You need to remember multi-signer still has a lot of hand waving in its specification. All the coordination between operators is unspecified.
Things like how you generate CDS automatically is undefined. A pre CDS (PCDS) record with an signer tag and signer count before the CDS data would work. The servers would then look for a full set of PCDS records and promote them to CDS records when that exists. This would be per algorithm. A full set is defined as having a record from each signer and the count of such signers matching the maximum signers of all PCDS records. Each signer needs to know its signer identifier and the total count of signers. When a new signer is added a new PCDS is generated by each signer for its keys. Similarly for when a signer is removed. Signers will log discrepancies between the configured signer count and the observed value in the PCDS records. All this needs to go through the IETF. -- Mark Andrews > On 28 Sep 2024, at 07:54, Terik Erik Ashfolk <ate...@outlook.com> wrote: > > According to the page > https://blog.apnic.net/2021/08/25/multi-signer-dnssec-models/ > in MODEL 2. > I added an improved image as attachment. > <img alt="ZSK-signing" src="cid:ImportZSK-PublishDSofKSK.jpg" /> > MULTI-ZSK-SIGNING IS ONE OF THE SOLUTION, and appears to be suitable for my > case. > > So, multi-signing with ZSKs from multiple nameservers would have worked, > when nameservers were using separate "zones" & "keys" folder, > > I needed to sign n1's zone file with n2's ZSK & with n3's ZSK. > I needed to sign n2's zone file with n1's ZSK & with n3's ZSK. > I needed to sign n3's zone file with n1's ZSK & with n2's ZSK. > > Because 3 nameservers are using SYNCED/REPLICATED shared directories & files, > so each ZSK & KSK are available to other nameservers. > > for "key-directory" > n1 using "/mnt/vol/v1/etc/bind/n1/keys" > n2 using "/mnt/vol/v1/etc/bind/n2/keys" > n3 using "/mnt/vol/v1/etc/bind/n3/keys" > > and shared common directory for BIND keys is > "/mnt/vol/v1/etc/bind/keys" > > and shared directory is > "/mnt/vol/v1" > > is there an option in BIND, that can monitor+enable additional ZSK signing > from new ZSK key from other namerservers for same domain ? > if not, please add this as new feature in BIND. > > if BIND itself cannot do the monitoring + multi-ZSK-signing now, then, HOW > can i monitor the ".../bind/n1/keys" (or ".../bind/n2/keys" or > ".../bind//n3/keys" or ".../bind/keys" ) sub-dirs under shared-directory and > find that BIND has began to use a new ZSK key ? > > or HOW can i get a signal from BIND in each nameserver ? that, BIND has began > to use a new ZSK key ? > > so-that, i can trigger/run another script in each nameserver (which added new > ZSK key) to begin signing my domain's zone file in other 2 nameservers with > the new ZSK. > > example : if n1 added a new ZSK for "example.com" domain, then a > "new-zsk-key-monitoring-script.sh" script will create 2 files > "signal-n2-ExampleCom-MZS-zskNUMBER.txt" > "signal-n3-ExampleCom-MZS-zskNUMBER.txt" > in the shared-bind-directory : "/mnt/vol/v1/etc/bind/keys". > Then "monitor-for-signal-file.sh" script running in n2 & n3, will get that > signal, & run "multi-ZSK-sign-script.sh" to mulit ZSK signing. > > > Thanks in advance. > > Erik. > > Erik T Ashfolk. > > > > >> On 9/26/24 7:26 PM, TErik Ashfolk wrote: >> Hello BIND Community. >> Looking forward to your suggestions, advises on setup DNSSEC enabled zones >> on multiple master/primary authoritative DNS server (Nameserver) with >> synced/replicated common shared directories/volume. >> Please skip the section(s) that you dont need to read/scan, >> & goto the QUESTIONS , the last section. >> OBJECTIVES (END-RESULT): >> Trying to achieve HA (High-Availability <https://en.wikipedia.org/ >> wiki/High_availability>), so-that, as long as 1 master/primary is >> up/running, then my domains are still available to world, and allowing users >> to obtain DNSSEC verified domain-name to IP-address resolving, etc from BIND >> DNS server services. >> RESOURCES: >> • Servers : rented 3 servers on 3 locations from different server providers. >> • Domain : I have multiple domains from domain providers (registrar) . Here >> i will use "example.com" >> • Each server has 1 IPv4-address, 1 IPv6-address. >> • Domain provider's "Use your own Nameserver" is pointed to 3 hostnames in 3 >> nameservers : n1.example.com ( 192.10.2.11 , 2001:db8:1::1 ) , >> n2.example.com ( 198.51.100.12 , 2001:db8:2::2 ) , n3.example.com ( >> 203.0.113.13 , 2001:db8:3::3 ) IP-addresses. >> • Each IP-adrs has it's RDNS setup done, to correspond & match with >> nameserver's hostname. >> • Using Debian GNU/Linux 12 (bookworm) OS in each server. ( Server operator >> can use any other OS, its their choice/preference. ) ( By the way, Debian >> GNU/Linux is base of Ubuntu Linux, kind of similar to: RedHat Enterprise >> GNU/Linux is base of Fedora Linux. ) >> • Using ISC BIND9 (9.18.0 , specifically now : 9.18.28) DNS server software, >> in each server. ( Server operator can use any other DNS server, its their >> choice/preference. ) >> ABOUT FILE/DIRECTORY REPLICATION: >> • For directories & files replication/sync purpose, using Gluster software >> (1 <https://en.wikipedia.org/wiki/Gluster>,2 <https:// >> docs.gluster.org/en/latest/>,3 <https://serverfault.com/ a/1165339/217110>,4 >> <https://www.howtoforge.com/how-to-install- glusterfs-on-debian-12/>). ( >> There are many other choices for server operators:Multi-Master Replicaiton >> <https:// en.wikipedia.org/wiki/Multi-master_replication>,List <https:// >> en.wikipedia.org/wiki/List_of_cluster_management_software>), its their own >> choice what suits best/works for their need/purpose. >> • When any file/directory changes ( i.e: in "n1" server ) , then the >> replication/sync software that is installed/monitoring , will nearly >> immediately or within few seconds, begin to make same changes to same >> file/dir in server-operator's other servers ( n2 , n3 ), that are member of >> replication/sync volume/directory. These replication software uses >> time-server to have accurate time. Whichever >> edit/creation/deletion/modification is done last, that takes priority & >> duplicated/replicated/synced. >> SHARED/COMMON STORAGE/VOLUME/DIRECTORY: >> • I created a large file ("data-s1.img"), ~ 300 MB in size, inside >> root-partition , at "/storage/s1/data-s1.img" . Formatted with XFS >> filesystem creation/make tools . Attached large-file into a loop block >> device . Mounted it in "/data/s1" directory . Created a systemd service >> "mount-storage.service" in Debian to do previous steps one after another, >> so-that it can succeed in mounting during boot , (as "/etc/fstab" was not >> suitable for this purpose) . Others can create/use a 2nd partition in same >> storage drive (i.e: "/dev/ sda2") or add another storage drive (i.e: >> "/dev/sdb") in server . Others can use a script (or "/etc/fstab") during >> boot to mount, etc. >> • after above steps, replication software (Gluster) was used to create >> replication volume "v1" inside the storage-mount-point ("/ data/s1") , so it >> became "/data/s1/v1" . i configured gluster to enable SSL/TLS based secure >> connection for replication process. Gluster also needs user to mount the >> volume as "glusterfs" type mount-point to monitor data r/w & replicate, & >> its done in : "/mnt/ vol/v1" mount-point of volume "v1" . Followed stepshere >> <https:// serverfault.com/a/1165339/217110>(& changed file/dir names). >> • the files+dirs under "/mnt/vol/v1/" is replicated/synced in each server, >> available/accessible in each server, in same location, has exact same >> contents. >> • Created "/mnt/vol/v1/etc/bind" directory for BIND aka named aka DNS server >> aka nameserver software usage. Applied : chgrp bind / mnt/vol/v1/etc/bind >> • Moved the "zones" dir+files from "/etc/bind", from "n1" server into the >> "/mnt/vol/v1/etc/bind/n1/" directory, & done similar for "n2" & "n3" servers >> . Moved the "keys" dir+files from "/etc/bind", from "n1" into the >> "/mnt/vol/v1/etc/bind/n1" directory, & done similar for "n2" & "n3". >> • so, "/mnt/vol/v1/etc/bind/keys" & "/mnt/vol/v1/etc/bind/zones" >> folders/directories are COMMON for all servers: "n1", "n2", "n3". >> • "n1" using "/mnt/vol/v1/etc/bind/n1/keys" dir & “/mnt/vol/v1/etc/ >> bind/n1/zones” dir, so i created symlink inside to point+goto the >> replicated/synced mount-point, command : ln -s "/mnt/vol/v1/etc/ >> bind/n1/keys" "/etc/bind/keys" ; ln -s "/mnt/vol/v1/etc/bind/n1/ zones" >> "/etc/bind/zones" ; >> • "n2" using "/mnt/vol/v1/etc/bind/n2/keys" dir & “/mnt/vol/v1/etc/ >> bind/n2/zones” dir . & created symlinks as shown above. >> • "n3" using "/mnt/vol/v1/etc/bind/n3/keys" dir & "/mnt/vol/v1/etc/ >> bind/n3/zones" dir. & created symlinks as shown above. >> • Added permissions in AppArmor "/etc/apparmor.d/local/ usr.sbin.named" >> file, for BIND/named, so that BIND/named can use "v1" replicated-volume >> "/mnt/vol/v1" BIND directories : /mnt/vol/ v1/etc/bind , >> /mnt/vol/v1/etc/bind/zones , /mnt/vol/v1/etc/bind/ keys , >> /mnt/vol/v1/etc/bind/n1/zones , /mnt/vol/v1/etc/bind/n1/ keys in n1 server ( >> and i have done similar for n2 & n3 ) . Then applied changes with command : >> apparmor_parser -r /etc/apparmor.d/ usr.sbin.named >> • Also applied or re-checked if the ownership-&-permission (O&P) convention >> used+recommended by BIND/named for directories & files, are applied/done on >> the dirs+files inside the "/mnt/vol/v1/etc/ bind, etc. >> DNSSEC & DNS: >> • Each nameserver has BIND DNS server named daemon software . Each BIND need >> to be Authoritative for my domains ("example.com" , "example2.com", etc) & >> response back to any DNS servers/clients query for my domains & for my >> subnet's reverse-zone . And each BIND DNS server also need to serve/perform >> as a recursive DNS resolver for any queries made into "localhost" ( >> 127.0.0.1 , ::1 ). >> • Followed various related steps as-much-possible from "DNSSEC Howto for >> BIND 9.9+ <https://wiki.debian.org/ DNSSEC%20Howto%20for%20BIND%209%2E9%2B>” >> , ISCBIND docs for 9.18.28 >> <https://downloads.isc.org/isc/bind9/9.18.28/doc/arm/html/> ( that i'm using >> now while writing this msg ) , etc . Debian OS will update BIND in distro’s >> repo, & then my/op's servers will be updated to that version . For >> next/latest version, goto ISC BIND download pagehere >> <https://www.isc.org/download/>, search for "PDF" word, select/click on the >> HTML / PDF doc version that you want to read/follow. >> • As each nameserver has different IP-addresses, so i've kept the >> "named.conf", "named.conf.local", "named.conf.options" files in the >> /etc/bind of server itself, for faster loading . >> • The "named.conf" file has BIND ACLs, and include directives . This file >> has same content in each server . Has “ acl LocalHostR { 127.0.0.1; ::1; } ; >> LocalHostRv4 { 127.0.0.1; } ; LocalHostRv6 { ::1; } ; acl BlockedNets { >> 0.0.0.0/8 ; 192.0.2.0/24 ; 224.0.0.0/3 ; 10.0.0.0/8 ; 172.16.0.0/12 ; >> 192.168.0.0/16 ; } ; acl N1-IPv4 { 192.10.2.11; } ; acl N1-IPv6 >> {2001:db8:1::11; }; ” , etc, (remove quote symbols) . ( i added more IPv4 & >> IPv6 in BlockedNetslater ). >> • The "named.conf.local" file has forward zones & reverse zones declarations >> : each zone has "type primary;" directive/option set , each zone has "file" >> directive with file located in replicated volume location . Each local zones >> & each local reverse-zone for IP-address) have "allow-query { LocalHostR; >> };" . My each domain's zone (i.e: "zone "example.com" { ... };") >> declarations, & reverse- zone for my own subnet, has "allow-query { any; };" >> . >> •My domain “example.com”zone declaration in “named.local.conf” file : “ zone >> "n1.example.com" { type master ; file "/mnt/vol/v1/ >> etc/bind/zones/db.example.com" ; allow-query { any; } ; serial- >> update-method unixtime ; key-directory "/mnt/vol/v1/etc/bind/n1/ keys" ; >> dnssec-policy opPolicy ; inline-signing yes ; notify no ; }; ” (remove quote >> symbols) . We allowed query from anyone . By the way, i also have a >> sub-domain zone declared in “named.local.conf” file as zone : “ zone >> "ns.example.com" { … }; ” , nearly same as “example.com”. >> • The "named.conf.options" file has “dnssec-policy "opPolicy" { ... };” , >> "options { ... };" , "logging { ... };" sections/declarations . Logging uses >> the server's "/var/log/named" dir ( into "Update_Debug.log" , "Security.log" >> , "BIND.log" files ). >> • The “options { … };” in “named.conf.options” file : “ options { recursion >> yes ; allow-recursion { LocalHostR; } ; allow-query- cache { LocalHostR; } >> ;allow-query-cache-on { LocalHostR; } ; allow-query { LocalHostR; } ; >> allow-recursion-on { LocalHostR; } ; empty-zones-enable yes ; blackhole { >> BlockedNets; } ; allow- transfer { none; } ; auth-nxdomain no ; listen-on { >> N1-IPv4; LocalHostRv4; } ; listen-on-v6 { N1-IPv6; LocalHostRv6; }; rate- >> limit { ... }; }; ” (remove quote symbols). We restricted recursion by >> allowing only LocalHostR, not external, not BlockedNets. >> • DNS server, for non-dnssec part of DNS related queries & responses for >> domain(s), IPv4-adrs, IPv6-adrs, etc (forward lookup/ resolve , subnet >> IP-adrs reverse resolve/lookup ) WORKING FINE , from n1 & n2 & n3 . >> Authoritative mode is working for my domains . And "localhost" inside server >> can also provide website-name/domain- name To IP-address resolve response, >> to the the local software/ daemons/clients that are running inside server. >> • To ENABLE DNSSEC : i add "dnssec-validation auto;" inside "options" inside >> "named.conf.options" file , i add "key-directory >> "/mnt/vol/v1/etc/bind/n1/keys" ; inline-signing yes;" in "zone "example.com" >> { ... };" in "named.conf.local" file, etc , ( changed the "n1" into "n2" for >> "n2" server, & similarly in n3. ) >> • For "dnssec-policy" directive about KSK & ZSK cert+key creation, usage >> period, signing, validity, verification, etc , i'm using shorter TTL period, >> etc , so-that dnssec/dns config lines can be changed+applied quickly during >> DNSSEC setup phase : dnssec-policy "opPolicy" { ksk lifetime P88D algorithm >> RSASHA256 ; zsk lifetime 22D algorithm RSASHA256 ; dnskey-ttl PT10M ; >> publish-safety P2D ; retire-safety P3D ; purge-keys P3D ; >> signatures-refresh P5D ; signatures-validity P10D ; >> signatures-validity-dnskey P11D ; max-zone-ttl PT30M ; >> zone-propagation-delay PT1H ; parent- ds-ttl PT1H ; >> parent-propagation-delay PT1H ; nsec3param iterations 0 optout yes >> salt-length 0 ; }; >> Now finally into the >> QUESTIONS: >> • How can i create 1 KSK key ( in "n1" server first ), for a (single) domain >> ("example.com") and get the DS code from KSK key and add that 1 DS in >> domain-provider ( to send to the TLD ), & configure other 2 nameservers ( n2 >> , n3 ) to use that 1 DS record from TLD & use that same/common 1 KSK file >> from the synced/ replicated directory, while "type master;" is set for my >> domain/ zone in each nameserver ? >> ( Using 3 KSK & their 3 DS in domain-provider did not work, created error >> indicators in DNSViz & in "DNSSEC-Annalyzer.VerisignLabs” test sites, when >> each nameserver used separate directories, files, etc. >> • if i specify same/COMMON (replicated) dir "/mnt/vol/v1/etc/bind/ keys" & >> "/mnt/vol/v1/etc/bind/zones/zonename" inside 3 nameserver's >> “named.conf.local” file domains/zones , Can BIND DNS server add their own >> RRSIG response/lines for DNS records (into same zone file) without removing >> earlier or other nameserver's RRSIG lines (unless related ZSK key/period >> expired) ? >> • How do i disable/clean/move/backup earlier DNSSEC keys/usages, & setup >> DNSSEC completely as anew . ( Our zone TTLs are short 7m to 1h , (during >> setup/test phase) , So within 7m to an hour, all older-records should be >> discarded from caches. ) >> Thanks in advance for helpful responses. >> Erik. >> Erik T Ashfolk. > <ImportZSK-PublishDSofKSK.jpg> > -- > Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from > this list > > ISC funds the development of this software with paid support subscriptions. > Contact us at https://www.isc.org/contact/ for more information. > > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
