Dear All,
In the past three days I have just made our domain DNSSEC signed.
However, I seem to be missing something.
When I query other DNS servers, like CloudFlare 1.0.0.1, I get the "ad" flag.
But in my own domain, and my own domain servers, the "ad" flag is still missing:
root@domac:/var/cache/bind# dig -u @161.53.235.3 domac.alu.hr a +dnssec +multiline
; <<>> DiG 9.11.5-P4-5.1+deb10u7-Debian <<>> -u @161.53.235.3 domac.alu.hr a +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5934
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: 172503ebbe7de24201000000628512077e46d89b4369e3dd (good)
;; QUESTION SECTION:
;domac.alu.hr. IN A
;; ANSWER SECTION:
domac.alu.hr. 86400 IN A 161.53.235.3
domac.alu.hr. 86400 IN RRSIG A 8 3 86400 (
20220615102400 20220516102400 46119 alu.hr.
tHS58DiuHm0BTCbpyR7k9G9YRtl0iG03Sl5YBK55tBQF
MqR5Bdk9t0Gz8HTFvqYd2kO7jHVRP5hBsMpETXo1PTWa
FYq5WAd4NW+qNJg2giVp04ZC0agS+rPaCQZgeUXuneUk
5wle1qc5GF+R3E8rheTioWPJLw+L2V/n39LYOlQ= )
;; Query time: 189 usec
;; SERVER: 161.53.235.3#53(161.53.235.3)
;; WHEN: Wed May 18 17:34:31 CEST 2022
;; MSG SIZE rcvd: 251
root@domac:/var/cache/bind#
Can you please help?
Thank you very much.
Kind regards,
Mirsad
On 5/18/2022 4:14 PM, Mirsad Goran Todorovac wrote:
Dear Sir or Madam,
According to this article:
https://www.cloudflare.com/dns/dnssec/how-dnssec-works/ ,
I did everything right by following the APNIC article for the manual signing procedure, and uploaded the DS record made from the zone KSK hash to the parent domain's registrar.carnet.hr:
root@domac:/etc/bind/keys# dig @localhost dnskey alu.hr | dnssec-dsfromkey -f - alu.hr
alu.hr. IN DS 34042 8 2 FD6D9A51ABB63FFDF8B2205AA8529D32CB1121D8342D5929481567D5885BBF08
root@domac:/etc/bind/keys# host -t ds alu.hr
alu.hr has DS record 34042 8 2 FD6D9A51ABB63FFDF8B2205AA8529D32CB1121D8342D5929481567D5 885BBF08
root@domac:/etc/bind/keys#
The BIND version we use is 9.16.27, latest backport on Debian buster:
root@domac:/etc/bind/keys# dpkg -l | grep bind9 | grep 9.16
ii bind9 1:9.16.27-1~deb11u1~bpo10+1 amd64 Internet Domain Name Server
ii bind9-libs:amd64 1:9.16.27-1~deb11u1~bpo10+1 amd64 Shared Libraries used by BIND 9
ii bind9-utils 1:9.16.27-1~deb11u1~bpo10+1 amd64 Utilities for BIND 9
ii bind9utils 1:9.16.27-1~deb11u1~bpo10+1 all Transitional package for bind9-utils
However, for some reason the validation doesn't give me the "ad" (authenticated data) flag in dig queries.
There must be something I'm missing.
I would be grateful for any help.
P.S.
I withdraw my question. Now it automagically started working (the "ad" flag appeared):
root@magrf:~# dig @127.0.0.1 domac.alu.hr +dnssec +multiline
; <<>> DiG 9.16.27-Debian <<>> @127.0.0.1 domac.alu.hr +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55024
;; flags: qr rd ra *ad*; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: ac834aa33f88f006010000006284fdf6c5738a0b6f9bde2b (good)
;; QUESTION SECTION:
;domac.alu.hr. IN A
;; ANSWER SECTION:
domac.alu.hr. 86400 IN A 161.53.235.3
domac.alu.hr. 86400 IN RRSIG A 8 3 86400 (
20220615102400 20220516102400 46119 alu.hr.
tHS58DiuHm0BTCbpyR7k9G9YRtl0iG03Sl5YBK55tBQF
MqR5Bdk9t0Gz8HTFvqYd2kO7jHVRP5hBsMpETXo1PTWa
FYq5WAd4NW+qNJg2giVp04ZC0agS+rPaCQZgeUXuneUk
5wle1qc5GF+R3E8rheTioWPJLw+L2V/n39LYOlQ= )
;; Query time: 39 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed May 18 16:08:54 CEST 2022
;; MSG SIZE rcvd: 251
root@magrf:~#
Thank you for any help. At least I was motivated to do more homework.
I believe there is a future for DNSSEC, much like nowadays we do not have too many legacy sites that request a password without HTTPS. I guess now our domain won't be easily spoofed :-)
The next step is to make the subzone delegation and automatic DS record upload to the main zone, for maintaining half a dozen DS delegations might become infeasible if the KSK expires every couple of months :-/
Thank you for your time reading this. You are patient if you came this far.
Kind regards,
Mirsad Todorovac
On 5/18/2022 11:52 AM, Mirsad Goran Todorovac wrote:
Dear Sir or Madam,
I have tried to implement an instance of a DNSSEC signed DNS zone at our Academy's server.
Though we apparently got away without anything catastrophic, DNSSEC apparently doesn't work, despite doing everything like in the tutorial:
https://blog.apnic.net/2019/05/23/how-to-deploying-dnssec-with-bind-and-ubuntu-server/
I recall getting help here with the dynamic ISC DHCP-updated reverse zone lookup for a sub-/24 reverse zone.
And it is a gift that keeps on giving :)
Now, to provide as much info as possible, the output of
# dig @efk.alu.hr alu.hr. AXFR +multiline +onesoa
is attached.
root@domac:~# host -t ds alu.hr
alu.hr has DS record 34042 8 2
FD6D9A51ABB63FFDF8B2205AA8529D32CB1121D8342D5929481567D5 885BBF08
root@domac:~#
DS record came as the result of the command from the tutorial:
# dig @localhost dnskey alu.hr | dnssec-dsfromkey -f - alu.hr
alu.hr. IN DS 34042 8 2
FD6D9A51ABB63FFDF8B2205AA8529D32CB1121D8342D5929481567D5885BBF08
I am doing the reading of the documentation on kb.isc.org and elsewhere, but it would be good to have some immediate result as well, at least to get the static zones running signed.
Step two would be the dynamically updated zone.
I am otherwise thrilled how much better BIND9 is when compared to the Windows Server 2016 DNS server.
Though, so many features look a bit scary as well, for it is trivial to shoot oneself in the leg ...
Please, any help would be welcome.
Apparently, the record in the DS is the KSK key 34042, while in other records like domac.alu.hr they are referenced with the ZSK key 46119. Is that normal?
From RFC 3658, https://datatracker.ietf.org/doc/html/rfc3658#section-2.1 :
Even though DS identifies two roles for KEYs, Key Signing Key (KSK) and Zone Signing Key (ZSK), there is no requirement that zone uses two different keys for these roles. It is expected that many small zones will only use one key, while larger zones will be more likely to use multiple keys.
It is not quite clear to me what went wrong. I am completely new to DNSSEC, despite it being around since about 1999 or 2006.
The output of dig command doesn't show the "ad" (authenticated data) flag:
root@domac:/etc/bind/keys# dig @127.0.0.1 domac.alu.hr +dnssec +multiline
; <<>> DiG 9.11.5-P4-5.1+deb10u7-Debian <<>> @127.0.0.1 domac.alu.hr +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 239
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: c4a4792d65d3fbb7010000006284c0b0bd75890e0cf18dca (good)
;; QUESTION SECTION:
;domac.alu.hr. IN A
;; ANSWER SECTION:
domac.alu.hr. 86400 IN A 161.53.235.3
domac.alu.hr. 86400 IN RRSIG A 8 3 86400 (
20220615102400 20220516102400 46119 alu.hr.
tHS58DiuHm0BTCbpyR7k9G9YRtl0iG03Sl5YBK55tBQF
MqR5Bdk9t0Gz8HTFvqYd2kO7jHVRP5hBsMpETXo1PTWa
FYq5WAd4NW+qNJg2giVp04ZC0agS+rPaCQZgeUXuneUk
5wle1qc5GF+R3E8rheTioWPJLw+L2V/n39LYOlQ= )
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed May 18 11:47:28 CEST 2022
;; MSG SIZE rcvd: 251
root@domac:/etc/bind/keys#
Thank you very much for your help.
I have now received the confirmation that it wasn't DNSSEC that caused yesterday's outage and that it was only on a couple of blocked accounts, so I am enthusiastic to make this work.
Eventually, I would migrate to BIND 9.16 automatically signed zones and rollover of keys, once the basic stuff starts to work.
Best regards,
Mirsad Todorovac
--
Mirsad Goran Todorovac
CARNet sistem inženjer
Grafički fakultet | Akademija likovnih umjetnosti
Sveučilište u Zagrebu
--
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355
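As an added illustration (not code from the thread or from BIND), a small Python helper that reads a `dig +dnssec +multiline` answer like the ones quoted above and reports three things: why the "ad" flag is absent (an authoritative server answers with "aa" and does not validate; "ad" is only set by a validating resolver), whether the RRSIG is inside its inception/expiration window at a given time, and whether the signing key tag is the one named in the parent's DS (the DS names the KSK, while zone data such as the A record is normally signed by the ZSK, so key tag 46119 next to DS 34042 is expected). It serves both the "ad" question in the latest message and the KSK/ZSK question in the first one; the sample text is constructed from the thread's own output with the signature bytes replaced by a placeholder.

```python
import re
from datetime import datetime, timezone

# Constructed sample: header flags and RRSIG from the thread's dig answer (signature bytes replaced).
DIG_AUTHORITATIVE = """\
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
domac.alu.hr. 86400 IN A 161.53.235.3
domac.alu.hr. 86400 IN RRSIG A 8 3 86400 (
20220615102400 20220516102400 46119 alu.hr.
SIGNATUREBYTES= )
"""
# The same answer as returned by a validating resolver: no "aa", but "ad" set.
DIG_VALIDATED = DIG_AUTHORITATIVE.replace("qr aa rd ra", "qr rd ra ad")
DS_KEY_TAGS = {34042}  # key tag from the parent's DS record shown in the thread

FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);", re.M)
# RRSIG field order: covered type, algorithm, labels, original TTL, expiration, inception, key tag, signer.
RRSIG_RE = re.compile(r"IN RRSIG (\S+) (\d+) (\d+) (\d+) \(\s*(\d{14}) (\d{14}) (\d+) (\S+)")

def _ts(s):
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_dig(text):
    """Return (set of header flags, fields of the first RRSIG or None) from dig output."""
    flags = set(FLAGS_RE.search(text).group(1).split())
    m = RRSIG_RE.search(text)
    rrsig = None
    if m:
        rrsig = {"covers": m.group(1), "algorithm": int(m.group(2)),
                 "expiration": _ts(m.group(5)), "inception": _ts(m.group(6)),
                 "key_tag": int(m.group(7)), "signer": m.group(8)}
    return flags, rrsig

def explain_ad(flags):
    """Say what the presence or absence of the AD flag means for this answer."""
    if "ad" in flags:
        return "validated: a validating resolver set AD"
    if "aa" in flags:
        return "authoritative: answered from its own zone, no validation, so no AD is expected"
    return "not validated: the resolver did not (or could not) validate the chain"

def rrsig_current(rrsig, when):
    """Check a dig-style YYYYMMDDHHMMSS timestamp (UTC) against the RRSIG validity window."""
    return rrsig["inception"] <= _ts(when) <= rrsig["expiration"]

def signer_role(key_tag, ds_key_tags):
    """The DS names the KSK; any other signing key tag is the ZSK, which signs zone data."""
    if key_tag in ds_key_tags:
        return "KSK (referenced by the parent's DS)"
    return "ZSK (not in DS; normal for RRsets other than DNSKEY)"
```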