Setting up intentionally invalid DNSSEC record in auto-secure environment


Setting up intentionally invalid DNSSEC record in auto-secure environment

Nick Williams
Hi all,

We're running a PowerDNS 3.4.6 installation with the MySQL backend, and we’re using pdnsutil secure-zone/set-nsec3/rectify-zone to automatically secure all of our domains (the least-effort method, instead of manually signing everything). It works great. Thanks for the excellent software!

To support an internal testing tool, I would like to set up a few DNS records on a subdomain of one of our signed domains, and have those DNS records //intentionally invalidly signed// so that verifying resolvers will flag them and not return them. What is the best way to do this? Can I simply manually enter an invalid RRSIG record for each record, and that manual record will take precedence over any automatic signing that PowerDNS performs? Or do I need to take some other step (perhaps it requires a separate domain)? Or is what I want to do impossible with PowerDNS automatic signing enabled?

Thanks!

Nick Williams
_______________________________________________
Pdns-users mailing list
[hidden email]
http://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: Setting up intentionally invalid DNSSEC record in auto-secure environment

Nick Williams
Out of curiosity, what DOES PowerDNS do if it finds both an A and an RRSIG record for a.b.c.com in the database?

Nick

On Wed, Jan 6, 2016 at 12:33 PM, Aki Tuomi <[hidden email]> wrote:
The code does not support this but you might be able to use postresolve Lua hook to break the reply signature.

---
Aki Tuomi
-------- Alkuperäinen viesti --------
Lähettäjä: Nick Williams <[hidden email]>
Päivämäärä: 6.1.2016 19.54 (GMT+02:00)
Saaja: pdns-users Users <[hidden email]>
Aihe: [Pdns-users] Setting up intentionally invalid DNSSEC record in auto-secure environment

Hi all,

We're running a PowerDNS 3.4.6 installation with the MySQL backend, and we’re using pdnsutil secure-zone/set-nsec3/rectify-zone to automatically secure all of our domains (the least-effort method, instead of manually signing everything). It works great. Thanks for the excellent software!

To support an internal testing tool, I would like to set up a few DNS records on a subdomain of one of our signed domains, and have those DNS records //intentionally invalidly signed// so that verifying resolvers will flag them and not return them. What is the best way to do this? Can I simply manually enter an invalid RRSIG record for each record, and that manual record will take precedence over any automatic signing that PowerDNS performs? Or do I need to take some other step (perhaps it requires a separate domain)? Or is what I want to do impossible with PowerDNS automatic signing enabled?

Thanks!

Nick Williams

Re: Setting up intentionally invalid DNSSEC record in auto-secure environment

bert hubert-3
On Wed, Jan 06, 2016 at 12:46:38PM -0600, Nicholas Williams wrote:
> Out of curiosity, what DOES PowerDNS do if it finds both an A and an
> RRSIG record for a.b.c.com in the database?

Hi Nicholas,

To answer both your messages in one go, if you run with 'presigned zones',
PowerDNS will use the RRSIG from your database. So it will find the right
RRSIG that goes with your A record.

Secondly, if you use a pre-signed zone, you can also mess up your RRSIG by
hand to generate a 'broken' zone.

        Bert

>
> Nick
>
> On Wed, Jan 6, 2016 at 12:33 PM, Aki Tuomi <[hidden email]> wrote:
>
> > The code does not support this but you might be able to use postresolve
> > Lua hook to break the reply signature.
> >
> > ---
> > Aki Tuomi
> > -------- Alkuperäinen viesti --------
> > Lähettäjä: Nick Williams <[hidden email]>
> > Päivämäärä: 6.1.2016 19.54 (GMT+02:00)
> > Saaja: pdns-users Users <[hidden email]>
> > Aihe: [Pdns-users] Setting up intentionally invalid DNSSEC record in
> > auto-secure environment
> >
> > Hi all,
> >
> > We're running a PowerDNS 3.4.6 installation with the MySQL backend, and
> > we’re using pdnsutil secure-zone/set-nsec3/rectify-zone to automatically
> > secure all of our domains (the least-effort method, instead of manually
> > signing everything). It works great. Thanks for the excellent software!
> >
> > To support an internal testing tool, I would like to set up a few DNS
> > records on a subdomain of one of our signed domains, and have those DNS
> > records //intentionally invalidly signed// so that verifying resolvers will
> > flag them and not return them. What is the best way to do this? Can I
> > simply manually enter an invalid RRSIG record for each record, and that
> > manual record will take precedence over any automatic signing that PowerDNS
> > performs? Or do I need to take some other step (perhaps it requires a
> > separate domain)? Or is what I want to do impossible with PowerDNS
> > automatic signing enabled?
> >
> > Thanks!
> >
> > Nick Williams

Re: Setting up intentionally invalid DNSSEC record in auto-secure environment

Nick Williams
Yea, but that's the rub. I want to do this WITHOUT 'presigned zones.' I want everything else to be live-signed (because it's SO much easier than presigning), and only munge this one subdomain's RRSIGs.

I'm looking into using a postresolve Lua script for this, as Aki suggested, because it sounds like that's likely the only way to do what I want. I found this sample, which is pretty helpful:

https://wiki.powerdns.com/trac/browser/trunk/pdns/pdns/powerdns-example-script.lua

But I'm trying to find actual documentation about where to put the script, what the inputs and outputs to postresolve are, etc., and I can't find it with Google. I've only been able to find the Recursor scripting documentation, not the Authoritative documentation. Can someone point me to the Authoritative documentation on using scripting to alter responses?

Thanks,

Nick

On Wed, Jan 6, 2016 at 1:12 PM, bert hubert <[hidden email]> wrote:
On Wed, Jan 06, 2016 at 12:46:38PM -0600, Nicholas Williams wrote:
> Out of curiosity, what DOES PowerDNS do if it finds both an A and an
> RRSIG record for a.b.c.com in the database?

Hi Nicholas,

To answer both your messages in one go, if you run with 'presigned zones',
PowerDNS will use the RRSIG from your database. So it will find the right
RRSIG that goes with your A record.

Secondly, if you use a pre-signed zone, you can also mess up your RRSIG by
hand to generate a 'broken' zone.

        Bert

>
> Nick
>
> On Wed, Jan 6, 2016 at 12:33 PM, Aki Tuomi <[hidden email]> wrote:
>
> > The code does not support this but you might be able to use postresolve
> > Lua hook to break the reply signature.
> >
> > ---
> > Aki Tuomi
> > -------- Alkuperäinen viesti --------
> > Lähettäjä: Nick Williams <[hidden email]>
> > Päivämäärä: 6.1.2016 19.54 (GMT+02:00)
> > Saaja: pdns-users Users <[hidden email]>
> > Aihe: [Pdns-users] Setting up intentionally invalid DNSSEC record in
> > auto-secure environment
> >
> > Hi all,
> >
> > We're running a PowerDNS 3.4.6 installation with the MySQL backend, and
> > we’re using pdnsutil secure-zone/set-nsec3/rectify-zone to automatically
> > secure all of our domains (the least-effort method, instead of manually
> > signing everything). It works great. Thanks for the excellent software!
> >
> > To support an internal testing tool, I would like to set up a few DNS
> > records on a subdomain of one of our signed domains, and have those DNS
> > records //intentionally invalidly signed// so that verifying resolvers will
> > flag them and not return them. What is the best way to do this? Can I
> > simply manually enter an invalid RRSIG record for each record, and that
> > manual record will take precedence over any automatic signing that PowerDNS
> > performs? Or do I need to take some other step (perhaps it requires a
> > separate domain)? Or is what I want to do impossible with PowerDNS
> > automatic signing enabled?
> >
> > Thanks!
> >
> > Nick Williams

Re: Setting up intentionally invalid DNSSEC record in auto-secure environment

Leen Besselink
On 2016-01-06 20:26, Nicholas Williams wrote:
> Yea, but that's the rub. I want to do this WITHOUT 'presigned zones.'
> I want everything else to be live-signed (because it's SO much easier
> than presigning), and only munge this one subdomain's RRSIGs.
>

How about creating a separate sub-zone with a broken presigned DNSSEC?



Re: Setting up intentionally invalid DNSSEC record in auto-secure environment

bert hubert-3
In reply to this post by Nick Williams
On Wed, Jan 06, 2016 at 01:26:59PM -0600, Nicholas Williams wrote:
> I'm looking into using a postresolve Lua script for this, as Aki suggested,
> because it sounds like that's likely the only way to do what I want. I
> found this sample, which is pretty helpful:

Well - the reason you can't find the documentation is that the Lua "break
your answer" scripting is our internal debugging tool that we haven't
documented because we might still change it at any time.
>
> https://wiki.powerdns.com/trac/browser/trunk/pdns/pdns/powerdns-example-script.lua

This is not the script you are looking for.

> But I'm trying to find actual documentation about where to put the script,
> what the inputs and outputs to postresolve are, etc., and I can't find it
> with Google. I've only been able to find the Recursor scripting
> documentation, not the Authoritative documentation. Can someone point me to
> the Authoritative documentation on using scripting to alter responses?

You might find inspiration in these regression tests:
https://github.com/PowerDNS/pdns/blob/master/regression-tests.recursor/config.sh

The scripts embedded there use our manipulation API.

I hope this helps!

        Bert

>
> Thanks,
>
> Nick
>
> On Wed, Jan 6, 2016 at 1:12 PM, bert hubert <[hidden email]>
> wrote:
>
> > On Wed, Jan 06, 2016 at 12:46:38PM -0600, Nicholas Williams wrote:
> > > Out of curiosity, what DOES PowerDNS do if it finds both an A and an
> > > RRSIG record for a.b.c.com in the database?
> >
> > Hi Nicholas,
> >
> > To answer both your messages in one go, if you run with 'presigned zones',
> > PowerDNS will use the RRSIG from your database. So it will find the right
> > RRSIG that goes with your A record.
> >
> > Secondly, if you use a pre-signed zone, you can also mess up your RRSIG by
> > hand to generate a 'broken' zone.
> >
> >         Bert
> >
> > >
> > > Nick
> > >
> > > On Wed, Jan 6, 2016 at 12:33 PM, Aki Tuomi <[hidden email]> wrote:
> > >
> > > > The code does not support this but you might be able to use postresolve
> > > > Lua hook to break the reply signature.
> > > >
> > > > ---
> > > > Aki Tuomi
> > > > -------- Alkuperäinen viesti --------
> > > > Lähettäjä: Nick Williams <[hidden email]>
> > > > Päivämäärä: 6.1.2016 19.54 (GMT+02:00)
> > > > Saaja: pdns-users Users <[hidden email]>
> > > > Aihe: [Pdns-users] Setting up intentionally invalid DNSSEC record in
> > > > auto-secure environment
> > > >
> > > > Hi all,
> > > >
> > > > We're running a PowerDNS 3.4.6 installation with the MySQL backend, and
> > > > we’re using pdnsutil secure-zone/set-nsec3/rectify-zone to
> > automatically
> > > > secure all of our domains (the least-effort method, instead of manually
> > > > signing everything). It works great. Thanks for the excellent software!
> > > >
> > > > To support an internal testing tool, I would like to set up a few DNS
> > > > records on a subdomain of one of our signed domains, and have those DNS
> > > > records //intentionally invalidly signed// so that verifying resolvers
> > will
> > > > flag them and not return them. What is the best way to do this? Can I
> > > > simply manually enter an invalid RRSIG record for each record, and that
> > > > manual record will take precedence over any automatic signing that
> > PowerDNS
> > > > performs? Or do I need to take some other step (perhaps it requires a
> > > > separate domain)? Or is what I want to do impossible with PowerDNS
> > > > automatic signing enabled?
> > > >
> > > > Thanks!
> > > >
> > > > Nick Williams

Re: Setting up intentionally invalid DNSSEC record in auto-secure environment

Pieter Lexis-2
In reply to this post by Nick Williams
Hi Nick,

On Wed, 6 Jan 2016 13:26:59 -0600
Nicholas Williams <[hidden email]> wrote:

> Yea, but that's the rub. I want to do this WITHOUT 'presigned zones.'
> I want everything else to be live-signed (because it's SO much easier
> than presigning), and only munge this one subdomain's RRSIGs.

You can set presigned for just that single zone using the PRESIGNED
domain metadata[1] in your database.

1 - https://doc.powerdns.com/md/authoritative/domainmetadata/#presigned

--
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com


Re: Setting up intentionally invalid DNSSEC record in auto-secure environment

Nick Williams
I'll look into that other script. Thanks, Bert.

How about creating a separate sub-zone with a broken presigned DNSSEC?

You can set presigned for just that single zone using the PRESIGNED domain metadata[1] in your database.

I really like this idea in combination. That documentation that Pieter sent me should help me get set up with presigning. But, Leen, how would I set up a subzone delegated to the same authoritative server (or can I, even?)? Can you point me to that documentation?

Google really hasn't indexed this documentation very well at all...

Thanks,

Nick

On Wed, Jan 6, 2016 at 1:34 PM, Pieter Lexis <[hidden email]> wrote:
Hi Nick,

On Wed, 6 Jan 2016 13:26:59 -0600
Nicholas Williams <[hidden email]> wrote:

> Yea, but that's the rub. I want to do this WITHOUT 'presigned zones.'
> I want everything else to be live-signed (because it's SO much easier
> than presigning), and only munge this one subdomain's RRSIGs.

You can set presigned for just that single zone using the PRESIGNED
domain metadata[1] in your database.

1 - https://doc.powerdns.com/md/authoritative/domainmetadata/#presigned

--
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com


Re: Setting up intentionally invalid DNSSEC record in auto-secure environment

Michael Loftis
(inline)

On Wed, Jan 6, 2016 at 11:42 AM, Nicholas Williams
<[hidden email]> wrote:

> I'll look into that other script. Thanks, Bert.
>
>> How about creating a separate sub-zone with a broken presigned DNSSEC?
>
>> You can set presigned for just that single zone using the PRESIGNED domain
>> metadata[1] in your database.
>
> I really like this idea in combination. That documentation that Pieter sent
> me should help me get set up with presigning. But, Leen, how would I set up
> a subzone delegated to the same authoritative server (or can I, even?)? Can
> you point me to that documentation?

B/C the server is the same you don't necessarily need to set up the
delegation in the zone with records table.  You just need to have it
in the domains table.  That said you *can* totally do a full
delegation.  You just insert NS records into the parent zone records
w/ the parent domain_id, and do SOA+NS/whatever you normally do
(synthetic SOA/generated SOA comes to mind) inside the delegated zone
(child) domain_id...there's no magic to delegations.  You'll have like
2x the NS records for a self delegated zone (as the parent zone will
have the same records with the parent/delegating domain_id)


>
> Google really hasn't indexed this documentation very well at all...
>
> Thanks,
>
> Nick

-- Samuel Butler


Re: Setting up intentionally invalid DNSSEC record in auto-secure environment

Leen Besselink
In reply to this post by Nick Williams
On 2016-01-06 20:42, Nicholas Williams wrote:

> I'll look into that other script. Thanks, Bert.
>
>> How about creating a separate sub-zone with a broken presigned
> DNSSEC?
>
>> You can set presigned for just that single zone using the
> PRESIGNED domain metadata[1] in your database.
>
> I really like this idea in combination. That documentation that
> Pieter
> sent me should help me get set up with presigning. But, Leen, how
> would I set up a subzone delegated to the same authoritative server
> (or can I, even?)? Can you point me to that documentation?
>

It's just a domain & delegation like any other (this is the same thing
the TLD does for you):

Just have both an autosigned-domain.tld and
presigned-subzone.autosigned-domain.tld in the domains table like any
normal domain.

Both domains should have NS and SOA records in the records table like
any normal domain.

Then create the delegation in the autosigned-domain.tld domain by
adding the NS records pointing to
presigned-subzone.autosigned-domain.tld:

Domain_id: autosigned-domain.tld ; name: presigned-subzone.autosigned-domain.tld ; type: NS ; content: ns1.autosigned-domain.tld
Domain_id: autosigned-domain.tld ; name: presigned-subzone.autosigned-domain.tld ; type: NS ; content: ns2.autosigned-domain.tld

Now because it's DNSSEC you need to make it secure.

Assuming you want to sign the sub-zone for testing:

pdnssec secure-zone presigned-subzone.autosigned-domain.tld

Then you can grab the DS record, which then needs to be added to the
parent zone:

pdnssec show-zone presigned-subzone.autosigned-domain.tld

to know what the DS record is.

Add the DNSSEC DS record for presigned-subzone.autosigned-domain.tld in
the autosigned-domain.tld domain:

domain_id: autosigned-domain.tld ; name: presigned-subzone.autosigned-domain.tld ; type: DS ; content: '5725 8 2 512fa6fe4d1f9ba974832e3456c4769db6c16ca1...'

Hope that makes it clear.

You should now be able to look up a DNSSEC-signed record for
presigned-subzone.autosigned-domain.tld, for example the SOA record.

Have a good day,
  Leen.

> Google really hasn't indexed this documentation very well at all...
>
> Thanks,
>
> Nick
>
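An added consistency check for the same-server delegation Leen lays out above (example code written for this page, not PowerDNS's own tooling or anything from the thread). It assumes rows shaped like the PowerDNS generic SQL schema (domains.id/name, records.domain_id/name/type/content, domainmetadata.domain_id/kind/content); the zone names, nameservers, SOA values and the DS digest are constructed placeholders. It flags the mistakes that would leave the child either insecure to a validating resolver (no DS in the parent) or inconsistent (NS sets differing, DS filed under the child's own domain_id, PRESIGNED metadata missing so the child would still be live-signed):

```python
"""Consistency check for a parent/child delegation held on one PowerDNS server.

Added example. Rows below are constructed to mirror the thread's setup and are
not an export from any real database; column names follow the PowerDNS generic
SQL schema (domains, records, domainmetadata). Names and digests are placeholders.
"""

PARENT = "autosigned-domain.tld"
CHILD = "presigned-subzone.autosigned-domain.tld"

DOMAINS = [
    {"id": 1, "name": PARENT},
    {"id": 2, "name": CHILD},
]


def rec(domain_id, name, rtype, content):
    """Build one records-table row (constructed sample data)."""
    return {"domain_id": domain_id, "name": name, "type": rtype, "content": content}


RECORDS = [
    # Parent apex, parent's domain_id
    rec(1, PARENT, "SOA", "ns1.autosigned-domain.tld hostmaster.autosigned-domain.tld 2016010601 10800 3600 604800 1800"),
    rec(1, PARENT, "NS", "ns1.autosigned-domain.tld"),
    rec(1, PARENT, "NS", "ns2.autosigned-domain.tld"),
    # Delegation: NS at the child name, still carrying the parent's domain_id
    rec(1, CHILD, "NS", "ns1.autosigned-domain.tld"),
    rec(1, CHILD, "NS", "ns2.autosigned-domain.tld"),
    # Secure delegation: the DS also lives in the parent (digest is a placeholder)
    rec(1, CHILD, "DS", "5725 8 2 0000000000000000000000000000000000000000000000000000000000000000"),
    # Child apex, child's domain_id
    rec(2, CHILD, "SOA", "ns1.autosigned-domain.tld hostmaster.autosigned-domain.tld 2016010701 10800 3600 604800 1800"),
    rec(2, CHILD, "NS", "ns1.autosigned-domain.tld"),
    rec(2, CHILD, "NS", "ns2.autosigned-domain.tld"),
]

DOMAINMETADATA = [
    {"domain_id": 2, "kind": "PRESIGNED", "content": "1"},
]


def rrset(records, domain_id, name, rtype):
    """Return the rdata set of one RRset, scoped to a domain_id as PowerDNS does."""
    return {r["content"] for r in records
            if r["domain_id"] == domain_id and r["name"] == name and r["type"] == rtype}


def check_delegation(parent, child, domains, records, metadata):
    """Return a list of problems; an empty list means the delegation looks consistent."""
    problems = []
    ids = {d["name"]: d["id"] for d in domains}
    for zone in (parent, child):
        if zone not in ids:
            problems.append(f"{zone} is missing from the domains table")
    if problems:
        return problems
    pid, cid = ids[parent], ids[child]

    parent_ns = rrset(records, pid, child, "NS")
    child_ns = rrset(records, cid, child, "NS")
    if not parent_ns:
        problems.append(f"parent has no NS records delegating {child}")
    if not rrset(records, cid, child, "SOA"):
        problems.append(f"child {child} has no SOA record")
    if not child_ns:
        problems.append(f"child {child} has no apex NS records")
    if parent_ns and child_ns and parent_ns != child_ns:
        problems.append("NS set in parent delegation differs from child apex NS set")

    # Without a DS in the parent a validating resolver treats the child as
    # insecure, so its signatures (good or deliberately bad) are never checked.
    if not rrset(records, pid, child, "DS"):
        problems.append(f"parent has no DS record for {child}")
    if rrset(records, cid, child, "DS"):
        problems.append("DS records belong in the parent zone, not in the child's own rows")

    presigned = any(m["domain_id"] == cid and m["kind"] == "PRESIGNED" for m in metadata)
    if not presigned:
        problems.append(f"{child} has no PRESIGNED domainmetadata; it would be live-signed")
    return problems


if __name__ == "__main__":
    for p in check_delegation(PARENT, CHILD, DOMAINS, RECORDS, DOMAINMETADATA) or ["delegation looks consistent"]:
        print(p)
```

The check is deliberately scoped by domain_id, because that is how the backend decides which zone a row belongs to: identical NS rows appear twice (once per domain_id), exactly as Michael describes, while the DS must appear only once, under the parent.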



Re: Setting up intentionally invalid DNSSEC record in auto-secure environment

Nick Williams
So, I think I’ve almost got this, but I’m having a problem with the pre-signed zone’s NSEC3 RRSIGs. Here’s what I did:

I already have a live-signed zone (my-zone.com) that works perfectly. A-records come with automatic RRSIGs, SOA record comes with an RRSIG, NS records come with an RRSIG, etc. I added a presigned delegated subzone by:

1. Creating a new domain d7e8ac.test-records.my-zone.com.
2. Running `pdnssec secure-zone d7e8ac.test-records.my-zone.com` and `pdnssec set-nsec3 d7e8ac.test-records.my-zone.com 1 0 3 B45550` so that the keys and NSEC3 params are automatically created for me by PowerDNS.
3. Creating the SOA, NS, and A (namely, good.d7e8ac.test-records.my-zone.com and bad.d7e8ac.test-records.my-zone.com) records I want.
4. Running `pdnssec rectify-zone d7e8ac.test-records.my-zone.com`.
5. Copying down all of the RRSIG records that PowerDNS live-generates.
6. Running `pdnssec set-presigned d7e8ac.test-records.my-zone.com` to disable live-signing.
7. Inserting the RRSIG records that PowerDNS previously created into MySQL.
8. Creating the NS records in my-zone.com for the d7e8ac.test-records.my-zone.com subzone pointing to the same servers.
9. Inserting the DS records in my-zone.com for the d7e8ac.test-records.my-zone.com subzone using the DS records from `pdnssec show-zone`.

I have not yet munged the RRSIG for bad.d7e8ac.test-records.my-zone.com, so it is still correctly signed. In other words, d7e8ac.test-records.my-zone.com should be just like any other pre-signed zone, except it’s a subzone.

So, I ran a thorough analysis of my-zone.com using http://dnsviz.net, just to make sure it hadn’t been affected, and everything checked out perfectly. I can also query any and all records through my verifying recursors and they get returned. And, if I dig the non-existent dne.my-zone.com, I get back NXDOMAIN with NSEC3 and RRSIG records as shown below. It’s all perfect:

my-zone.com. 1800 IN SOA dns1.my-zone.com. noc.my-zone.com. 2016010608 10800 3600 604800 1800
my-zone.com. 1800 IN RRSIG SOA 8 2 86400 20160121000000 20151231000000 33379 my-zone.com. I2AxpLVafoux...
8jioqnlor5460c8jk6s0uqnlqobfsad1.my-zone.com. 1800 IN NSEC3 1 0 3 D4AF00 9T62A084PPEDCI0UGGCE6O1CBS88UP2G A NS SOA MX TXT RRSIG DNSKEY NSEC3PARAM
8jioqnlor5460c8jk6s0uqnlqobfsad1.my-zone.com. 1800 IN RRSIG NSEC3 8 3 1800 20160121000000 20151231000000 33379 my-zone.com. IOUTkKrHTp...
0dfe8me5brlq9g3ap8itfpiugjajs2is.my-zone.com. 1800 IN NSEC3 1 0 3 D4AF00 7RL9CKFSF6N7NQ3CJ78S9MVLPJB0T9G0 A RRSIG
0dfe8me5brlq9g3ap8itfpiugjajs2is.my-zone.com. 1800 IN RRSIG NSEC3 8 3 1800 20160121000000 20151231000000 33379 my-zone.com. Hbr5ir8PlS+/...
hb7aqcuebqfhou10qfsgcbu83no1plbb.my-zone.com. 1800 IN NSEC3 1 0 3 D4AF00 O7EF2SKIOJJKFASIIMVQGHUO03I2BNP5
hb7aqcuebqfhou10qfsgcbu83no1plbb.my-zone.com. 1800 IN RRSIG NSEC3 8 3 1800 20160121000000 20151231000000 33379 my-zone.com. EljCuzDzUA…

I then ran a thorough analysis of d7e8ac.test-records.my-zone.com using the same website and MOST things turned out perfectly. The NS, SOA, and A records all check out. However, I couldn’t query them through my verifying recursors—I get NXDOMAIN every time. (I could query through my verifying recursors before setting the zone to presigned.) That’s what led me to check the non-existent dne.d7e8ac.test-records.my-zone.com. And that revealed the problem. The documentation says presigned zones should NOT include NSEC3 records or their RRSIGs, because PowerDNS still automatically generates NSEC3 records and their RRSIGs for presigned zones. But it’s not. It’s only returning the NSEC3 records, unsigned:

d7e8ac.test-records.my-zone.com. 1800 IN SOA dns1.my-zone.com. noc.my-zone.com. 2016010701 10800 3600 604800 1800
d7e8ac.test-records.my-zone.com. 1800 IN RRSIG SOA 8 4 86400 20160121000000 20151231000000 34311 d7e8ac.test-records.my-zone.com. fJYArsO2S...
prhpl89qu0ncp23b3qhr10citsu7gs2n.d7e8ac.test-records.my-zone.com. 1800 IN NSEC3 1 0 3 B45550 H09M6KE4HUPDK9Q1NMF53UTSDBFDIIIC NS SOA RRSIG DNSKEY NSEC3PARAM
h09m6ke4hupdk9q1nmf53utsdbfdiiic.d7e8ac.test-records.my-zone.com. 1800 IN NSEC3 1 0 3 B45550 OV9D2N9BPO4FQVELB9H5O3SGSN329H1U A RRSIG

I can’t think of anything I missed. And, clearly, PowerDNS is correctly generating NSEC3 records. But it’s not signing those records.

Any insights as to what might be wrong?

Thanks,

Nick

On Jan 6, 2016, at 2:38 PM, [hidden email] wrote:

On 2016-01-06 20:42, Nicholas Williams wrote:
I'll look into that other script. Thanks, Bert.

 How about creating a separate sub-zone with a broken presigned
DNSSEC?

 You can set presigned for just that single zone using the
PRESIGNED domain metadata[1] in your database.

I really like this idea in combination. That documentation that Pieter
sent me should help me get set up with presigning. But, Leen, how
would I set up a subzone delegated to the same authoritative server
(or can I, even?)? Can you point me to that documentation?


It's just a domain & delegation like any other (this is the same thing the TLD does for you):

Just have both an autosigned-domain.tld and presigned-subzone.autosigned-domain.tld in the domains table like any normal domain.

Both domains should have NS and SOA records in the records table like any normal domain.

Then create the delegation in the autosigned-domain.tld domain by adding the NS-records pointing to the presigned-subzone.autosigned-domain.tld

Domain_id: autosigned-domain.tld ; name: presigned-subzone.autosigned-domain.tld ; type: NS ; content: ns1.autosigned-domain.tld
Domain_id: autosigned-domain.tld ; name: presigned-subzone.autosigned-domain.tld ; type: NS ; content: ns2.autosigned-domain.tld

Now because it's DNSSEC you need to make it secure.

Assuming you want to sign the sub-zone for testing:

pdnssec secure-zone presigned-subzone.autosigned-domain.tld

Then you can grab the DS record, which then needs to be added to the parent zone:

pdnssec show-zone presigned-subzone.autosigned-domain.tld

To know what the DS-record is.

Add the DNSSEC DS-record for presigned-subzone.autosigned-domain.tld in the autosigned-domain.tld domain.

domain_id: autosigned-domain.tld; name: presigned-subzone.autosigned-domain.tld ; type: DS ; content: '5725 8 2 512fa6fe4d1f9ba974832e3456c4769db6c16ca1...'

Hope that makes it clear.

You should now be able to look up a DNSSEC-signed record for the presigned-subzone.autosigned-domain.tld for example the SOA-record.

Have a good day,
Leen.

Google really hasn't indexed this documentation very well at all...

Thanks,

Nick
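A small check, added here as an example (not code from the thread or from PowerDNS), that does mechanically what Nick did by eye: parse a dig answer in presentation format (owner, TTL, class, type, rdata per line) and report every RRset that has no RRSIG covering its type at that owner. The two inputs are constructed from the responses quoted above, with the signature data shortened:

```python
"""Flag RRsets in a dig response that carry no covering RRSIG.

Added example. Both responses below are constructed from the output quoted in
the thread (signature data shortened) and are not live captures.
"""

# Constructed sample 1: the live-signed parent zone's NXDOMAIN response.
LIVE_SIGNED_NXDOMAIN = """
my-zone.com. 1800 IN SOA dns1.my-zone.com. noc.my-zone.com. 2016010608 10800 3600 604800 1800
my-zone.com. 1800 IN RRSIG SOA 8 2 86400 20160121000000 20151231000000 33379 my-zone.com. I2AxpLVafoux...
8jioqnlor5460c8jk6s0uqnlqobfsad1.my-zone.com. 1800 IN NSEC3 1 0 3 D4AF00 9T62A084PPEDCI0UGGCE6O1CBS88UP2G A NS SOA MX TXT RRSIG DNSKEY NSEC3PARAM
8jioqnlor5460c8jk6s0uqnlqobfsad1.my-zone.com. 1800 IN RRSIG NSEC3 8 3 1800 20160121000000 20151231000000 33379 my-zone.com. IOUTkKrHTp...
0dfe8me5brlq9g3ap8itfpiugjajs2is.my-zone.com. 1800 IN NSEC3 1 0 3 D4AF00 7RL9CKFSF6N7NQ3CJ78S9MVLPJB0T9G0 A RRSIG
0dfe8me5brlq9g3ap8itfpiugjajs2is.my-zone.com. 1800 IN RRSIG NSEC3 8 3 1800 20160121000000 20151231000000 33379 my-zone.com. Hbr5ir8PlS+/...
hb7aqcuebqfhou10qfsgcbu83no1plbb.my-zone.com. 1800 IN NSEC3 1 0 3 D4AF00 O7EF2SKIOJJKFASIIMVQGHUO03I2BNP5
hb7aqcuebqfhou10qfsgcbu83no1plbb.my-zone.com. 1800 IN RRSIG NSEC3 8 3 1800 20160121000000 20151231000000 33379 my-zone.com. EljCuzDzUA...
"""

# Constructed sample 2: the presigned sub-zone's NXDOMAIN response, NSEC3 RRs unsigned.
PRESIGNED_NXDOMAIN = """
d7e8ac.test-records.my-zone.com. 1800 IN SOA dns1.my-zone.com. noc.my-zone.com. 2016010701 10800 3600 604800 1800
d7e8ac.test-records.my-zone.com. 1800 IN RRSIG SOA 8 4 86400 20160121000000 20151231000000 34311 d7e8ac.test-records.my-zone.com. fJYArsO2S...
prhpl89qu0ncp23b3qhr10citsu7gs2n.d7e8ac.test-records.my-zone.com. 1800 IN NSEC3 1 0 3 B45550 H09M6KE4HUPDK9Q1NMF53UTSDBFDIIIC NS SOA RRSIG DNSKEY NSEC3PARAM
h09m6ke4hupdk9q1nmf53utsdbfdiiic.d7e8ac.test-records.my-zone.com. 1800 IN NSEC3 1 0 3 B45550 OV9D2N9BPO4FQVELB9H5O3SGSN329H1U A RRSIG
"""


def parse_rrs(text):
    """Parse presentation-format RRs into (owner, type, rdata) tuples; skips blanks and ';' comments."""
    rrs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split(None, 4)  # owner, ttl, class, type, rest-of-line rdata
        if len(fields) < 4:
            raise ValueError(f"not an RR line: {line!r}")
        owner, _ttl, _cls, rtype = fields[:4]
        rdata = fields[4] if len(fields) == 5 else ""
        rrs.append((owner.lower(), rtype.upper(), rdata))
    return rrs


def unsigned_rrsets(text):
    """Return sorted (owner, type) pairs with no RRSIG covering that type at that owner."""
    rrsets, covered = set(), set()
    for owner, rtype, rdata in parse_rrs(text):
        if rtype == "RRSIG":
            # The first rdata field of an RRSIG is the type it covers.
            covered.add((owner, rdata.split()[0].upper()))
        else:
            rrsets.add((owner, rtype))
    return sorted(rrsets - covered)


if __name__ == "__main__":
    for label, text in (("live-signed", LIVE_SIGNED_NXDOMAIN), ("presigned", PRESIGNED_NXDOMAIN)):
        missing = unsigned_rrsets(text)
        print(f"{label}: {'all RRsets signed' if not missing else missing}")
```

Run against the two samples it reports nothing for the parent and the two NSEC3 owners for the sub-zone, which is the gap Pieter goes on to explain: PowerDNS synthesises the NSEC3 records for a presigned zone but their signatures have to come from the zone data, so a validating resolver cannot prove the denial of existence. The same check works on any `dig +dnssec` answer pasted in, not only NXDOMAIN responses.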




Re: Setting up intentionally invalid DNSSEC record in auto-secure environment

Pieter Lexis-2
Hi William,

On Sat, 9 Jan 2016 13:41:51 -0600
Nick Williams <[hidden email]> wrote:

> I can’t think of anything I missed. And, clearly, PowerDNS is
> correctly generating NSEC3 records. But it’s not signing those
> records.

This is because the zone is presigned: PowerDNS cannot generate the
signatures on the NSEC records, as it assumes the NSEC records and
RRSIGs are in place (as presigned zones most likely don't have the key
material online). This is the case when e.g. a zone is slaved or signed
using opendnssec.


--
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com


Re: Setting up intentionally invalid DNSSEC record in auto-secure environment

Nick Williams


Sent from my iPhone, so please forgive brief replies and frequent typos

> On Jan 9, 2016, at 14:22, Pieter Lexis <[hidden email]> wrote:
>
> Hi William,
>
> On Sat, 9 Jan 2016 13:41:51 -0600
> Nick Williams <[hidden email]> wrote:
>
>> I can’t think of anything I missed. And, clearly, PowerDNS is
>> correctly generating NSEC3 records. But it’s not signing those
>> records.
>
> This is because the zone is presigned: PowerDNS cannot generate the
> signatures on the NSEC records, as it assumes the NSEC records and
> RRSIGs are in place (as presigned zones most likely don't have the key
> material online). This is the case when e.g. a zone is slaved or signed
> using opendnssec.

But the documentation says the opposite. It says NOT to create NSEC(3) records (in fact, zone2sql intentionally ignores them, even for presigned zones), because (again, it says) PowerDNS generates them automatically, even for presigned zones. It also says that manually inserting NSEC3 records could cause errors. So the documentation makes clear that, on presigned zones, it is still the authority. Indeed, PowerDNS IS generating the NSEC3 records (as I showed), just not signing them.

How could I possibly presign records that PowerDNS generates? I can't. So why does PowerDNS prohibit me creating NSEC3 records, generate them for me, but not sign them?

That is, at best, poor design. But I'm confident it's a bug or I've configured something incorrectly.

If I'm doing this correctly, it doesn't appear possible to host a presigned zone with PowerDNS.

Thanks,

Nick


Re: Setting up intentionally invalid DNSSEC record in auto-secure environment

Pieter Lexis-2
Hi Nick,

On Sat, 9 Jan 2016 14:48:12 -0600
Nicholas Williams <[hidden email]> wrote:

> But the documentation says the opposite. It says NOT to create
> NSEC(3) records (in fact, zone2sql intentionally ignores them, even
> for presigned zones), because (again, it says) PowerDNS generates
> them automatically, even for presigned zones. It also says that
> manually inserting NSEC3 records could cause errors. So the
> documentation makes clear that, on presigned zones, it is still the
> authority. Indeed, PowerDNS IS generating the NSEC3 records (as I
> showed), just not signing them.

This is indeed the way this works. As the NXDOMAIN generation code
works as it should, the design choice was made to 'just' generate NSECs
on the fly. The signatures still have to be provided in the presigned
zone.

> How could I possibly presign records that PowerDNS generates? I
> can't. So why does PowerDNS prohibit me creating NSEC3 records,
> generate them for me, but not sign them?

This is because pre-signed zones (from e.g. opendnssec, ldns-signzone
or slaved from a master) contain the RRSIGs to the negative answers.

> That is, at best, poor design. But I'm confident it's a bug or I've
> configured something incorrectly.

I agree this is an 'interesting' design choice made back in the day.
In normal operation (using other tools to generate DNSSEC records or
slaving the zone) this will never come up.

I agree that the docs are not very verbose on how presigned zones work,
we'll fix this in the coming weeks.

--
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com


Re: Setting up intentionally invalid DNSSEC record in auto-secure environment

Nick Williams

On Jan 9, 2016, at 3:28 PM, Pieter Lexis <[hidden email]> wrote:

> Hi Nick,
>
> On Sat, 9 Jan 2016 14:48:12 -0600
> Nicholas Williams <[hidden email]> wrote:
>
>> But the documentation says the opposite. It says NOT to create
>> NSEC(3) records (in fact, zone2sql intentionally ignores them, even
>> for presigned zones), because (again, it says) PowerDNS generates
>> them automatically, even for presigned zones. It also says that
>> manually inserting NSEC3 records could cause errors. So the
>> documentation makes clear that, on presigned zones, it is still the
>> authority. Indeed, PowerDNS IS generating the NSEC3 records (as I
>> showed), just not signing them.
>
> This is indeed the way this works. As the NXDOMAIN generation code
> works as it should, the design choice was made to 'just' generate NSECs
> on the fly. The signatures still have to be provided in the presigned
> zone.
>
>> How could I possibly presign records that PowerDNS generates? I
>> can't. So why does PowerDNS prohibit me creating NSEC3 records,
>> generate them for me, but not sign them?
>
> This is because pre-signed zones (from e.g. opendnssec, ldns-signzone
> or slaved from a master) contain the RRSIGs to the negative answers.
>
>> That is, at best, poor design. But I'm confident it's a bug or I've
>> configured something incorrectly.
>
> I agree this is an 'interesting' design choice made back in the day.
> In normal operation (using other tools to generate DNSSEC records or
> slaving the zone) this will never come up.
>
> I agree that the docs are not very verbose on how presigned zones work,
> we'll fix this in the coming weeks.

So I need to create signatures for the NSEC3 records, and insert those signatures, but not the NSEC3 records? Fascinating. Let me try this out…

I started from scratch to ensure I didn’t mess something else up…

I copied ALL of the RRSIGs this time, including the ones for the NSEC3 records, but I did not copy the NSEC3 records…

And it works! Everything passes the verification checks and I can resolve both A records through my verifying recursors.

bad.e7d8ca.test.dnscrawler.com has address x.x.x.x

Now, to munge the signature for bad.e7d8ca.test.my-zone.com

And it works! From my verifying recursors:


From non-verifying recursors:

$ host good.e7d8ca.test.my-zone.com 4.2.2.2
Using domain server:
Name: 4.2.2.2
Address: 4.2.2.2#53
Aliases: 
good.e7d8ca.test.my-zone.com has address x.x.x.x

$ host bad.e7d8ca.test.my-zone.com 4.2.2.2
Using domain server:
Name: 4.2.2.2
Address: 4.2.2.2#53
Aliases: 
bad.e7d8ca.test.my-zone.com has address x.x.x.x

Thanks for all your help. I still maintain that requiring presigners to provide RRSIG NSEC3 records but NOT provide the NSEC3 records is a bad idea. At the very least, as you said, the documentation needs significant enhancement. But I did get it to work, finally.

Thanks again,

Nick

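A worked example of the two things this thread settles on, added here as an editorial illustration (it is not PowerDNS code and not the poster's script): computing the hashed owner names an authoritative server synthesizes for an NSEC3 zone, so the RRSIG rows covering type NSEC3 that you load into a presigned zone can be checked against them, and flipping one bit of an RRSIG's signature so that validating resolvers reject the name while non-validating ones still return it. It assumes RFC 5155 SHA-1 hashing with the salt and iteration count from the zone's NSEC3PARAM (the RFC 5155 Appendix A test parameters are the defaults), the RRSIG line in the usage section is constructed with a placeholder signature rather than a real one, and all function and constant names are the example's own. Python, standard library only.

```python
"""NSEC3 owner-name and RRSIG helpers (added example; not PowerDNS or the poster's code).

Stdlib only, so it runs offline. Hashing follows RFC 5155 section 5; the
default salt and iteration count are the RFC 5155 Appendix A test parameters.
"""
import base64
import hashlib

RFC5155_SALT = bytes.fromhex("aabbccdd")  # RFC 5155 Appendix A salt
RFC5155_ITERATIONS = 12                    # RFC 5155 Appendix A iteration count


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root as a zero byte."""
    name = name.rstrip(".").lower()
    wire = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 0 < len(raw) < 64:
                raise ValueError(f"bad label {label!r}")
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def base32hex(data: bytes) -> str:
    """Base32 with the extended-hex alphabet (RFC 4648 section 7), as NSEC3 owner names use."""
    std = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
    ext = "0123456789abcdefghijklmnopqrstuv"
    return base64.b32encode(data).decode("ascii").rstrip("=").translate(str.maketrans(std, ext))


def nsec3_hash(name: str, salt: bytes = RFC5155_SALT, iterations: int = RFC5155_ITERATIONS) -> str:
    """Hashed owner label: SHA-1(wire || salt), then SHA-1(prev || salt) `iterations` more times."""
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def nsec3_chain(zone: str, names, salt: bytes = RFC5155_SALT, iterations: int = RFC5155_ITERATIONS):
    """(hashed owner, next hashed owner) pairs in chain order for the apex plus `names`.

    `names` must already list every owner that gets an NSEC3, including empty
    non-terminals; a signer adds those, this helper does not infer them.
    Base32hex sorts in the same order as the raw digests, so a string sort is canonical.
    """
    hashed = sorted({nsec3_hash(n, salt, iterations) for n in [zone, *names]})
    return [(h, hashed[(i + 1) % len(hashed)]) for i, h in enumerate(hashed)]


def corrupt_rrsig(rrsig_rdata: str) -> str:
    """Return the RRSIG rdata (presentation format) with one bit of its signature flipped.

    Fields: type-covered alg labels orig-ttl expiration inception keytag signer signature.
    Only the base64 signature changes, so the record still loads and parses; a validating
    resolver fails the signature check, a non-validating one returns the data unchanged.
    """
    fields = rrsig_rdata.split()
    if len(fields) < 9:
        raise ValueError("RRSIG rdata needs 8 fixed fields plus a signature")
    header = fields[:8]
    sig = bytearray(base64.b64decode("".join(fields[8:]), validate=True))
    sig[-1] ^= 0x01
    return " ".join(header + [base64.b64encode(bytes(sig)).decode("ascii")])


if __name__ == "__main__":
    # Hashed owner names the server will synthesize for this zone; the stored
    # RRSIG(NSEC3) rows must carry exactly these owner names plus the zone suffix.
    for owner, nxt in nsec3_chain("example.", ["ns1.example."]):
        print(f"{owner}.example. NSEC3 1 1 12 aabbccdd {nxt}")
    # Constructed rdata with a placeholder signature, not a real one.
    print(corrupt_rrsig("A 8 4 3600 20160201000000 20160101000000 12345 my-zone.com. AQID"))
```

Run it with the salt and iteration count from the zone's NSEC3PARAM and the full list of owner names the signer emitted NSEC3 records for. Each hashed owner in the chain, suffixed with the zone name, is the owner name that a stored RRSIG covering type NSEC3 has to carry; a synthesized NSEC3 with no matching stored signature goes out unsigned, which is the state the thread started from.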