Project

General

Profile

DNS » History » Version 21

Marc Dequènes, 2020-05-02 08:04

1 6 Marc Dequènes
{{toc}}
2
3 1 Marc Dequènes
h1. DNS
4
5
h2. Zone Management
6
7 9 Marc Dequènes
h3. Adding a Zone
8
9 1 Marc Dequènes
On each DNS server, master zone can be created/updated on _/etc/bind/masters/_. The ownership needs to be:
10
* _banya:_ if a user zone which should be updatable via the Banya service
11
* _root:bind_ in all other cases
12
13 15 Marc Dequènes
The zone is declared in _host_vars/<dnsserver>/dns.yml_ and the playbook _playbooks/tenants/duckcorp/dns.yml_ is in charge of updating all configurations. Only the zone content is not Ansible managed.
14 1 Marc Dequènes
15 9 Marc Dequènes
h3. Updating a Zone
16 1 Marc Dequènes
17 15 Marc Dequènes
Edit the file _/etc/bind/masters/<zone-name>.zone_ on the primary master (Orfeo for all zones except DuckLand zones using Elwing).
18
19
Do not forget to update the serial!
20
21
Better to check the file validity before publishing the zone:
22 2 Marc Dequènes
<pre>
23 1 Marc Dequènes
named-checkzone <zone-name> <zone-file>
24 2 Marc Dequènes
</pre>
25
26 15 Marc Dequènes
Then to publish the zone (DNSSEC-signed zones too):
27 2 Marc Dequènes
<pre>
28
rndc reload <zone-name>
29
</pre>
30
31 1 Marc Dequènes
In case the zone is DNSSEC-signed, the publishing of keys in the parent zone is to be done manually (not automated yet); more details below.
32
33 9 Marc Dequènes
h3. Reseting the Zone Serial
34 7 Marc Dequènes
35 15 Marc Dequènes
The serial needs to be increased by steps, as described "in this article":http://www.microhowto.info/howto/reset_the_serial_number_of_a_dns_zone.html.
36 7 Marc Dequènes
37 1 Marc Dequènes
h2. Secure Zone Transfers
38
39
To secure zone transfers, a TSIG key needs to be created and added on both sides. Beware the key name *must* be identical on both side. 
40
41
DNS server groups (servers allowed to request transfer) and keys can be defined in _host_vars/<dnsserver>/dns.yml_ and _host_vars/<dnsserver>/dns.vault.yml_ respectively. If they are to be used on all servers, then you can declare them in _group_vars/dns_servers/dns.yml_ and _group_vars/dns_servers/dns.vault.yml_ respectively.
42
43
You can a new key using:
44
<pre>
45 5 Marc Dequènes
dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST taiste
46
</pre>
47
Take the 'Key' part in 'Ktaiste.*.private' file, to put into the configuration.
48
49
The same playbook (_playbooks/tenants/duckcorp/dns.yml_) is used to update the configuration.
50
51 15 Marc Dequènes
h2. DNSSEC
52 5 Marc Dequènes
53 15 Marc Dequènes
Here are notes about using Bind inline-signing and key management. Important fixes for inline-signing are expected in version 9.13 (so 9.14 stable), and hopefully more DNSSEC tooling improvements (like full KSK rollover scheduling).
54 5 Marc Dequènes
55
All general info above about DNSSEC does not change, expecially the rollover steps are similar even if the tooling change, and testing the zone is identical.
56
57
The Ansible _bind_ role has been updated in a branch to be able to use Bind directly for DNSSEC. Our Ansible repository now tracks this branch (which still supports OpenDNSSEC) and add the necessary parameters to use it. Please look at the role's documentation to understand the inner technical details, this page is about administration of the solution.
58
59
h3. Introduction
60
61
Better read some documentation before fiddling with the controls:
62 17 Marc Dequènes
* "Bind DNSSEC Guide":https://downloads.isc.org/isc/dnssec-guide/html/dnssec-guide.html
63
* "KSK Rollover":https://blog.webernetz.net/dnssec-ksk-key-rollover/ (key is manually created instead of using `dnssec-keymgr` but it's a good example)
64
* "Future KSK Rollover Automation":https://www.dns.cam.ac.uk/news/2019-01-30-rollover.html
65 5 Marc Dequènes
66
Key materials are initially created by the role when a zone is declared in Ansible, so no need to do anything outside Ansible. Cleanup when a zone is removed is not yet done though. As Bind is not using the usual date-based zone serial, it can be less misleading to reset the serial (see dedicated chapter above).
67
68
h3. Zone Status
69
70
General zone info, including the real published serial (after signing, resigning if it happens, rollovers…) and planned signing events:
71
<pre>
72
rndc zonestatus <zone-name>
73 1 Marc Dequènes
</pre>
74 6 Marc Dequènes
75
h4. Zone Keys
76 1 Marc Dequènes
77 21 Marc Dequènes
To know which keys (<key-id>) are currently signing a zone (may be inactive and not deleted yet):
78 7 Marc Dequènes
<pre>
79 21 Marc Dequènes
dig +noall +answer +multi <zone-name> DNSKEY | grep KSK
80 6 Marc Dequènes
</pre>
81 21 Marc Dequènes
(_rndc signing -list <zone-name>_ cannot be used "because of a bug":https://lists.isc.org/pipermail/bind-users/2013-October/091768.html)
82 6 Marc Dequènes
83 1 Marc Dequènes
There is no way yet to know which is the KSK or ZSK without looking at the key materials. Keys are stored in _/etc/bind/keys_ and you can use the key ID to locate the corresponding file this way:
84
<pre>
85
ls /etc/bind/keys/K<zone-name>.+*+*<key-id>.key
86 7 Marc Dequènes
</pre>
87
88
Inside you can read the key type (KSK/ZSK) and the lifetime schedule (so important rollover dates).
89
90 16 Marc Dequènes
_dnssec-keymgr_ is in charge of the key maintenance according to the policy. It is possible to alter the timing using the _dnssec-settime_ tool, for example to schedule an emergency rollover if a key is compromised.
91 15 Marc Dequènes
In this case, after doing the modifications, Bind needs to be notififed using:
92
<pre>
93
rndc loadkeys <zone-name>
94
</pre>
95 6 Marc Dequènes
96
h4. Parent Zone Publishing
97 10 Marc Dequènes
98 18 Marc Dequènes
To see if the zone KSK keys are properly published in the parent zone:
99 6 Marc Dequènes
<pre>
100
dnssec-checkds <zone-name>
101
</pre>
102
(SHA-1 is obsolete, so not published)
103
104
h3. Key Rollover
105
106 10 Marc Dequènes
The ZSK key rollover is handled automatically by Bind (_dnssec-keymgr_ in crontab), so admins have nothing to do.
107
108
The KSK rollover implies contact with the parent zone and a manual step to get the DS entry in their zone is needed. Creating the new keys and planning the change is also done automatically using the same tool.
109
110
To get a view of the schedule (past events for currently involved keys are displayed too) (beware it is using UTC):
111
<pre>
112
dnssec-coverage -K /etc/bind/keys -m 1w -d 1d -k
113 1 Marc Dequènes
</pre>
114
115 18 Marc Dequènes
To have a list of KSK keys that needs publishing on the parent zone:
116
<pre>
117
dnssec-checkds <zone-name>
118
</pre>
119
120 10 Marc Dequènes
h3. KSK Rollover Workflow
121 17 Marc Dequènes
122
We use the Double-Signature method with some overlap of DS publishing.
123 10 Marc Dequènes
124 15 Marc Dequènes
Here are the states and what needs to be done:
125
* *created* state:
126
** new created key (new zone or key replacement), this key is not used yet
127
** action: wait
128
* *publish* state:
129
** the is added to the zone but not used to sign yet
130
** after the zone default TTL has passed, it is considered published
131
** action: wait for propagation
132 1 Marc Dequènes
* *active* state:
133
** the key is used for signing
134 18 Marc Dequènes
** action: export the key either (depending on the registrar):
135
*** DS: in digest format using the *dnssec-dsfromkey -2 <ksk-filename>* command (see previous chapter to get the absolute filename for the current KSK key, any of the _key_ or _private_ file would do)
136
*** full key: in _<ksk-filename>_ the _<key>_ is on a line formated like _<zone-name> <ttl>  IN DNSKEY <flags> <protocol> <algorithm> <key>_ (<flags>, <protocol> and <algorithm> are three numbers, the rest is the <key>; you can copy it with the spaces)
137 15 Marc Dequènes
** action: add the key to the parent zone
138
** after the DS TTL has passed, it is considered published and the zone is secured with the key
139
** action: wait for the next rollover
140
* *inactive* state:
141
** the key is no more used to sign but still published
142
** action: remove the DS key from the parent zone
143
* *deleted* state:
144
** the key is not published anymore
145
** action: when you're sure everything went fine, purge old keys (should be automated some day)
146 11 Marc Dequènes
147
Currently we need to check manually when to do the KSK rollover. The coverage command above and _next key event_ in the zone info should help build a little script to warn us in time.
148 6 Marc Dequènes
149 7 Marc Dequènes
The plan in the long run is to use CDS/CDNSKEY (RFC 7344). Some interesting reading about an implementation:
150
  https://jpmens.net/2017/09/21/parents-children-cds-cdnskey-records-and-dnssec-cds/
151 6 Marc Dequènes
152 12 Marc Dequènes
h3. Checking a Zone
153
154
Test a Zone using a DNSSEC-enabled resolver:
155
<pre>
156
dig <zone-name> +dnssec
157
</pre>
158 13 Marc Dequènes
159 12 Marc Dequènes
You need to get the ad flag. If you get the aa flag, then you're interrogating one of the official NS for the zone, then try on another server to be sure your configuration is OK (remotely with *@<server>* as first command option).
160
161
Test a Zone using an external web tool:
162
* http://dnssec-debugger.verisignlabs.com/
163
* http://dnsviz.net/
164
165 6 Marc Dequènes
h3. Forcing a policy change to be applied at once
166
167
Via Ansible it is possible to change the policy directly, then either wait a few hours or run _dnssec-keymgr_ manually (as _bind_ user).
168
169
h3. Unsecuring a Zone
170
171
First the DS needs to be removed from the parent zone, then we need to wait for the DS TTL to expire before unsigning.
172
173
The Ansible config can then be updated. Key materials need to be removed manually.
174
175 1 Marc Dequènes
h3. Forcing an Early Rollover
176
177
It is possible to do so: https://blog.webernetz.net/dnssec-ksk-emergency-rollover/
178 16 Marc Dequènes
179 1 Marc Dequènes
Summary:
180 16 Marc Dequènes
* create new key: *dnssec-keygen -a RSASHA512 -b 4096 -3 -f KSK <zone-name>* (in _/etc/bind/keys_ and ensuring proper permissions for Bind)
181
* resign the zone: *rndc sign <zone-name>*
182 18 Marc Dequènes
* publish the key in the parent zone (see KSK Rollover Workflow above)
183 16 Marc Dequènes
* schedule removal of the old key: *dnssec-settime -D +24h <ksk-filename>* (the exact time depends on the TTL of the DS record, which is 24h for Gandi)
184 9 Marc Dequènes
185
h2. Checking Servers
186
187
* "ISC EDNS Compliance Tester":https://ednscomp.isc.org/ednscomp/
188 14 Marc Dequènes
189 20 Marc Dequènes
h3. DNSSEC Checks
190
191
Should return a A record and have the *ad* flag set:
192
<pre>
193
dig sigok.verteiltesysteme.net @127.0.0.1
194
</pre>
195
196
197
Should return *SERVFAIL*:
198
<pre>
199
dig sigfail.verteiltesysteme.net @127.0.0.1
200
</pre>
201
202
203 14 Marc Dequènes
h2. Problems
204
205
h3. receive_secure_serial: not exact
206
207
This means the inline-signing journal is corrupted and changes to the zone cannot be applied to the signed zoned.
208
209
Workaround:
210
<pre>
211
rndc sync -clean <zone>
212
rndc stop
213
</pre>
214
then bump the zone's serial and restart Bind, it should have solved the problem.
215 19 Marc Dequènes
216
If this does not work:
217
<pre>
218
systemctl stop bind9
219
rm /var/cache/bind/masters/<zone>.zone.*
220
systemctl start bind9
221
</pre>