Project

General

Profile

DNS » History » Version 6

Marc Dequènes, 2019-01-01 09:10

1 6 Marc Dequènes
{{toc}}
2
3 1 Marc Dequènes
h1. DNS
4
5
h2. Zone Management
6
7
On each DNS server, master zone can be created/updated on _/etc/bind/masters/_. The ownership needs to be:
8
* _banya:_ if a user zone which should be updatable via the Banya service
9
* _root:bind_ in all other cases
10
11
The zone is declared in _host_vars/_dnsserver_/dns.yml_ and the playbook _playbooks/tenants/duckcorp/dns.yml_ is in charge of updating all configurations. Only the zone content is not Ansible managed.
12
13 2 Marc Dequènes
Better to check the file validity before updating the zone:
14
<pre>
15
named-checkzone <zone-name> <zone-file>
16
</pre>
17 1 Marc Dequènes
18 6 Marc Dequènes
Then to update the zone, if DNSSEC-signed (except on _Elwing_, use the usual reload command below, more info below):
19 2 Marc Dequènes
<pre>
20
ods-signer sign <zone-name>
21
</pre>
22
else:
23
<pre>
24
rndc reload <zone-name>
25
</pre>
26
27
In case the zone is DNSSEC-signed, the publishing of keys in the parent zone is to be done manually (not automated yet); more details below.
28 1 Marc Dequènes
29
h2. Secure Zone Transfers
30
31
To secure zone transfers, a TSIG key needs to be created and added on both sides. Beware the key name *must* be identical on both side. 
32
33
DNS server groups (servers allowed to request transfer) and keys can be defined in _host_vars/<dnsserver>/dns.yml_ and _host_vars/<dnsserver>/dns.vault.yml_ respectively. If they are to be used on all servers, then you can declare them in _group_vars/dns_servers/dns.yml_ and _group_vars/dns_servers/dns.vault.yml_ respectively.
34
35
You can a new key using:
36
<pre>
37
dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST taiste
38
</pre>
39
Take the 'Key' part in 'Ktaiste.*.private' file, to put into the configuration.
40
41
The same playbook (_playbooks/tenants/duckcorp/dns.yml_) is used to update the configuration.
42
43 6 Marc Dequènes
h2. DNSSEC (with OpenDNSSEC, all server except Elwing)
44 1 Marc Dequènes
45 3 Marc Dequènes
h3. Introduction
46
47
Better read some documentation before fiddling with the controls:
48
* "Supported rollover methods with OpenDNSSEC":https://wiki.opendnssec.org/display/DOCS/Key+Rollovers
49
* "Explanation about the OpenDNSSEC key states":https://wiki.opendnssec.org/display/DOCS/Key+States
50
* "Deeper explanation about the OpenDNSSEC key states":https://wiki.opendnssec.org/display/DOCS20/Key+States+Explained
51
52
List of keys with states and IDs:
53
<pre>
54
ods-enforcer key list -v
55
</pre>
56
57
List of planned rollover dates:
58
<pre>
59
ods-enforcer rollover list
60
</pre>
61
62
h3. Key Rollover
63
64
The ZSK key rollover is handled automatically by OpenDNSSEC, so admins have nothing to do.
65
66
The KSK rollover implies contact with the parent zone and a manual step to get the DS entry in their zone is needed. 
67
68
h3. KSK Rollover Workflow
69
70
Here are the states and what needs to be done:
71
* *publish* state:
72
** when a new key is created, either for a new zone of to replace an old key, this key is added to the zone but not used to sign yet
73
** action: wait
74
* *ready* state:
75
** the new zone, containing the key, is considered propagated, but not used to sign yet
76 4 Marc Dequènes
** action: export the key, either using the DNSKEY or DS format depending on the provider (*ods-enforcer key export -z <zone-name> --keytype KSK --keystate ready* for the DNSKEY, or add *--ds* for the DS)
77
** action: add the key to the parent zone
78 1 Marc Dequènes
** action: wait for the key to appear in the parent zone (*host -t DS -r <zone-name> $(host -t NS <tld> | grep "name server" | head -n 1 | cut -d" " -f4)*)
79 4 Marc Dequènes
** action: notify OpenDNSSEC (*ods-enforcer key ds-seen -z <zone-name> --cka_id <key-id>*)
80
* *active* state:
81
** the key is used for signing
82
** action: wait for the next rollover
83
* *retire* state:
84
** the key is no more used to sign but still advertized
85
** action: remove the key from the parent zone
86 5 Marc Dequènes
** action: wait for the key to disappear from the parent zone (*host -t DS -r <zone-name> $(host -t NS <zone-tld> | grep "name server" | head -n 1 | cut -d" " -f4)*)
87 4 Marc Dequènes
** action: notify OpenDNSSEC (*ods-enforcer key ds-gone -z <zone-name> --cka_id <key-id>*)
88 5 Marc Dequènes
** action: when you're sure everything went fine, purge old keys (*ods-enforcer key purge --policy default*)
89 1 Marc Dequènes
90 5 Marc Dequènes
h3. Checking a Zone
91
92
Test a Zone using a DNSSEC-enabled resolver:
93
<pre>
94
dig <zone-name> +dnssec
95
</pre>
96
You need to get the ad flag. If you get the aa flag, then you're interrogating one of the official NS for the zone, then try on another server to be sure your configuration is OK (remotely with *@<server>* as first command option).
97
98
Test a Zone using an external web tool:
99
* http://dnssec-debugger.verisignlabs.com/
100
* http://dnsviz.net/
101
102
h3. Forcing a policy change to be applied at once
103
104
<pre>
105
ods-enforcer enforce
106
</pre>
107
108
h3. Unsecuring a Zone
109
110
If you plan to continue using the zone, better not remove DNSSEC support at once or until all DNSSEC information leaves the caches on the Internet problems are to be expected.
111
112
A special *unsigned* policy has been added to the _opendnssec_ Ansible role. It was created using the specifications in the OpenDNSSEC documentation but has never been tested.
113
114
In Ansible you need to affect this policy to your zone and deploy. Then follow the KSK rollover procedure until all keys have been retired. Then you can unconfigure DNSSEC for the zone.
115
116
To buy some time you might try to force an early rollover (see below).
117
118
h3. Forcing an Early Rollover
119
120
<pre>
121 1 Marc Dequènes
ods-enforcer key rollover --zone <zone-name> --keytype ksk
122
</pre>
123 6 Marc Dequènes
124
h2. DNSSEC (with Bind, only Elwing)
125
126
Here are notes about using Bind inline-signing and key management in place of OpenDNSSEC. Until this is deemed stable enough and well tested, this will only affect DNSSEC-enabled zones on Elwing.
127
128
All general info above about DNSSEC does not change, expecially the rollover steps are similar even if the tooling change, and testing the zone is identical.
129
130
The Ansible _bind_ role has been updated in a branch to be able to use Bind directly for DNSSEC. Our Ansible repository now tracks this branch (which still supports OpenDNSSEC) and add the necessary parameters to use it. Please look at the role's documentation to understand the inner technical details, this page is about administration of the solution.
131
132
h3. Introduction
133
134
Key materials are initially created by the role when a zone is declared in Ansible, so no need to do anything. Cleanup when a zone is removed is not yet done though.
135
136
General zone info, including the real published serial (after signing, resigning if it happens, rollovers…) and planned signing events:
137
<pre>
138
rndc zonestatus <zone-name>
139
</pre>
140
141
To know which keys are currently signing a zone:
142
<pre>
143
rndc signing -list <zone-name>
144
</pre>
145
146
There is no way yet to know which is the KSK or ZSK without looking at the key materials. Keys are stored in _/etc/bind/keys_ and you can use the key ID to locate the corresponding file this way:
147
<pre>
148
ls /etc/bind/keys/K<zone-name>.+*+*<kei-id>.key
149
</pre>
150
151
Inside you can read the key type (KSK/ZSK) and the lifetime schedule (so important rollover dates).
152
153
*DO NOT CHANGE KEY INFORMATION !!!* Do not even use the _dnssec-settime_ tool directly. _dnssec-keymgr_ is in charge of the key maintenance according to the policy. Read more about rollover below.
154
155
h3. Key Rollover
156
157
The ZSK key rollover is handled automatically by Bind (_dnssec-keymgr_ in crontab), so admins have nothing to do.
158
159
The KSK rollover implies contact with the parent zone and a manual step to get the DS entry in their zone is needed. Creating the new keys and planning the change is also done automatically using the same tool.
160
161
To get a view of the schedule (past events for currently involved keys are displayed too) (beware it is using UTC):
162
<pre>
163
dnssec-coverage -K /etc/bind/keys -m 1w -d 1d -k
164
</pre>
165
166
h3. KSK Rollover Workflow
167
168
The workflow is the same except there is no way to notify bind a change occurred, thus we *must* do the rollover in time or update the policy to allow more time (via Ansible parameters).
169
170
Currently we need to check manually when to do the KSK rollover. The command above and _next key event_ in the zone info should help build a little script to warn us in time.
171
172
The plan in the long run is to use 
173
174
h3. Forcing a policy change to be applied at once
175
176
Via Ansible it is possible to change the policy directly, then either wait a few hours or run _dnssec-keymgr_ manually (as _bind_ user).
177
178
h3. Unsecuring a Zone
179
180
First the DS needs to be removed from the parent zone, then we need to wait for the DS TTL to expire before unsigning.
181
182
The Ansible config can then be updated. Key materials need to be removed manually.
183
184
h3. Forcing an Early Rollover
185
186
Currently I'm not sure how it would interact with the _dnssec-keymgr_ operations so I need to test.
187
188
It is possible to do so: https://blog.webernetz.net/dnssec-ksk-emergency-rollover/
189
190
In our case we already do have pre-generated waiting keys scheduled to be injected, so changing the timing of the current key to reduce its lifetime and rerunning _dnssec-keymgr_ manually (as _bind_ user) should do the trick, but I need to test.