Re: Testing RFC 5011 key roll

2015-04-17 Thread Edward Lewis
Thanks.  Now have 'ad' bits via both BIND and unbound.

Will let you know when I've shot myself in the foot.

On 4/17/15, 12:45, "Evan Hunt"  wrote:
...

>instead of waiting a full 30 days.  (This is, I hope obviously, *not*
>something you want to run in production. :) )



___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Testing RFC 5011 key roll

2015-04-17 Thread Evan Hunt
On Fri, Apr 17, 2015 at 02:46:16PM +, Edward Lewis wrote:
> I am building named and unbound recursive servers to follow a test of RFC
> 5011 trust anchor updates, the experiment is documented at
> http://keyroll.systems.  One reason why I'm asking here is in
> http://jpmens.net/2015/01/21/opendnssec-rfc-5011-bind-and-unbound/
> which mentions some issues with RFC 5011 rolls in BIND.

I believe all of the issues Jan-Piet discovered have been fixed in
the latest versions.

> But I bet my problem is that I haven't included yet-another configuration
> statement.

A minor nit: You have both a bindkeys-file (which is loaded when you use
"dnssec-validation auto") and a managed-keys statement in your named.conf.
It's harmless, but there's no need to have both.  You can lose the bindkeys
file and set "dnssec-validation yes", or lose the managed-keys statement.

The key at keyroll.systems rolls every 90 minutes if I recall correctly,
so when you start the process you'll need to be sure you're using the
latest key; if you leave your file alone for a few hours it'll stop
working.  "dig @204.42.252.20 dnskey ." will show you the current key
set.

I tried your configuration, and after updating the key to the most recent
one, I am getting responses that validate.

By the way, if you want to ensure that named smoothly rolls over to the
next key, you'll need to adjust its timers.  RFC 5011 says that you can't
trust a new key until it's been in the DNSKEY rrset for at least a month.
To enable testing in a reasonable time, there's an undocumented
option to named that redefines time units for RFC 5011 purposes:

$ named -T mkeytimers=2/5/60

The numbers between the slashes are the number of seconds to use for
an "hour", a "day", and a "month", respectively.  If you run with the
above option, named will trust a new key 60 seconds after it's seen it,
instead of waiting a full 30 days.  (This is, I hope obviously, *not*
something you want to run in production. :) )

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
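The hold-down behaviour Evan describes (a new key is not trusted until it has been seen continuously for an "add hold-down" of one RFC 5011 month, and `-T mkeytimers=2/5/60` shrinks that month to 60 seconds for testing) is easiest to understand as the RFC 5011 trust-anchor state machine. The following is an added illustration, not code from BIND or from the keyroll.systems experiment. It assumes a simplified model: keys are identified by plain string ids rather than key tags, the caller has already verified which keys' RRSIGs validate over the DNSKEY RRset, and a key that is revoked while still in AddPend is treated as removed. The replayed roll (old KSK, new KSK introduced, old KSK revoked after 100 seconds) is a constructed scenario; `run_roll` plays it once with a 60-second month and once with the default 30-day month so the difference in outcome is visible.

```python
"""Toy RFC 5011 trust-anchor state machine (added example; not BIND's code)."""
from dataclasses import dataclass
from enum import Enum

# RFC 5011 time units in seconds. The thread's "named -T mkeytimers=2/5/60"
# redefines hour/day/month to 2, 5 and 60 seconds; these are the real defaults.
DEFAULT_HOUR, DEFAULT_DAY, DEFAULT_MONTH = 3600, 86400, 30 * 86400

SEP_FLAG = 0x0001      # DNSKEY flags: Secure Entry Point (RFC 4034)
ZONE_FLAG = 0x0100     # DNSKEY flags: ZONE bit; 257 = ZONE | SEP, as in the thread
REVOKE_FLAG = 0x0080   # DNSKEY flags: REVOKE bit (RFC 5011 section 2.1)


class State(Enum):
    START = "Start"
    ADDPEND = "AddPend"
    VALID = "Valid"
    MISSING = "Missing"
    REVOKED = "Revoked"
    REMOVED = "Removed"


@dataclass
class Anchor:
    state: State
    since: float  # time at which the anchor entered its current state


class TrustPoint:
    """Tracks the trust anchors of one zone across successive DNSKEY observations."""

    def __init__(self, initial_keys, add_hold_down=DEFAULT_MONTH,
                 remove_hold_down=DEFAULT_MONTH):
        self.add_hold_down = add_hold_down
        self.remove_hold_down = remove_hold_down
        # Keys from the managed-keys initial-key statement start out trusted.
        self.anchors = {k: Anchor(State.VALID, 0.0) for k in initial_keys}

    def trusted(self):
        """Key ids currently usable as trust anchors (Valid or Missing)."""
        return {k for k, a in self.anchors.items()
                if a.state in (State.VALID, State.MISSING)}

    def observe(self, now, rrset, signers):
        """Feed one DNSKEY RRset observed at time `now`.

        rrset   - {key_id: flags} for every DNSKEY in the answer
        signers - key ids whose RRSIG over the RRset verified (assumed pre-checked)
        """
        # Time-driven transition: a revoked key is forgotten after the remove hold-down.
        for a in self.anchors.values():
            if a.state is State.REVOKED and now - a.since >= self.remove_hold_down:
                a.state, a.since = State.REMOVED, now

        # Only an RRset signed by a currently trusted anchor may change anchor state.
        if not (set(signers) & self.trusted()):
            return

        for key_id, flags in rrset.items():
            if not flags & SEP_FLAG:
                continue  # ZSKs never become trust anchors
            a = self.anchors.get(key_id)
            if flags & REVOKE_FLAG:
                # A revocation counts only if the revoked key signs the RRset itself.
                if key_id in signers and a and a.state in (State.VALID, State.MISSING):
                    a.state, a.since = State.REVOKED, now              # RevBit
                elif a and a.state is State.ADDPEND:
                    del self.anchors[key_id]   # simplification: revoked-while-pending = removed
                continue
            if a is None:
                self.anchors[key_id] = Anchor(State.ADDPEND, now)       # NewKey
            elif a.state is State.ADDPEND and now - a.since >= self.add_hold_down:
                a.state, a.since = State.VALID, now                    # AddTime
            elif a.state is State.MISSING:
                a.state, a.since = State.VALID, now                    # KeyPres

        # Known keys that disappeared from the RRset.
        for key_id in list(self.anchors):
            if key_id in rrset:
                continue
            a = self.anchors[key_id]
            if a.state is State.ADDPEND:
                del self.anchors[key_id]                 # KeyRem: hold-down restarts
            elif a.state is State.VALID:
                a.state, a.since = State.MISSING, now    # KeyRem


def run_roll(month_seconds):
    """Constructed roll: new KSK appears at t=0, old KSK is revoked at t=100."""
    tp = TrustPoint(["ksk-old"], add_hold_down=month_seconds,
                    remove_hold_down=month_seconds)
    ksk = ZONE_FLAG | SEP_FLAG
    both = {"ksk-old": ksk, "ksk-new": ksk, "zsk": ZONE_FLAG}
    for t in (0, 30, 61):
        tp.observe(t, both, {"ksk-old", "ksk-new"})
    new_after_61s = tp.anchors["ksk-new"].state.value
    revoked = {"ksk-old": ksk | REVOKE_FLAG, "ksk-new": ksk, "zsk": ZONE_FLAG}
    tp.observe(100, revoked, {"ksk-old", "ksk-new"})
    old_after_revoke = tp.anchors["ksk-old"].state.value
    # One month later the zone is signed by the new KSK only.
    tp.observe(100 + month_seconds, {"ksk-new": ksk, "zsk": ZONE_FLAG}, {"ksk-new"})
    return {"new_after_61s": new_after_61s, "old_after_revoke": old_after_revoke,
            "final_old": tp.anchors["ksk-old"].state.value,
            "final_new": tp.anchors["ksk-new"].state.value,
            "final_trusted": sorted(tp.trusted())}


if __name__ == "__main__":
    print("mkeytimers month=60s :", run_roll(60))
    print("default 30-day month :", run_roll(DEFAULT_MONTH))
```

With the 60-second month the new key reaches Valid at t=61 and the resolver ends the roll trusting only `ksk-new`. With the default month the new key is still AddPend when the old one is revoked, so no trusted key signs the later RRsets, the resolver ignores them, and it is left with no usable trust anchor at all; that is the "it'll stop working" failure Evan warns about, and the reason the timers must be scaled together with the test zone's roll frequency.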


Testing RFC 5011 key roll

2015-04-17 Thread Edward Lewis
I am building named and unbound recursive servers to follow a test of RFC
5011 trust anchor updates, the experiment is documented at
http://keyroll.systems.  One reason why I'm asking here is in
http://jpmens.net/2015/01/21/opendnssec-rfc-5011-bind-and-unbound/
which mentions some issues with RFC 5011 rolls in BIND.

But I bet my problem is that I haven't included yet-another configuration
statement.

I have unbound working, but can't get bind to give me an 'ad' bit, so I'm
certain that the authoritative server side is set up right.

What is puzzling is that I don't see any (relevant) errors when starting
up my named instance.

I'm running named in user space, off port 1053.  So the "permission
denied" parts are acceptable.

$ named -g -c rfc5011.conf
17-Apr-2015 10:17:02.083 starting BIND 9.10.0 -g -c rfc5011.conf
17-Apr-2015 10:17:02.083 built with '--with-openssl=/usr/local/ssl'
'STD_CDEFINES=-DDIG_SIGCHASE=1'
17-Apr-2015 10:17:02.083

17-Apr-2015 10:17:02.083 BIND 9 is maintained by Internet Systems
Consortium,
17-Apr-2015 10:17:02.083 Inc. (ISC), a non-profit 501(c)(3) public-benefit
17-Apr-2015 10:17:02.083 corporation.  Support and training for BIND 9 are
17-Apr-2015 10:17:02.083 available at https://www.isc.org/support
17-Apr-2015 10:17:02.083

17-Apr-2015 10:17:02.083 found 4 CPUs, using 4 worker threads
17-Apr-2015 10:17:02.083 using 2 UDP listeners per interface
17-Apr-2015 10:17:02.084 using up to 4096 sockets
17-Apr-2015 10:17:02.091 loading configuration from
'/Users/edwardlewis/Documents/DNS/secure_BIND_resolver/rfc5011.conf'
17-Apr-2015 10:17:02.092 reading built-in trusted keys from file
'/Users/edwardlewis/Documents/DNS/secure_BIND_resolver/test.key'
17-Apr-2015 10:17:02.092 using default UDP/IPv4 port range: [49152, 65535]
17-Apr-2015 10:17:02.092 using default UDP/IPv6 port range: [49152, 65535]
17-Apr-2015 10:17:02.093 listening on IPv6 interfaces, port 53
17-Apr-2015 10:17:02.093 could not listen on UDP socket: permission denied
17-Apr-2015 10:17:02.093 listening on all IPv6 interfaces failed
17-Apr-2015 10:17:02.093 listening on IPv4 interface lo0, 127.0.0.1#1053
17-Apr-2015 10:17:02.094 generating session key for dynamic DNS
17-Apr-2015 10:17:02.094 couldn't mkdir '/var/run/named': Permission denied
17-Apr-2015 10:17:02.094 could not create /var/run/named/session.key
17-Apr-2015 10:17:02.094 failed to generate session key for dynamic DNS:
permission denied
17-Apr-2015 10:17:02.094 sizing zone task pool based on 1 zones
17-Apr-2015 10:17:02.096 using built-in root key for view recursive
17-Apr-2015 10:17:02.097 set up managed keys zone for view recursive, file
'21ce078705d04ca6324c1d0313fc08ea99f3cef6389a6744d40bd2d9d0cd7816.mkeys'
17-Apr-2015 10:17:02.097 automatic empty zone: ...yadda...yadda...yadda...
17-Apr-2015 10:17:02.101 command channel listening on 127.0.0.1#1953
17-Apr-2015 10:17:02.101 not using config file logging statement for
logging due to -g option
17-Apr-2015 10:17:02.101 listening on IPv6 interfaces, port 53
17-Apr-2015 10:17:02.101 could not listen on UDP socket: permission denied
17-Apr-2015 10:17:02.101 listening on all IPv6 interfaces failed
17-Apr-2015 10:17:02.101 managed-keys-zone/recursive: loaded serial 5
17-Apr-2015 10:17:02.112 all zones loaded
17-Apr-2015 10:17:02.112 running

$ cat /Users/edwardlewis/Documents/DNS/secure_BIND_resolver/rfc5011.conf

options
{
dnssec-enable yes;
dnssec-validation auto;
bindkeys-file "/Users/edwardlewis/Documents/DNS/secure_BIND_resolver/test.key";
pid-file none;
dump-file "5011logs/cache_dump.db";
statistics-file "5011logs/named_stats.txt";
memstatistics-file "5011logs/named.memstats";
zone-statistics yes;
hostname "foobar";
recursion yes;
notify no;
auth-nxdomain no;
listen-on port 1053 { 127.0.0.1; };
};

managed-keys {
. initial-key 257 3 8
"AwEAAchoK9nG+mBjR/NZKqez+XYcqoWPL5e0VTreHS3Wi1KmU0Qgsr1N3O9u+McnsUwF/dsSW8
F/h3yXSMAEhS731eFvqxNDkhL8rQUfGBtALB3onTthYM38fk16vki5UsCecbt3uI46lb5cz5Dts
9drW/55OckwnSw4GTwiq2zebO5fo/UZlftpZTsupqgojL1Y3QlqL0LpP+vPIAgBe+OfhVpFPLxT
P6aeKoNviWC0O2CJiVqVZxp9cumjwOnKUvSfHcsl8tcH3cQjmIhQDDw+Z109J9ly+QcL6RUdHo9
m/TyKL04dQulKBAmgWanAQ0CF7zwhIiUxkxTsUtMTRMuXWcM=";
};

view "recursive" IN {
match-clients { any; };
allow-query   { any; };
recursion yes;

allow-recursion { any; };

// prime the server with the RFC5011 Key roll server.
zone "." {
   type hint;
   file "keyroller-db.root";
};

};  // End of recursive view.

$ cat /Users/edwardlewis/Documents/DNS/secure_BIND_resolver/test.key

managed-keys {
. initial-key 257 3 8
"AwEAAchoK9nG+mBjR/NZKqez+XYcqoWPL5e0VTreHS3Wi1KmU0Qgsr1N3O9u+McnsUwF/dsSW8
F/h3yXSMAEhS731eFvqxNDkhL8rQUfGBtALB3onTthYM38fk16vki5UsCecbt3uI46lb5cz5Dts
9drW/55OckwnSw4GTwiq2zebO5fo/UZlftpZTsupqgojL1Y3QlqL0LpP+vPIA