
What is DNSSEC

DNSSEC — Domain Name System Security Extensions.

DNSSEC enables users with security-aware (validating) DNS resolvers to retrieve information from the domain name system, such as IP addresses or, for those who have shell accounts on debian.org machines, SSH host key fingerprints (SSHFP records), with a cryptographic assurance that the data is what the zone owner published. Any tampering with DNS replies on the way to the validating resolver is detected, and the resolver refuses to return the forged answer.

DNSSEC is an important step in securing the Internet's name resolution infrastructure.

Test DNSSEC

Once you have enabled DNSSEC you will want to confirm that your configuration changes have worked. We recommend running the following tests both before and after the change, so you can see the difference.

Command line

dig org. SOA +dnssec

; <<>> DiG 9.7.3 <<>> org. SOA +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31736
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 1

...[cut]...

;; Query time: 597 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu May 12 21:44:43 2011
;; MSG SIZE  rcvd: 536

In the flags you should see ad (Authenticated Data): the resolver validated the signatures on the answer. If the query succeeds but ad is missing, the resolver is not validating. Note that the ad flag is set by the resolver, not by the authoritative server, so it is only trustworthy when the path to the resolver is trusted; here the resolver is 127.0.0.1. A resolver reached across an untrusted network could be impersonated and the flag forged.

or

dig test.dnssec-or-not.net TXT  

; <<>> DiG 9.7.0-P1 <<>> test.dnssec-or-not.net TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56013
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;test.dnssec-or-not.net.                IN      TXT

;; ANSWER SECTION:
test.dnssec-or-not.net. 60      IN      CNAME   c391185c79a6d6ce.dnssec-or-not.net.
c391185c79a6d6ce.dnssec-or-not.net. 60 IN TXT   "Yes, you are using DNSSEC"

;; Query time: 1133 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat May 14 12:25:18 2011
;; MSG SIZE  rcvd: 109

You will see either "Yes, you are using DNSSEC" or "No, you are not using DNSSEC" in the TXT record. Note that this answer itself carries no ad flag (the test zone is not signed), so treat it as a complement to the ad-flag check above, not a replacement for it.
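The two checks above only cover the positive case. A validating resolver must also refuse a deliberately broken zone, and must still hand that data over when the client sets the CD (checking disabled) bit; otherwise you cannot tell a validation failure from a network failure. The following script is an added example (not part of the original page): it parses dig's header the way the tests above read it by eye and runs three queries against the local resolver. dnssec-failed.org is a well-known, intentionally mis-signed test zone; the sample outputs embedded in the script are constructed from this page's own dig transcripts.

```python
import re
import subprocess

# Sample dig output, constructed from the transcripts shown on this page
# (a validated answer, a non-validated answer) plus a SERVFAIL as a
# validating resolver returns it for a bogus zone.
SAMPLE_VALIDATED = """\
; <<>> DiG 9.7.3 <<>> org. SOA +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31736
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 1
"""
SAMPLE_NOT_VALIDATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56013
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
"""
SAMPLE_BOGUS = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

STATUS_RE = re.compile(r"status: (?P<status>[A-Z]+),")
FLAGS_RE = re.compile(r"^;; flags: (?P<flags>[^;]*);", re.MULTILINE)


def parse_dig(output):
    """Return (rcode, set of header flags) from dig's text output."""
    s = STATUS_RE.search(output)
    f = FLAGS_RE.search(output)
    if not s or not f:
        raise ValueError("no dig header found in output")
    return s.group("status"), set(f.group("flags").split())


def classify(output):
    """'validated' if the resolver set ad, 'bogus' on SERVFAIL, else 'unvalidated'."""
    status, flags = parse_dig(output)
    if status == "SERVFAIL":
        return "bogus"
    if status == "NOERROR" and "ad" in flags:
        return "validated"
    return "unvalidated"


def dig(name, rtype, server, *extra):
    """Run dig against one server and return its textual output."""
    cmd = ["dig", "@" + server, name, rtype] + list(extra)
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


def check_resolver(server="127.0.0.1"):
    """Three results a validating resolver must produce; all should be True."""
    bogus = "dnssec-failed.org"   # intentionally broken test zone
    return {
        # signed zone: answer must be validated (ad flag)
        "signed_zone_gets_ad": classify(dig("org.", "SOA", server, "+dnssec")) == "validated",
        # broken zone: a validator must refuse it
        "bogus_zone_servfails": classify(dig(bogus, "A", server)) == "bogus",
        # same query with CD set: data comes back unvalidated, proving the
        # SERVFAIL above was a validation failure and not a network problem
        "bogus_zone_answered_with_cd": classify(dig(bogus, "A", server, "+cd")) == "unvalidated",
    }


if __name__ == "__main__":
    for check, ok in check_resolver().items():
        print("%-30s %s" % (check, "OK" if ok else "FAIL"))
```

If the first check fails the resolver is not validating at all. If the second and third both fail, the resolver cannot reach the zone and the problem is in the network path, not in DNSSEC (see Troubleshooting below).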

Web-based

Or visit one of these test pages: http://dnssectest.sidn.nl/ (informative) or http://test.dnssec-or-not.org/ (fun) ;-)

Troubleshooting

If DNSSEC doesn't work (you get no answers, or only SERVFAIL, from your caching DNS server) the problem is often in a firewall. Signed answers carry RRSIG records and are much larger than classic DNS replies, so they depend on EDNS0 (UDP messages above 512 bytes, frequently fragmented) and on fallback to TCP port 53. A firewall that drops UDP fragments, clamps DNS to 512 bytes or blocks TCP/53 breaks validation while ordinary lookups keep working. Compare dig org. SOA +dnssec +tcp (forces TCP) with the same query using +bufsize=512 (no large UDP answers); if one succeeds and the other does not, the network path is at fault. Contact your system administrator and ask about this; some rules may block DNSSEC traffic indirectly.

How to use DNSSEC

To use DNSSEC you need an aware resolver — a resolver that understands the DNS security extensions.

For this purpose you can use the following software.

Unbound

unbound is a lightweight, easy to configure validating, recursive and caching DNS resolver.

It has a built-in list of root servers, so no separate root hints file is required.

See also the unbound howto webpage http://www.unbound.net/documentation/howto_anchor.html.

Installing Unbound

apt-get install unbound

For Debian 5.0 (Lenny) a backported unbound package is available.

Adding root trust anchor

Download the root anchor from

wget https://data.iana.org/root-anchors/root-anchors.xml

Contents of root-anchors.xml:

<?xml version="1.0" encoding="UTF-8"?>
<TrustAnchor id="AD42165F-3B1A-4778-8F42-D34A1D41FD93" source="http://data.iana.org/root-anchors/root-anchors.xml">
<Zone>.</Zone>
<KeyDigest id="Kjqmt7v" validFrom="2010-07-15T00:00:00+00:00">
<KeyTag>19036</KeyTag>
<Algorithm>8</Algorithm>
<DigestType>2</DigestType>
<Digest>49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5</Digest>
</KeyDigest>
</TrustAnchor>

In the line below, replace the <KeyTag>, <Algorithm>, <DigestType>, and <Digest> tags with the corresponding values from root-anchors.xml.

. IN DS <KeyTag> <Algorithm> <DigestType> <Digest>

After this operation you should get something like:

. IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5

Note that this is an example: the root key is rolled over time (the 2010 KSK with key tag 19036 shown here has since been replaced by the 2017 KSK with key tag 20326), so always take the values from a freshly downloaded root-anchors.xml and respect its validFrom and validUntil attributes. Fetching the file over HTTPS from data.iana.org is what ties the anchor to IANA; later unbound versions ship unbound-anchor, which downloads root-anchors.xml, verifies IANA's signature on it with a built-in certificate and writes root.key for you.

Stop the unbound daemon.

/etc/init.d/unbound stop

Save this line to the file /var/lib/unbound/root.key.

Unbound must be able to read and write the root.key file; others need read access only. So you need to change the owner:

chown unbound:unbound /var/lib/unbound/root.key

ls -l /var/lib/unbound/root.key
-rw-r--r-- 1 unbound unbound 759 May 12 20:27 /var/lib/unbound/root.key

Create the file /etc/unbound/unbound.conf if it does not already exist and add the following content:

server:
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

This line configures unbound to perform cryptographic DNSSEC validation using the root trust anchor. With auto-trust-anchor-file unbound also tracks the root key via RFC 5011 and rewrites root.key itself, storing the fetched DNSKEY and its timestamps (which is why the file grows well beyond the single DS line once unbound has run, and why unbound needs write access to it). Run unbound-checkconf to check the configuration syntax before starting the daemon.

Start the unbound daemon.

/etc/init.d/unbound start

BIND9

bind9 is widely used both for authoritative domain name serving and for resolving for local networks.

Installing BIND

$ apt-get install bind9

These instructions work for bind9 9.7 or later.

Debian stable (6.0) or later is fine.

Configuring the managed keys

BIND 9.7's managed-keys statement takes the key itself, in DNSKEY format, rather than the DS record that IANA publishes in root-anchors.xml (a DS record is a hash of the public key, so the two can be checked against each other).

The current root DNSKEY RRset can be fetched from a root server over plain, unauthenticated DNS. Before trusting the key with flags 257 (the KSK), compare its key tag and digest against the DS from root-anchors.xml, otherwise a spoofed reply to this one query would become your trust anchor:

$ dig . @a.root-servers.net DNSKEY

; <<>> DiG 9.7.0-P1 <<>> . @a.root-servers.net DNSKEY
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37624
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;.                              IN      DNSKEY

;; ANSWER SECTION:
.                       172800  IN      DNSKEY  256 3 8 AwEAAcaGQEA+OJmOzfzVfoYN249JId7gx+OZMbxy69HfUyuGBbRN0+Hu TOpBxxBCkNOL+EJB9qJxt+0FEY6ZUVjEg58sRr4ZQ6Iu6b1xTBKgc193 zUARk4mmQ/PPGxn7Cn5VEGJ/1h6dNaiXuRHwR+7oWh7DnzkIJChcTqlF rXDW3tjt
.                       172800  IN      DNSKEY  257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=

;; Query time: 242 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Sat May 14 12:04:46 2011
;; MSG SIZE  rcvd: 439

So, create a file called /etc/bind/named.conf.keys and insert the following into it:

managed-keys {
  "." initial-key 257 3 8
    "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
     FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
     bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
     X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
     W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
     Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
     QxA+Uk1ihz0=";
};

The managed-keys directive instructs BIND to use the RFC 5011 protocol to track subsequent changes to the key.

The "." attaches the key to the root.

Other data is extracted as per the response from the dig command (slightly reformatted).
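The Unbound section builds a DS line from root-anchors.xml, and this section pastes a DNSKEY fetched over unauthenticated DNS into managed-keys. The two are linked: the DS digest is the hash of the owner name and the DNSKEY RDATA, so you can verify that the key you are about to trust is the one IANA published. The script below is an added example (not part of the original page or of BIND/Unbound): it implements the key tag and DS computation from RFC 4034, parses root-anchors.xml, emits the Unbound DS line and checks the page's root DNSKEY records against the anchor. The DNSKEY and XML inputs are copied from this page; the helper names are this example's own.

```python
import base64
import hashlib
import struct
import xml.etree.ElementTree as ET

# Inputs copied from this page: the two root DNSKEY records returned by
# a.root-servers.net (presentation format) and IANA's root-anchors.xml
# for the 2010 KSK.
ROOT_KSK = ("257 3 8 "
            "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF"
            "FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX"
            "bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD"
            "X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz"
            "W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS"
            "Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq"
            "QxA+Uk1ihz0=")
ROOT_ZSK = ("256 3 8 "
            "AwEAAcaGQEA+OJmOzfzVfoYN249JId7gx+OZMbxy69HfUyuGBbRN0+Hu"
            "TOpBxxBCkNOL+EJB9qJxt+0FEY6ZUVjEg58sRr4ZQ6Iu6b1xTBKgc193"
            "zUARk4mmQ/PPGxn7Cn5VEGJ/1h6dNaiXuRHwR+7oWh7DnzkIJChcTqlF"
            "rXDW3tjt")
ROOT_ANCHORS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<TrustAnchor id="AD42165F-3B1A-4778-8F42-D34A1D41FD93" source="http://data.iana.org/root-anchors/root-anchors.xml">
<Zone>.</Zone>
<KeyDigest id="Kjqmt7v" validFrom="2010-07-15T00:00:00+00:00">
<KeyTag>19036</KeyTag>
<Algorithm>8</Algorithm>
<DigestType>2</DigestType>
<Digest>49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5</Digest>
</KeyDigest>
</TrustAnchor>
"""

DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Owner name in canonical wire form (RFC 4034 s6.2): lowercase labels; root is 0x00."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(presentation):
    """'flags proto alg base64...' -> DNSKEY RDATA bytes (RFC 4034 s2.1)."""
    fields = presentation.split()
    flags, proto, alg = (int(x) for x in fields[:3])
    return struct.pack("!HBB", flags, proto, alg) + base64.b64decode("".join(fields[3:]))


def key_tag(rdata):
    """Key tag over the whole RDATA (RFC 4034 Appendix B; algorithms other than 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(owner name wire form || DNSKEY RDATA) (RFC 4034 s5.1.4)."""
    return DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def parse_root_anchors(xml_text):
    """KeyDigest entries of root-anchors.xml as dicts, keeping the validity window."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    zone = root.findtext("Zone")
    return [{
        "zone": zone,
        "key_tag": int(kd.findtext("KeyTag")),
        "algorithm": int(kd.findtext("Algorithm")),
        "digest_type": int(kd.findtext("DigestType")),
        "digest": kd.findtext("Digest").strip().upper(),
        "valid_from": kd.get("validFrom"),
        "valid_until": kd.get("validUntil"),  # absent until a key is scheduled out
    } for kd in root.findall("KeyDigest")]


def anchor_to_ds_line(anchor):
    """The line the Unbound section writes into /var/lib/unbound/root.key."""
    return "%s IN DS %d %d %d %s" % (anchor["zone"], anchor["key_tag"],
                                    anchor["algorithm"], anchor["digest_type"],
                                    anchor["digest"])


def dnskey_matches_anchor(owner, presentation, anchor):
    """True iff this DNSKEY is a KSK (SEP flag set) whose DS equals the published one."""
    rdata = dnskey_rdata(presentation)
    flags = struct.unpack("!H", rdata[:2])[0]
    return (flags & 0x0001 == 0x0001                 # SEP bit: the key a DS points at
            and rdata[3] == anchor["algorithm"]
            and key_tag(rdata) == anchor["key_tag"]
            and ds_digest(owner, rdata, anchor["digest_type"]) == anchor["digest"])


if __name__ == "__main__":
    anchors = parse_root_anchors(ROOT_ANCHORS_XML)
    for a in anchors:
        print(anchor_to_ds_line(a))
    for label, key in (("KSK", ROOT_KSK), ("ZSK", ROOT_ZSK)):
        ok = any(dnskey_matches_anchor(".", key, a) for a in anchors)
        print("%s key tag %5d  matches IANA anchor: %s" % (label, key_tag(dnskey_rdata(key)), ok))
```

Only the 257 key should match; the 256 key (the ZSK) is signed by the KSK and is never a trust anchor. Run the same check against whatever dig returns today and the current root-anchors.xml before pasting a key into named.conf.keys or root.key.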

Update bind9 configuration

You will now need to inform BIND of the new managed keys, edit the file /etc/bind/named.conf and make it look like:

// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the 
// structure of BIND configuration files in Debian, *BEFORE* you customize 
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.keys";
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

The line including the /etc/bind/named.conf.keys file is new.

Now edit the file /etc/bind/named.conf.options and add the statement:

dnssec-validation yes;

inside the options directive. With BIND 9.8 or later you can write dnssec-validation auto; instead: BIND then uses the root key compiled into it and tracks it via RFC 5011, and the managed-keys entry above is not needed. On 9.7 the explicit managed-keys entry is required.

Reload the BIND daemon

To have the configuration changes take effect, check the syntax with named-checkconf and then reload the configuration:

/etc/init.d/bind9 reload

Set system DNS resolver to use local caching DNS server

Modify your /etc/resolv.conf to use the loopback interface as nameserver.

nameserver 127.0.0.1

Your local resolver (Unbound or BIND9) now serves as a validating, caching DNS server. All requests go to it, and anything not in its cache is resolved iteratively, starting at the root servers. Validation happens in that resolver, not in the stub resolver of your programs; the ad flag is meaningful precisely because the resolver runs on the same host.

If you use DHCP and dhclient overwrites your /etc/resolv.conf, either remove domain-name-servers from the request statement in /etc/dhcp/dhclient.conf, or add supersede domain-name-servers 127.0.0.1; to that file so that DHCP-supplied servers are ignored.