Lab 2: DNSSEC and HTTPS
Overview
The goal of this lab is to secure DNS zone from the lab 1 (i.e., enable DNSSEC) and then use the zone to build a micro CDN service. As a side effect, you will also learn how to create a simple HTTP/Apache server instance and serve simple files from there. In addition, the lab will also show you how you can secure web server with HTTPS certificate, a different level protection compared to DNSSEC. We will use tools provided by Let’s Encrypt CA and the process is quite simple, involves just running a few commands (but we will have an expected issue with it, for you to analyze).
Tasks
1. DNSSEC
Lab 1 left us hanging about the DNSSEC. This document gives a quite comprehensive description of the DNSSEC, its internals, and what should happen to enable and maintain DNSSEC for your zone. I assume that you already read it.
Luckily, in order to enable DNSSEC in “regular” circumstances, Bind software since its recent version includes a very simple method to work with DNSSEC. It still requires a little bit of manual work, but only a little bit. Majority of the complex process is done by Bind software itself.
1.1 Reorganize location
First thing is that we need to do a bit of reorganization of our zone database.
Bind will be adding new records to the zone and needs write permission to the same folder as the original zone file.
It can be done in various way, the simplest is simply move the zone file to /var/cache/bind
folder:
sudo mv /etc/bind/full.path.to.the.zone.db /var/cache/bind
and updating the path in /etc/bind/named.conf.local
.
1.2 Enabling the magic DNSSEC option
With Bind version 9.16 and newer (the one installed in Ubuntu 20.04 we are using), enabling DNSSEC zone signing is a simple as adding a single line to the zone configuration:
zone "delegated.domain.name" {
type master;
file "/etc/bind/full.path.to.the.zone.db";
dnssec-policy default; # this is the line you need to add
};
and then reload the zone using
sudo rndc reload
If everything is correct, you should see new files generated in /var/cache/bind
folder, like these (actual names will include your zone name):
/var/cache/bind$ ls -1
Ktcn6430.iu4.ru.+013+45365.key
Ktcn6430.iu4.ru.+013+45365.private
managed-keys.bind
managed-keys.bind.jnl
tcn6430.iu4.ru
tcn6430.iu4.ru.signed
tcn6430.iu4.ru.signed.jnl
If you don’t see these, check for errors in Bind logs:
sudo journalctl -u bind9
You can also check the actual signatures using dig
command:
dig +dnssec your.zone ns @localhost
1.3 Submitting DS record
If you get this far, you got the zone signed, but DNSSEC is not yet fully enabled, as the parent zone does not know about that.
In order for the parent zone be aware that you have enabled DNSSEC and want your zone data to be validated, you need to insert a DS
record to the parent zone.
For our lab, you need to prepare and send the DS
record to the instructor.
To do so, you just need to run the following command and copy paste the output:
dnssec-dsfromkey /var/cache/bind/K<your-zone>.+013+45365.key
This command will convert DNSKEY
record into a DS
and as soon as instructor adds it to your zone, you will be ready to proceed.
2 HTTP Server
Instructions below assume you are working with http-1
instance that uses Ubuntu 20.04 Linux VMs.
If you are using a different environment (for the lab or in other environment), you can follow the official instructions provided on certbot website.
1. Create a new VM
You would need to create 1 VM HTTP server instance named “http-1” (if you choose different name, you will need to adjust the following instructions):
-
Instance type: general-purpose, E2 series, e2-micro in
us-east1-b
zone -
Ubuntu 20.04 LTS image
-
Disk space: you can leave the default 10 GB disk
-
Firewall rules: make sure you have selected “Allow HTTP traffic” and “Allow HTTPS traffic”. This will automatically add proper firewall tags.
2. Configuring VM
You need to install Apache HTTP server and upload some content (cute cat images are highly suggested) to be served from this HTTP instance.
Before you start, note the public IP addresses of the instance. You will need them during configuration of DNS server in the next step.
SSH to the server and start configurations (using Web interface, gcloud command line suite, or just ssh in the command line).
Update/upgrade packages and install apache
HTTP server:
sudo apt update
sudo apt upgrade
sudo apt install apache2
With default configuration, the installed Apache HTTP server will serve content from /var/www/html
folder.
Upload any information (= cats) to this folder and create appropriate index.html
files.
In addition, for Gradescope verification, create the following files:
/var/www/html/instance.txt
with contenthttp-1
as the first line./var/www/html/owner.txt
with your name as the content
To test before going to the next step, you can simply type in your web browser the public IP of the instance and path to the file, such as (use IP of your instance!)
http://your-vm.public.ip.address/instance.txt
3. Create DNS Name for Your Server
You already have a working DNS zone, so use it.
You will need to add a single A record for www sub-domain. For example, it will look like
www IN A your-vm.public.ip.address
Do not forget to increase the serial number for your zone and then reload the zone using
sudo rndc reload
If you did not have a zone delegated, but wanted to have some domain name, you could use free services, for examples Duck DNS. This is just for your information, if you want it for other purposed.
4. Enabling HTTPS
The manual way of enabling HTTPS is as daunting as manual way dealing with DNSSEC (ok, a little bit less daunting, but still). Luckily, we have an automated way of doing this, thanks to Let’s Encrypt CA.
All you need to do is to install a cerbot
app:
sudo snap install --classic certbot
Done.
Now. A deeeeeeeeeep breath, exhale, and continue.
To get a certificate for your domain and automatically configure Apache server, run the following command (use your delegated domain name!):
sudo certbot --apache -d www.your-zone
It will prompt for
- your email
- to agree with terms and conditions
- whether you want your email to be shared with Electronic Frontier Foundation.
After that certbot
will generate public/private key pair, generate certificate request, submit it to Let’s Encrypt, and will perform proper validation that you have control over the website.
The final question that certbot
will ask is how you want HTTPS be activated: just run HTTPS in parallel to HTTP or force traffic be redirected from HTTP to HTTPS.
Either way can work for the lab, forced redirection preferred (option 2
when asked).
Check Certificate and Prepare Submission
As a final check, type a bit updated URL in the browser (note there is https://
now):
https://www.your-zone/instance.txt
After that, open certificate properties (in Chrome, click on “lock” icon and the click on “Certificate”; similar actions in other browsers). Take a note of certificate serial number, you will need this for the submission.
Conclusion / Submission
Submit your report to Canvas quiz, answering the posted question.