Part 1 - DNSSEC Validation
Part 2 - DNSSEC Signing for Forward Zone
Part 3 - Secure Delegation and Key Rollover
DNSSEC Diagram
For reference, these are the IP address assignments for the servers:
Part 1 - DNSSEC Validation
For this part, you will configure and explore a DNSSEC-validating resolver, which automatically validates DNS answers from an authoritative server.
There are 2 steps in this part:
- Step 1 - Verify DNS
- Step 2 - DNSSEC Validation
Step 1 - Verify DNS
The two servers in this lab have BIND9 already installed and pre-configured as a Resolver.
1. Select primarydns which we will be using for this step. Login to the machine.
2. Check where BIND is installed and note the version.
It should show that named is in /usr/sbin/named and running BIND version 9.18.30 for Ubuntu 22.04.
3. Check if BIND is running.
There should be a process with /usr/sbin/named -u bind.
Check systemd to confirm that you see the status as active (running).
If not, then run the name daemon
4. Check the configuration file.
There are three zones already defined - one for the forward domain herdiansah-lab.xyz, another two for reverse domain 163.209.85.in-addr.arpa and 194.105.109.in-addr.arpa. This will be used in the next part.
5. Also check the logs and notice if there are any errors. Open a new tab in the Terminal, and run the command:
The zone files should load correctly with no issues.
Keep checking your log file after editing your config or if you restarted the BIND service. This is a good way to spot errors and fix them.
6. Do the same steps above for the secondarydns. Make sure to confirm that BIND is running without errors.
7. Use dig utility to resolve domains.
Step 2 - DNSSEC Validation
Now that you are familiar with the lab setup and DNS is running, we can proceed with DNSSEC.
DNSSEC validation is enabled by default in BIND, which allows it to validates responses from authoritative servers automatically.
1. From primarydns, check that dnssec-validation is enabled in the configuration file.
Within the options statement, confirm that dnssec-validation is set to auto.
If you need to update, open the file and update accordingly.
There are 3 possible values to use for dnssec-validation: | Value | Definition | |:---------|:-----------------| | **auto** | DNSSEC validation is enabled and a default trust anchor for the DNS root is used, provided as part of BIND. | | **yes** | DNSSEC validation is enabled and a trust anchor must be manually configured using the 'trust-anchors' statement | | **no** | DNSSEC validation is disabled |
2. Trust Anchor.
A validating resolver requires at least one trust anchor to be able to validate.
The default value is 'auto', which is used in most production setup. With this, the default root key stored in bind.keys file is used which is already included with BIND.
There is no need to modify this file. Check the contents.
Here is the format of the trust-anchors statement. Note that the inital-key modifier means it is trusted only once to initially load the managed key database.
Any further updates will be read from the managed-keys.bind file.
Notice the key identifier for root key (key ID 20326).
If DNSSEC-validation is set to yes, a custom trust anchor must be defined manually using a **trust-anchors** statement in the config file. A `static-key` modifier is used instead of `initial-key` so it is always trusted.
3. Update the logging statement to channel DNSSEC-related logs into another log file.
Update the category for dnssec to push logs into the channel just created.
This means the logs related to DNSSEC will be stored into the file dnssec.log.
Create this file and set the right permissions.
Reload the configuration to apply the changes.
4. Open the secondarydns and apply similar updates.
Check that dnssec-validation is set to auto.
Update the logging statement to create a channel for DNSSEC logs.
Update the category for dnssec to push logs into the channel just created.
Create this file and set the right permissions.
Check and verify the config file for any syntax errors.
Reload the BIND configuration
5. Use the dig utility to query.
Test a signed domain and confirm that the resolver is validating.
The output should include an A record and an RRSIG record. The RRSIG record holds the digital signature that is used to verify the A record.
Notice the 'AD' flag is set in the output. The AD bit means data is authenticated by the resolver.
For more detail about the information returned from the dig command refer to: * RFC1035 - 4.1.1. Header section format [https://www.rfc-editor.org/rfc/rfc1035](https://www.rfc-editor.org/rfc/rfc1035) * RFC6895 - 2. DNS Query/Response Headers [https://www.rfc-editor.org/rfc/rfc6895](https://www.rfc-editor.org/rfc/rfc6895)
6. Try to query a domain that is not DNSSEC-validating.
The domain dnssec-failed.org is explicitly failing validation, so this should result in SERVFAIL status.
A SERVFAIL error is generic. To confirm that this is a validation error, try the +CD option (checking disabled).
There should be an output record.
7. Another way to confirm this is to disable DNSSEC-validation.
Edit named.conf.options again and set dnssec-validation to no. Save and restart BIND.
Reload the config.
Execute the dig query.
Part 2 - DNSSEC Signing for Forward Zone
To allow a validating resolver to verify DNS record, the zone must be signed by the authoritative nameserver. Through DNSSEC Zone Signing, signatures are added to DNS as RRSIG records. In this part, you will sign the forward zone using a Fully-automated Key and Signing Policy (KASP).
There are 3 steps in this part:
- Step 1 - Default DNSSEC policy
- Step 2 - Custom DNSSEC policy
Step 1 - Default DNSSEC policy
A DNSSEC policy defines the parameters for a fully-automated way of signing and maintaining zones, also called Key and Signing Policy (KASP).
1. Open primarydns. Before proceeding, disable or stop BIND.
2. Create a DNSSEC policy for our forward zone.
There are 3 built-in policies: | Policy | Definition | |:---------|:-----------------| | **DEFAULT** | using the default policy | | **INSECURE** | used to gracefully unsign a zone | | **NONE** | no DNSSEC policy and the zone is not signed |
Use the default policy.
Update the zone statement for zone herdiansah-lab.xyz by adding these two lines:
The dnssec-policy statement requires dynamic DNS or inline-signing enabled.
The zone statement should look like this:
The default policy creates a single key and uses the following default parameters: * Algorithm: ECDSAP256SHA256 * Signing key: Combined Signing Key (CSK) * Key lifetime: unlimited * Proof of non-existence: NSEC
3. The zonefile also needs to be writeable by user BIND, so it's best to move the zonefile to the default directory for dynamic authoritative zones /var/lib/bind or add a symlink to point to the location of the file in /etc/bind/master.
And a symlink as follows:
Update the zone statement again to update the directory
The zone statement should look like this:
4. Start BIND with the new configuration file.
Check for any syntax error then restart BIND.
Check the logfile to see DNSSEC-related logs
5. Check that the key files are created automatically.
Go to the working directory and list the files.
There should be 3 files added.
What is the Key ID? @lab.TextBox(keyid_csk)
First, check the content of the private key
Then check the corresponding public key.
Also check the metadata. This includes information on timing parameters - when the key is created, published, activated - among others.
Aside from the keypair, BIND also maintains a state file to track key timing parameters.
Notice that both KSK and ZSK are set to yes. This means a combined signing key (CSK) is used.
6. Check the temporary files created after signing.
Find the files ending in .jnl, .jbk, or .signed
The following temporary files are created with inline-signing: | Filename | Purpose | |:-------|:---------| | db.herdiansah-lab.signed | all records from the zonefile including signatures | | db.herdiansah-lab.signed.jnl | working data for the signing process | | db.herdiansah-lab.jbk | journal backup file |
7. Compare the filesize of the original zonefile and the signed zonefile.
8. Check secondarydns.
The secondary DNS pulls the signed zone file.
Notice the file size is the same as the file from the primary nameserver.
9. Verify DNSSEC.
Use dig to query the primarydns.
Use dig to query the secondarydns
In addition to the A record, the output also shows an RRSIG record (Resource Record Signature).
Step 2 - Custom DNSSEC policy
For the most part, a default policy is sufficient. However, if you want to customise the key parameters, you can create a custom DNSSEC policy.
1. Open primarydns. Stop named and clean up old files before updating the policy.
Delete the previous CSK key files:
2. (Optional) Revoke any previously generated keys that will not be used further.
Replace the with the actual ID you wish to revoke.
3. Update the configuration file to use a custom policy.
Add the following dnssec-policy statement at the end of the file.
This new policy sets a separate Key and Zone Signing Keys (KSK and ZSK). You may also customise the other values, such as TTL and signature validity.
Check for any syntax error.
4. Restart BIND after the changes
Check for any DNSSEC-related errors in the logs:
5. Explore the keys
Go to the working directory.
Notice that there are two sets of keys created.
Open each file as needed and identify the KSK and ZSK key files.
What is the keyID for the Zone Signing Key (ZSK)?
@lab.TextBox(keyid_zsk)
What is the keyID for the Key Signing Key (ZSK)?
@lab.TextBox(keyid_ksk)
6. Use dig to verify DNSSEC.
Use dig to query the primarydns.
Use dig to query the secondarydns
The output should show an RRSIG record.
Part 3 - Secure Delegation and Key Rollover
After the zone is signed in Part 2, it is also required to establish the chain of trust from the parent zone. The parent zone must have a copy of the the zone's public key using the Delegation Signer or DS Record.
Step 1 - DS Record
1. Open the primarydns.
For the purposes of this lab, we will use a KSK (key ID 22956) that has been generated prior and has been preloaded to the parent.
This key is stored in the keys folder. Copy this over to the working directory.
Or update the key-directory to point to the keys folder.
Add the following line in the options statement.
2. (Optional) Revoke any previously generated keys that will not be used further.
Replace the <key-id> with the actual ID you wish to revoke.
After this step, notice the Inactive date in the .key file has been updated to current date. Also notice the Removed date has been updated in the .state file.
3. Generate the DS record from the public key.
The output should be a DS record
4. Use the new key to sign DNS records.
Confirm that you are using the key to sign the zone.
Here is another command to generate the DS keys from a dig output.
Step 2 - Confirm DNSSEC
1. From the primarydns, first verify the DS record in the parent zone.
Typically, the generated DS record needs to be sent to the parent and added to the herdiansah-lab.xyz zone. This part is already done for you.
Confirm that the DS record is in the parent.
2. Use dig to query adding the +dnssec option.
3. Use dig to trace the dig query from root to your primary server.
4. Check for the AD bit from the flags in the dig response.
The AD flag means Authenticated Data, which is used in DNSSEC to indicate that the data is verified.
Step 3 - Key Rollover
DNSSEC keys need to be rolled over regularly. Here are the steps to do ZSK and KSK rollover.
1. For automated signing, ZSK Rollover is automatically performed using the key lifetimes specified in the dnssec policy.
Try to find the active DNSKEY records for the forward zone.
If you see two ZSKs using the same algorithm, this usually means the rollover process is ongoing.
If key lifetime is set to unlimited, no rollover will be scheduled. For example, if you are using the default dnssec-policy in Part 2 Step 1, the lifetime is unlimited:
2. For automated signing, KSK and CSK Rollover are also done automatically. However, the new DS record needs to be submitted to the parent zone.
This can be done automatically using the parental-agents block to update delegation information.
Alternatively, use RNDC to check the DS uploaded to the parent.
The output will indicate the KSK is marked as published
Step 4 - Algorithm Rollover
Algorithm rollover is required when moving to a more secure DNSSEC algorithm. For example, from Type 8 (RSASHA256) to Type 13 (ECDSASHA256).
When using dnssec-policy, this is automatically maanged by named process.
1. Create a new dnssec-policy using DNSSEC algorithm Type 15 (Ed25519). Also enable NSEC3.
Type 15 or Ed25519 is currently the recommended algorithm for DNSSEC signing. ``` sudo vi /etc/bind/named.conf.options ``` ``` dnssec-policy custom { dnskey-ttl 600; keys { csk lifetime 365d algorithm ed25519; zsk lifetime 30d algorithm ed25519; }; nsec3param; max-zone-ttl 600; parent-ds-ttl 600; parent-propagation-delay 2h; publish-safety 7d; retire-safety 7d; signatures-refresh 5d; signatures-validity 15d; signatures-validity-dnskey 15d; zone-propagation-delay 2h; }; ```
Update the zone statement for the forward zone to use the new policy.
Check for any syntax errors, then load the new config.
2. Check for the new keys generated.
Find the new key files created in the key-directory.
Check if the new key is now used. Because of TTL and key rollover, this may not show instantly.
Comments
Post a Comment