According to the page
https://blog.apnic.net/2021/08/25/multi-signer-dnssec-models/
in MODEL 2.
I added an improved image as attachment.
<img alt="ZSK-signing" src="cid:ImportZSK-PublishDSofKSK.jpg" />
MULTI-ZSK-SIGNING IS ONE OF THE SOLUTION, and appears to be
suitable for my case.
So, multi-signing with ZSKs from multiple nameservers would have
worked,
when nameservers were using separate "zones" & "keys" folder,
I needed to sign n1's zone file with n2's ZSK & with n3's ZSK.
I needed to sign n2's zone file with n1's ZSK & with n3's ZSK.
I needed to sign n3's zone file with n1's ZSK & with n2's ZSK.
Because 3 nameservers are using SYNCED/REPLICATED shared
directories & files,
so each ZSK & KSK are available to other nameservers.
for "key-directory"
n1 using "/mnt/vol/v1/etc/bind/n1/keys"
n2 using "/mnt/vol/v1/etc/bind/n2/keys"
n3 using "/mnt/vol/v1/etc/bind/n3/keys"
and shared common directory for BIND keys is
"/mnt/vol/v1/etc/bind/keys"
and shared directory is
"/mnt/vol/v1"
is there an option in BIND, that can monitor+enable additional ZSK
signing from new ZSK key from other namerservers for same domain ?
if not, please add this as new feature in BIND.
if BIND itself cannot do the monitoring + multi-ZSK-signing now,
then, HOW can i monitor the ".../bind/n1/keys" (or
".../bind/n2/keys" or ".../bind//n3/keys" or ".../bind/keys" )
sub-dirs under shared-directory and find that BIND has began to use
a new ZSK key ?
or HOW can i get a signal from BIND in each nameserver ? that, BIND
has began to use a new ZSK key ?
so-that, i can trigger/run another script in each nameserver (which
added new ZSK key) to begin signing my domain's zone file in other
2 nameservers with the new ZSK.
example : if n1 added a new ZSK for "example.com" domain, then a
"new-zsk-key-monitoring-script.sh" script will create 2 files
"signal-n2-ExampleCom-MZS-zskNUMBER.txt"
"signal-n3-ExampleCom-MZS-zskNUMBER.txt"
in the shared-bind-directory : "/mnt/vol/v1/etc/bind/keys".
Then "monitor-for-signal-file.sh" script running in n2 & n3, will
get that signal, & run "multi-ZSK-sign-script.sh" to mulit ZSK signing.
Thanks in advance.
Erik.
Erik T Ashfolk.
On 9/26/24 7:26 PM, TErik Ashfolk wrote:
Hello BIND Community.
Looking forward to your suggestions, advises on setup DNSSEC
enabled zones on multiple master/primary authoritative DNS server
(Nameserver) with synced/replicated common shared directories/volume.
Please skip the section(s) that you dont need to read/scan,
& goto the QUESTIONS , the last section.
OBJECTIVES (END-RESULT):
Trying to achieve HA (High-Availability <https://en.wikipedia.org/
wiki/High_availability>), so-that, as long as 1 master/primary is
up/running, then my domains are still available to world, and
allowing users to obtain DNSSEC verified domain-name to IP-address
resolving, etc from BIND DNS server services.
RESOURCES:
• Servers : rented 3 servers on 3 locations from different server
providers.
• Domain : I have multiple domains from domain providers
(registrar) . Here i will use "example.com"
• Each server has 1 IPv4-address, 1 IPv6-address.
• Domain provider's "Use your own Nameserver" is pointed to 3
hostnames in 3 nameservers : n1.example.com ( 192.10.2.11 ,
2001:db8:1::1 ) , n2.example.com ( 198.51.100.12 ,
2001:db8:2::2 ) , n3.example.com ( 203.0.113.13 , 2001:db8:3::3 )
IP-addresses.
• Each IP-adrs has it's RDNS setup done, to correspond & match with
nameserver's hostname.
• Using Debian GNU/Linux 12 (bookworm) OS in each server. ( Server
operator can use any other OS, its their choice/preference. ) ( By
the way, Debian GNU/Linux is base of Ubuntu Linux, kind of similar
to: RedHat Enterprise GNU/Linux is base of Fedora Linux. )
• Using ISC BIND9 (9.18.0 , specifically now : 9.18.28) DNS server
software, in each server. ( Server operator can use any other DNS
server, its their choice/preference. )
ABOUT FILE/DIRECTORY REPLICATION:
• For directories & files replication/sync purpose, using Gluster
software (1 <https://en.wikipedia.org/wiki/Gluster>,2 <https://
docs.gluster.org/en/latest/>,3 <https://serverfault.com/
a/1165339/217110>,4 <https://www.howtoforge.com/how-to-install-
glusterfs-on-debian-12/>). ( There are many other choices for
server operators:Multi-Master Replicaiton <https://
en.wikipedia.org/wiki/Multi-master_replication>,List <https://
en.wikipedia.org/wiki/List_of_cluster_management_software>), its
their own choice what suits best/works for their need/purpose.
• When any file/directory changes ( i.e: in "n1" server ) , then
the replication/sync software that is installed/monitoring , will
nearly immediately or within few seconds, begin to make same
changes to same file/dir in server-operator's other servers ( n2 ,
n3 ), that are member of replication/sync volume/directory. These
replication software uses time-server to have accurate time.
Whichever edit/creation/deletion/modification is done last, that
takes priority & duplicated/replicated/synced.
SHARED/COMMON STORAGE/VOLUME/DIRECTORY:
• I created a large file ("data-s1.img"), ~ 300 MB in size, inside
root-partition , at "/storage/s1/data-s1.img" . Formatted with XFS
filesystem creation/make tools . Attached large-file into a loop
block device . Mounted it in "/data/s1" directory . Created a
systemd service "mount-storage.service" in Debian to do previous
steps one after another, so-that it can succeed in mounting during
boot , (as "/etc/fstab" was not suitable for this purpose) . Others
can create/use a 2nd partition in same storage drive (i.e: "/dev/
sda2") or add another storage drive (i.e: "/dev/sdb") in server .
Others can use a script (or "/etc/fstab") during boot to mount, etc.
• after above steps, replication software (Gluster) was used to
create replication volume "v1" inside the storage-mount-point ("/
data/s1") , so it became "/data/s1/v1" . i configured gluster to
enable SSL/TLS based secure connection for replication process.
Gluster also needs user to mount the volume as "glusterfs" type
mount-point to monitor data r/w & replicate, & its done in : "/mnt/
vol/v1" mount-point of volume "v1" . Followed stepshere <https://
serverfault.com/a/1165339/217110>(& changed file/dir names).
• the files+dirs under "/mnt/vol/v1/" is replicated/synced in each
server, available/accessible in each server, in same location, has
exact same contents.
• Created "/mnt/vol/v1/etc/bind" directory for BIND aka named aka
DNS server aka nameserver software usage. Applied : chgrp bind /
mnt/vol/v1/etc/bind
• Moved the "zones" dir+files from "/etc/bind", from "n1" server
into the "/mnt/vol/v1/etc/bind/n1/" directory, & done similar for
"n2" & "n3" servers . Moved the "keys" dir+files from "/etc/bind",
from "n1" into the "/mnt/vol/v1/etc/bind/n1" directory, & done
similar for "n2" & "n3".
• so, "/mnt/vol/v1/etc/bind/keys" & "/mnt/vol/v1/etc/bind/zones"
folders/directories are COMMON for all servers: "n1", "n2", "n3".
• "n1" using "/mnt/vol/v1/etc/bind/n1/keys" dir & “/mnt/vol/v1/etc/
bind/n1/zones” dir, so i created symlink inside to point+goto the
replicated/synced mount-point, command : ln -s "/mnt/vol/v1/etc/
bind/n1/keys" "/etc/bind/keys" ; ln -s "/mnt/vol/v1/etc/bind/n1/
zones" "/etc/bind/zones" ;
• "n2" using "/mnt/vol/v1/etc/bind/n2/keys" dir & “/mnt/vol/v1/etc/
bind/n2/zones” dir . & created symlinks as shown above.
• "n3" using "/mnt/vol/v1/etc/bind/n3/keys" dir & "/mnt/vol/v1/etc/
bind/n3/zones" dir. & created symlinks as shown above.
• Added permissions in AppArmor "/etc/apparmor.d/local/
usr.sbin.named" file, for BIND/named, so that BIND/named can use
"v1" replicated-volume "/mnt/vol/v1" BIND directories : /mnt/vol/
v1/etc/bind , /mnt/vol/v1/etc/bind/zones , /mnt/vol/v1/etc/bind/
keys , /mnt/vol/v1/etc/bind/n1/zones , /mnt/vol/v1/etc/bind/n1/
keys in n1 server ( and i have done similar for n2 & n3 ) . Then
applied changes with command : apparmor_parser -r /etc/apparmor.d/
usr.sbin.named
• Also applied or re-checked if the ownership-&-permission (O&P)
convention used+recommended by BIND/named for directories & files,
are applied/done on the dirs+files inside the "/mnt/vol/v1/etc/
bind, etc.
DNSSEC & DNS:
• Each nameserver has BIND DNS server named daemon software . Each
BIND need to be Authoritative for my domains ("example.com" ,
"example2.com", etc) & response back to any DNS servers/clients
query for my domains & for my subnet's reverse-zone . And each BIND
DNS server also need to serve/perform as a recursive DNS resolver
for any queries made into "localhost" ( 127.0.0.1 , ::1 ).
• Followed various related steps as-much-possible from "DNSSEC
Howto for BIND 9.9+ <https://wiki.debian.org/
DNSSEC%20Howto%20for%20BIND%209%2E9%2B>” , ISCBIND docs for 9.18.28
<https://downloads.isc.org/isc/bind9/9.18.28/doc/arm/html/> ( that
i'm using now while writing this msg ) , etc . Debian OS will
update BIND in distro’s repo, & then my/op's servers will be
updated to that version . For next/latest version, goto ISC BIND
download pagehere <https://www.isc.org/download/>, search for "PDF"
word, select/click on the HTML / PDF doc version that you want to
read/follow.
• As each nameserver has different IP-addresses, so i've kept the
"named.conf", "named.conf.local", "named.conf.options" files in
the /etc/bind of server itself, for faster loading .
• The "named.conf" file has BIND ACLs, and include directives .
This file has same content in each server . Has “ acl LocalHostR
{ 127.0.0.1; ::1; } ; LocalHostRv4 { 127.0.0.1; } ; LocalHostRv6
{ ::1; } ; acl BlockedNets { 0.0.0.0/8 ; 192.0.2.0/24 ;
224.0.0.0/3 ; 10.0.0.0/8 ; 172.16.0.0/12 ; 192.168.0.0/16 ; } ; acl
N1-IPv4 { 192.10.2.11; } ; acl N1-IPv6 {2001:db8:1::11; }; ” , etc,
(remove quote symbols) . ( i added more IPv4 & IPv6 in
BlockedNetslater ).
• The "named.conf.local" file has forward zones & reverse zones
declarations : each zone has "type primary;" directive/option set ,
each zone has "file" directive with file located in replicated
volume location . Each local zones & each local reverse-zone for
IP-address) have "allow-query { LocalHostR; };" . My each domain's
zone (i.e: "zone "example.com" { ... };") declarations, & reverse-
zone for my own subnet, has "allow-query { any; };" .
•My domain “example.com”zone declaration in “named.local.conf”
file : “ zone "n1.example.com" { type master ; file "/mnt/vol/v1/
etc/bind/zones/db.example.com" ; allow-query { any; } ; serial-
update-method unixtime ; key-directory "/mnt/vol/v1/etc/bind/n1/
keys" ; dnssec-policy opPolicy ; inline-signing yes ; notify
no ; }; ” (remove quote symbols) . We allowed query from anyone .
By the way, i also have a sub-domain zone declared in
“named.local.conf” file as zone : “ zone "ns.example.com" { … };
” , nearly same as “example.com”.
• The "named.conf.options" file has “dnssec-policy
"opPolicy" { ... };” , "options { ... };" , "logging { ... };"
sections/declarations . Logging uses the server's "/var/log/named"
dir ( into "Update_Debug.log" , "Security.log" , "BIND.log" files ).
• The “options { … };” in “named.conf.options” file : “ options
{ recursion yes ; allow-recursion { LocalHostR; } ; allow-query-
cache { LocalHostR; } ;allow-query-cache-on { LocalHostR; } ;
allow-query { LocalHostR; } ; allow-recursion-on { LocalHostR; } ;
empty-zones-enable yes ; blackhole { BlockedNets; } ; allow-
transfer { none; } ; auth-nxdomain no ; listen-on { N1-IPv4;
LocalHostRv4; } ; listen-on-v6 { N1-IPv6; LocalHostRv6; }; rate-
limit { ... }; }; ” (remove quote symbols). We restricted recursion
by allowing only LocalHostR, not external, not BlockedNets.
• DNS server, for non-dnssec part of DNS related queries &
responses for domain(s), IPv4-adrs, IPv6-adrs, etc (forward lookup/
resolve , subnet IP-adrs reverse resolve/lookup ) WORKING FINE ,
from n1 & n2 & n3 . Authoritative mode is working for my domains .
And "localhost" inside server can also provide website-name/domain-
name To IP-address resolve response, to the the local software/
daemons/clients that are running inside server.
• To ENABLE DNSSEC : i add "dnssec-validation auto;" inside
"options" inside "named.conf.options" file , i add "key-directory
"/mnt/vol/v1/etc/bind/n1/keys" ; inline-signing yes;" in "zone
"example.com" { ... };" in "named.conf.local" file, etc , ( changed
the "n1" into "n2" for "n2" server, & similarly in n3. )
• For "dnssec-policy" directive about KSK & ZSK cert+key creation,
usage period, signing, validity, verification, etc , i'm using
shorter TTL period, etc , so-that dnssec/dns config lines can be
changed+applied quickly during DNSSEC setup phase : dnssec-policy
"opPolicy" { ksk lifetime P88D algorithm RSASHA256 ; zsk lifetime
22D algorithm RSASHA256 ; dnskey-ttl PT10M ; publish-safety
P2D ; retire-safety P3D ; purge-keys P3D ; signatures-refresh
P5D ; signatures-validity P10D ; signatures-validity-dnskey
P11D ; max-zone-ttl PT30M ; zone-propagation-delay PT1H ; parent-
ds-ttl PT1H ; parent-propagation-delay PT1H ; nsec3param
iterations 0 optout yes salt-length 0 ; };
Now finally into the
QUESTIONS:
• How can i create 1 KSK key ( in "n1" server first ), for a
(single) domain ("example.com") and get the DS code from KSK key
and add that 1 DS in domain-provider ( to send to the TLD ), &
configure other 2 nameservers ( n2 , n3 ) to use that 1 DS record
from TLD & use that same/common 1 KSK file from the synced/
replicated directory, while "type master;" is set for my domain/
zone in each nameserver ?
( Using 3 KSK & their 3 DS in domain-provider did not work, created
error indicators in DNSViz & in "DNSSEC-Annalyzer.VerisignLabs”
test sites, when each nameserver used separate directories, files, etc.
• if i specify same/COMMON (replicated) dir "/mnt/vol/v1/etc/bind/
keys" & "/mnt/vol/v1/etc/bind/zones/zonename" inside 3 nameserver's
“named.conf.local” file domains/zones , Can BIND DNS server add
their own RRSIG response/lines for DNS records (into same zone
file) without removing earlier or other nameserver's RRSIG lines
(unless related ZSK key/period expired) ?
• How do i disable/clean/move/backup earlier DNSSEC keys/usages, &
setup DNSSEC completely as anew . ( Our zone TTLs are short 7m to
1h , (during setup/test phase) , So within 7m to an hour, all
older-records should be discarded from caches. )
Thanks in advance for helpful responses.
Erik.
Erik T Ashfolk.
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
