I'm trying to set up a recursive DNS server that also has its own zone using BIND.

Now I want to upgrade it to use DNSSEC, but as far as I understood I have to use DLV if I don't own a domain name.

However, the few guides that I could find say that you need to sign up at dlv.isc.org, which doesn't exist. And a book I was reading about DNSSEC says that DLV was going to get deprecated, so that's why I'm wondering. (If you know any step-by-step guide to set it up, that would be appreciated too.)

Patrick Mevzek
itasahobby
  • What are you trying to achieve? You want the server to act as a _validating recursive resolver_ or do you want other resolvers to be able to validate your private domain? – Piotr P. Karwasz Jan 12 '20 at 11:23
  • @PiotrP.Karwasz I want it to be a validating recursive resolver but also have my own LAN zone like myzone.local that also uses dnssec – itasahobby Jan 12 '20 at 11:26
  • Your private zone does not need validating, unless every computer is using a validating resolver instead of a stub resolver. In that case you can set up a DLV on each of them, pointing to your server. – Piotr P. Karwasz Jan 12 '20 at 11:30
  • @PiotrP.Karwasz I think I do need to validate it, the aim of the laboratory is to do a dns spoof attack before and after using dnssec, so if I don't validate the local zone I would be able to commit a dns spoof attack as far as I know – itasahobby Jan 12 '20 at 11:32
  • "if i dont own a domain name. " If you want to configure an authoritative nameserver AND make sure it gets queries, it needs to be properly delegated from some registry/TLD nameservers which means in turn either you own this domain name or you have full control over its DNS delegation... As you seem to be a beginner in the DNS world I STRONGLY suggest you stay away from DNSSEC (and hence from DLV) for now, and wait for some time to completely understand how the DNS works and then maybe think about adding DNSSEC feature. – Patrick Mevzek Jan 17 '20 at 16:17

1 Answer

While the dlv.isc.org server is not running any more, you can still set another DNSSEC Lookaside server in your BIND 9 config through the dnssec-lookaside option. If the key for example.com cannot be validated, the lookaside server's name will be appended to it and the validation will start over against the lookaside server's trusted key. I didn't test, but I believe that will not solve your problem: a private domain such as lan. can these days be positively validated as non-existent, so the lookaside query will not be performed.

So what can be done to secure a lan. zone? It depends on the usage:

  1. The DNS server, which you want to use as both validating recursive resolver and authoritative server for the lan. zone does not require any additional configuration (I assume the dnssec-validation is already on):
    • it will serve the lan. zone from the zone file and return an answer without the AD flag,
    • when a query for other domains comes in, it will perform a recursive query, validate the results and only if they are valid return an answer with the AD flag. If the domain does not validate a SERVFAIL will be issued.
  2. The stub resolvers, which use your DNS server, rely on the validating behaviour of your DNS server, so they will resolve lan. without issues. However, since the communication between stub resolver and server is unencrypted, the results can be modified in transit. You might use TSIG signatures or TLS to protect it.
  3. The validating stub resolvers require you to add trusted anchors to their configuration.

I doubt you want to set up a BIND 9 server on every client machine to act as a validating stub resolver (there are better alternatives like systemd-resolved, dnsmasq or unbound), but if that is the case, you first need to retrieve the key for your lan. zone:

piotr@akela:~$ dig lan. DNSKEY +short
257 3 13 nnbo5DS5vyxB0OjUd7GbcrmXY7TgdGstk4xqXpu2wvXyoFa0YRqjLcHM QJGMguTrKJVYklMNRQXrStvawSF5eg==

Then you will need to add the key as trusted, allow recursive queries only from localhost and forward the requests to the "real" DNS server (let's say it's on 192.168.0.1):

options {
    directory "/var/cache/bind";
    // only answer on the loopback interfaces
    listen-on { localhost; };
    listen-on-v6 { localhost; };
    recursion yes;
    allow-query { localhost; };
    // send everything upstream to the LAN resolver; answers are still validated locally
    forwarders { 192.168.0.1; };
};
// the key copied from the dig output above, as one base64 token
// (dig wraps long keys with a space; the space must not end up in the key data)
trusted-keys {
    lan. 257 3 13 "nnbo5DS5vyxB0OjUd7GbcrmXY7TgdGstk4xqXpu2wvXyoFa0YRqjLcHMQJGMguTrKJVYklMNRQXrStvawSF5eg==";
};

At the end you just need to add localhost as the only DNS server in /etc/resolv.conf:

nameserver ::1

Edit: systemd-resolved configuration is even simpler: just add your DNSKEY to a file named /etc/dnssec-trust-anchors.d/<your_name>.positive:

lan. IN DNSKEY 257 3 13 nnbo5DS5vyxB0OjUd7GbcrmXY7TgdGstk4xqXpu2wvXyoFa0YRqjLcHMQJGMguTrKJVYklMNRQXrStvawSF5eg==

and force DNSSEC in /etc/systemd/resolved.conf:

DNSSEC=yes
Piotr P. Karwasz