DNSSEC Validation
DNSSEC is a mechanism that prevents DNS forgeries that could potentially redirect you or your Tier 2 users to malicious sites.
Tier 2 Configuration
We're looking for guides for other DNS software, contributions welcome!
Tier 2 providers may enable DNSSEC validation by following the guide(s) below, corresponding to their DNS software. Please note that in each case, the keys need to be manually defined in your configuration, and will need to be updated each time the root key changes. Servers providing this service will need to stay up-to-date on the mailing list to ensure they remain in service.
BIND9
The file paths in this guide are the defaults on many systems including Ubuntu and Debian, but may need to be modified to suit your configuration.
1. Create the file /etc/bind/named.conf.keys with the following content:
- named.conf.keys
trust-anchors { . initial-key 257 3 8 "AwEAAbtbsu+wl3fbEDbgvMgJ1BDXeAk5t6BU7B1KGVvc13zMJtjvarxp WWrAb7fmWERX8kJawa3KpYty0EDFQ24nfQyhwEOld442ca89u4/ZU3jP uwKohbGn55vIQ7KjCIrDNvRYjGVn2MNwZnL4WVVclJYsa1cGwVQ9t575 I5yvU+5g+jVcjUsGwFn6xmuJC0Z33ABKsC8b1cjfcnvE4wP3CrXOlDQ+ Er4uPUtMKrmG+Sj1Bm5U+do78mwEXOlTz/sNj8tkpL0pYB2j+XNaDVrO 0uS1beekejnttMsC4SHMCsiwMvigW2O54ByhzijU2v87d7U9WEMVfPvO 6gearg1fo/1Tk4buzPZcS+W9WZgFAt7kT1ois3x0GGT7J55zENB9IZU4 tMmWdYbZJOZsdAzmshuWJIUlTZdNN5671Rhc6P9TWnMlvb9iNT7G3DZ9 PhBw1OF/OmmXobv3Wygbt5+u7q2CPPzwU4WTGpVNtr3Iry2SPW3XVpJS M3+nW7LfxxtWZJlN4MDQYC5IptU+A5EO80/yE38E9tKGDWC1+Nw59QLa BE7ff+Jkq7OMjTHjFhYivkJSv+8LEbkGjWoaMAS2CT3/ZVMYLiQn8THi ZUBF+aOzJMw0EGPag1Qq4vfGgFkQMM3hOaH6bWN1yCvmspuiwLYkNCZZ /l8ThKc57bGYy9TX"; };
Don't just blindly copy this wiki page; make sure the key matches the current root zone's DNSKEY:
dig DNSKEY . @195.201.99.61 +short
257 3 8 AwEAAbtbsu+wl3fbEDbgvMgJ1BDXeAk5t6BU7B1KGVvc13zMJtjvarxp WWrAb7fmWERX8kJawa3KpYty0EDFQ24nfQyhwEOld442ca89u4/ZU3jP uwKohbGn55vIQ7KjCIrDNvRYjGVn2MNwZnL4WVVclJYsa1cGwVQ9t575 I5yvU+5g+jVcjUsGwFn6xmuJC0Z33ABKsC8b1cjfcnvE4wP3CrXOlDQ+ Er4uPUtMKrmG+Sj1Bm5U+do78mwEXOlTz/sNj8tkpL0pYB2j+XNaDVrO 0uS1beekejnttMsC4SHMCsiwMvigW2O54ByhzijU2v87d7U9WEMVfPvO 6gearg1fo/1Tk4buzPZcS+W9WZgFAt7kT1ois3x0GGT7J55zENB9IZU4 tMmWdYbZJOZsdAzmshuWJIUlTZdNN5671Rhc6P9TWnMlvb9iNT7G3DZ9 PhBw1OF/OmmXobv3Wygbt5+u7q2CPPzwU4WTGpVNtr3Iry2SPW3XVpJS M3+nW7LfxxtWZJlN4MDQYC5IptU+A5EO80/yE38E9tKGDWC1+Nw59QLa BE7ff+Jkq7OMjTHjFhYivkJSv+8LEbkGjWoaMAS2CT3/ZVMYLiQn8THi ZUBF+aOzJMw0EGPag1Qq4vfGgFkQMM3hOaH6bWN1yCvmspuiwLYkNCZZ /l8ThKc57bGYy9TX 256 3 8 AwEAAeTLQxrID2eS743HVStjROHT7LfydvDYj4Y4CIh5usKF0NwWLKMY ybNcXbDXWWJvMKrIDcb/Z1XRe61xriy9LRGOnneAnOF5viESZL+WwR69 y4TpdyTOCebrWI/teGGTSao0YY6ueAZ9RKLiDuNXrm9wozEQj6iCRrbo U/wbPBEHYDvXaj1jxwJYipsop1nYvlHOofhUaJtMJrWI4mb9+INdrzvH MgzdhOj5xYbVQMjIDFzR9wwHSAVV89tr8lLbeTAyXdhUMi9JwqbLp4uZ atzHdXglHlW/7UCCgab0lAVxLJjv8X6QbZyWIYnMfsIIYAUlCzvYCk3v 3fljogGkAmM= 256 3 8 AwEAAeXw6/FhGTrrrowgiK/4mWwP76JM/Np6FwHmQ+Qn73wdOWT0d189 gkNeVNTVyQNU+q+MBnJ01OFbgQqsey6pd2OjAD5i8pDqZz/0zS7z70Uv eScfqLv08n8qoZOsv7QhytVE9qGqfXgeeGPUctOeqfdlJN/NXnU7crBT 6AxLg1FChV1m3dOcJwCW72XPi/Mbo9dsJSgbWZmVGCILBEQjVa13K4lt roHibq/1kUvmei0TLpzDpwu9OG3m50tAa+JTyId2vqopbCqEk2rQspQ/ TbewkG2jF7TRvDZbRje8Z2eA2HLW3ClrlIFBcyv/0NqrFH9CJCR2g2Mu a77etVdrgUE=
2. Add dnssec-validation yes; to /etc/bind/named.conf.options, replacing dnssec-validation auto; if it already exists:
options {
directory "/var/cache/bind";
dnssec-validation yes;
notify yes;
recursion yes;
allow-query { any; };
allow-transfer { any; };
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};
3. Add the line include "/etc/bind/named.conf.keys"; to /etc/bind/named.conf above all other include lines. Your final named.conf file should look something like this:
include "/etc/bind/named.conf.keys";
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/etc/bind/named.conf.opennic";
4. Restart BIND: systemctl restart bind9
PowerDNS Recursor
Create /etc/powerdns/config.lua with the following content:
- config.lua
addDS('.', "47089 8 2 6D81988A88BD546E429486CC0A97518F90F9FC6C6C6B7E5BC2788469858C7324")
Add the following lines to /etc/powerdns/recursor.conf:
lua-config-file=/etc/powerdns/config.lua
dnssec=log-fail
Note that this will validate correctly, but will only log bogus domains instead of returning SERVFAIL. This is fine in the DNSSEC testing period, but for full DNSSEC compliance, dnssec should be changed from log-fail to validate.
Restart PowerDNS: systemctl restart pdns-recursor
dnsmasq
Add the following lines to your dnsmasq.conf file:
dnssec
trust-anchor=.,33750,8,2,ced6135102155c7a9c8a99945068ee0dcc21e2f70a5046b4e50ae98ad3ba9de2
trust-anchor=.,47089,8,2,6d81988a88bd546e429486cc0a97518f90f9fc6c6c6b7e5bc2788469858c7324
Unbound
1. Generate the /etc/unbound/opennic.dnskey file:
dig @195.201.99.61 . DNSKEY | dnssec-dsfromkey -2 -f - . > /etc/unbound/opennic.dnskey
2. Edit /etc/unbound/unbound.conf and set the auto-trust-anchor-file option to the opennic.dnskey file (Unbound rewrites this file as it tracks key rollovers, so it must be writable by the user Unbound runs as):
auto-trust-anchor-file: "opennic.dnskey"
3. Restart Unbound: systemctl restart unbound
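As an added check (not part of this wiki page or of any of the resolvers above), the following Python script derives the DS record from the KSK in named.conf.keys the same way dnssec-dsfromkey does, so its output can be compared with the addDS() line in the PowerDNS section and the trust-anchor= lines in the dnsmasq section. Key tag and digest computation follow RFC 4034; the base64 is copied from this page and is the only input.

```python
import base64
import hashlib
import struct
# The KSK as printed by `dig DNSKEY . +short` (flags 257 = KSK, protocol 3,
# algorithm 8 = RSASHA256); base64 copied from named.conf.keys above.
ROOT_KSK_SHORT = "257 3 8 " + " ".join([
    "AwEAAbtbsu+wl3fbEDbgvMgJ1BDXeAk5t6BU7B1KGVvc13zMJtjvarxp",
    "WWrAb7fmWERX8kJawa3KpYty0EDFQ24nfQyhwEOld442ca89u4/ZU3jP",
    "uwKohbGn55vIQ7KjCIrDNvRYjGVn2MNwZnL4WVVclJYsa1cGwVQ9t575",
    "I5yvU+5g+jVcjUsGwFn6xmuJC0Z33ABKsC8b1cjfcnvE4wP3CrXOlDQ+",
    "Er4uPUtMKrmG+Sj1Bm5U+do78mwEXOlTz/sNj8tkpL0pYB2j+XNaDVrO",
    "0uS1beekejnttMsC4SHMCsiwMvigW2O54ByhzijU2v87d7U9WEMVfPvO",
    "6gearg1fo/1Tk4buzPZcS+W9WZgFAt7kT1ois3x0GGT7J55zENB9IZU4",
    "tMmWdYbZJOZsdAzmshuWJIUlTZdNN5671Rhc6P9TWnMlvb9iNT7G3DZ9",
    "PhBw1OF/OmmXobv3Wygbt5+u7q2CPPzwU4WTGpVNtr3Iry2SPW3XVpJS",
    "M3+nW7LfxxtWZJlN4MDQYC5IptU+A5EO80/yE38E9tKGDWC1+Nw59QLa",
    "BE7ff+Jkq7OMjTHjFhYivkJSv+8LEbkGjWoaMAS2CT3/ZVMYLiQn8THi",
    "ZUBF+aOzJMw0EGPag1Qq4vfGgFkQMM3hOaH6bWN1yCvmspuiwLYkNCZZ",
    "/l8ThKc57bGYy9TX",
])

def parse_dnskey_short(line):
    """'flags proto alg base64 ...' -> DNSKEY RDATA in wire format."""
    f = line.split()  # dig splits the base64 on spaces; rejoin it
    return struct.pack("!HBB", *map(int, f[:3])) + base64.b64decode("".join(f[3:]))

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (all algorithms except RSA/MD5)."""
    ac = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def owner_wire(name):
    """Canonical wire form of an owner name; the root '.' is one zero byte."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_record(owner, rdata, digest_type=2):
    """(key tag, algorithm, digest type, hex digest) as in a DS RR (RFC 4034 5.1.4)."""
    h = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    digest = h(owner_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest

if __name__ == "__main__":
    tag, alg, dtype, digest = ds_record(".", parse_dnskey_short(ROOT_KSK_SHORT))
    # Compare against the addDS() and trust-anchor= values used above.
    print(f". IN DS {tag} {alg} {dtype} {digest}")
    print(f"trust-anchor=.,{tag},{alg},{dtype},{digest.lower()}")
```

If the printed key tag or digest differs from the values in the PowerDNS or dnsmasq sections, one of them is stale and the key should be re-fetched from the root servers before it is trusted.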
Testing DNSSEC
Queries to a DNSSEC validating server with the DO flag set should return an answer with the ad (Authenticated Data) flag set in the header:
root@nyc3:~# dig pir.org +dnssec +multi @167.99.153.82
; <<>> DiG 9.10.3-P4-Ubuntu <<>> pir.org +dnssec +multi @167.99.153.82
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3924
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;pir.org. IN A
;; ANSWER SECTION:
pir.org. 241 IN A 97.107.141.235
pir.org. 241 IN RRSIG A 5 2 300 (
20180430162216 20180416162216 30795 pir.org.
Al1OgzE47XZcgl2t9IysJROLgM2Z2/f7tJ6LDuDdTHOD
itT5fJZjRypVJLfZrU73ng5J86dJCFEREk2k6I1lhmno
lJHKH1/MZK+LRDjZWJWqo3F5+MJTFv8W0F8zXWu4AMJE
RYyyhX4fl+mL02T4VLGqpjrH2AX9tH8wRT9TuJE= )
;; Query time: 4 msec
;; SERVER: 167.99.153.82#53(167.99.153.82)
;; WHEN: Mon Apr 16 19:46:05 UTC 2018
;; MSG SIZE rcvd: 21
On these servers, attempting to resolve a domain with broken DNSSEC validation should return a SERVFAIL, without any DNS data:
root@nyc3:~# dig dnssec-failed.org +dnssec +multi @167.99.153.82
; <<>> DiG 9.10.3-P4-Ubuntu <<>> dnssec-failed.org +dnssec +multi @167.99.153.82
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 10808
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dnssec-failed.org. IN A
;; Query time: 1029 msec
;; SERVER: 167.99.153.82#53(167.99.153.82)
;; WHEN: Mon Apr 16 19:48:04 UTC 2018
;; MSG SIZE rcvd: 46
And finally, requesting a domain with no DNSSEC data should just return a normal response, with no ad flag:
root@nyc3:~# dig google.com +dnssec +multi @167.99.153.82
; <<>> DiG 9.10.3-P4-Ubuntu <<>> google.com +dnssec +multi @167.99.153.82
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51509
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 40 IN A 172.217.12.206
;; Query time: 2 msec
;; SERVER: 167.99.153.82#53(167.99.153.82)
;; WHEN: Mon Apr 16 19:48:56 UTC 2018
;; MSG SIZE rcvd: 55
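Added example, not from this page: a small Python check that sorts dig output into the three outcomes shown above (validated, bogus, unsigned) and also catches the case where the query was sent without the DO bit, in which the ad flag can never appear. The header excerpts are constructed from the three responses on this page; run_dig is an assumed helper that shells out to the dig binary.

```python
import re
import subprocess

# Constructed header excerpts in dig's output format, one per case above.
SECURE = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3924
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
"""
BOGUS = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 10808
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
"""
INSECURE = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51509
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
"""

def classify_dig(output):
    """Return 'secure', 'bogus', 'insecure', 'no-do-bit' or 'unparseable'."""
    status = re.search(r"status: (\w+)", output)
    flags = re.search(r"^;; flags: ([^;]*);", output, re.M)
    edns = re.search(r"^; EDNS: .*flags: ([^;]*);", output, re.M)
    if not status or not flags:
        return "unparseable"
    if "do" not in (edns.group(1).split() if edns else []):
        return "no-do-bit"  # query lacked +dnssec, so 'ad' is not expected
    rcode, hdr = status.group(1), flags.group(1).split()
    if rcode == "SERVFAIL":
        return "bogus"  # validation failure, or an unrelated server error
    if rcode == "NOERROR":
        return "secure" if "ad" in hdr else "insecure"
    return rcode.lower()

def run_dig(name, server):
    """Assumed helper: query a resolver with the DO bit set and classify."""
    out = subprocess.run(["dig", name, "+dnssec", "@" + server],
                         capture_output=True, text=True).stdout
    return classify_dig(out)

if __name__ == "__main__":
    for sample in (SECURE, BOGUS, INSECURE):
        print(classify_dig(sample))
```

A SERVFAIL is only proof of a DNSSEC failure if the same query succeeds with +cd (checking disabled); a resolver that is simply unreachable upstream also returns SERVFAIL.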