit), so that you can run your own, personalized DNS for your domain and enable DNSSEC as added security.
It is necessary to start by creating your server, as this will provide you with the IP address of your nameserver, as well as the machine onto which you will install the service. We will be installing BIND as the nameserver. For the sake of this guide, we will pretend that the IP address of our Gandi server is 203.0.113.0. For help on this particular topic, see our wiki page at http://wiki.gandi.net/en/iaas/basics/create_a_server
Decide what domain name you want your nameserver to be on. For the sake of this guide, we will pretend that it is example.com, and that we want to make a personal nameserver called ns1.example.com.
Once you know what domain you will use, you can already create the nameserver's “Glue” at the registry from our “Glue Record” management page for your domain name. For instructions on using that page see http://wiki.gandi.net/en/domains/management/change-glue
You will now need to log into your Gandi Server via SSH (see how) and install BIND:
apt-get install bind9 dnsutils
Using your favorite command-line editor, add a “zone” entry to /etc/bind/named.conf.local for the domain that will serve as the basis of your nameserver:

zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-transfer { 217.70.177.40; };
};

To help understand, and therefore personalize the above, know that:
- "example.com" is the name of the zone, i.e. your domain;
- type master means this server holds the authoritative copy of the zone (it is the primary);
- file is the path of the zone file you will create in the next step;
- allow-transfer lists the addresses allowed to copy the whole zone by zone transfer (AXFR). 217.70.177.40 is the address of the Gandi secondary nameserver used later in this guide. Only list addresses you actually want to hand your entire zone to; without this line BIND's default on a master zone is to allow transfers from anyone.
Using your favorite console-based text editor, you will now need to create the zone file at the path given in the zone entry (/etc/bind/db.example.com in this guide).
Below is an example of one that is for our fictitious domain, and IP address. It also includes the records needed for GandiMail to work, as I intend on using this domain name with GandiMail as well:
$TTL 10800
@       IN  SOA ns1.example.com. root.example.com. (
                1          ; Serial
                10800      ; Refresh
                86400      ; Retry
                2419200    ; Expire
                604800 )   ; Negative Cache TTL
;
@       IN  NS      ns1.example.com.
ns1     IN  A       203.0.113.0
@       IN  MX  10  spool.mail.gandi.net.
@       IN  MX  50  fb.mail.gandi.net.
pop     IN  CNAME   access.mail.gandi.net.
imap    IN  CNAME   access.mail.gandi.net.
smtp    IN  CNAME   relay.mail.gandi.net.
webmail IN  CNAME   agent.mail.gandi.net.

If you use the above as a model for your zone, be sure to update the IP address, the domain, and the nameserver's name (ns1) to the ones you will be using. If you also declare a secondary nameserver at the registry (as this guide does below with ns6.gandi.net), add an NS record for it at the apex as well, so that the NS set inside the zone matches the delegation.
Before restarting, you can catch syntax errors with named-checkconf (for the configuration) and named-checkzone example.com /etc/bind/db.example.com (for the zone file). You now need to restart BIND for your changes to take effect:

/etc/init.d/bind9 restart

If it is unsuccessful and you see [FAIL], use the following command to find the error:

tail -n 100 /var/log/daemon.log | grep named
Once you are sure that your nameserver is running, in order to use it, you will now need to change the DNS of your domain name so that it uses the newly created nameserver (see how).
Since this example was made for my personal nameserver (ns1.example.com) and Gandi's secondary nameserver (NS6.GANDI.NET) I will need to replace whatever nameservers are currently being used for this domain name by those two.
Please wait 12-24 hours for propagation following your DNS update before testing the resolution via your domain name.
You will want to start by enabling your nameserver to handle DNSSEC. To do this, add the following three lines between the { and } that follow “options” in /etc/bind/named.conf.options:

    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;

dnssec-lookaside enables DLV (DNSSEC Lookaside Validation), a stop-gap from the time when few top-level domains were signed. ISC retired the DLV registry in 2017 and later BIND releases removed the option, so leave that line out on anything newer than the BIND shipped with 12.04.

Next, generate the keys. Run the following from /etc/bind (the directory containing your zone file, which is also where dnssec-signzone will look for the key files): first a zone-signing key (ZSK), then a key-signing key (KSK):

dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE example.com

and

dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE example.com

Two caveats. On a freshly created virtual server, key generation can hang for a long time waiting for entropy; adding -r /dev/urandom to each dnssec-keygen command avoids that. Also, NSEC3RSASHA1 (algorithm 7) is SHA-1 based and is no longer recommended for new signing (RFC 8624); on a current BIND, prefer RSASHA256 (algorithm 8) or ECDSAP256SHA256 (algorithm 13), and select the matching algorithm when you declare the key at the registry.
Once you have done that, you will see 4 new files in the directory, named K<zone>.+<algorithm>+<key tag>.key and .private, like this:

Kexample.com.+007+02885.key
Kexample.com.+007+02885.private
Kexample.com.+007+38526.key
Kexample.com.+007+38526.private

007 is the algorithm number (7) and the five-digit number is the key tag. The .private files hold the signing secrets: keep them readable by root only, never copy them into the zone file, and never publish them.

In each .key file that you generated, you will see a line that looks something like the one below. The first number after DNSKEY is the flags field: 256 marks a zone-signing key, 257 a key-signing key.
example.com. IN DNSKEY 256 3 7 AwEAAdiTdNNzO/2fcdF7PiUO5WA33AQZ5dmpgXaKq8TLjnNbZlQNEFDK aZTTPG2myhspl4MRNlrLDfTsONStV519+iSiEDk9NyJ4gzNLBCUit9Vf EFg+qiChjeiknIGLbDO0YkJ5YaIojRkgXPjf8Od5QUKGKzhAEnjfRkeT vllE70uTeoP8uWA3R9gaJO5vs1E3Jn+tP7YgLQ+zGcMfbL3EiSvx3Fd3 LVnIs/A6HzmnkoFf0BdYtP2PUgecTBhf4SNwnjefQw52A/newph97vxF C7urmFcfcJ4OirUv/sAhSvTeHXvOKIDibSy9C/kZ7m4J8Dkp3bONcKLx 6emsy/qJ30TnxD3+Bhzm0ASTQSk7ByR9Ef8QnJRgWIPnmxuHKWkk1X2q DiZN6amI0D0yfuJAtpHCqTrJ4YwRLTqlNyRd4ITFm5aUmalcFO5VDtfY C7AOP+c1SjzrDDO6gsqoptsT+8s4vRRZGa8E2kwr20r8cfTsAkWxsOH5 UOy4u1zaj+9hghqLUXY2LtT9P0/4+dPqn9VfIvPV8lsQjXp89Nn1RW6W jA9XEh1D/PEZTJXbH1ZWoSiesV7vzRV+eSx0IZcTEX8zCWXKQlkRaxep cognCMv8sAe+WKTIQl5etl0+0QuDcgOPXT0CjbWRbIXKa3xeVfhMGBra uEn7X8LnyEJVCJKJ
These are the DNSKEY records that you need to add to your zone file. Copy them carefully and paste them into your zone file (or reference each .key file with a $INCLUDE line, which avoids copy errors). You can see what this looks like in the example below (don't forget to increment your zone file serial number):

$TTL 10800
@       IN  SOA ns1.example.com. root.example.com. (
                2          ; Serial
                10800      ; Refresh
                86400      ; Retry
                2419200    ; Expire
                604800 )   ; Negative Cache TTL
;
@       IN  NS      ns1.example.com.
ns1     IN  A       203.0.113.0
@       IN  MX  10  spool.mail.gandi.net.
@       IN  MX  50  fb.mail.gandi.net.
pop     IN  CNAME   access.mail.gandi.net.
imap    IN  CNAME   access.mail.gandi.net.
smtp    IN  CNAME   relay.mail.gandi.net.
webmail IN  CNAME   agent.mail.gandi.net.
example.com. IN DNSKEY 256 3 7 AwEAAZt0RlA3cfU/z4IUYcUu7rKK0JYuy8Uy28+4j0WJ6UQZsFdifVr9 j1xnJqfyR24IDlp6TPFc9NjVb2uusdEDh2Iz19e6oQFTjlDsWn46WAxO PZcaydLzyBl7Cx40WMRX00ohgXxZLXNh5LrKg26TrFNgjbt5bM4vMNpg AcPk7aRPfv9xKyH0aW9FkQRoJM6eGkclpjpTzr+Gug1Oltl8tvb5FhZB GNWZr/A3M8LSdTpXgtbGcqbakHpFJL7CsvYmhTKXm/OknpPetfu6m5JR fdAga/vgOBmWu+0WbvHpkiPNhJrV4jKSWbsS85DefGCHlRkwwIjh28Gb lS5iFGD8/38=
example.com. IN DNSKEY 257 3 7 AwEAAdiTdNNzO/2fcdF7PiUO5FA33AQZ5dmpgXaKq8TLjnNbZlQNEFDK aZTTPG2myhspl4MRNlrLDfTsONStV519+iSiEDk9NyJ4gzNLBCUit9Vf EFg+qiChjehknIGLbDO0YkJ5YaIojRkgXPjf8Od5QUKGKzhAEnjfRkeT vllE70uTeoP8uWA3R9gaJO5vs1E3Jn+tP7YgLQ+zGcMfbL3EiSvx3Fd3 LVnIs/A6HzmnuoFf0BdYtP2PUgecTBhf4SNwnjefQw52A/newph97vxF C7urmFcfcJ4OirUv/sAhSvTeHXvOKIDibSy3C/kZ7m4J8Dkp3bONcKLx 6emsy/qJ30TnxDv+Bhzm0ASTQSk7ByR9Ef8QnJRgWIPnmxuHKWkk1X2q DiZN6amI0D0yfuJAtkHCqTrJ4YwRLTqlNyRd4ITFm5aUmalcFO5VDtfY C7AOP+c1SjzrDDO6gQqoptsT+8s4vRRZGa8E2kwr20r8cfTsAkWxsOH5 UOy4u1zaj+9hghqLUXY2LtT9P0/4+dPqn9VfIvPV8lsQjXp89Nn1RW6W jA9XEh1D/PEZTJXbHAZWoSiesV7vzRV+eSx0IZcTEX8zCWXKQlkRaxep cognCMv8sAe+WKTIQl5etl0+0QuDcgOPXT0CjbWRbIXKa3xeVfhMGBra uEn7X8LnyEJVCJKJ
You now need to sign your zone file using the dnssec-signzone command (run it from /etc/bind, where the key files are):

dnssec-signzone -3 'random' -A -N INCREMENT -o example.com -t db.example.com

Replace “random” with a salt of at least 16 random hexadecimal digits (dnssec-signzone only accepts hex for the NSEC3 salt; I used a result from https://www.random.org/bytes/ for this), and adapt “example.com” and “db.example.com” to the name of your zone and the name of your zone file. -N INCREMENT bumps the SOA serial in the signed output, so you do not have to do it by hand at each re-signing. -A turns on NSEC3 Opt-Out, which is meant for large zones with many unsigned delegations; for a small zone like this one you can leave it out.
Unless you made an error in your zone file, you should now see a result like this:

Verifying the zone using the following algorithms: NSEC3RSASHA1.
Zone signing complete:
Algorithm: NSEC3RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
                         ZSKs: 1 active, 0 stand-by, 0 revoked
db.example.com.signed
Signatures generated:                       20
Signatures retained:                         0
Signatures dropped:                          0
Signatures successfully verified:            0
Signatures unsuccessfully verified:          0
Signing time in seconds:                 0.066
Signatures per second:                 302.805
Runtime in seconds:                      0.123

When you signed your zone file, it created a new file called db.example.com.signed, which contains an RRSIG record for each of your DNS records (plus the NSEC3 chain). Be aware that these signatures expire, 30 days after signing by default: you must re-run dnssec-signzone and reload before then, or validating resolvers will start treating your zone as bogus. Put the signing in a cron job, or look at BIND's auto-dnssec maintain option, which re-signs automatically. For your server to serve the signed file, you need to update the named.conf.local file again.
This time, you will need to update the zone's file location from what it was:
file "/etc/bind/db.example.com";
To the new, signed one:
file "/etc/bind/db.example.com.signed";
You may now reload the nameserver (by reloading you don't stop the DNS service, which would happen during a restart):
service bind9 reload
After this, you should be done. You can test the server with:

dig DNSKEY example.com @localhost

and

dig A example.com. @localhost +noadditional +dnssec

If successful, the first query shows your DNSKEY records and the second returns the A record together with its RRSIG (the +dnssec option sets the DO bit, which asks for signatures). Do not expect the ad flag here: it is only set by a validating resolver, not by the authoritative server you are querying.
Now that you are sure that your Nameserver is configured for DNSSEC, you need to use Gandi's DNSSEC interface to declare the keys at the registry.
The key to declare is the KSK, i.e. the DNSKEY record whose flags field is 257. In this example we used algorithm 7 (RSASHA1-NSEC3-SHA1), so choose that one on the form if you used it as well. For more information on this, see the DNSSEC interface wiki page at: http://wiki.gandi.net/en/domains/dnssec

After this has been done, please wait a bit to allow proper zone propagation before testing. If the test returns errors that you do not expect, wait a bit longer and try again. Verisign Labs has a good tool for testing: http://dnssec-debugger.verisignlabs.com/