You are here: Foswiki>Ateliers Web>ProchainsDefisInternet>ProjetSwitchDNSSEC (24 Jun 2011, MarcSCHAEFER)EditAttach
Mettre en place du DNSSEC avec NIC/CH (SWITCH)
Introduction
Ce document est un résumé d'un document interne que je ne peux pas publier in-extenso pour des raisons de licences. Il est partiellement en anglais.Informations techniques
La plupart de Samuel Benz <samuel.benz@switch.ch> sur https://lists.switch.ch/mailman/listinfo/dnssec-pioneersHow to sign your zone
First step: creating DNSKEY(s)
For this simple example we will only use two keys and we will never change them in the future. This is possible because only the signatures have an expire date, not the keys itself.KSK: $ dnssec-keygen -f KSK -n ZONE -a RSASHA1 -b 1024 teleinf.ch ZSK: $ dnssec-keygen -n ZONE -a RSASHA1 -b 1024 teleinf.chThe KSK is the key signing key. The ZSK is the zone signing key. If the commands appear to hang, this means that /dev/random doesn't have enough entropy (
cat /proc/sys/kernel/random/entropy_avail) and thus you need to create some, e.g.
by starting programs, compiling, exchanging network packets etc. Or just generate the key on a busy workstation, not a somewhat idle DNS server.
Of course, it would be a good policy to not create and store the private keys (.private) on a publically accessible server!
These two commands will create 4 files. You only require the .key files on your DNS server (e.g. in /etc/bind/DNSSEC-PUBKEYS).
Kteleinf.ch.+005+00589.key Kteleinf.ch.+005+00589.private Kteleinf.ch.+005+38883.key Kteleinf.ch.+005+38883.privateYou can now include the public keys in your zone file:
for i in /etc/bind/DNSSEC-PUBKEYS/Kteleinf.ch*.key; do echo >> db.teleinf.ch \$INCLUDE $i; done
Second step: Sign the zone
Sign your zone with this command:$ dnssec-signzone -o teleinf.ch db.teleinf.ch Verifying the zone using the following algorithms: RSASHA1. Zone signing complete: Algorithm: RSASHA1: ZSKs: 1, KSKs: 1 active, 0 revoked, 0 stand-by db.teleinf.ch.signedThis will create a new file called teleinf.signed. All keys have to be online on the file system for this step. Obviously you sould do this on a trusted system. The DNSKEY records are now signed with both keys the rest of the zone only with the ZSK. Finally, change your BIND configuration to start with the teleinf.signed and you are done. IMPORTANT: Re-sign your zone at least every week to renew the signatures! NOTE: you can specify a signature expire date with
-e !
Third step: Enable the secure delegation
Generate the DS records from the KSK: (the KSK signs the ZSK which signs the domain)$ dnssec-dsfromkey Kteleinf.ch.+005+00589.keyThis will show you something like:
teleinf.ch. IN DS 589 5 1 D8BE42B35372A8515396D343081CF37505E15FAB teleinf.ch. IN DS 589 5 2 4879EF66A5A101E3CEEF47DB17F10F240AC4F4981CE891C98163CE95 B2E7BE2BUpload this information to your parent server (at NIC/CH, use the Web GUI for the domain: it will also allow you to pre-test your DNS, and show you the above information you should double-check before activating).
Testing manually
The ad flag in the answers tells you you have correct validation (if you do this through a non DNSSEC-enabled DNS server, it won't show up).schaefer@reliant:~$ dig teleinf.ch +dnssec @dnssec3.trash.net ; <<>> DiG 9.4.2-P2.1 <<>> teleinf.ch +dnssec @dnssec3.trash.net ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25125 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;teleinf.ch. IN A ;; AUTHORITY SECTION: teleinf.ch. 10800 IN SOA localhost. root.localhost. 2011011202 14400 14400 86400 86400 teleinf.ch. 10800 IN RRSIG SOA 5 2 14400 20110213090358 20110114090358 38883 teleinf.ch. PpY+M/vDYDd6Dr7alTEp22yHNIqdtC4oZ5Wlme8dRfRLMit+cj2XGsyc uZRPczE5t163Vyu1XuUEE4coapN3ID4P8HNTY/MtX5bZkyuQwvHWoW5a 5C9UPTSAjcXZwOX3VuyLRckemf7Zs4xmFxNeMolbeFSDJnWXj1Ap85MU 18I= teleinf.ch. 10800 IN RRSIG NSEC 5 2 86400 20110213090358 20110114090358 38883 teleinf.ch. MdeWUz4rmJGHuZ8eEPl9xohlyiLMWGgUVE5jGL8bO7YIsNl40Y2D2DCD aC19NpUoEcgFhZIzMWHDAaz4F7QTG731z4wyQqQZ0NdSTOFUweDa1ogu u2cLsbaUo4ekodzfy7r1UVbsTpMtRz5Bre8r8PY1wCuBIZC+DB7fwvax qgQ= teleinf.ch. 10800 IN NSEC ns.teleinf.ch. NS SOA RRSIG NSEC DNSKEY ;; Query time: 398 msec ;; SERVER: 213.144.137.36#53(213.144.137.36) ;; WHEN: Thu Jan 20 10:30:08 2011 ;; MSG SIZE rcvd: 465
Conclusion (and work to do!)
This setup should fit your needs for the first steps with DNSSEC. The complicated stuff while running DNSSEC in a production environment are the periodically change of your keys (key rollovers). A good overview of what rollover scheme exists is the RFC-4641.How to use DNSSEC
Creating your domain signed and publish the public key through NIC/CH is not enough, you also need to enforce that security on your company nameserver cache. This may create some problems for badly maintained servers. Therefore it is not currently recommended in production! If you don't, you could use third-party DNS servers, with some security risks. To test, you can use that server:- dnssec3.trash.net (recursive) (e.g. dig +dnssec test1.teleinf.ch @dnssec3.trash.net: you should see the "ad" bit)
options {
dnssec-enable yes;
dnssec-validation yes;
};
and provide the DNS root (".") public key (you can verify it's GPG, SSL or other signatures at: http://www.root-dnssec.org/
// BIND 9.7 allows automatic updating (RFC-5011)
//managed-keys {
// "." initial-key 257 3 8
// "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
// FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
// bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
// X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
// W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
// Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
// QxA+Uk1ihz0=";
//};
// BIND 9.6.2
// manual update required
trusted-keys {
"." 257 3 8
"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
QxA+Uk1ihz0=";
};
and possibly more "trusted keys" (from a DNSSEC lookaside Validation Registry), will be soon obsolete
trusted-keys {
// something in the form:
// dlv.isc.org. 257 3 5 "BEA[...]uDB";
// get it from dig +dnssec dlv.isc.org. dnskey
// could be a good idea to verify those, and maybe to add your own keys even if signed already.
};
options {
dnssec-lookaside . trust-anchor dlv.isc.org.;
};
http://www.nlnetlabs.nl/publications/dnssec_howto/#x1-60002
Tools
Standard software
BIND 9.3 (DNSSEC) and BIND 9.6 (NSEC3).Non standard software
| Product | Organisation | DNSSEC | NSEC3 |
|---|---|---|---|
| Unbound | NLnetLabs | yes | yes |
| NSD | NLnetLabs | yes | yes |
| MS DNS | Microsoft | Server 2008 R2 | ? |
| PowerDNS | Bert Hubert | 2.9.21 | no |
| Djbdns | Daniel J. Bernstein | no | no |
| ANS | nominum | yes | 2010 |
| CNS | nominum | yes | ? |
Other tools
Most of the name server ship with their one tools to sign zones. If you look for more general ways have a look at:- http://www.opendnssec.org
- http://www.ripe.net/projects/disi
- http://www.dnssec-tools.org
- http://www.registro.br/dnsshim/index-EN.html
Negative testing
The test.dnssec-tools.org zone contains handy test records.schaefer@reliant:~$ host baddata-a.test.dnssec-tools.org. baddata-a.test.dnssec-tools.org has address 75.119.216.30 schaefer@reliant:~$ host baddata-a.test.dnssec-tools.org. dnssec3.trash.net Using domain server: Name: dnssec3.trash.net Address: 213.144.137.36#53 Aliases: Host baddata-a.test.dnssec-tools.org not found: 2(SERVFAIL)And don't forget to do Positive testing too:
schaefer@reliant:~$ host good-a.test.dnssec-tools.org. dnssec3.trash.netIn the above, once you have setup your own validating DNS server, you need obviously to replace dnssec3.trash.net by localhost or the name / IP address of your validating DNS server.
Firefox plugins
And last but not least, a simple way to show your (hidden) work on DNSSSEC to your colleges:- http://www.nlnetlabs.nl/projects/drill/drill_extension.html
- http://www.trash.net/faq/dnssec_validator/dnssec_validator.shtml (https://addons.mozilla.org/en-US/firefox/addon/64247/)
References
-- MarcSCHAEFER - 20 Jan 2011Edit | Attach | Print version | History: r2 < r1 | Backlinks | View wiki text | Edit wiki text | More topic actions
Topic revision: r2 - 24 Jun 2011, MarcSCHAEFER
Ateliers |
|
Copyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding Foswiki? Send feedback
Ideas, requests, problems regarding Foswiki? Send feedback