Re: Question about missing bind.keys
On Tue, Apr 12, 2022 at 09:37:22PM -0400, J Doe wrote:
> Apologies for my late reply. Thank you so much for the detailed
> explanation of: dnssec-validation auto and what happens when: bind.keys
> doesn't exist.
>
> With this setting in place in my: named.conf I then restarted BIND, gave
> it a second to pull the trust information and then used: delv to test
> verification.
>
> The first test for unverified/unsigned was:
>
> $ delv google.com
> ; unsigned answer
> . . .
>
> ... and the second test for verified/signed was:
>
> $ delv ietf.org
> ; fully validated
> . . .
>
> ... which wouldn't have worked if: dnssec-validation auto failed in
> getting the same information as: bind.keys

"delv" isn't actually the right tool for this job - it does its own
internal validation, regardless of whether the name server it's querying
is doing validation correctly or not.

Instead, use "dig" to query your name server and look for the "ad" bit
(Authenticated Data) in the response:

$ dig @localhost unsigned.com | grep flags
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

$ dig @localhost ietf.org | grep flags
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
                   ^^

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.

-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
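The "look for the ad bit" check from the reply above, written out as a small script. This is an added example, not code from the thread or from ISC: it parses the ";; ->>HEADER<<-" and ";; flags:" lines of dig's text output, reports whether the resolver set the AD bit, and also catches SERVFAIL, which is what a validating resolver answers when it cannot verify a chain of trust. The sample outputs embedded in it are constructed (the flags lines copy the two shown in the thread); the function names, the "unsigned.com"/"ietf.org" probe pair and the query() helper that shells out to dig are assumptions of this example.

```python
import re
import subprocess
from dataclasses import dataclass

# Constructed sample dig output, cut down to the two header lines the check
# needs. The flags lines mirror the ones quoted in the thread.
SAMPLE_SIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""
SAMPLE_UNSIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
"""
# Constructed: what a validating resolver returns when the chain of trust
# does not verify (bad signature, expired RRSIG, wrong trust anchor ...).
SAMPLE_BOGUS = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

HEADER_RE = re.compile(r"^;; ->>HEADER<<- opcode: (\w+), status: (\w+)", re.MULTILINE)
FLAGS_RE = re.compile(r"^;; flags:([^;]*);", re.MULTILINE)


@dataclass(frozen=True)
class DigResult:
    status: str        # rcode text: NOERROR, SERVFAIL, NXDOMAIN, ...
    flags: frozenset   # header flags: qr, rd, ra, ad, ...

    @property
    def authenticated(self) -> bool:
        """True when the resolver set the AD (Authenticated Data) bit."""
        return "ad" in self.flags


def parse_dig(output: str) -> DigResult:
    """Pull the rcode and the flag set out of dig's text output."""
    header = HEADER_RE.search(output)
    flags = FLAGS_RE.search(output)
    if header is None or flags is None:
        raise ValueError("no ->>HEADER<<- / flags lines found in dig output")
    return DigResult(status=header.group(2), flags=frozenset(flags.group(1).split()))


def classify(result: DigResult) -> str:
    """What a single response says about the resolver that produced it."""
    if result.status == "SERVFAIL":
        # A validating resolver answers SERVFAIL for data it could not verify;
        # an upstream outage looks the same, so this needs a closer look.
        return "servfail"
    if result.authenticated:
        return "validated"      # the resolver itself verified the chain of trust
    return "unvalidated"        # unsigned zone, or the resolver is not validating


def resolver_is_validating(signed_result: DigResult, unsigned_result: DigResult) -> bool:
    """A resolver is shown to validate only when a known-signed name comes back
    with AD set while a known-unsigned name does not. An unsigned name on its
    own proves nothing: no resolver ever sets AD on it."""
    return signed_result.authenticated and not unsigned_result.authenticated


def query(name: str, server: str = "localhost") -> DigResult:
    """Hypothetical helper: run dig against the resolver under test.
    dig exits 0 even for SERVFAIL, so the rcode is read from its output."""
    proc = subprocess.run(["dig", f"@{server}", name], capture_output=True, text=True)
    return parse_dig(proc.stdout)


if __name__ == "__main__":
    # Same two probes as in the thread: a signed name and an unsigned one.
    signed, unsigned = query("ietf.org"), query("unsigned.com")
    for name, result in (("ietf.org", signed), ("unsigned.com", unsigned)):
        print(f"{name:14} status={result.status:8} "
              f"flags={' '.join(sorted(result.flags))} -> {classify(result)}")
    print("resolver validating:", resolver_is_validating(signed, unsigned))
```

Run it on the host that runs named and it asks the local resolver the same two questions as in the thread; the AD bit on the signed name is the evidence that named, not the client, did the validation, which is exactly the distinction delv blurs. A SERVFAIL on a name that resolves fine elsewhere is the other signal worth watching on a validating resolver, since that is how a trust-anchor or signature problem shows up to clients.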
Re: Question about missing bind.keys
On 2022-03-30 02:23, Evan Hunt wrote:
> On Wed, Mar 30, 2022 at 12:16:05AM -0400, J Doe wrote:
>> I have a question about the bind.keys file and what happens when it is
>> not available.
>> [...]
>> ** If I don't have bind.keys in my BIND directory but have:
>> dnssec-validation auto in my named.conf, is BIND automatically getting
>> the trust anchor and storing it in managed-keys.bind so that when my
>> recursive resolver does a lookup and performs DNSSEC validation,
>> validation works ? Or do I still need to download bind.keys from [1] ?
>
> There's a copy of bind.keys that's compiled directly in named. If the
> file isn't there, named will just use its own internal copy.
>
> The first time named starts up with 'dnssec-validation' set to 'auto', it
> fetches the current root key, validates it against its local copy (either
> from bind.keys or from its own built-in copy), and then keeps the key up
> to date according to the RFC 5011 protocol from then on.
>
> The recommendation to use bind.keys and not rely on the built-in version
> was based on some assumptions that are no longer true. First,
> `dnssec-validation auto` is now the default, so unless you disabled it on
> purpose, you've been validating and keeping the root key up to date since
> the first time you ran your server. Second, back in those days it was
> harder to get hold of regularly-updated packages for BIND, and scads of
> people were running outdated code. We were concerned that someone would
> be running an old version of named, the root key would change, and *then*
> they'd decide to turn validation on for the first time, and it wouldn't
> work. To smooth that out a bit, we added the bind.keys file to the
> release tarball, and when giving tutorials about turning on DNSSEC
> validation, we included a note that you should always check whether
> bind.keys needed to be updated.
>
> In today's world, I don't think it's important anymore.

Hi Evan,

Apologies for my late reply. Thank you so much for the detailed
explanation of: dnssec-validation auto and what happens when: bind.keys
doesn't exist.

With this setting in place in my: named.conf I then restarted BIND, gave
it a second to pull the trust information and then used: delv to test
verification.

The first test for unverified/unsigned was:

$ delv google.com
; unsigned answer
. . .

... and the second test for verified/signed was:

$ delv ietf.org
; fully validated
. . .

... which wouldn't have worked if: dnssec-validation auto failed in
getting the same information as: bind.keys

- J
Re: Question about missing bind.keys
On Wed, Mar 30, 2022 at 12:16:05AM -0400, J Doe wrote:
> I have a question about the bind.keys file and what happens when it is
> not available.
> [...]
> ** If I don't have bind.keys in my BIND directory but have:
> dnssec-validation auto in my named.conf, is BIND automatically getting
> the trust anchor and storing it in managed-keys.bind so that when my
> recursive resolver does a lookup and performs DNSSEC validation,
> validation works ? Or do I still need to download bind.keys from [1] ?

There's a copy of bind.keys that's compiled directly in named. If the
file isn't there, named will just use its own internal copy.

The first time named starts up with 'dnssec-validation' set to 'auto', it
fetches the current root key, validates it against its local copy (either
from bind.keys or from its own built-in copy), and then keeps the key up
to date according to the RFC 5011 protocol from then on.

The recommendation to use bind.keys and not rely on the built-in version
was based on some assumptions that are no longer true. First,
`dnssec-validation auto` is now the default, so unless you disabled it on
purpose, you've been validating and keeping the root key up to date since
the first time you ran your server. Second, back in those days it was
harder to get hold of regularly-updated packages for BIND, and scads of
people were running outdated code. We were concerned that someone would
be running an old version of named, the root key would change, and *then*
they'd decide to turn validation on for the first time, and it wouldn't
work. To smooth that out a bit, we added the bind.keys file to the
release tarball, and when giving tutorials about turning on DNSSEC
validation, we included a note that you should always check whether
bind.keys needed to be updated.

In today's world, I don't think it's important anymore.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
Question about missing bind.keys
Hello,

I have a question about the bind.keys file and what happens when it is
not available.

According to the ARM:

    dnssec-validation

    This option enables DNSSEC validation in named.
    . . .
    (To prevent problems if bind.keys is not found, the current trust
    anchor is also compiled in named. Relying on this is not recommended,
    however, as it requires named to be recompiled with a new key when the
    root key expires.)

I note the part towards the bottom where it says _not_ to rely on the
compiled in option when bind.keys is not found.

With the packaged version of BIND that I am using (BIND 9.16.27), no
bind.keys file was provided. I then enabled DNSSEC validation by adding:

    dnssec-validation auto

in my named.conf file and restarted BIND. I now see I have
managed-keys.bind file in my BIND directory.

To find out more about that I went to [1] which states:

    For Current Releases (BIND 9.11 and higher)
    . . .
    Once named is managing the keys, the current keys will be in
    managed-keys.bind or *.mkeys, if you use views.

In my case, I have BIND configured as a recursive resolver. I have an ACL
section and an Options section but no views . . . but I still get
managed-keys.bind.

My question is:

** If I don't have bind.keys in my BIND directory but have:
dnssec-validation auto in my named.conf, is BIND automatically getting
the trust anchor and storing it in managed-keys.bind so that when my
recursive resolver does a lookup and performs DNSSEC validation,
validation works ? Or do I still need to download bind.keys from [1] ?

Thanks for your help,

- J

Sources:

[1] https://www.isc.org/bind-keys/