Hi,
I am trying to set up DNSSEC validation (see RFCs 4034, 4035) on a
FreeBSD/amd64 system running either BIND (9.4.2-P2 or 9.5.0-P2) or
unbound (1.0.2) DNS server software. Both BIND and unbound use the
OpenSSL crypto libraries that are bundled with FreeBSD. The above RFCs
specify the use of RSA keying and SHA1 signing, as documented in RFC
3110. When configured to do so, a caching nameserver can be made to
validate signatures for all DNS resource records.
Unfortunately this validation process fails on FreeBSD/amd64, regardless
of what application is used to do the validation. (A glance
through the source code trees of both BIND and unbound reveals no common
validation code, save that they are both linked against OpenSSL's
libcrypto.) The process works just fine on an identically-configured
(i.e. config files rsynced from machine to machine) FreeBSD/i386 box and
on gentoo-linux for x86 (32-bit) *and* gentoo-linux for x86_64 (64-bit).
In other words, this issue does not appear to occur in Linux on either
platform, nor in FreeBSD/i386.
I have compiled many versions of openssl, using different options
(no-asm, -O optimization instead of -O3, static vs. shared libs), and
different versions of gcc (the base system version--see testlog output
below; as well as 3.3.6 and 4.4.0), and I have yet to make crypto
validation work in FreeBSD/amd64. As most of my caching nameservers are
FreeBSD/amd64, I am interested in finding a fix for this.
I have filed a Problem Report with FreeBSD, but I am also submitting a
bug report to OpenSSL because I am able to replicate the problem with
just the stock OpenSSL distribution (not the one in the base system or in the
FreeBSD ports collection), including the 0.9.8h release, plus
openssl-0.9.8-stable-SNAP-20080816 and openssl-SNAP-20080816 (the last
of which is where I generated the testlog below).
HOW TO REPLICATE:
1. Install a standard FreeBSD/amd64 system, and synchronize the source
tree to the latest 7-STABLE sources. Rebuild world and kernel. (This
problem can probably be replicated with 7.0-RELEASE out of the box.)
2. Compile and install the stock OpenSSL distribution from ftp.openssl.org,
either with or without no-asm.
3. Compile BIND 9.5.0-P2 with the --with-openssl=<openssl install dir>
option.
4. Verify that the binaries are not linked against the system
libcrypto--they should be statically linked. (I used 'strings named |
grep -i openssl' to verify the version that was linked.)
5. Use the included /etc/namedb/named.conf that comes with FreeBSD. To
that file, add the following:
   - under the global "options" section:
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside . trust-anchor dlv.isc.org;
   - under the main (global) section:
        trusted-keys {
            dlv.isc.org. 257 3 5
            "BEAAAAPp1USu3BecNerrrd78zxJIslqFaJ9csRkxd9LCMzvk9Z0wFzoF
             kWAHMmMhWFpSLjPLX8UL6zDg85XE55hzqJKoKJndRqtncUwHkjh6zERN
             uymtKZSCZvkg5mG6Q9YORkcfkQD2GIRxGwx9BW7y3ZhyEf7ht/jEh01N
             ibG/uAhj4qkzBM6mgAhSGuaKdDdo40vMrwdv0CHJ74JYnYqU+vsTxEIw
             c/u+5VdA0+ZOA1+X3yk1qscxHC24ewPoiASE7XlzFqIyuKDlOcFySchT
             Ho/UhNyDra2uAYUH1onUa7ybtdtQclmYVavMplcay4aofVtjU9NqhCtv f/dbAtaWguDB";
        };
   - optional: add logging information:
        channel dnssec_log {
            file "/var/log/named/dnssec.log" size 20m;
            print-time yes;
            print-category yes;
            print-severity yes;
            severity debug 3;
        };
        category dnssec { dnssec_log; };
6. Start named. You should be able to resolve DNS names on localhost.
7. 'dig +dnssec br @localhost'
- on FreeBSD/i386, you will get a response with the 'ad' bit set, which
means that cryptographic validation worked. On FreeBSD/amd64, the query
will time out. Logging information shows that the keys for the DLV
registry are not being properly verified. Changing the above
trusted-key to something obviously bogus yields the same logging
information (if the optional logging section is configured) as when the
correct key is used--i.e. the one that really works on i386. It
therefore appears that BIND thinks the DLV key is bogus, even if it is
the correct key.
You can also replicate this with unbound, although unbound doesn't use
DLV, so you have to use a trust-anchor key from a specific domain. I
tested it with .SE and got the same results--validation works on i386
but not on amd64. Because there are very few commonalities between
these two software packages except OpenSSL, I think that OpenSSL is the
most likely candidate for a fix. So far, I haven't been able to find
any obvious bug, but I am not much of a cryptography expert.
testlog ('make report') output:
OpenSSL version: 0.9.9-dev
Last change: Add support for distinct certificate and CRL paths. The...
Options: no-asm no-gmp no-krb5 no-mdc2 no-rc5 no-rfc3779
no-shared no-zlib no-zlib-dynamic static-engine
OS (uname): FreeBSD ndrl3.berkeley.edu 7.0-STABLE FreeBSD
7.0-STABLE #4: Fri Aug 8 14:01:55 PDT 2008
[EMAIL PROTECTED]:/usr/obj/usr/src/sys/DRL amd64
OS (config): amd64-whatever-freebsd
Target (default): BSD-x86_64
Target: BSD-x86_64
Compiler: Using built-in specs.
Target: amd64-undermydesk-freebsd
Configured with: FreeBSD/amd64 system compiler
Thread model: posix
gcc version 4.2.1 20070719 [FreeBSD]
Test passed.
thanks,
michael
PS. You can view my FreeBSD PR at
<http://docs.freebsd.org/cgi/getmsg.cgi?fetch=69170+0+current/freebsd-amd64>.
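The report above turns on the RSA/SHA-1 (algorithm 5) path that RFC 3110 defines for DNSKEY and RRSIG and then watches a trust anchor fail to verify. The following is an added worked example, not code from the original post and not from BIND, unbound or OpenSSL. It does, in pure Python arithmetic rather than libcrypto, the three things a validator does with such a key: parse the RFC 3110 public key field (exponent length, exponent, modulus, including the 0x00 + two-byte length form), compute the RFC 4034 Appendix B key tag over the DNSKEY RDATA, and check a PKCS#1 v1.5 SHA-1 signature, returning "bogus" for a tampered message or a key with one flipped modulus bit (the "obviously bogus" trusted-key case described in step 7). The 512-bit key, the seed, the signed material and the dlv.isc.org owner name used in `demo()` are all constructed here for the example; a real validator signs "RRSIG RDATA without the signature || canonical RRset" and would never use a seeded RNG or a key this small.

```python
import hashlib
import hmac
import math
import random
import struct

# DER DigestInfo prefix for SHA-1; RFC 3110 s.3 requires PKCS#1 v1.5 encoding.
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")

def _is_probable_prime(n, rng, rounds=16):
    # Miller-Rabin for large odd n: adequate for a demo key, not for real key generation.
    if any(n % p == 0 for p in (3, 5, 7, 11, 13, 17, 19, 23)):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if _is_probable_prime(cand, rng):
            return cand

def generate_rsa_key(bits=512, seed=0):
    # Constructed demo key (n, e, d) from a seeded RNG: reproducible, NOT secure.
    rng, e = random.Random(seed), 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1 and (p * q).bit_length() == bits:
            return p * q, e, pow(e, -1, phi)

def encode_rfc3110_pubkey(e, n):
    # DNSKEY public key field: exponent length, exponent, modulus (RFC 3110 s.2).
    eb = e.to_bytes((e.bit_length() + 7) // 8, "big")
    prefix = bytes([len(eb)]) if len(eb) < 256 else b"\x00" + struct.pack(">H", len(eb))
    return prefix + eb + n.to_bytes((n.bit_length() + 7) // 8, "big")

def decode_rfc3110_pubkey(blob):
    # Inverse of the above; malformed input is what a validator must treat as bogus.
    if len(blob) < 3:
        raise ValueError("public key too short")
    elen, off = (blob[0], 1) if blob[0] else (struct.unpack(">H", blob[1:3])[0], 3)
    eb, nb = blob[off:off + elen], blob[off + elen:]
    if len(eb) != elen or not nb:
        raise ValueError("truncated public key")
    e, n = int.from_bytes(eb, "big"), int.from_bytes(nb, "big")
    if e < 3 or e % 2 == 0 or n % 2 == 0:
        raise ValueError("invalid RSA parameters")
    return e, n

def key_tag(rdata):
    # RFC 4034 Appendix B key tag, computed over the whole DNSKEY RDATA.
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def _emsa_pkcs1_v15_sha1(data, k):
    t = SHA1_DIGESTINFO + hashlib.sha1(data).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for RSASHA1")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsasha1_sign(data, n, d):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15_sha1(data, k), "big"), d, n).to_bytes(k, "big")

def rsasha1_verify(data, signature, pubkey_blob):
    # Recover EM with the public key and compare it, in constant time, with the expected encoding.
    try:
        e, n = decode_rfc3110_pubkey(pubkey_blob)
    except ValueError:
        return False
    k, s = (n.bit_length() + 7) // 8, int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:
        return False
    return hmac.compare_digest(pow(s, e, n).to_bytes(k, "big"), _emsa_pkcs1_v15_sha1(data, k))

def demo():
    n, e, d = generate_rsa_key(512, seed=2008)
    pubkey = encode_rfc3110_pubkey(e, n)
    # Constructed stand-in for the signed material (RFC 4034 s.3.1.8.1): type A,
    # alg 5, 2 labels, TTL 3600, then an owner name in wire format.
    material = b"\x00\x01\x05\x02\x00\x00\x0e\x10" + b"\x03dlv\x03isc\x03org\x00"
    sig = rsasha1_sign(material, n, d)
    bogus = encode_rfc3110_pubkey(e, n ^ 0x10)  # one flipped modulus bit
    return {
        "key_tag": key_tag(struct.pack(">HBB", 257, 3, 5) + pubkey),  # KSK, RSASHA1
        "roundtrip": decode_rfc3110_pubkey(pubkey) == (e, n),
        "valid": rsasha1_verify(material, sig, pubkey),
        "tampered": rsasha1_verify(material + b"x", sig, pubkey),
        "bogus_key": rsasha1_verify(material, sig, bogus),
    }
```

Because the modular exponentiation is done by the interpreter rather than by libcrypto, a run of `demo()` on the affected amd64 box gives an independent reference: if `valid` is True here while BIND and unbound reject the same key material, the suspect is the library build, not the DNS data. `key_tag` over the real `257 3 5` RDATA is also the number to match against whatever tag the dnssec log prints for the anchor.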
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]