Tony Finch - How to set up DNSSEC validation with BIND-9.7

dotatfanf wrote on 16th July 2010 at 16:41

How to set up DNSSEC validation with BIND-9.7

Edited to add: IANA have a tool written in Python called anchors2keys which does most of this automatically (er, for the ITAR, not for the root trust anchor). Jakob Schlyter has a Perl program called ta-tool which does a similar job, as does Bjørn Mork's rootanchor2keys.pl. Stephane Bortzmeyer has a Makefile and an XSLT script which also do the job.
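The job those scripts do, as an added example written for this page (it is not anchors2keys, ta-tool, rootanchor2keys.pl or the Makefile/XSLT above): parse the KeyDigest entries out of root-anchors.xml, compute the DS digest of every DNSKEY that `dig . DNSKEY` returned, keep the keys whose digest matches an anchor that is valid today, and print a BIND 9.7 managed-keys statement. Everything it reads is constructed inline: the DNSKEY text and the XML are generated from made-up key bytes, so the key tags and digests are not IANA's, and the XML deliberately carries three KeyDigest elements (the current key, a rollover successor and a retired one with validUntil) so the several-DS-records case is exercised rather than assumed away. The element names and attributes follow the layout of the real root-anchors.xml; the helper names are mine.

```python
"""root-anchors.xml + root DNSKEY RRset -> BIND 9.7 managed-keys statement.
Added example for this page, not one of the tools it lists.  All input below is
constructed: the 'public keys' are made-up byte strings, so nothing here is a
real IANA key tag or digest."""
import base64
import hashlib
import struct
import xml.etree.ElementTree as ET
from datetime import datetime

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types, RFC 4034 / RFC 4509


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA in wire form (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """Key tag, RFC 4034 Appendix B (the algorithm-1 special case is not needed here)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def name_to_wire(name):
    """Canonical wire-form owner: lower-cased, length-prefixed labels; root is one 0x00 byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(canonical owner name || DNSKEY RDATA), upper-case hex like the XML."""
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def parse_dnskeys(text):
    """Parse answer-section lines of `dig . DNSKEY`: owner ttl class DNSKEY flags proto alg key."""
    keys = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop any trailing dig comment
        if not line:
            continue
        f = line.split()
        if len(f) < 8 or f[3] != "DNSKEY":
            raise ValueError("not a DNSKEY record: %r" % line)
        b64 = "".join(f[7:])  # dig may split the base64 key into several fields
        keys.append({"owner": f[0], "flags": int(f[4]), "protocol": int(f[5]),
                     "algorithm": int(f[6]), "b64": b64, "pubkey": base64.b64decode(b64)})
    return keys


def parse_anchors(xml_text, now):
    """KeyDigest entries valid at `now` (ISO-8601 string or aware datetime).  A KSK
    rollover adds a second entry; a retired key keeps its entry but gains validUntil."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    root = ET.fromstring(xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text)
    zone, anchors = root.findtext("Zone"), []
    for kd in root.findall("KeyDigest"):
        valid_from, valid_until = kd.get("validFrom"), kd.get("validUntil")
        if valid_from and datetime.fromisoformat(valid_from) > now:
            continue
        if valid_until and datetime.fromisoformat(valid_until) <= now:
            continue
        anchors.append({"zone": zone, "tag": int(kd.findtext("KeyTag")),
                        "algorithm": int(kd.findtext("Algorithm")),
                        "digest_type": int(kd.findtext("DigestType")),
                        "digest": kd.findtext("Digest").strip().upper()})
    return anchors


def match_anchors(anchors, dnskeys):
    """Keep only DNSKEYs whose computed DS equals a published, currently valid anchor."""
    trusted = []
    for k in dnskeys:
        rdata = dnskey_rdata(k["flags"], k["protocol"], k["algorithm"], k["pubkey"])
        tag = key_tag(rdata)
        for a in anchors:
            if (name_to_wire(k["owner"]) == name_to_wire(a["zone"]) and a["tag"] == tag
                    and a["algorithm"] == k["algorithm"]
                    and ds_digest(k["owner"], rdata, a["digest_type"]) == a["digest"]):
                trusted.append(k)
                break
    return trusted


def managed_keys(trusted):
    """BIND 9.7 managed-keys statement; initial-key hands later rollovers to RFC 5011."""
    body = ['    "%s" initial-key %d %d %d "%s";' % (k["owner"], k["flags"], k["protocol"],
                                                      k["algorithm"], k["b64"]) for k in trusted]
    return "managed-keys {\n" + "\n".join(body) + "\n};\n"


def trusted_root_keys(anchor_xml, dnskey_text, now):
    return match_anchors(parse_anchors(anchor_xml, now), parse_dnskeys(dnskey_text))


# ---- constructed sample input (made-up key bytes, not real key material) ----
def _fake_key(seed, n=64):
    return base64.b64encode(bytes((i * seed + 1) & 0xFF for i in range(n))).decode()

KSK_A, KSK_B, KSK_C, ZSK = _fake_key(3), _fake_key(5), _fake_key(7), _fake_key(11, 32)

SAMPLE_DNSKEYS = f"""\
. 172800 IN DNSKEY 257 3 8 {KSK_A}
. 172800 IN DNSKEY 257 3 8 {KSK_B}
. 172800 IN DNSKEY 257 3 8 {KSK_C}
. 172800 IN DNSKEY 256 3 8 {ZSK}
"""

def _key_digest(kid, b64, digest_type, valid_from, valid_until=None):
    rdata = dnskey_rdata(257, 3, 8, base64.b64decode(b64))
    until = f' validUntil="{valid_until}"' if valid_until else ""
    return (f'<KeyDigest id="{kid}" validFrom="{valid_from}"{until}>'
            f'<KeyTag>{key_tag(rdata)}</KeyTag><Algorithm>8</Algorithm>'
            f'<DigestType>{digest_type}</DigestType>'
            f'<Digest>{ds_digest(".", rdata, digest_type)}</Digest></KeyDigest>')

# Same element layout as root-anchors.xml: current KSK, rollover successor, retired key.
SAMPLE_ANCHOR_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<TrustAnchor id="constructed-sample" source="constructed for this example, not data.iana.org">
<Zone>.</Zone>
{_key_digest("kskA", KSK_A, 2, "2010-07-15T00:00:00+00:00")}
{_key_digest("kskB", KSK_B, 2, "2017-07-11T00:00:00+00:00")}
{_key_digest("kskC", KSK_C, 1, "2007-01-01T00:00:00+00:00", "2009-01-01T00:00:00+00:00")}
</TrustAnchor>
"""

NOW = "2018-01-01T00:00:00+00:00"

if __name__ == "__main__":
    print(managed_keys(trusted_root_keys(SAMPLE_ANCHOR_XML, SAMPLE_DNSKEYS, NOW)), end="")
```

With real input, feed it the answer-section lines of `dig . DNSKEY` and the XML downloaded from IANA. What it leaves out is the part that makes the result worth trusting: root-anchors.xml must itself be fetched over HTTPS and checked against the detached signature IANA publishes beside it, otherwise the digest match only shows that the DNSKEY agrees with whatever XML you were handed. Keys that fail the match, and ZSKs (flags 256), are silently dropped, which is the right default for a trust anchor list.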


From: (Anonymous)
Date: 2010-07-16 23:39 (UTC)
Subject: great doc

Great tutorial. The test with dig seems to work but I see plenty of "error (insecurity proof failed)" in my log. Is this normal or am I missing something?

From: fanf
Date: 2010-07-17 00:32 (UTC)
Subject: Re: great doc

BIND's changelog says: Clarify logged message when an insecure DNSSEC response arrives from a zone thought to be secure: "insecurity proof failed" instead of "not insecure".

From: (Anonymous)
Date: 2010-07-17 02:11 (UTC)
Subject: a bit confused

In your link to the anchors2keys tool on the IANA site, it says that this process is only necessary until the root is signed (which it now is). Am I missing something?

From: fanf
Date: 2010-07-17 06:54 (UTC)
Subject: Re: a bit confused

anchors2keys was originally written for use with IANA's interim trust anchor repository, which is/was a list of trust anchors for TLDs, published in the same XML format as the root trust anchor. The ITAR is basically made obsolete by the signed root zone, or will be as soon as the signed TLDs get their DS records into the root zone. The ITAR was a more conservative and less convenient alternative to DNSSEC lookaside validation. Unlike the ITAR, DLV is not made obsolete by the signed root because it can cover any domain outside the chain of trust from the root, not just TLDs.

From: (Anonymous)
Date: 2010-07-17 16:09 (UTC)
Subject: Re: a bit confused

As I read more I suspected it was something like that, thanks for the explanation.

From: fanf
Date: 2010-07-18 18:06 (UTC)
Subject: Re: a bit confused

Er actually the XML format is not the same, so you can't use anchors2keys with the root trust anchor. How irritating.

Edited at 2010-07-18 18:07 (UTC)

From: (Anonymous)
Date: 2010-07-21 20:35 (UTC)
Subject: A Bash script.

Could you try and comment on this Bash script?

http://pastebin.com/2iy72f5C

Thanks.

From: fanf
Date: 2010-07-22 14:32 (UTC)
Subject: Re: A Bash script.

It makes a number of assumptions which are likely wrong. For example, there's no need to hard-code the algorithm and key length. The thing that is most likely to cause problems is if they handle KSK rollover by putting more than one DS record in root-anchors.xml - it looks like the XML schema is designed to permit this.

From: (Anonymous)
Date: 2010-07-23 01:27 (UTC)
Subject: Re: A Bash script.

"The thing that is most likely to cause problems is if they handle KSK rollover by putting more than one DS record in root-anchors.xml - it looks like the XML schema is designed to permit this."

Yes, that's correct. Do you think it is worth improving the script to cover that case?

Thanks for your feedback.


From: fanf
Date: 2010-07-23 06:42 (UTC)
Subject: Re: A Bash script.

The other scripts handle this case. On the other hand, KSK rollover should be handled automatically by RFC 5011, and I expect future versions of BIND will ship with root trust anchors built in, so we may never need to run these scripts again!

From: bortzmeyer.org
Date: 2010-07-28 16:06 (UTC)
Subject: Reference site for my scripts

For my Makefile and XSLT script, it is better to fetch the latest version from my article http://www.bortzmeyer.org/valider-racine.html (in French only). Direct link to the Makefile: http://www.bortzmeyer.org/files/anchors2ds.make and to the XSLT script: http://www.bortzmeyer.org/files/anchors2ds.xsl

From: fanf
Date: 2010-07-28 16:11 (UTC)
Subject: Re: Reference site for my scripts

Thanks. I have updated the link (via Google Translate).