DNS » History » Revision 15
Revision 14 (Marc Dequènes, 2019-09-20 17:55) → Revision 15/28 (Marc Dequènes, 2019-09-26 06:42)
{{toc}} h1. DNS h2. Zone Management h3. Adding a Zone On each DNS server, master zone can be created/updated on _/etc/bind/masters/_. The ownership needs to be: * _banya:_ if a user zone which should be updatable via the Banya service * _root:bind_ in all other cases The zone is declared in _host_vars/<dnsserver>/dns.yml_ _host_vars/_dnsserver_/dns.yml_ and the playbook _playbooks/tenants/duckcorp/dns.yml_ is in charge of updating all configurations. Only the zone content is not Ansible managed. h3. Updating a Zone Edit the file _/etc/bind/masters/<zone-name>.zone_ on the primary master (Orfeo for all zones except DuckLand zones using Elwing). Do not forget to update the serial! Better to check the file validity before publishing updating the zone: <pre> named-checkzone <zone-name> <zone-file> </pre> Then to publish update the zone (DNSSEC-signed zones too): zone, if DNSSEC-signed (except on _Elwing_, use the usual reload command below, more info in the DNSSEC chapter): <pre> ods-signer sign <zone-name> </pre> else: <pre> rndc reload <zone-name> </pre> In case the zone is DNSSEC-signed, the publishing of keys in the parent zone is to be done manually (not automated yet); more details below. h3. Reseting the Zone Serial The serial needs to be increased by steps, as described "in this article":http://www.microhowto.info/howto/reset_the_serial_number_of_a_dns_zone.html. See: http://www.microhowto.info/howto/reset_the_serial_number_of_a_dns_zone.html h2. Secure Zone Transfers To secure zone transfers, a TSIG key needs to be created and added on both sides. Beware the key name *must* be identical on both side. DNS server groups (servers allowed to request transfer) and keys can be defined in _host_vars/<dnsserver>/dns.yml_ and _host_vars/<dnsserver>/dns.vault.yml_ respectively. If they are to be used on all servers, then you can declare them in _group_vars/dns_servers/dns.yml_ and _group_vars/dns_servers/dns.vault.yml_ respectively. You can a new key using: <pre> dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST taiste </pre> Take the 'Key' part in 'Ktaiste.*.private' file, to put into the configuration. The same playbook (_playbooks/tenants/duckcorp/dns.yml_) is used to update the configuration. h2. DNSSEC (with OpenDNSSEC, all server except Elwing) h3. Introduction Better read some documentation before fiddling with the controls: * "Supported rollover methods with OpenDNSSEC":https://wiki.opendnssec.org/display/DOCS/Key+Rollovers * "Explanation about the OpenDNSSEC key states":https://wiki.opendnssec.org/display/DOCS/Key+States * "Deeper explanation about the OpenDNSSEC key states":https://wiki.opendnssec.org/display/DOCS20/Key+States+Explained List of keys with states and IDs: <pre> ods-enforcer key list -v </pre> List of planned rollover dates: <pre> ods-enforcer rollover list </pre> h3. Key Rollover The ZSK key rollover is handled automatically by OpenDNSSEC, so admins have nothing to do. The KSK rollover implies contact with the parent zone and a manual step to get the DS entry in their zone is needed. h3. KSK Rollover Workflow Here are the states and what needs to be done: * *publish* state: ** when a new key is created, either for a new zone of to replace an old key, this key is added to the zone but not used to sign yet ** action: wait * *ready* state: ** the new zone, containing the key, is considered propagated, but not used to sign yet ** action: export the key, either using the DNSKEY or DS format depending on the provider (*ods-enforcer key export -z <zone-name> --keytype KSK --keystate ready* for the DNSKEY, or add *--ds* for the DS) ** action: add the key to the parent zone ** action: wait for the key to appear in the parent zone (*host -t DS -r <zone-name> $(host -t NS <tld> | grep "name server" | head -n 1 | cut -d" " -f4)*) ** action: notify OpenDNSSEC (*ods-enforcer key ds-seen -z <zone-name> --cka_id <key-id>*) * *active* state: ** the key is used for signing ** action: wait for the next rollover * *retire* state: ** the key is no more used to sign but still advertized ** action: remove the key from the parent zone ** action: wait for the key to disappear from the parent zone (*host -t DS -r <zone-name> $(host -t NS <zone-tld> | grep "name server" | head -n 1 | cut -d" " -f4)*) ** action: notify OpenDNSSEC (*ods-enforcer key ds-gone -z <zone-name> --cka_id <key-id>*) ** action: when you're sure everything went fine, purge old keys (*ods-enforcer key purge --policy default*) h3. Checking a Zone Test a Zone using a DNSSEC-enabled resolver: <pre> dig <zone-name> +dnssec </pre> You need to get the ad flag. If you get the aa flag, then you're interrogating one of the official NS for the zone, then try on another server to be sure your configuration is OK (remotely with *@<server>* as first command option). Test a Zone using an external web tool: * http://dnssec-debugger.verisignlabs.com/ * http://dnsviz.net/ h3. Forcing a policy change to be applied at once <pre> ods-enforcer enforce </pre> h3. Unsecuring a Zone If you plan to continue using the zone, better not remove DNSSEC support at once or until all DNSSEC information leaves the caches on the Internet problems are to be expected. A special *unsigned* policy has been added to the _opendnssec_ Ansible role. It was created using the specifications in the OpenDNSSEC documentation but has never been tested. In Ansible you need to affect this policy to your zone and deploy. Then follow the KSK rollover procedure until all keys have been retired. Then you can unconfigure DNSSEC for the zone. To buy some time you might try to force an early rollover (see below). h3. Forcing an Early Rollover <pre> ods-enforcer key rollover --zone <zone-name> --keytype ksk </pre> h2. DNSSEC (with Bind, only Elwing) Here are notes about using Bind inline-signing and key management. management in place of OpenDNSSEC. Until this is deemed stable enough and well tested, this will only affect DNSSEC-enabled zones on Elwing. Important fixes for inline-signing are expected in version 9.13 (so 9.14 stable), and hopefully more DNSSEC tooling improvements (like full KSK rollover scheduling). improvements. All general info above about DNSSEC does not change, expecially the rollover steps are similar even if the tooling change, and testing the zone is identical. The Ansible _bind_ role has been updated in a branch to be able to use Bind directly for DNSSEC. Our Ansible repository now tracks this branch (which still supports OpenDNSSEC) and add the necessary parameters to use it. Please look at the role's documentation to understand the inner technical details, this page is about administration of the solution. h3. Introduction Better read some documentation before fiddling with the controls: * https://ftp.isc.org/isc/dnssec-guide/html/dnssec-guide.html * https://kb.isc.org/docs/aa-00711 * https://securityblog.switch.ch/2014/11/13/dnssec-signing-your-domain-with-bind-inline-signing/ Key materials are initially created by the role when a zone is declared in Ansible, so no need to do anything outside Ansible. Cleanup when a zone is removed is not yet done though. As Bind is not using the usual date-based zone serial, it can be less misleading to reset the serial (see dedicated chapter above). h3. Zone Status General zone info, including the real published serial (after signing, resigning if it happens, rollovers…) and planned signing events: <pre> rndc zonestatus <zone-name> </pre> h4. Zone Keys To know which keys are currently signing a zone: <pre> rndc signing -list <zone-name> </pre> There is no way yet to know which is the KSK or ZSK without looking at the key materials. Keys are stored in _/etc/bind/keys_ and you can use the key ID to locate the corresponding file this way: <pre> ls /etc/bind/keys/K<zone-name>.+*+*<key-id>.key </pre> Inside you can read the key type (KSK/ZSK) and the lifetime schedule (so important rollover dates). *DO NOT CHANGE KEY INFORMATION !!!* Do not even use the _dnssec-settime_ tool directly. _dnssec-keymgr_ is in charge of the key maintenance according to the policy. It is possible to alter the timing using the _dnssec-settime_ tool, for example to schedule an emergency Read more about rollover if a key is compromised. In this case, after doing the modifications, Bind needs to be notififed using: <pre> rndc loadkeys <zone-name> </pre> below. h4. Parent Zone Publishing To see if the zone keys are properly published in the parent zone: <pre> dnssec-checkds <zone-name> </pre> (SHA-1 is obsolete, so not published) h3. Key Rollover The ZSK key rollover is handled automatically by Bind (_dnssec-keymgr_ in crontab), so admins have nothing to do. The KSK rollover implies contact with the parent zone and a manual step to get the DS entry in their zone is needed. Creating the new keys and planning the change is also done automatically using the same tool. To get a view of the schedule (past events for currently involved keys are displayed too) (beware it is using UTC): <pre> dnssec-coverage -K /etc/bind/keys -m 1w -d 1d -k </pre> h3. KSK Rollover Workflow Here are the states and what needs to be done: * *created* state: ** new created key (new zone or key replacement), this key The workflow is not used yet ** action: wait * *publish* state: ** the same except there is added no way to notify bind a change occurred, thus we *must* do the zone but not used to sign yet ** after the zone default TTL has passed, it is considered published ** action: wait for propagation * *active* state: ** the key is used for signing ** action: export the key rollover in DS format using the *dnssec-dsfromkey -2 <ksk-filename>* command (see previous chapter to get the absolute filename for the current KSK key, any of the _key_ time or _private_ file would do) ** action: add update the key policy to the parent zone ** after the DS TTL has passed, it is considered published and the zone is secured with the key ** action: wait for the next rollover * *inactive* state: ** the key is no allow more used to sign but still published ** action: remove the DS key from the parent zone * *deleted* state: ** the key is not published anymore ** action: when you're sure everything went fine, purge old keys (should be automated some day) time (via Ansible parameters). Currently we need to check manually when to do the KSK rollover. The coverage command above and _next key event_ in the zone info should help build a little script to warn us in time. To get the DS RR to set in the parent zone, first get the absolute filename for the current KSK key (see previous chapter, any of the _key_ or _private_ file would do), and use this command: <pre> dnssec-dsfromkey -2 <ksk-filename> </pre> The plan in the long run is to use CDS/CDNSKEY (RFC 7344). Some interesting reading about an implementation: https://jpmens.net/2017/09/21/parents-children-cds-cdnskey-records-and-dnssec-cds/ h3. Checking a Zone Test a Zone using a DNSSEC-enabled resolver: <pre> dig <zone-name> +dnssec </pre> You need to get the ad flag. If you get the aa flag, then you're interrogating one of the official NS for the zone, then try on another server to be sure your configuration is OK (remotely with *@<server>* as first command option). Test a Zone using an external web tool: * http://dnssec-debugger.verisignlabs.com/ * http://dnsviz.net/ h3. Forcing a policy change to be applied at once Via Ansible it is possible to change the policy directly, then either wait a few hours or run _dnssec-keymgr_ manually (as _bind_ user). h3. Unsecuring a Zone First the DS needs to be removed from the parent zone, then we need to wait for the DS TTL to expire before unsigning. The Ansible config can then be updated. Key materials need to be removed manually. h3. Forcing an Early Rollover Currently I'm not sure how it would interact with the _dnssec-keymgr_ operations so I need to test. It is possible to do so: https://blog.webernetz.net/dnssec-ksk-emergency-rollover/ In our case we already do have pre-generated waiting keys scheduled to be injected, so changing the timing of the current key to reduce its lifetime and rerunning _dnssec-keymgr_ manually (as _bind_ user) should do the trick, but I need to test. h2. Checking Servers * "ISC EDNS Compliance Tester":https://ednscomp.isc.org/ednscomp/ h2. Problems h3. receive_secure_serial: not exact This means the inline-signing journal is corrupted and changes to the zone cannot be applied to the signed zoned. Workaround: <pre> rndc sync -clean <zone> rndc stop </pre> then bump the zone's serial and restart Bind, it should have solved the problem.