Atomia DNS

Manual installation

30 views 0

The manual installation of the Atomia DNS Master server.

Overview

This guide will install the Atomia DNS Master server with the Atomia DNS database on a separate server from the Atomia DNS API.

Installation on Ubuntu 10.04 LTS

  1. Do a standard installation of Ubuntu 10.04 LTS on two servers.
  2. Perform the following steps on both servers:
    1. Add the Atomia APT Repository to the server using:
    2. wget -q -O - http://public.apt.atomia.com/setup.sh.shtml | sed s/%distcode/`lsb_release -c | awk '{ print $2 }'`/g | sh
      
    3. Update all packages:
    4. apt-get update
      
  3. Assign one of the servers to be the Atomia DNS database server and execute the following steps on that server:
    1. Install the Atomia DNS database:
    2. apt-get install atomiadns-database
      
  4. Assign one of the servers to be Atomia DNS API server and execute the following steps on that server:
    1. Install the Atomia DNS API:
    2. apt-get install atomiadns-api
      

Creating the initial DNSSEC keyset

If you want all zones to be signed, then after the Atomia DNS API server is installed you need to create the initial DNSSEC key set. In addition you will need to use a nameserver synchronization agent that supports DNSSEC; at the moment this means the PowerDNS agent.

The DNSSEC setup is completed by executing the following steps:

  1. Install the command line client:
  2. apt-get install atomiadns-client
    
  3. Add the active key signing key:
  4. atomiadnsclient --method AddDNSSECKey --arg RSASHA256 --arg 2048 --arg KSK --arg 1
    
  5. Add the active zone signing key:
  6. atomiadnsclient --method AddDNSSECKey --arg RSASHA256 --arg 1024 --arg ZSK --arg 1
    
  7. Add the inactive zone signing key:
  8. atomiadnsclient --method AddDNSSECKey --arg RSASHA256 --arg 1024 --arg ZSK --arg 0
    

Important!

The suggested workaround for random number generation in virtual machines will produce easily predictable and insecure DNSSEC keys. For production purposes, please solve it in a secure way. You have been warned.

Adding DNSSEC keys on a virtual machine where you can’t use keyboard input to generate entropy requires an additional step.

Install rng-tools using apt-get install rng-tools, then open /etc/default/rng-tools and add the following line, or better something equivalent but secure:

# WARNING: This setup is insecure, you should make sure that you have an adequate setup  # for generating cryptographically strong random numbers instead. HRNGDEVICE = /dev/urandom

Now, they key creation should be instant. Notice though that this setup is really insecure. You should instead configure rng-tools to provide sufficient amounts of random numbers in a secure way, e.g. by having better hardware for generating entropy.

Was this helpful?