Networking Forums

Howto get bind to validate dnssec keys.

David W. Hodgins
      10-19-2010, 12:33 AM
After seeing a /. article today, about comcast rolling out dnssec
for their customers, I decided to check my version of bind, to
see if it was setup to use dnssec.

Mandriva 2010.1, bind 9.7.

$ host www.dnssec-failed.org 127.0.0.1
did return an ip address, so it wasn't using dnssec.

Eventually I found instructions that work at
http://nsrc.org/workshops/2010/aroc-...nda/dnssec.txt
that explains the changes, and how to validate the key.

Basically, to summarize, edit named.conf
(/var/lib/named/etc/named.conf on Mandriva), and add two lines

dnssec-enable yes;
dnssec-validation yes;

in the options block. Then add another block (at the end of the
file is ok), with ...

managed-keys {
"." initial-key 257 3 8
"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
QxA+Uk1ihz0=";
};

Note: You should verify the key, yourself, rather than just
relying on my say so. Easiest way is to search on the start
of the key, "AwEAAagAIKlVZrpC6Ia7gEzahOR", which leads to
http://www.isc.org/community/blog/20...nd-9-resolvers

It's easier to verify that the key matches the isc.org blog.
Then restart bind ("service named restart", in Mandriva).

Now my test shows ...
$ host www.dnssec-failed.org 127.0.0.1
Host www.dnssec-failed.org not found: 2(SERVFAIL)

My browser could still load http://www.dnssec-failed.org so
I had to remove my isp's nameservers from /etc/resolv.conf,
as the resolver will use each nameserver in the list, for
a name that gets a servfail. Don't forget to alter the network
setup (/etc/sysconfig/network-scripts/ifcfg-$INTERFACE), so
the ip addresses will not get put back into resolv.conf, on
a network restart.

The opendns nameservers (208.67.220.220 & 208.67.222.222), and
Google's public nameservers (8.8.4.4 & 8.8.8.8) do not currently
have dnssec enabled either, so don't use them, if you want to
use dnssec, for now.

Regards, Dave Hodgins

--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)
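One way to act on the "verify the key yourself" advice above, as an added example that is not from the post: parse the managed-keys block exactly as posted, check its flags/protocol/algorithm fields, and compute the RFC 4034 key tag so it can be compared with the key id ISC publishes for the root KSK. Assumes Python 3 and nothing outside the standard library; the block text is a constructed copy of the one in the post.

```python
import base64

# Constructed copy of the managed-keys block from the post above; the forum's
# line wrapping of the base64 is left in place on purpose.
MANAGED_KEYS_BLOCK = '''
managed-keys {
"." initial-key 257 3 8
"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
QxA+Uk1ihz0=";
};
'''

ZONE_KEY, SEP = 0x0100, 0x0001   # DNSKEY flag bits: 257 = ZONE_KEY | SEP, i.e. a KSK
RSASHA256 = 8                    # DNSKEY algorithm number for RSA/SHA-256

def parse_managed_key(block):
    """Return (name, flags, protocol, algorithm, key_bytes) from a managed-keys entry."""
    parts = " ".join(block.split()).split('"')   # odd indices are the quoted strings
    name, keydata = parts[1], parts[3]
    flags, protocol, algorithm = (int(n) for n in parts[2].replace("initial-key", "").split())
    # Whitespace inside the wrapped base64 is not part of the key, so strip it before decoding.
    return name, flags, protocol, algorithm, base64.b64decode(keydata.replace(" ", ""))

def key_tag(flags, protocol, algorithm, key_bytes):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (flags, protocol, alg, key)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + key_bytes
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def check_trust_anchor(block):
    """Sanity-check a managed-keys entry and report the key tag to compare with ISC's."""
    name, flags, protocol, algorithm, key = parse_managed_key(block)
    checks = [(name == ".", "anchor is not for the root zone"),
              (protocol == 3, "protocol must be 3"),
              (flags & (ZONE_KEY | SEP) == ZONE_KEY | SEP, "flags %d: not a KSK (expected 257)" % flags),
              (algorithm == RSASHA256, "unexpected algorithm %d" % algorithm)]
    # RSA public key wire format: exponent length (1 or 3 bytes), exponent, then modulus.
    exp_len, off = (key[0], 1) if key[0] else (int.from_bytes(key[1:3], "big"), 3)
    return {"key_tag": key_tag(flags, protocol, algorithm, key), "key_len": len(key),
            "exponent": int.from_bytes(key[off:off + exp_len], "big"),
            "modulus_bits": 8 * len(key[off + exp_len:]),
            "problems": [msg for ok, msg in checks if not ok]}
```

A single altered character in the pasted key changes the computed tag, which is what makes comparing the tag against the published key id a useful check before restarting bind.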
Bit Twister
      10-19-2010, 12:51 AM
On Mon, 18 Oct 2010 20:33:51 -0400, David W. Hodgins wrote:
> After seeing a /. article today, about comcast rolling out dnssec
> for their customers, I decided to check my version of bind, to
> see if it was setup to use dnssec.


Yes, saw that article. Interesting on how they were doing the rollout.
If not using their ad/revenue generating dns servers, you get the
secured dns servers.

> Mandriva 2010.1, bind 9.7.
>
> $ host www.dnssec-failed.org 127.0.0.1
> did return an ip address, so it wasn't using dnssec.


Sounds like you need to play with dnssec-keygen
Something like
dnssec-keygen -a HMAC-MD5 -b 512 -n HOST ddnsupdate

Bit Twister
      10-19-2010, 12:55 AM
On Tue, 19 Oct 2010 00:51:24 +0000 (UTC), Bit Twister wrote:
>
> Sounds like you need to play with dnssec-keygen
> Something like

Oops, cut/paste missed trailing r.

> dnssec-keygen -a HMAC-MD5 -b 512 -n HOST ddnsupdate

dnssec-keygen -a HMAC-MD5 -b 512 -n HOST ddnsupdater
David W. Hodgins
      10-19-2010, 03:40 AM
On Mon, 18 Oct 2010 20:55:31 -0400, Bit Twister <(E-Mail Removed)> wrote:

> On Tue, 19 Oct 2010 00:51:24 +0000 (UTC), Bit Twister wrote:
>>
>> Sounds like you need to play with dnssec-keygen

> dnssec-keygen -a HMAC-MD5 -b 512 -n HOST ddnsupdater


Doesn't seem to be necessary. I believe that's only going to be
needed, if you're going to be signing zones that bind will be
serving. I haven't yet looked into how the keys for a server get
validated, but gather it's hierarchical, starting with the one
key in named.conf being trusted, with rir keys signed by that key.
Individual name servers will have to have some way to get their
key signed, before it would be trusted, or the whole security
extensions fall apart, or at least that's my understanding.

The instructions I posted are enough, for a caching only nameserver.
The resolver will reject a key that has a bad signature, accept one
that is valid, and accept lookups where the dns does not have any
key's specified.

I'll look into the signing part later, and follow-up on it in
this thread.

Regards, Dave Hodgins

--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)
David W. Hodgins
      10-19-2010, 11:32 PM
On Mon, 18 Oct 2010 23:40:11 -0400, David W. Hodgins <(E-Mail Removed)> wrote:

> I'll look into the signing part later, and follow-up on it in
> this thread.


Found it. You have to register with https://dlv.isc.org/, to get
them to sign your signing key, then your signing key will be
treated as trusted.

Regards, Dave Hodgins

--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)