Re: DNSSEC With Primary Hidden - Clarifying Question from Documentation

2023-01-17 Thread Pirawat WATANAPONGSE via bind-users
If my “understanding” of your desire is wrong, I do apologize for creating
even more noise rather than answering it.

I believe that your problem is only a matter of “semantics”: the “terms”
used do not sync-up with the “meanings”.

My best guess is that you want the “master copy & signing” of your zones
hidden, but still want (at least 2) Authoritative Servers answering the
(DNSSEC) queries.

That is called the “Hidden-Master” implementation.
1. You set up a server capable of “sec” signing, put it somewhere in the
private part of your network, load it with your zone files and sign them
all, set it to transfer the zones out to the Primary.
This one is called the Hidden “Master”.
Nobody says that it has to serve the public; it only has to provide zone
transfers to the Primary (only).
Not putting the FQDN of your Master in the zone file, and firewall it out
from everyone except the Primary, is the best way to “hide”.
2. You set up a “Primary” Authoritative Server (in-house or out-sourced),
set it to get the (signed) zones "transferred in" from the Master, set it
to "transfer out" the (signed) zones to the Secondaries, and service the
queries from the public.
You do it by cheating; configuring the Primary to think itself as a
secondary to the Master, but at the same time configuring it to still be
the primary to the Secondaries.
Nobody says anything about where the Primary gets the zone information
from, or that it must carry the (unsigned) master copies and has to sign
them by itself; it only has to service the queries to the public, and
provide the zone transfers to the Secondaries (only).
3. You set 1 or more Secondary Authoritative Servers (in-house or
out-sourced), set it to get the (signed) zones "transferred in" from the
Primary, and service the queries from the public.
Nobody says that zones cannot be “chained-transferred”.
4. You MUST use the FQDN of the Primary in your SOA Records, NOT the Master.

So, minimum configuration: 1 Master, 1 Primary, 1 Secondary.
Add Secondaries to taste.
Resolvers not included.


Cheers,

Pirawat.


> -- Forwarded message --
> From: E R 
> To: bind-users@lists.isc.org
> Cc:
> Bcc:
> Date: Tue, 17 Jan 2023 17:28:57 -0600
> Subject: DNSSEC With Primary Hidden - Clarifying Question from
> Documentation
> I am planning on implementing the current version of BIND to replace the
> aging, undocumented authoritative servers I inherited.  I want to hide the
> primary server on our internal network and have two secondary servers be
> publicly available.  While reading the DNSSEC Guide
> <https://bind9.readthedocs.io/en/v9_18_9/dnssec-guide.html#recipes> recipes
> it seems to imply that I cannot have a hidden primary that handles all the
> DNSSEC stuff.
>
> Does the primary server that handles the DNSSEC duties not be hidden?  Or
> were they just illustrating that you do not need to touch your hidden
> primary server and just add one that does the DNSSEC duties?
>
>
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
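The three-server layout described in the post above (hidden signing master, public "primary" that is a secondary to the master, chained public secondary), as an added example that is not part of the original message: constructed named.conf fragments for BIND 9.18, assuming the hostnames ns1.example.com / ns2.example.com, addresses from the 192.0.2.0/24 documentation range, and a placeholder TSIG secret.

```conf
// CONSTRUCTED example: three named.conf fragments, one per server.
// 192.0.2.10 = hidden master, 192.0.2.20 = ns1 (public "primary"),
// 192.0.2.30 = ns2 (public secondary). Replace the secret with real
// tsig-keygen output; the same key statement goes on all three hosts.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-REPLACE-WITH-tsig-keygen-OUTPUT";
};

// --- 1. hidden master (192.0.2.10): signs, talks only to ns1 ---
// The zone file's SOA MNAME and NS records name ns1/ns2 only; this
// host's own name never appears in the zone (post's point 4).
zone "example.com" {
    type primary;
    file "example.com.db";            // unsigned source zone
    dnssec-policy default;            // keys and signing live here only
    inline-signing yes;
    allow-query { 192.0.2.20; };      // ns1's SOA serial checks need query access
    allow-transfer { key xfer-key; }; // AXFR/IXFR only with the TSIG key
    notify explicit;                  // BIND does not NOTIFY the MNAME host by
    also-notify { 192.0.2.20; };      // default, so ns1 must be listed explicitly
};

// --- 2. ns1 (192.0.2.20): secondary to the master, primary to ns2 ---
zone "example.com" {
    type secondary;
    primaries { 192.0.2.10 key xfer-key; };
    file "sec/example.com.db";        // arrives already signed; no private keys here
    allow-query { any; };
    allow-transfer { key xfer-key; };
    notify yes;                       // NOTIFYs the NS set from the zone (ns2)
};

// --- 3. ns2 (192.0.2.30): chained secondary, never contacts the master ---
zone "example.com" {
    type secondary;
    primaries { 192.0.2.20 key xfer-key; };
    file "sec/example.com.db";
    allow-query { any; };
    allow-transfer { none; };         // end of the chain: hand out no copies
};
```

A host firewall on the master that admits TCP/UDP 53 only from 192.0.2.20 completes the hiding; the config alone only governs what named answers, not who can reach it.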


Re: DNSSEC With Primary Hidden - Clarifying Question from Documentation

2023-01-17 Thread Peter
On Tue, Jan 17, 2023 at 05:28:57PM -0600, E R wrote:
! I am planning on implementing the current version of BIND to replace the
! aging, undocumented authoritative servers I inherited.  I want to hide the
! primary server on our internal network and have two secondary servers be
! publicly available.  While reading the DNSSEC Guide
!  recipes
! it seems to imply that I cannot have a hidden primary that handles all the
! DNSSEC stuff.
! 
! Does the primary server that handles the DNSSEC duties not be hidden?  Or
! were they just illustrating that you do not need to touch your hidden
! primary server and just add one that does the DNSSEC duties?

In fact, none of them needs to.
I for my part have two publicly visible servers, plus a hidden
primary, and the DNSSEC stuff is entirely separated from all of them;
that happens in a vault, no network connection, signed e-mail in and
out only (I don't want to bother with a hw crypto device).

Obviously, YMMV, it depends on the tools You use to maintain your
zones.

cheers,
PMc


Re: DNSSEC With Primary Hidden - Clarifying Question from Documentation

2023-01-17 Thread Mark Andrews



> On 18 Jan 2023, at 10:55, Grant Taylor via bind-users 
>  wrote:
> 
> On 1/17/23 4:45 PM, Michael Richardson wrote:
>> Many people do exactly that.
> 
> Sorry, I don't see that as an answer to -- my understanding of -- the OP's 
> question of "Does the primary server that handles the DNSSEC duties need to 
> be not hidden / publicly accessible?"
> 
> Specifically what many people do, or not, doesn't translate to a requirement.
> 
>> In my opinion, this is the best way to do things, and the in-place signing is
>> just a total pain.
> 
> Your opinions, such as they are, are independent of the OP's question.
> 
> I've got an ancient version of BIND managing all of the DNSSEC wherein the 
> master is sort of hidden in that it's listed in the SOA's MNAME, but is not 
> listed as an NS.  The MNAME is globally accessible.
> 
> I'm sure that I'm overlooking something at the end of a long day, but I can't 
> see anything that prevents the OP from having the primary perform DNSSEC 
> functions while also functioning as a hidden primary role.

DNSSEC was designed with the primary doing the signing and the secondaries just 
serving the signed content.  DNSSEC works fine with a hidden primary signing 
the zone.  As with everything DNSSEC, every server involved needs to support 
DNSSEC.

Now how you manage that signing is a completely separate topic and there are 
different ways to do it.

> -- 
> Grant. . . .
> unix || die
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org



Re: DNSSEC With Primary Hidden - Clarifying Question from Documentation

2023-01-17 Thread Grant Taylor via bind-users

On 1/17/23 4:45 PM, Michael Richardson wrote:
> Many people do exactly that.

Sorry, I don't see that as an answer to -- my understanding of -- the 
OP's question of "Does the primary server that handles the DNSSEC duties 
need to be not hidden / publicly accessible?"

Specifically what many people do, or not, doesn't translate to a 
requirement.

> In my opinion, this is the best way to do things, and the in-place signing is
> just a total pain.

Your opinions, such as they are, are independent of the OP's question.

I've got an ancient version of BIND managing all of the DNSSEC wherein 
the master is sort of hidden in that it's listed in the SOA's MNAME, but 
is not listed as an NS.  The MNAME is globally accessible.

I'm sure that I'm overlooking something at the end of a long day, but I 
can't see anything that prevents the OP from having the primary perform 
DNSSEC functions while also functioning as a hidden primary role.

--
Grant. . . .
unix || die





Re: DNSSEC With Primary Hidden - Clarifying Question from Documentation

2023-01-17 Thread Michael Richardson

E R  wrote:
> I am planning on implementing the current version of BIND to replace the
> aging, undocumented authoritative servers I inherited.  I want to hide the
> primary server on our internal network and have two secondary servers be
> publicly available.  While reading the DNSSEC Guide
> recipes
> it seems to imply that I cannot have a hidden primary that handles all the
> DNSSEC stuff.

Many people do exactly that.
Check out the: “Bump in the Wire” Signing section.

In my opinion, this is the best way to do things, and the in-place signing is
just a total pain.





DNSSEC With Primary Hidden - Clarifying Question from Documentation

2023-01-17 Thread E R
I am planning on implementing the current version of BIND to replace the
aging, undocumented authoritative servers I inherited.  I want to hide the
primary server on our internal network and have two secondary servers be
publicly available.  While reading the DNSSEC Guide
 recipes
it seems to imply that I cannot have a hidden primary that handles all the
DNSSEC stuff.

Does the primary server that handles the DNSSEC duties not be hidden?  Or
were they just illustrating that you do not need to touch your hidden
primary server and just add one that does the DNSSEC duties?