I came across a Bind setup where there is only one DNSSEC value set like this:

dnssec-validation yes;

and the keys in named.conf.options are declared like this:

include "/etc/bind.keys";

However, the rest of it:

dnssec-enable yes;
dnssec-lookaside auto;

is not set anywhere at all.

Now the question is: does this setup work at all? I do not see any errors anywhere. Would appreciate any comments / suggestions / advice at all. Many thanks in advance!

kenlukas
guest
  • What do you mean by _does this setup work at all?_ Are you trying to serve your domain with DNSSEC or trying to validate other domains' DNSSEC for your clients? – vx3r Aug 21 '19 at 07:54
  • Whatever the final long-run objective is, if the settings are incorrect then none of your suggested options will work. I am just asking generally if these two lines are required at all and if they can be skipped. – guest Aug 21 '19 at 14:51
  • DNSSEC lookaside is now dead anyway (ISC decommissioned its zone): https://www.ietf.org/id/draft-ietf-dnsop-obsolete-dlv-00.txt – Patrick Mevzek Aug 21 '19 at 15:59
  • You are mixing two things, because you are mixing two separate features of a nameserver (but bind can do both at the same time, even if this is not recommended anymore): recursive operations, and authoritative operations. DNSSEC happens on both, but differently. `dnssec-validation` enables bind as a recursive nameserver to do the cryptographic checks to ensure that the answer is DNSSEC validated. `dnssec-enable` enables bind to return DNSSEC records for the authoritative zones it manages. – Patrick Mevzek Aug 21 '19 at 16:02
  • Note in 9.14: "dnssec-enable This indicates whether DNSSEC-related resource records are to be returned by named. If set to no, named will not return DNSSEC-related resource records unless specifically queried for. The default is yes." but in 9.15: "dnssec-enable This option is obsolete and has no effect." You did not provide your bind version... – Patrick Mevzek Aug 21 '19 at 16:03
  • Excellent, Patrick! Thank you so much! You should've put that down as an answer, not a comment, because it completely answers my question in full. The version of Bind I am talking about is 9.8 – guest Aug 22 '19 at 03:39
  • Updated link for the retirement of DNSSEC Lookaside Validation (DLV): https://datatracker.ietf.org/doc/html/rfc8749 – Peter Nowee Oct 20 '21 at 06:36

1 Answer

After reading the comments, let me show the setup for both cases (DNSSEC for your domain and DNSSEC for your clients) using bind views.

Consider the following configuration (which I use in production):

options {
        listen-on port 53 { any; };
        max-cache-size 128M;
        interface-interval 0;
        notify explicit;
        allow-transfer { none; };
        allow-update { none; };
        allow-recursion { none; };
        forwarders {
            2620:119:35::35;
            2620:119:53::53;
            208.67.222.222;
            208.67.220.220;
            2001:4860:4860::8888;
            2001:4860:4860::8844;
            8.8.8.8;
            8.8.4.4;
        };
        //dig -t txt -c chaos VERSION.BIND @<dns.server.com>
        version "Microsoft Windobe 2008 DNS Server. Et je t'emmerde (-_-)";
        auth-nxdomain no;    # love RFC1035
        dnssec-enable yes;
        dnssec-validation auto;
};

acl internal {
    127.0.0.0/8;
    ::1/128;
    10.0.0.0/8;
    fd9f::/64;
};

acl external {
    any;
};

view "internal" {
    match-clients {
        internal;
    };
    allow-recursion {
        any;
    };
};

view "external" {
    match-clients {
        any;
    };
    recursion no;
    zone "127-0-0-1.fr" {
        type master;
        file "/var/lib/bind/127-0-0-1.fr.db";
        key-directory "/var/lib/bind";
        auto-dnssec maintain;
        inline-signing yes;
    };
};

This BIND9 server acts as an authoritative name server for the domain 127-0-0-1.fr and as a recursive name server for internal (private) clients.

Let's try to resolve a DNSSEC-enabled (full chain ok) domain as an internal client with dig @fd9f::10:0:0:2 www.isc.org

; <<>> DiG 9.14.4 <<>> @fd9f::10:0:0:2 isc.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49658
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: d1c6f836121beafdedbc5fae5d5e281dc5c58851413f4fb2 (good)
;; QUESTION SECTION:
;isc.org.                       IN      A

;; ANSWER SECTION:
isc.org.                59      IN      A       149.20.1.66

;; Query time: 136 msec
;; SERVER: fd9f::10:0:0:2#53(fd9f::10:0:0:2)
;; WHEN: Thu Aug 22 07:29:01 CEST 2019
;; MSG SIZE  rcvd: 80

Note the ad flag, which means Authenticated Data. Check with delv @fd9f::10:0:0:2 www.isc.org

;; fetch: isc.org/A
;; fetch: isc.org/DNSKEY
;; fetch: isc.org/DS
;; fetch: org/DNSKEY
;; fetch: org/DS
;; fetch: ./DNSKEY
; fully validated
isc.org.                59 IN A 149.20.1.66
isc.org.                59 IN RRSIG A 5 2 60 (
                                20190904145623 20190805140610 28347 isc.org.
                                ty+0um1WeOQvOIDMfA0w4spR4qNwm4Pj581KA9xXMFro
                                0+N0bKDAcDJ3O8EpdEHzjejXU0GqrJvIyml7fpvmbcN4
                                b2QWr/INjW8e+MzFz49oajGF0G1Oi6Qzp/XIljibsSig
                                FUTZsnp5yL77PF2eJEc4CDlfgJOCGsYnWTEaNuI= )
isc.org.                59 IN RRSIG A 13 2 60 (
                                20190904145623 20190805140610 27566 isc.org.
                                QiL6Al0ycqO/Fxl4OUR017ck/Y6xnRG4qt/pRvzG1H/y
                                +xyt9EU3pvNqbus5mQYF7ruH6BFyQg5w94bnnjivGg== )

Now the same check for a non-DNSSEC-enabled domain: dig @fd9f::10:0:0:2 dnssec-failed.org

; <<>> DiG 9.14.4 <<>> @fd9f::10:0:0:2 dnssec-failed.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 21410
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 758deba64c4f30ba6ac402da5d5e28d3572fa9aa192352cd (good)
;; QUESTION SECTION:
;dnssec-failed.org.             IN      A

;; Query time: 4298 msec
;; SERVER: fd9f::10:0:0:2#53(fd9f::10:0:0:2)
;; WHEN: Thu Aug 22 07:32:03 CEST 2019
;; MSG SIZE  rcvd: 74

As you can see, the resolution fails with SERVFAIL and the bind logs show

bind             | 22-Aug-2019 04:17:09.845 client @0x55b0a804ea80 fd9f::1#49348 (www.dnssec-failed.org): view internal: query: www.dnssec-failed.org IN A +E(0)K (fd9f::10:0:0:2)
bind             | 22-Aug-2019 04:17:09.938 view internal: validating www.dnssec-failed.org/A: bad cache hit (dnssec-failed.org/DNSKEY)
bind             | 22-Aug-2019 04:17:09.938 broken trust chain resolving 'www.dnssec-failed.org/A/IN': 2001:4860:4860::8888#53
bind             | 22-Aug-2019 04:17:09.938 client @0x55b0a804ea80 fd9f::1#49348 (www.dnssec-failed.org): view internal: query failed (broken trust chain) for www.dnssec-failed.org/IN/A at query.c:6786

But if I force the resolution with dig @fd9f::10:0:0:2 dnssec-failed.org +cd I am able to get the response, but without the do flag; the response is not signed.

Now let's do some checks on my 127-0-0-1.fr domain from outside with delv @2001:4860:4860::8888 www.127-0-0-1.fr +rtrace +multiline

;; fetch: www.127-0-0-1.fr/A
;; fetch: 127-0-0-1.fr/DNSKEY
;; fetch: 127-0-0-1.fr/DS
;; fetch: fr/DNSKEY
;; fetch: fr/DS
;; fetch: ./DNSKEY
; fully validated
www.127-0-0-1.fr.       3599 IN A 164.132.222.187
www.127-0-0-1.fr.       3599 IN RRSIG A 7 2 3600 (
                                20190914021052 20190815015938 64469 127-0-0-1.fr.
                                aaQN/x+ZEfV1Vgp78QGdCEByau22cmt61pQ+7c+VdiUh
                                gmOy0+sPHcJZT6aq6FKRLMc+I76R/ZrzAnCK7mr96vXb
                                SCyiIVYGMva9lsl95zi4DK5FxacekonBkwB/l/upBhxb
                                Iiw+l3AZ4J19I7nQgGCSxj7vWqtQD1sb8jue/fw= )

And the last check with dig @2001:4860:4860::8888 www.127-0-0-1.fr

; <<>> DiG 9.14.4 <<>> @2001:4860:4860::8888 www.127-0-0-1.fr
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45032
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.127-0-0-1.fr.              IN      A

;; ANSWER SECTION:
www.127-0-0-1.fr.       3536    IN      A       164.132.222.187

;; AUTHORITY SECTION:
127-0-0-1.fr.           3536    IN      NS      brown-sugar.127-0-0-1.fr.
127-0-0-1.fr.           3536    IN      NS      black-pearl.127-0-0-1.fr.

;; Query time: 10 msec
;; SERVER: 2001:4860:4860::8888#53(2001:4860:4860::8888)
;; WHEN: Thu Aug 22 06:23:52 CEST 2019
;; MSG SIZE  rcvd: 113

Showing the ad flag, which means Authenticated Data. You can check the same with a web-based tool like dnssec-analyzer.

vx3r
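As an added example (not part of the answer above), here is a small Python helper that applies the answer's test procedure to the header lines of dig output: the ad flag marks an answer the resolver validated, and a SERVFAIL that turns into an answer when the query is repeated with +cd marks a validation failure rather than a plain outage. The sample headers are constructed, modelled on the outputs shown in the answer.

```python
import re

# Constructed dig header excerpts (not captured from the answer's server),
# modelled on its outputs: a validated answer, a SERVFAIL for a domain with a
# broken chain of trust, the same query repeated with +cd, and an unsigned zone.
VALIDATED = (";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49658\n"
             ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n")
BOGUS = (";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 21410\n"
         ";; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n")
BOGUS_CD = (";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31337\n"
            ";; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n")
UNSIGNED = (";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242\n"
            ";; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n")


def parse_dig_header(text):
    """Return (status, set of flags) from the header lines of a dig response."""
    status = re.search(r"status: (\w+)", text).group(1)
    flags = re.search(r"^;; flags: ([^;]*);", text, re.M).group(1).split()
    return status, set(flags)


def classify(text):
    """Map one dig response to what it says about DNSSEC validation."""
    status, flags = parse_dig_header(text)
    if status == "NOERROR" and "ad" in flags:
        return "secure"      # resolver validated the whole chain of trust
    if status == "NOERROR" and "cd" in flags:
        return "unchecked"   # client asked to skip validation; no trust information
    if status == "NOERROR":
        return "insecure"    # unsigned zone, or the resolver does not validate at all
    if status == "SERVFAIL":
        return "servfail"    # validation failure or ordinary resolution failure
    return status.lower()


def diagnose(normal, with_cd):
    """Combine a normal query and its +cd retry to tell a DNSSEC failure from an outage."""
    first, retry = classify(normal), classify(with_cd)
    if first == "servfail" and retry == "unchecked":
        return "bogus"        # data is reachable but fails validation: DNSSEC did its job
    if first == "servfail":
        return "unreachable"  # +cd did not help, so the problem is not DNSSEC
    return first
```

An "insecure" result for a zone you know is signed means the resolver itself is not validating, which is exactly the situation the question's `dnssec-validation` setting decides.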
  • Thank you so much for your detailed reply, vx3r. Appreciate. Are you saying I have to set up every single zone with dnssec separately? – guest Aug 22 '19 at 09:53
  • Yes, you have to set them up separately and upload the `DS` record to your registrar. After inline signing by bind you can find the DS records to upload with `dig +trace +noadditional DS 127-0-0-1.fr. @8.8.8.8 | grep DS` – vx3r Aug 23 '19 at 03:01
  • option 'dnssec-enable' is obsolete and should be removed, option 'dnssec-lookaside' is obsolete and should be removed – Max Muster Nov 06 '21 at 23:04