Re: dns-sec and Maintaining Human Sanity

2010-08-08 Thread Dave Knight

On 2010-08-06, at 6:36 PM, Tony Finch wrote:

> OpenDNSSEC predates BIND's auto-signing functionality, so it has become
> partly obsolete - but not completely.

OpenDNSSEC is far from obsolete, it's in active development [1] and is being 
used for some important zones [2].

dave

[1] 
http://www.opendnssec.org/2010/05/27/opendnssec-1-1-0-and-release-plan-for-1-2/
[2] http://www.opendnssec.org/about/known-users/

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


dns-sec and Maintaining Human Sanity

2010-08-06 Thread Martin McCormick
I have started looking at various ways for our
organization to begin using dns-sec as this appears to be a high
management priority and it will eventually become necessary to
operate. We have a fairly simple structure with an official master and
slave with dynamic DHCP continuously updating the zone.

The one thing that impresses me about dns-sec is that it
appears to be one of those things that will probably work fine
after installation but getting there may be an adventure to put
it mildly. There is an application called opendns-sec that
appears to automate much of the key generation and rollover
logic and lets you use basically an unpublished master to handle
your zone with opendns-sec being the machine that takes your
zone from the master, signs it and is the public master as far
as the world is concerned. That is, if one can get the latest
version to compile under FreeBSD8.0. So far, the configure
process is one dependency after another and I have yet to see it
actually finish so that is shades of years gone by when
installing software was an art on good days.

Opendns-sec makes sense except that you need at least one more
real or virtual box to do DNS and that is an issue on small
campuses. Is there any sense of the group as to how best to make
this problem become an automated non-issue?

Here, we only allow trusted individuals and our DHCP
servers to have the tsig keys which update our zones so it may
make more sense to modify our main configuration but that is why
I am asking questions.

Half of me understands why this is necessary and the
other half just wants to automate, set and forget.

We are upgrading all DNS and DHCP servers to FreeBSD8.0
and my plan was to use bind9.6x. If there is a better version for
dns-sec, best to plan to use it now in order to slay as much
of this dragon which is breathing fire on the edge of town and
threatens to move in soon.

The only thing set in stone right now is that we need to
get on the dns-sec band wagon. I am just trying to install steps
that don't break our legs as we climb up.

Many thanks.

Martin McCormick


RE: dns-sec and Maintaining Human Sanity

2010-08-06 Thread Atkins, Brian (GD/VA-NSOC)
I'm running 9.6 in our lab environment with DNSSEC enabled, not much
difficulty at all. To make it even easier, you might want to look at the
Webmin BIND module. It makes it even easier.

<shameless plug>Also, I went to ISC's BIND deployment workshop and found
it very insightful.</shameless plug>

Brian



Re: dns-sec and Maintaining Human Sanity

2010-08-06 Thread Niobos
Hi,

On 2010-08-06 13:24, Martin McCormick wrote:
> We are upgrading all DNS and DHCP servers to FreeBSD8.0
> and my plan was to use bind9.6x. If there is a better version for
> dns-sec, best to plan to use it now in order to slay as much
> of this dragon which is breathing fire on the edge of town and
> threatens to move in soon.

Definitely consider the 9.7 series! You can enable auto-dnssec which
will maintain your signatures for you out-of-the-box. It also supports
key rollover, but IIRC doesn't generate new keys at this moment.

see for more details:
http://www.isc.org/software/bind/new-features/9.7
http://www.isc.org/community/blog/201006/bind-972-and-and-automatic-dnssec-signing


Niobos



Re: dns-sec and Maintaining Human Sanity

2010-08-06 Thread Jaap Akkerhuis

> That is, if one can get the latest
> version to compile under FreeBSD8.0. So far, the configure
> process is one dependency after another and I have yet to see it
> actually finish so that is shades of years gone by when
> installing software was an art on good days.

Use the port, see /usr/ports/dns/opendnssec.

jaap


Re: dns-sec and Maintaining Human Sanity

2010-08-06 Thread Martin McCormick
Niobos writes:
> Definitely consider the 9.7 series! You can enable auto-dnssec which
> will maintain your signatures for you out-of-the-box. It also supports
> key rollover, but IIRC doesn't generate new keys at this moment.

That's not much of a problem. Thanks for reminding me of 9.7.

Martin McCormick


Re: dns-sec and Maintaining Human Sanity

2010-08-06 Thread Phil Mayers

On 06/08/10 12:24, Martin McCormick wrote:

> The one thing that impresses me about dns-sec is that it
> appears to be one of those things that will probably work fine
> after installation but getting there may be an adventure to put
> it mildly.

My advice is to investigate upgrading to Bind 9.7 and using the 
auto-dnssec maintain option on your zones.


We do something similar to this:

zone "example.com" {
  type master;

  # file in a per-zone directory
  file "data/zones/example.com/zone";

  # keys in the same directory
  key-directory "data/zones/example.com";

  # tell bind to do DNSSEC maintenance
  auto-dnssec maintain;

  # must allow updates for online (re)signing
  allow-update { key ...; };
};

...at this point, signing a zone is very simple:

NAME=example.com
ZDIR=/var/named/data/zones/$NAME

# make key-signing key
dnssec-keygen -K $ZDIR -a RSASHA1 -b 2048 -n ZONE -f KSK $NAME
# make zone-signing key
dnssec-keygen -K $ZDIR -a RSASHA1 -b 1024 -n ZONE $NAME

# fixup perms so named can read the private keys
chgrp named $ZDIR/K*
chmod 640   $ZDIR/K*

# sign it
rndc sign $NAME

Bind will automatically maintain the signatures and re-sign every $SOME 
days. When you want to do a key rollover, you can use the timestamp 
options to generate a new key which is valid but not used:


# make new zone-signing key: published now, but not yet used for signing
dnssec-keygen -K $ZDIR -P now -A none -a RSASHA1 -b 1024 -n ZONE $NAME
# insert key
rndc sign $NAME
# wait for cache expiry times - see RFCs for details

# roll over keys && fixup perms
dnssec-settime -K $ZDIR -A now KtheNEWkeyid && chmod 640 $ZDIR/K*
dnssec-settime -K $ZDIR -I now KtheOLDkeyid && chmod 640 $ZDIR/K*

# wait $SOME time for the zone to be incrementally
# resigned using the new key, the old key to become redundant,
# and any old RRs to have expired from caches

# remove the old key
dnssec-settime -K $ZDIR -D now KtheOLDkeyid
rndc sign $NAME


Obviously there is some care and attention needed, but the above 
procedures are very quick to test. Play around with it a bit - I think 
you'll be pleasantly surprised how easy the stuff in bind 9.7 is.



Re: dns-sec and Maintaining Human Sanity

2010-08-06 Thread Tony Finch
On Fri, 6 Aug 2010, Martin McCormick wrote:

> I have started looking at various ways for our
> organization to begin using dns-sec as this appears to be a high
> management priority and it will eventually become necessary to
> operate. We have a fairly simple structure with an official master and
> slave with dynamic DHCP continuously updating the zone.

Phil Mayers is right. Use BIND 9.7's built-in automated signing and follow
Phil's suggested setup. BIND's DNSSEC support is designed to work well
with a zone that is maintained using dynamic updates. Switching from
static files to dynamic updates is one of the keys to working well with
BIND and DNSSEC. You have already done that so you should feel happy :-)

OpenDNSSEC predates BIND's auto-signing functionality, so it has become
partly obsolete - but not completely. (As far as I can tell from a couple
of looks at its documentation, it does not do large and/or dynamic zones
very well. It seems to be designed to cope with spreading the CPU load of
signing a very large number of mostly static zones using PKCS#11 crypto
hardware.) It also does key management, and BIND does not yet do that for
you. All you need to add is a cron job to run dnssec-keygen every so often
with the right options.

Sadly key management and rollover is still one of the most difficult areas
of DNSSEC because there are so many interacting variables to get to grips
with and the documentation is poor. For BIND the key things you need to
know about are the sig-validity-interval option which controls the
lifetime of RRSIG records, and dnssec-settime which sets the lifetime
parameters of a DNSKEY.
http://tools.ietf.org/html/draft-ietf-dnsop-dnssec-key-timing and
http://tools.ietf.org/html/draft-ietf-dnsop-rfc4641bis explain how the
parameters interact but are a bit intimidating. I don't know of any
tutorials or documents that cut down the parameter space to something
manageable without sweeping the whole lot under the carpet.

You also need to know that there is a lot of obsolete cruft in the
dnssec-keygen manual page related to discarded bits of pre-4035 DNSSEC and
the only non-trivial options you need to understand are -a -b -3 -e -f.

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
WIGHT PORTLAND PLYMOUTH NORTH BISCAY: SOUTHWESTERLY VEERING WESTERLY OR
NORTHWESTERLY, 4 OR 5, OCCASIONALLY 6 AT FIRST. MODERATE, OCCASIONALLY ROUGH
IN PLYMOUTH AND NORTH BISCAY. RAIN OR SHOWERS, FAIR LATER. MODERATE OR GOOD,
OCCASIONALLY POOR.
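Tony's point that the key-timing parameters interact, and Phil's "wait for cache expiry times" steps, both come down to a handful of inequalities between TTLs, propagation delay and signature lifetime. The following Python script is an added example, not code from the thread or from ISC: it computes the -P/-A/-I/-D timestamps of a pre-publish ZSK rollover in the form dnssec-settime accepts, checks an arbitrary (for instance hand-typed) schedule against those inequalities, and prints the dnssec-settime commands that would apply it. The TTLs, the 10-minute propagation delay, the 7-day re-sign window (taken here as sig-validity-interval, an assumption) and the key ids are all constructed values.

```python
# Added example (not from the thread): planning and checking a pre-publish
# ZSK rollover of the kind sketched above with dnssec-keygen -P/-A and
# dnssec-settime -A/-I/-D. The ordering rules follow the key-timing draft
# Tony cites; every number below is a constructed value.
from datetime import datetime, timedelta


def fmt(dt: datetime) -> str:
    """Render a datetime the way dnssec-settime/dnssec-keygen accept it (YYYYMMDDHHMMSS)."""
    return dt.strftime("%Y%m%d%H%M%S")


def prepublish_zsk_schedule(start, dnskey_ttl, max_rr_ttl, propagation_delay,
                            resign_time, safety=timedelta(hours=1)):
    """Return the four timestamps of a pre-publish ZSK rollover.

    dnskey_ttl        TTL of the DNSKEY RRset (how long validators may cache the old set)
    max_rr_ttl        largest TTL of any signed RRset (how long old RRSIGs may be cached)
    propagation_delay time for a change on the master to reach every secondary
    resign_time       time until every RRSIG has been regenerated with the new key;
                      sig-validity-interval is used as an upper bound for BIND's
                      incremental re-signing (assumption, not a claim from the thread)
    safety            slack added to every interval
    """
    publish_new = start
    # The new DNSKEY must be cacheable by every validator before anything is signed with it.
    activate_new = publish_new + propagation_delay + dnskey_ttl + safety
    # The old key stops signing exactly when the new one starts: no gap, no double signing.
    inactive_old = activate_new
    # The old DNSKEY may only leave the zone once no RRSIG it produced can still be cached.
    delete_old = inactive_old + resign_time + propagation_delay + max_rr_ttl + safety
    return {"publish_new": publish_new, "activate_new": activate_new,
            "inactive_old": inactive_old, "delete_old": delete_old}


def check_schedule(sched, dnskey_ttl, max_rr_ttl, propagation_delay, resign_time):
    """Validate any schedule (hand-typed or computed); returns a list of problems, [] if sound."""
    problems = []
    if sched["activate_new"] - sched["publish_new"] < propagation_delay + dnskey_ttl:
        problems.append("new ZSK activated before every validator can have its DNSKEY; "
                        "resolvers still caching the old DNSKEY RRset will fail validation")
    if sched["inactive_old"] < sched["activate_new"]:
        problems.append("old ZSK goes inactive before the new one is active; "
                        "the zone would have a signing gap")
    if sched["delete_old"] - sched["inactive_old"] < resign_time + propagation_delay + max_rr_ttl:
        problems.append("old DNSKEY removed while RRSIGs it made can still be cached; "
                        "validators would find signatures with no matching key")
    return problems


def settime_commands(zdir, new_key, old_key, sched):
    """dnssec-settime invocations that would apply the schedule (key names are placeholders)."""
    return [
        f"dnssec-settime -K {zdir} -P {fmt(sched['publish_new'])} -A {fmt(sched['activate_new'])} {new_key}",
        f"dnssec-settime -K {zdir} -I {fmt(sched['inactive_old'])} -D {fmt(sched['delete_old'])} {old_key}",
    ]


def demo_params():
    """Constructed parameters for a small campus zone."""
    return dict(dnskey_ttl=timedelta(hours=1), max_rr_ttl=timedelta(days=1),
                propagation_delay=timedelta(minutes=10), resign_time=timedelta(days=7))


def demo_schedule():
    """Rollover planned to start at a constructed date."""
    return prepublish_zsk_schedule(datetime(2010, 8, 9), **demo_params())


if __name__ == "__main__":
    sched = demo_schedule()
    for step, when in sched.items():
        print(f"{step:13s} {fmt(when)}")
    print("problems:", check_schedule(sched, **demo_params()))
    for cmd in settime_commands("/var/named/data/zones/example.com",
                                "Kexample.com.+005+NEWID", "Kexample.com.+005+OLDID", sched):
        print(cmd)
    # Activating the new key the moment it is published fails the first check.
    rushed = dict(sched, activate_new=sched["publish_new"])
    print("rushed:", check_schedule(rushed, **demo_params()))
```

The check function is the useful part for an operator: feed it the dates you intend to pass to dnssec-settime and it reports which of the three conditions (DNSKEY propagation before activation, no signing gap, old RRSIGs expired before the old key is deleted) a proposed schedule violates.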