Project

General

Profile

DNS » History » Version 5

Marc Dequènes, 2018-05-04 17:22

1 1 Marc Dequènes
h1. DNS
2
3
h2. Zone Management
4
5
On each DNS server, master zone can be created/updated on _/etc/bind/masters/_. The ownership needs to be:
6
* _banya:_ if a user zone which should be updatable via the Banya service
7
* _root:bind_ in all other cases
8
9
The zone is declared in _host_vars/_dnsserver_/dns.yml_ and the playbook _playbooks/tenants/duckcorp/dns.yml_ is in charge of updating all configurations. Only the zone content is not Ansible managed.
10
11 2 Marc Dequènes
Better to check the file validity before updating the zone:
12
<pre>
13
named-checkzone <zone-name> <zone-file>
14
</pre>
15
16
Then to update the zone, if DNSSEC-signed:
17
<pre>
18
ods-signer sign <zone-name>
19
</pre>
20
else:
21
<pre>
22
rndc reload <zone-name>
23
</pre>
24
25
In case the zone is DNSSEC-signed, the publishing of keys in the parent zone is to be done manually (not automated yet); more details below.
26 1 Marc Dequènes
27
h2. Secure Zone Transfers
28
29
To secure zone transfers, a TSIG key needs to be created and added on both sides. Beware the key name *must* be identical on both side. 
30
31
DNS server groups (servers allowed to request transfer) and keys can be defined in _host_vars/<dnsserver>/dns.yml_ and _host_vars/<dnsserver>/dns.vault.yml_ respectively. If they are to be used on all servers, then you can declare them in _group_vars/dns_servers/dns.yml_ and _group_vars/dns_servers/dns.vault.yml_ respectively.
32
33
You can a new key using:
34
<pre>
35
dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST taiste
36
</pre>
37
Take the 'Key' part in 'Ktaiste.*.private' file, to put into the configuration.
38
39
The same playbook (_playbooks/tenants/duckcorp/dns.yml_) is used to update the configuration.
40
41
h2. DNSSEC
42
43 3 Marc Dequènes
h3. Introduction
44
45
Better read some documentation before fiddling with the controls:
46
* "Supported rollover methods with OpenDNSSEC":https://wiki.opendnssec.org/display/DOCS/Key+Rollovers
47
* "Explanation about the OpenDNSSEC key states":https://wiki.opendnssec.org/display/DOCS/Key+States
48
* "Deeper explanation about the OpenDNSSEC key states":https://wiki.opendnssec.org/display/DOCS20/Key+States+Explained
49
50
List of keys with states and IDs:
51
<pre>
52
ods-enforcer key list -v
53
</pre>
54
55
List of planned rollover dates:
56
<pre>
57
ods-enforcer rollover list
58
</pre>
59
60
h3. Key Rollover
61
62
The ZSK key rollover is handled automatically by OpenDNSSEC, so admins have nothing to do.
63
64
The KSK rollover implies contact with the parent zone and a manual step to get the DS entry in their zone is needed. 
65
66
h3. KSK Rollover Workflow
67
68
Here are the states and what needs to be done:
69
* *publish* state:
70
** when a new key is created, either for a new zone of to replace an old key, this key is added to the zone but not used to sign yet
71
** action: wait
72
* *ready* state:
73
** the new zone, containing the key, is considered propagated, but not used to sign yet
74 4 Marc Dequènes
** action: export the key, either using the DNSKEY or DS format depending on the provider (*ods-enforcer key export -z <zone-name> --keytype KSK --keystate ready* for the DNSKEY, or add *--ds* for the DS)
75
** action: add the key to the parent zone
76 1 Marc Dequènes
** action: wait for the key to appear in the parent zone (*host -t DS -r <zone-name> $(host -t NS <tld> | grep "name server" | head -n 1 | cut -d" " -f4)*)
77 4 Marc Dequènes
** action: notify OpenDNSSEC (*ods-enforcer key ds-seen -z <zone-name> --cka_id <key-id>*)
78
* *active* state:
79
** the key is used for signing
80
** action: wait for the next rollover
81
* *retire* state:
82
** the key is no more used to sign but still advertized
83
** action: remove the key from the parent zone
84 5 Marc Dequènes
** action: wait for the key to disappear from the parent zone (*host -t DS -r <zone-name> $(host -t NS <zone-tld> | grep "name server" | head -n 1 | cut -d" " -f4)*)
85 4 Marc Dequènes
** action: notify OpenDNSSEC (*ods-enforcer key ds-gone -z <zone-name> --cka_id <key-id>*)
86 5 Marc Dequènes
** action: when you're sure everything went fine, purge old keys (*ods-enforcer key purge --policy default*)
87 1 Marc Dequènes
88 5 Marc Dequènes
h3. Checking a Zone
89
90
Test a Zone using a DNSSEC-enabled resolver:
91
<pre>
92
dig <zone-name> +dnssec
93
</pre>
94
You need to get the ad flag. If you get the aa flag, then you're interrogating one of the official NS for the zone, then try on another server to be sure your configuration is OK (remotely with *@<server>* as first command option).
95
96
Test a Zone using an external web tool:
97
* http://dnssec-debugger.verisignlabs.com/
98
* http://dnsviz.net/
99
100
h3. Forcing a policy change to be applied at once
101
102
<pre>
103
ods-enforcer enforce
104
</pre>
105
106
h3. Unsecuring a Zone
107
108
If you plan to continue using the zone, better not remove DNSSEC support at once or until all DNSSEC information leaves the caches on the Internet problems are to be expected.
109
110
A special *unsigned* policy has been added to the _opendnssec_ Ansible role. It was created using the specifications in the OpenDNSSEC documentation but has never been tested.
111
112
In Ansible you need to affect this policy to your zone and deploy. Then follow the KSK rollover procedure until all keys have been retired. Then you can unconfigure DNSSEC for the zone.
113
114
To buy some time you might try to force an early rollover (see below).
115
116
h3. Forcing an Early Rollover
117
118
<pre>
119
ods-enforcer key rollover --zone <zone-name> --keytype ksk
120
</pre>