OpenBSD ships with the NLnet Labs Name Server Daemon - nsd(8), a fast and secure (DNSSEC-enabled) implementation of an authoritative DNS nameserver.
First we should generate a TSIG (Transaction SIGnature) key. If using hmac-md5:
dd if=/dev/urandom of=/dev/stdout count=1 bs=32 | openssl base64
Or for sha256 (preferred):
dd if=/dev/urandom of=/dev/stdout count=1 bs=64 | openssl base64
Keep the resulting base64-encoded key for later. For demonstration purposes I will be using the following sha256 key:
0i96GKeAPxwGZ2ALxrvM882oL107NuCnXLjv4PRpzCS31oySYILYzbs02Aes0OqCgy5+rA96YGep2xFWmzsKHg==
Open /var/nsd/etc/nsd.conf and create a simple configuration for our example domain:
server:
    hide-version: yes
    verbosity: 1
    database: "" # disable database

remote-control:
    control-enable: yes
    control-interface: /var/run/nsd.sock
    server-key-file: "/var/nsd/etc/nsd_server.key"
    server-cert-file: "/var/nsd/etc/nsd_server.pem"
    control-key-file: "/var/nsd/etc/nsd_control.key"
    control-cert-file: "/var/nsd/etc/nsd_control.pem"

key:
    name: "sec_key"
    algorithm: hmac-sha256 # or hmac-md5
    secret: "0i96GKeAPxwGZ2ALxrvM882oL107NuCnXLjv4PRpzCS31oySYILYzbs02Aes0OqCgy5+rA96YGep2xFWmzsKHg=="

zone:
    name: "foresthall.org.uk"
    zonefile: "master/foresthall.org.uk"
The default base location (OpenBSD users rarely deviate from good defaults!) for zonefiles is /var/nsd/zones so we create the file /var/nsd/zones/master/foresthall.org.uk:
$ORIGIN foresthall.org.uk. ; default zone domain
$TTL 86400                 ; default time to live
@       IN SOA ns1.cryogenix.net. foresthall.org.uk. (
                2018010203 ; serial number
                28800      ; Refresh
                7200       ; Retry
                864000     ; Expire
                86400      ; Min TTL
        )
        NS  ns1.cryogenix.net.
        MX  10 mail.foresthall.org.uk.
www     IN A 82.35.249.157
mail    IN A 82.35.249.157
@       IN A 82.35.249.157
*       IN A 82.35.249.157
See RFC 1034 and RFC 1035 if you are unfamiliar with the zone file format.
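As an added example (not code from the original post), here is a small Python parser for the zone-file syntax used above, with a few checks a practitioner would want before nsd(8) loads the zone: it handles $ORIGIN and $TTL, ';' comments, the parenthesised multi-line SOA, owner-name inheritance via leading whitespace and relative names. The embedded zone is a constructed copy of the file above; the record-type set, function names and check messages are my own assumptions.

```python
# Constructed copy of the zone file from the post, embedded so the example runs offline.
ZONE = """\
$ORIGIN foresthall.org.uk. ; default zone domain
$TTL 86400 ; default time to live
@ IN SOA ns1.cryogenix.net. foresthall.org.uk. ( 2018010203 ; serial
        28800 7200 864000 86400 ) ; refresh, retry, expire, min TTL
    NS ns1.cryogenix.net.
    MX 10 mail.foresthall.org.uk.
www IN A 82.35.249.157
mail IN A 82.35.249.157
@ IN A 82.35.249.157
* IN A 82.35.249.157
"""
TYPES = {"SOA", "NS", "MX", "A", "AAAA", "CNAME", "TXT", "PTR", "SRV"}
def qualify(name, origin):  # '@' is the origin; a name without a trailing dot is relative to it
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"
def parse_zone(text):  # -> (origin, [(owner, ttl, type, [rdata tokens]), ...])
    origin = ttl = owner = None
    records, buf, depth = [], [], 0
    for line in filter(None, (r.split(";", 1)[0].rstrip() for r in text.splitlines())):
        depth += line.count("(") - line.count(")")     # '(' ... ')' spans several lines
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth > 0:
            continue
        logical, buf = " ".join(buf), []
        if logical.startswith("$ORIGIN"):
            origin = logical.split()[1]
        elif logical.startswith("$TTL"):
            ttl = int(logical.split()[1])
        else:
            tokens = logical.split()
            if not logical[0].isspace():                # leading blank: same owner as last record
                owner = qualify(tokens.pop(0), origin)
            i = next(k for k, tok in enumerate(tokens) if tok in TYPES)
            rttl = next((int(t) for t in tokens[:i] if t.isdigit()), ttl)  # optional per-record TTL
            records.append((owner, rttl, tokens[i], tokens[i + 1:]))
    return origin, records
def check_zone(origin, records):  # sanity checks worth running before nsd loads the zone
    problems = []
    if not records or (records[0][0], records[0][2]) != (origin, "SOA"):
        problems.append("first record must be the apex SOA")
    elif not (records[0][3][2].isdigit() and len(records[0][3][2]) == 10):
        problems.append(f"SOA serial {records[0][3][2]} is not YYYYMMDDnn")
    if not any(o == origin and t == "NS" for o, _, t, _ in records):
        problems.append("no NS record at the zone apex")
    have_addr = {o for o, _, t, _ in records if t in ("A", "AAAA")}
    for _, _, t, rd in records:                         # in-zone NS/MX targets need an address
        if t in ("NS", "MX") and rd[-1].endswith(origin) and rd[-1] not in have_addr:
            problems.append(f"{t} target {rd[-1]} has no A/AAAA record in this zone")
    return problems
```

This supplements rather than replaces nsd-checkzone(8), which remains the syntax check to run on the real file.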
Next generate the TLS keys and certificates for the nsd(8) remote-control interface:
$ doas nsd-control-setup
setup in directory /var/nsd/etc
generating nsd_server.key
Generating RSA private key, 3072 bit long modulus
.++
...............++
e is 65537 (0x10001)
generating nsd_control.key
Generating RSA private key, 3072 bit long modulus
.........................++
..++
e is 65537 (0x10001)
create nsd_server.pem (self signed certificate)
create nsd_control.pem (signed client certificate)
Signature ok
subject=/CN=nsd-control
Getting CA Private Key
Setup success. Certificates created. Enable in nsd.conf file to use
Run nsd(8) in the foreground to check everything is working:
$ doas nsd -d -V 5
[2018-10-31 15:51:02.541] nsd[12021]: notice: nsd starting (NSD 4.1.25)
[2018-10-31 15:51:02.542] nsd[12021]: info: creating unix socket /var/run/nsd.sock
[2018-10-31 15:51:02.633] nsd[76579]: info: zone foresthall.org.uk read with success
[2018-10-31 15:51:02.711] nsd[76579]: notice: nsd started (NSD 4.1.25), pid 12021
Now use dig(1) to check that it is serving lookup requests for our new domain:
voyager$ dig @ns1.cryogenix.net ANY foresthall.org.uk
;; Truncated, retrying in TCP mode.
; <<>> DiG 9.4.2-P2 <<>> @ns1.cryogenix.net ANY foresthall.org.uk
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48761
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;foresthall.org.uk. IN ANY
;; ANSWER SECTION:
foresthall.org.uk. 86400 IN SOA ns1.cryogenix.net. foresthall.org.uk. 2018010203 28800 7200 864000 86400
foresthall.org.uk. 86400 IN NS ns1.cryogenix.net.
foresthall.org.uk. 86400 IN MX 10 mail.foresthall.org.uk.
foresthall.org.uk. 86400 IN A 82.35.249.157
;; ADDITIONAL SECTION:
mail.foresthall.org.uk. 86400 IN A 82.35.249.157
;; Query time: 44 msec
;; SERVER: 82.35.249.157#53(82.35.249.157)
;; WHEN: Wed Oct 31 15:52:25 2018
;; MSG SIZE rcvd: 155
That's it! We haven't enabled DNSSEC on our domain, but this will get you started.