
fanf

How to set up DNSSEC validation with BIND-9.7

16th Jul 2010 | 16:41

The root zone is now signed! It's time to install the trust anchor on your recursive name servers. Getting it is more fiddly than it should be, since BIND does not recognize the format of the trust anchor as it is published by IANA.

  • Get the root DNSKEY RR set which is roughly what BIND requires for trust anchors.
        $ dig +multi +noall +answer DNSKEY . >root-dnskey
    The resulting file contains two keys, a short-lived zone-signing key (flags = 256) and the key-signing key (flags = 257) which is the one we care about.
    . 86400 IN DNSKEY 256 3 8 (
                AwEAAb1gcDhBlH/9MlgUxS0ik2dwY/JiBIpV+EhKZV7L
                ccxNc6Qlj467QjHQ3Fgm2i2LE9w6LqPFDSng5qVq1OYF
                yTBt3DQppqDnAPriTwW5qIQNDNFv34yo63sAdBeU4G9t
                v7dzT5sPyAgmVh5HDCe+6XM2+Iel1+kUKCel8Icy19hR
                ) ; key id = 41248
    . 86400 IN DNSKEY 257 3 8 (
                AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
                bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh
                /RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA
                JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp
                oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3
                LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO
                Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc
                LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
                ) ; key id = 19036
    
  • Turn the DNSKEY into a DS RR set. The dnssec-dsfromkey program ignores the ZSK and only emits DS RRs for the KSK.
        $ dnssec-dsfromkey -f root-dnskey . >root-ds
    It emits two RRs, one using SHA-1 and one using SHA-256.
    . IN DS 19036 8 1 B256BD09DC8DD59F0E0F0D8541B8328DD986DF6E
    . IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
    
  • Fetch https://data.iana.org/root-anchors/root-anchors.xml which contains a copy of the SHA-256 DS record in XML format.
    <?xml version="1.0" encoding="UTF-8"?>
      <TrustAnchor id="AD42165F-3B1A-4778-8F42-D34A1D41FD93"
        source="http://data.iana.org/root-anchors/root-anchors.xml">
      <Zone>.</Zone>
      <KeyDigest id="Kjqmt7v" validFrom="2010-07-15T00:00:00+00:00">
        <KeyTag>19036</KeyTag>
        <Algorithm>8</Algorithm>
        <DigestType>2</DigestType>
        <Digest>49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5</Digest>
      </KeyDigest>
    </TrustAnchor>
    
  • You can also fetch https://data.iana.org/root-anchors/root-anchors.asc and use it to verify the XML trust anchor using PGP.
  • Verify that the XML trust anchor matches the DS record you generated from the DNSKEY record.
  • Reformat the DNSKEY record into a BIND managed-keys clause. This tells BIND to automatically update the trust anchor according to RFC 5011.
    managed-keys {
        "." initial-key 257 3 8 "
                AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
                bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh
                /RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA
                JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp
                oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3
                LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO
                Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc
                LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ";
    };
    
  • Add the managed-keys clause to your named.conf.
  • In the options section of named.conf you should have the directive
        dnssec-lookaside auto;
    This enables DNSSEC lookaside validation, which is necessary to bridge gaps (such as ac.uk) in the chain of trust between the root and lower-level signed zones (such as cam.ac.uk). BIND comes with a DLV trust anchor built in, which it will also update according to RFC 5011.
  • Tell named to re-read its configuration:
        $ rndc reconfig
  • Check that DNSSEC validation is working. Verify that the "ad" (authenticated data) flag is present in the output of these commands:
        $ dig +dnssec www.nic.cat.
        $ dig +dnssec www.cam.ac.uk.
    The first of these is validated using a chain of trust from the root - DNSSEC as it is ideally intended to work. The second relies on the DLV stop-gap.
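The steps above (fetch the DNSKEY RR set, derive the DS records, check them against root-anchors.xml, and write the managed-keys clause) can be done in one script. The Python below is an added example, not code from the original post nor from IANA or ISC; it uses only the standard library, and its two inputs are copies of the dig output and the XML shown above (the 2010 KSK 19036, which IANA has since rolled). It goes a little beyond the post in that it checks every KeyDigest element in the XML, so it still works when IANA publishes two digests during a KSK rollover, and it refuses to emit a trust anchor for any KSK whose DS does not match a published digest.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Both inputs are copied from the post: dig +multi's DNSKEY output for "." and
# IANA's root-anchors.xml for KSK 19036.
ROOT_DNSKEY = """\
. 86400 IN DNSKEY 256 3 8 (
            AwEAAb1gcDhBlH/9MlgUxS0ik2dwY/JiBIpV+EhKZV7L
            ccxNc6Qlj467QjHQ3Fgm2i2LE9w6LqPFDSng5qVq1OYF
            yTBt3DQppqDnAPriTwW5qIQNDNFv34yo63sAdBeU4G9t
            v7dzT5sPyAgmVh5HDCe+6XM2+Iel1+kUKCel8Icy19hR
            ) ; key id = 41248
. 86400 IN DNSKEY 257 3 8 (
            AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
            bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh
            /RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA
            JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp
            oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3
            LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO
            Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc
            LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
            ) ; key id = 19036
"""

ROOT_ANCHORS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<TrustAnchor id="AD42165F-3B1A-4778-8F42-D34A1D41FD93"
  source="http://data.iana.org/root-anchors/root-anchors.xml">
  <Zone>.</Zone>
  <KeyDigest id="Kjqmt7v" validFrom="2010-07-15T00:00:00+00:00">
    <KeyTag>19036</KeyTag>
    <Algorithm>8</Algorithm>
    <DigestType>2</DigestType>
    <Digest>49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5</Digest>
  </KeyDigest>
</TrustAnchor>
"""


@dataclass
class DNSKEY:
    owner: str
    flags: int
    proto: int
    alg: int
    pubkey: bytes

    @property
    def rdata(self) -> bytes:
        # RFC 4034 s2.1 wire RDATA: flags(2) protocol(1) algorithm(1) public key
        return self.flags.to_bytes(2, "big") + bytes([self.proto, self.alg]) + self.pubkey

    @property
    def tag(self) -> int:
        return key_tag(self.rdata)

    @property
    def pubkey_b64(self) -> str:
        return base64.b64encode(self.pubkey).decode("ascii")


DNSKEY_RE = re.compile(
    r"(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+DNSKEY\s+"
    r"(?P<flags>\d+)\s+(?P<proto>\d+)\s+(?P<alg>\d+)\s+(?P<key>[A-Za-z0-9+/=\s]+)")


def parse_dnskeys(text: str) -> list:
    """Parse dig +multi presentation format (absolute owner names only)."""
    # Drop the "; key id = N" comments and the ( ) wrapping so every record
    # reads "owner TTL IN DNSKEY flags proto alg base64..." on one logical line.
    flat = re.sub(r";[^\n]*", "", text).replace("(", " ").replace(")", " ")
    keys = []
    for m in DNSKEY_RE.finditer(flat):
        b64 = "".join(m.group("key").split())
        keys.append(DNSKEY(m.group("owner").lower(), int(m.group("flags")),
                           int(m.group("proto")), int(m.group("alg")),
                           base64.b64decode(b64)))
    return keys


def name_to_wire(name: str) -> bytes:
    # Canonical (lower-case) wire form; "." is just the root's empty label.
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def key_tag(rdata: bytes) -> int:
    # RFC 4034 Appendix B: 16-bit sum over the RDATA with the carry folded in.
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}   # DS digest types


def ds_digest(key: DNSKEY, digest_type: int) -> str:
    # RFC 4034 s5.1.4: digest over owner name (wire form) followed by the RDATA.
    return DIGESTS[digest_type](name_to_wire(key.owner) + key.rdata).hexdigest().upper()


def ds_records(key: DNSKEY) -> list:
    """The same two lines dnssec-dsfromkey prints (SHA-1 and SHA-256)."""
    return [f"{key.owner} IN DS {key.tag} {key.alg} {dt} {ds_digest(key, dt)}"
            for dt in sorted(DIGESTS)]


def parse_trust_anchors(xml_text: str) -> list:
    """Every <KeyDigest>; IANA may publish more than one during a KSK rollover."""
    root = ET.fromstring(xml_text)
    zone = root.findtext("Zone").strip().lower()
    return [{"zone": zone, "id": kd.get("id"),
             "valid_from": kd.get("validFrom"), "valid_until": kd.get("validUntil"),
             "tag": int(kd.findtext("KeyTag")), "alg": int(kd.findtext("Algorithm")),
             "digest_type": int(kd.findtext("DigestType")),
             "digest": kd.findtext("Digest").strip().upper()}
            for kd in root.findall("KeyDigest")]


def matching_ksks(keys: list, anchors: list) -> list:
    """KSKs (SEP flag set) whose DS equals a published digest; empty means
    nothing should be installed."""
    matched = []
    for key in keys:
        if not key.flags & 0x0001:          # SEP bit: 257 = ZONE|SEP, 256 = ZSK
            continue
        for a in anchors:
            if (a["zone"] == key.owner and a["tag"] == key.tag and a["alg"] == key.alg
                    and a["digest_type"] in DIGESTS
                    and ds_digest(key, a["digest_type"]) == a["digest"]):
                matched.append(key)
                break
    return matched


def managed_keys_clause(keys: list) -> str:
    """BIND 9.7 managed-keys clause (RFC 5011 tracking) for the verified KSKs."""
    lines = ["managed-keys {"]
    for k in keys:
        lines.append(f'    "{k.owner}" initial-key {k.flags} {k.proto} {k.alg} "{k.pubkey_b64}";')
    lines.append("};")
    return "\n".join(lines)


if __name__ == "__main__":
    keys = parse_dnskeys(ROOT_DNSKEY)
    for k in keys:
        print(*ds_records(k), sep="\n")
    print(managed_keys_clause(matching_ksks(keys, parse_trust_anchors(ROOT_ANCHORS_XML))))
```

Run it as-is to see the DS lines and the managed-keys clause; to use it for real, replace the two inline strings with the output of `dig +multi +noall +answer DNSKEY .` and a freshly fetched root-anchors.xml, and only paste the clause into named.conf if the script printed a non-empty one.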

Edited to add: IANA have a tool written in Python called anchors2keys which does most of this automatically (er, for the ITAR not the root anchor). Jakob Schlyter has a Perl program called ta-tool which does a similar job. So does Bjørn Mork, who called his rootanchor2keys.pl. Stephane Bortzmeyer has a Makefile and XSLT script which also does the job.


Comments {12}

great doc

from: anonymous
date: 16th Jul 2010 23:39 (UTC)

Great tutorial. The test with dig seems to work but I see plenty of "error (insecurity proof failed)" in my log. Is this normal or am I missing something?


Tony Finch

Re: great doc

from: fanf
date: 17th Jul 2010 00:32 (UTC)

BIND's changelog says: Clarify logged message when an insecure DNSSEC response arrives from a zone thought to be secure: "insecurity proof failed" instead of "not insecure".


a bit confused

from: anonymous
date: 17th Jul 2010 02:11 (UTC)

In your link to the anchor2keys tool on the IANA site, it says that this process is all only necessary until the root is signed (which it now is). Am I missing something?


Tony Finch

Re: a bit confused

from: fanf
date: 17th Jul 2010 06:54 (UTC)

anchors2keys was originally written for use with IANA's interim trust anchor repository, which is/was a list of trust anchors for TLDs, published in the same XML format as the root trust anchor. The ITAR is basically made obsolete by the signed root zone, or will be as soon as the signed TLDs get their DS records into the root zone. The ITAR was a more conservative and less convenient alternative to DNSSEC lookaside validation. Unlike the ITAR, DLV is not made obsolete by the signed root because it can cover any domain outside the chain of trust from the root, not just TLDs.


Re: a bit confused

from: anonymous
date: 17th Jul 2010 16:09 (UTC)

As I read more I suspected it was something like that, thanks for the explanation.


Tony Finch

Re: a bit confused

from: fanf
date: 18th Jul 2010 18:06 (UTC)

Er, actually the XML format is not the same, so you can't use anchors2keys with the root trust anchor. How irritating.

Edited at 2010-07-18 06:07 pm (UTC)


A Bash script.

from: anonymous
date: 21st Jul 2010 20:35 (UTC)

Could you try and comment on this Bash script?

http://pastebin.com/2iy72f5C

Thanks.


Tony Finch

Re: A Bash script.

from: fanf
date: 22nd Jul 2010 14:32 (UTC)

It makes a number of assumptions which are likely wrong. For example, there's no need to hard-code the algorithm and key length. The thing that is most likely to cause problems is if they handle KSK rollover by putting more than one DS record in root-anchors.xml - it looks like the XML schema is designed to permit this.


Re: A Bash script.

from: anonymous
date: 23rd Jul 2010 01:27 (UTC)

"The thing that is most likely to cause problems is if they handle KSK rollover by putting more than one DS record in root-anchors.xml - it looks like the XML schema is designed to permit this."

Yes, that's correct. Do you think it is worth improving the script to cover that case?

Thanks for your feedback.


Tony Finch

Re: A Bash script.

from: fanf
date: 23rd Jul 2010 06:42 (UTC)

The other scripts handle this case. On the other hand, KSK rollover should be handled automatically by RFC 5011, and I expect future versions of BIND will ship with root trust anchors built in, so we may never need to run these scripts again!


Reference site for my scripts

from: bortzmeyer.org
date: 28th Jul 2010 16:06 (UTC)

For my Makefile and XSLT script, it is better to fetch the last version from my article http://www.bortzmeyer.org/valider-racine.html (in French only). Direct link to the Makefile http://www.bortzmeyer.org/files/anchors2ds.make and to the XSLT script http://www.bortzmeyer.org/files/anchors2ds.xsl


Tony Finch

Re: Reference site for my scripts

from: fanf
date: 28th Jul 2010 16:11 (UTC)

Thanks. I have updated the link (via Google Translate).
