Appendix B. DNSSEC

 

DNSSEC

Cryptographic authentication of DNS information is possible through the DNS Security (DNSSEC-bis) extensions, defined in RFC 4033, RFC 4034, and RFC 4035. This section describes the creation and use of DNSSEC signed zones.

In order to setup a DNSSEC secure zone, there are a series of steps which must be followed. BIND9 ships with several tools that are used in this process, which are explained in more detail below. In all cases, the -h option prints a full list of parameters.

NOTE:  For use with MultiNet, define symbols for each of the tools, and call the symbol from the command line.  For example, to use the dnssec-keygen tool, a symbol could be created as follows:

$ keygen :== $multinet:dnssec-keygen

$ keygen -h

There must also be communication with the administrators of the parent and/or child zone to transmit keys. A zone’s security status must be indicated by the parent zone for a DNSSEC capable resolver to trust its data. This is done through the presence or absence of a DS record at the delegation point.

For other servers to trust data in this zone, they must either be statically configured with this zone’s zone key or the zone key of another zone above this one in the DNS tree.

Generating Keys

The dnssec-keygen program is used to generate keys.  A secure zone must contain one or more zone keys.  The zone keys will sign all other records in the zone, as well as the zone keys of any secure delegated zones.  Zone keys must have the same name as the zone, a name type of ZONE, and must be usable for authentication. It is recommended that zone keys use a cryptographic algorithm designated as “mandatory to implement” by the IETF; currently the only one is RSASHA1.  For convenience, run the dnssec-keygen tool in the directory the zone data files are located, so you won’t need to use full pathnames as arguments.

The following command will generate a 768-bit RSASHA1 key for the child.example zone, the symbol keygen has been created to refer to the dnssec-keygen executable:

$ keygen -a RSASHA1 -b 768 -n ZONE child-example

NOTE:  File names specified with the tools must conform to OpenVMS naming conventions.  Be aware of using multiple dots, etc. which will generate errors upon file creation.

Two output files will be produced: Kchild-example-005-12345.key and Kchild-example-005-12345.private (where 12345 is an example of a key tag). The key filenames contain the key name (child-example.), algorithm (3 is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in this case). The private key (in the .private file) is used to generate signatures, and the public key (in the .key file) is used for signature verification.  Always protect the .private key, anyone who knows it can forge signed zone data.  The .private key file will be written readable and writable only by the user who runs it.  Process Software recommends running the DNSSEC tools from a suitably privileged account.

To generate another key with the same properties (but with a different key tag), repeat the above command.

The dnssec-keyfromlabel program is used to get a key pair from a crypto hardware and build the key files.  Its usage is similar to dnssec-keygen.

The public keys can be inserted into the zone file by pasting in their contents, or better yet by including the .key file using $include statements.  For example, to insert the public key for child-example, add the following $include statement to the zone file:

$include Kchild-example-005-12345.key ;

The zone file (for examples in this Appendix, the file name is zone.1) may look like this:

$TTL 100

$ORIGIN child-example.

@       IN SOA  a.example. a.a.example. 1 360 36 60480 12

                NS      a.example.

                NS      b.example.

one             A       10.10.10.10

two             A       10.10.10.100

                MX      10 one.zz.example.

$include Kchild-example-005-12345.key ;

 

Signing the Zone

With the key included in the zone file, use the dnssec-signzone program to sign the zone.

Any keyset files corresponding to secure subzones should be present. The zone signer will generate NSEC, NSEC3 and RRSIG records for the zone, as well as DS for the child zones if -g is specified. If -g is not specified, then DS RRsets for the secure child zones need to be added manually.

The following command signs the zone, assuming it is in a file called zone.1. By default, all zone keys which have an available private key are used to generate signatures.  First define a symbol for dnssec-signzone:

$ signer :== $multinet:dnssec-signzone

The -o option specifies the zone origin, the default is the zone file name.

$ signer -o child-example zone.1

Note:  You may see the message “No self signing KSK found.”  This is normal as no KSK (key signing key) has been generated at this point.  Only a ZSK (zone signing key) is present.

One output file is produced:  zone.1_signed.  This file should be referenced by named.conf as the input file for the zone.

The output file, zone.1_signed, should look something like this:

; dnssec_signzone version 9.7.2-p3

child-example.  100     IN SOA  a.example. a.a.example. (

          1          ; serial

          360        ; refresh (6 minutes)

          36         ; retry (36 seconds)

          60480      ; expire (16 hours 48 minutes)

          12         ; minimum (12 seconds)

          )

    100     RRSIG   SOA 5 1 100 20110428114855 (

       20110329114855 36111 child-example.

       rWVs/euooBTVk0MzhxHQio61rDBhzAId13sV

       KXphVsA64bqyayhJcCfikmxww6vq6gG0W3mR

       z1tbIQ7znZ0SN90dsWhEcoEaEmm1Sl6hwSVY

       OzaYrN8HgahzcrNlsX5l )

    100     NS      a.example.

    100     NS      b.example.

    100     RRSIG   NS 5 1 100 20110428114855 (

       20110329114855 36111 child-example.

       SOrA8BihARhE+SPl/iYjB8PTqk+8lc4sEE4b

       CYhgcF6d9VOZtCotQFUqVKrk65xoGqf60+9R

       kBJr6lsOwr6mqDVCiZzVnAy1frWD8T8q5HNK

       nzVR8gb7AXyPtbgKqOS3 )

    12      NSEC    one.child-example. NS SOA RRSIG NSEC DNSKEY

    12      RRSIG   NSEC 5 1 12 20110428114855 (

       20110329114855 36111 child-example.

       L0K9USccXSgO4iYBaXDOrQ0zzrxVVRECwjAb

       DAeZqVec525V6kNIB5F2mCxjSJqlJ5C40vr+

       lCqe/EGzjxplEzqq0nSN/fCtTgXqhLL6EfZx

       M1lvB5C+4K4hR20neVWy )

    100     DNSKEY  256 3 5 (

       AwEAAcXIK+ljUWgMENcS9TUqnZGEFMOE5DBP

       WyQu5aIGSZqTTcvMWsaFtS7800LjapDB4kcs

       xwecfdA4I/0dUHPuHqmQREGfq/xstyxLPHKS

       MEkJthkVurf4MWzdX8dAVEd/GQ==

       ) ; key id = 36111

    100     RRSIG   DNSKEY 5 1 100 20110428114855 (

       20110329114855 36111 child-example.

       O8t91OOvLCSotc7mTG7iVr6fyeg7AA6ZuzHR

       GfN0dbOFzZHGxSAj2pRXPz8FC/eYz+ngy6rK

       23UhdklmuJN35IEA+qkXBilS7NJtEvaONOud

       1ANN6qQDtXyYFxnCuEN0 )

one.child-example.      100     IN A    10.10.10.10

    100     RRSIG   A 5 2 100 20110428114855 (

       20110329114855 36111 child-example.

       o3TPUffd5dLuxoac0TVVsT8HU3MFoJtIbfXV

       apidfBY7IbxU6YWgPPwkYO1oKgJ3CnWmKTZQ

       sUB+QRE1VHn8GmPbyjbg9QfhIKZDEQyT2f7x

       41QDNznnKnJyYjhmbyCf )

    12      NSEC    two.child-example. A RRSIG NSEC

    12      RRSIG   NSEC 5 2 12 20110428114855 (

       20110329114855 36111 child-example.

       w3RXqBeiUk/njCh/nHg2s1hv9kYynGdRsp2A

       vYm8ahrq4pGv1DLr6uuwCT5vBfjor1l5ePBj

       jsIO3FLkWyO7miBpfiLLPa7umKSQLN0AZGIE

       /5Z7LSc80o2fzwqcBkub )

two.child-example.      100     IN A    10.10.10.100

    100     RRSIG   A 5 2 100 20110428114855 (

       20110329114855 36111 child-example.

       jQAof31o6bO4oOVlhLAt6NQkifz1l4qnfN4a

       viZiB0RmLYuRNnHFRAPyZLkoI8PTgCuCdV/e

       co1ifFnXU9UauNnK/wQw8Djurvra/YMq8f5W

       ZZcOReQvZUoD8mS4C3ec )

    100     MX      10 one.zz.example.

    100     RRSIG   MX 5 2 100 20110428114855 (

       20110329114855 36111 child-example.

       hIQI20XS9qYdi5/3qMp1VeU0aQqBwQsugwkw

       mCD9gY7BrpYjMeeg3XQHY0Qx7ElqLc9Q0F3C

       kC0ETM5CDnUAicXCy2TOc1DAKfSOYlKRnzVd

       a5LlFGymsi2gVyW7VssH )

    12      NSEC    child-example. A MX RRSIG NSEC

    12      RRSIG   NSEC 5 2 12 20110428114855 (

       20110329114855 36111 child-example.

       OhIM8y6IGXixOUtD+ZH/bicznRtX6YrdeXxg

       5bD3ROSUcfpCL5YAUxfk/B9nj2n1OStle88r

       O7EeMB2rSiAPqYW88ZbIXXhOHsE6z3ff7Plc

       B3pT56MBxUh5cm2WDYTL )

dnssec-signzone will also produce a keyset and dsset files and optionally a dlvset file. These are used to provide the parent zone administrators with the DNSKEYs (or their corresponding DS records) that are the secure entry point to the zone.

 

Configuring Servers

To enable named to respond appropriately to DNS requests from DNSSEC aware clients, the option dnssec-enable must be set to yes. (This is the default setting.)

To enable named to validate answers from other servers, the dnssec-enable and dnssec-validation options must both be set to yes, and at least one trust anchor must be configured with a trusted-keys or managed-keys statement in named.conf.

trusted-keys are copies of DNSKEY RRs for zones that are used to form the first link in the cryptographic chain of trust. All keys listed in trusted-keys (and corresponding zones) are deemed to exist and only the listed keys will be used to validated the DNSKEY RRset that they are from.

managed-keys are trusted keys which are automatically kept up to date via RFC 5011 trust anchor maintenance. 

After DNSSEC gets established, a typical DNSSEC configuration will look something like the following.  It has one or more public keys for the root. This allows answers from outside the organization to be validated. It will also have several keys for parts of the namespace the organization controls. These are here to ensure that named is immune to compromises in the DNSSEC components of the security of parent zones.

managed-keys {

/* Root Key */

       "." initial-key 257 3 3 

 

"BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwS

JxrGkxJWoZu6I7PzJu/E9gx4UC1zGAHlXKdE4zYIpRh

aBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3zy2Xy

4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYg

                           hf+6fElrmLkdaz MQ2OCnACR817DF4BBa7UR/beDHyp

                           5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M/lUUVRbke

                           g1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq

                           66gKodQj+MiA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ

                           97S+LKUTpQcq27R7AT3/V5hRQxScINqwcz4jYqZD2fQ

                           dgxbcDTClU0CRBdiieyLMNzXG3";

       };

 

trusted-keys {

/* Key for our organization’s forward zone */

example.net. 257 3 5

"AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM6

5KbhTjrW1ZaARmPhEZZe3Y9ifgEuq7vZ/z

GZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb

4JKUbbOTcM8pwXlj0EiX3oDFVmjHO444gL

kBOUKUf/mC7HvfwYH/Be22GnClrinKJp1O

g4ywzO9WglMk7jbfW33gUKvirTHr25GL7S

TQUzBb5Usxt8lgnyTUHs1t3JwCY5hKZ6Cq

FxmAVZP20igTixin/1LcrgX/KMEGd/biuv

F4qJCyduieHukuY3H4XMAcR+xia2nIUPvm

/oyWR8BW/hWdzOvnSCThlHf3xiYleDbt/o

1OTQ09A0=";

 

/* Key for our reverse zone. */

 

2.0.192.IN-ADDRPA.NET. 257 3 5

"AQOnS4xn/IgOUpBPJ3bogzwc

xOdNax071L18QqZnQQQAVVr+i

LhGTnNGp3HoWQLUIzKrJVZ3zg

gy3WwNT6kZo6c0tszYqbtvchm

gQC8CzKojM/W16i6MG/eafGU3

siaOdS0yOI6BgPsw+YZdzlYMa

IJGf4M4dyoKIhzdZyQ2bYQrjy

Q4LB0lC7aOnsMyYKHHYeRvPxj

IQXmdqgOJGq+vsevG06zW+1xg

YJh9rCIfnm1GX/KMgxLPG2vXT

D/RnLX+D3T3UL7HJYHJhAZD5L

59VvjSPsZJHeDCUyWYrvPZesZ

DIRvhDD52SKvbheeTJUm6Ehkz

ytNN2SN96QRk8j/iI8ib";

};

 

options { ...

dnssec-enable yes;

dnssec-validation yes;

};

 

NOTE: None of the keys listed in this example are valid.  In particular, the root key is not valid.

When DNSSEC validation is enabled and properly configured, the resolver will reject any answers from signed, secure zones which fail to validate, and will return SERVFAIL to the client.

Responses may fail to validate for any of several reasons, including missing, expired, or invalid signatures, a key which does not match the DS RRset in the parent zone, or an insecure response from a zone which, according to its parent, should have been secure.

NOTE: When the validator receives a response from an unsigned zone that has a signed parent, it must confirm with the parent that the zone was intentionally left unsigned.  It does this by verifying, via signed and validated NSEC/NSEC3 records, that the parent zone contains no DS records for the child. If the validator can prove that the zone is insecure, then the response is accepted.  However, if it cannot, then it must assume an insecure response to be a forgery; it rejects the response and logs an error. The logged error reads “insecurity proof failed” and “got insecure response; parent indicates it should be secure”.

 

DNSSEC, DYNAMIC ZONES, AND AUTOMATIC SIGNING

As of BIND 9.7.0 it is possible to change a dynamic zone from insecure to signed and back again. A secure zone can use either NSEC or NSEC3 chains.

Converting from insecure to secure

Changing a zone from insecure to secure can be done in two ways: using a dynamic DNS update, or the auto-dnssec zone option.

For either method, you need to configure named so that it can see the K* files which contain the public and private parts of the keys that will be used to sign the zone. These files will have been generated by dnssec-keygen.  You can do this by placing them in the key-directory, as specified in named.conf:

zone example.net {

     type master;

     update-policy local;

     file "example.net";

     key-directory "multinet_common_root:[multinet]";

};

If one KSK and one ZSK DNSKEY key have been generated, this configuration will cause all records in the zone to be signed with the ZSK, and the DNSKEY RR set to be signed with the KSK as well. An NSEC chain will be generated as part of the initial signing process.

 

Dynamic DNS update method

To insert the keys via dynamic update:

$ nsupdate :== $multinet:nsupdate.exe

$ nsupdate

> ttl 3600

> update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y

> update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+

> send

While the update request will complete almost immediately, the zone will not be completely signed until named has had time to walk the zone and generate the NSEC and RRSIG records. The NSEC record at the apex will be added last, to signal that there is a complete NSEC chain.

If you wish to sign using NSEC3 instead of NSEC, you should add an NSEC3PARAM record to the initial update request. If you wish the NSEC3 chain to have the OPTOUT bit set, set it in the flags field of the NSEC3PARAM record.

$ nsupdate

> ttl 3600

> update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y

> update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/

> update add example.net NSEC3PARAM 1 1 100 1234567890

> send

Again, this update request will complete almost immediately; however, the record won’t show up until named has had a chance to build/remove the relevant chain. A private type record will be created to record the state of the operation (see below for more details), and will be removed once the operation completes.

While the initial signing and NSEC/NSEC3 chain generation is happening, other updates are possible as well.

 

Fully automatic zone signing

To enable automatic signing, add the auto-dnssec option to the zone statement in named.conf. auto-dnssec has two possible arguments: allow or maintain.

With auto-dnssec allow, named can search the key directory for keys matching the zone, insert them into the zone, and use them to sign the zone. It will do so only when it receives an rndc sign <zonename> or rndc loadkeys <zonename> command.

auto-dnssec maintain includes the above functionality, but will also automatically adjust the zone’s DNSKEY records on schedule according to the keys’ timing metadata.  If keys are present in the key directory the first time the zone is loaded, it will be signed immediately, without waiting for an rndc sign or rndc loadkeys command. (Those commands can still be used when there are unscheduled key changes, however.)

Using the auto-dnssec option requires the zone to be configured to allow dynamic updates, by adding an allow-update or update-policy statement to the zone configuration. If this has not been done, the configuration will fail.

 

Private-type records

The state of the signing process is signaled by private-type records (with a default type value of 65534). When signing is complete, these records will have a non-zero value for the final octet (for those records which have a non-zero initial octet).

The private type record format:  If the first octet is non-zero then the record indicates that the zone needs to be signed with the key matching the record, or that all signatures that match the record should be removed.

·         algorithm (octet 1)

·         key id in network order (octet 2 and 3)

·         removal flag (octet 4)

·         complete flag (octet 5)

Only records flagged as “complete” can be removed via dynamic update. Attempts to remove other private type records will be silently ignored. If the first octet is zero (this is a reserved algorithm number that should never appear in a DNSKEY record) then the record indicates changes to the NSEC3 chains are in progress. The rest of the record contains an NSEC3PARAM record. The flag field tells what operation to perform based on the flag bits.

·         0x01 OPTOUT

·         0x80 CREATE

·         0x40 REMOVE

·         0x20 NONSEC

 

DNSKEY rollovers

As within secure-to-secure conversions, rolling DNSSEC keys can be done in two ways:  using a dynamic DNS update, or the auto-dnssec zone option.

 

Dynamic DNS update method

To perform key rollovers via dynamic update, you need to add the K* files for the new keys so that named can find them. You can then add the new DNSKEY RRs via dynamic update. named will then cause the zone to be signed with the new keys. When the signing is complete the private type records will be updated so that the last octet is non-zero.

If this is for a KSK you need to inform the parent and any trust anchor repositories of the new KSK.

You should then wait for the maximum TTL in the zone before removing the old DNSKEY.  If it is a KSK that is being updated, you also need to wait for the DS RRset in the parent to be updated and its TTL to expire.  This ensures that all clients will be able to verify at least one signature when you remove the old DNSKEY.

The old DNSKEY can be removed via UPDATE.  Take care to specify the correct key.   named will clean out any signatures generated by the old key after the update completes.

 

Automatic key rollovers

When a new key reaches its activation date (as set by dnssec-keygen or dnssec-settime), if the auto-dnssec zone option is set to maintain, named will automatically carry out the key roll over.  If the key’s algorithm has not previously been used to sign the zone, then the zone will be fully signed as quickly as possible. However, if the new key is replacing an existing key of the same algorithm, then the zone will be re-signed incrementally, with signatures from the old key being replaced with signatures from the new key as their signature validity periods expire. By default, this rollover completes in 30 days, after which it will be safe to remove the old key from the DNSKEY RRset.

 

NSEC3PARAM rollovers via UPDATE

Add the new NSEC3PARAM record via dynamic update. When the new NSEC3 chain has been generated, the NSEC3PARAM flag field will be zero. At this point you can remove the old NSEC3PARAM record. The old chain will be removed after the update request completes.

 

Converting from NSEC to NSEC3

To do this, you just need to add an NSEC3PARAM record. When the conversion is complete, the NSEC chain will have been removed and the NSEC3PARAM record will have a zero flag field. The NSEC3 chain will be generated before the NSEC chain is destroyed.

 

Converting from NSEC3 to NSEC

To do this, use nsupdate to remove all NSEC3PARAM records with a zero flag field. The NSEC chain will be generated before the NSEC3 chain is removed.

 

Converting from secure to insecure

To convert a signed zone to unsigned using dynamic DNS, delete all the DNSKEY records from the zone apex using nsupdate. All signatures, NSEC or NSEC3 chains, and associated NSEC3PARAM records will be removed automatically. This will take place after the update request completes.

This requires the dnssec-secure-to-insecure option to be set to yes in named.conf.

In addition, if the auto-dnssec maintain zone statement is used, it should be removed or changed to allow instead (or it will re-sign).

 

Periodic re-signing

In any secure zone which supports dynamic updates, named will periodically re-sign RRsets which have not been re-signed as a result of some update action.  The signature lifetimes will be adjusted so as to spread the re-sign load over time rather than all at once.

 

NSEC3 and OPTOUT

named supports creating new NSEC3 chains where all the NSEC3 records in the zone have the same OPTOUT state.  named also supports UPDATES to zones where the NSEC3 records in the chain have mixed OPTOUT state.  named does not support changing the OPTOUT state of an individual NSEC3 record, the entire chain needs to be changed if the OPTOUT state of an individual NSEC3 needs to be changed.

 

Dynamic Trust Anchor Management

MultiNet’s version of BIND includes support for RFC 5011, dynamic trust anchor management. Using this feature allows named to keep track of changes to critical DNSSEC keys without any need for the operator to make changes to configuration files.

 

Validating Resolver

To configure a validating resolver to use RFC 5011 to maintain a trust anchor, configure the trust anchor using a managed-keys statement.

 

Authoritative Server

To set up an authoritative zone for RFC 5011 trust anchor maintenance, generate two (or more) key signing keys (KSKs) for the zone. Sign the zone with one of them; this is the “active” KSK. All KSK’s which do not sign the zone are “stand-by” keys.

Any validating resolver which is configured to use the active KSK as an RFC 5011-managed trust anchor will take note of the stand-by KSKs in the zone’s DNSKEY RRset, and store them for future reference.  The resolver will recheck the zone periodically, and after 30 days, if the new key is still there, then the key will be accepted by the resolver as a valid trust anchor for the zone. Any time after this 30-day acceptance timer has completed, the active KSK can be revoked, and the zone can be “rolled over” to the newly accepted key.

The easiest way to place a stand-by key in a zone is to use the “smart signing” features of dnssec-keygen and dnssec-signzone. If the key has a publication date in the past, but an activation date which is unset or in the future, dnssec-signzone -S will include the DNSKEY record in the zone, but will not sign with it:

$ dnssec-keygen -K keys -f KSK -P now -A now+2y example.net

$ dnssec-signzone -S -K keys example.net

To revoke a key, the new command dnssec-revoke has been added. This adds the REVOKED bit to the key flags and re-generates the K*.key and K*.private files.  After revoking the active key, the zone must be signed with both the revoked KSK and the new active KSK. (Smart signing takes care of this automatically.)

Once a key has been revoked and used to sign the DNSKEY RRset in which it appears, that key will never again be accepted as a valid trust anchor by the resolver. However, validation can proceed using the new active key (which had been accepted by the resolver when it was a stand-by key).

See RFC 5011 for more details on key rollover scenarios.

When a key has been revoked, its key ID changes, increasing by 128, and wrapping around at 65535. So, for example, the key Kexample-net-005-10000 becomes Kexample-net-005-10128.

If two keys have ID’s exactly 128 apart, and one is revoked, then the two key ID’s will collide, causing several problems.  To prevent this, dnssec-keygen will not generate a new key if another key is present which may collide. This checking will only occur if the new keys are written to the same directory which holds all other keys in use for that zone.

Older versions of BIND9 did not have this precaution.  Exercise caution if using key revocation on keys that were generated by previous releases, or if using keys stored in multiple directories or on multiple machines.

It is expected that a future release of BIND9 will address this problem in a different way, by storing revoked keys with their original unrevoked key ID’s.