In this post, I'm going to write about configuring bind to check DNSSEC when I make DNS queries. In later posts, I'll write about the other side of things: securing my own zones with DNS.
I mentioned the root zone being signed above. That's one way of checking DNSSEC signatures (and in the long term, the main way). Another way is DLV (DNSSEC Lookaside Validation) which acts as a certificate authority, providing a way for a DNS zone to be signed without having to have a path all the way from the root. A third way is by listing the keys for known domains, which allows everything under those domains to be validated without needing a signature from a higher level in DNS. (This third way is how IANA's Interim Trust Anchor Repository worked, before being superseded by the signing of the root zone).
I want to configure both validation from the root, and DLV.
I very roughly followed along with this page, though different versions of bind, and differences in what I want to do, lead to differences.
First I need the root key-signing (public) key. This is the single well-known value that must be securely obtained. So I use insecure DNS to obtain it:
$ dig . dnskey | grep "257 " > root.dnskey $ cat root.dnskey . 172363 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
Now at this point I should carefully check that this is right against various out-of-band sources. I didn't bother.
I also want a trusted key for DLV. That is available here.
Next I need to tell bind about these keys. I'm going to use bind's managed-key mechanism for this.
I put the key material into a file called
benc-managed-keys
, like this:managed-keys { dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh"; . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0="; };
Note that the format is different from the key files obtained - the
IN DNSKEY
keywords go away and initial-key
goes in instead, and the key material is now quoted with "
and with a ;
at the end of the line.Then I told bind to import this into its configuration:
$ grep benc-managed-keys * named.conf:include "/etc/bind/benc-managed-keys";
I need to tell bind to start using dnssec by adding these to named.conf.options:
dnssec-enable yes; dnssec-validation yes; dnssec-lookaside auto;
Now restart bind and hope that it all works.
How can I test my setup? I can use
dig
with the +dnssec
parameter. This adds a flag to the query saying that DNSSEC is desired. For example:$ dig @192.168.1.254 +dnssec hawaga.org.uk
dig
will give a flag line in its output, like this:;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
If DNSSEC was able to check the results (which means that the result was signed, and that the resolver that you just queried was able to validate the results, then there will be another flag in there:
ad
. If not, then something didn't work correctly.You can get more DNSSEC logging by adding this to named.conf:
logging { channel dnssec_log { // a DNSSEC log channel file "/var/log/bind/dnssec.log" size 200m; print-time yes; // timestamp the entries print-category yes; // add category name to entries print-severity yes; // add severity level to entries severity debug 3; // print debug message <= 3 }; category dnssec { dnssec_log; }; };
So that's DNSSEC configured for resolving. Next, I want to sign my own zones so that others can verify them with DNSSEC on their own resolvers - I'll write about that in another post.
No comments:
Post a Comment