Features/DNSSEC

From FedoraProject

< Features(Difference between revisions)
Jump to: navigation, search
(Large rewrite of text and instructions. Also reflected the default disabled state of DNSSEC)
Line 1: Line 1:
 
= Feature Name =
 
= Feature Name =
DNSSEC - Enable DNSSEC and DLV security extensions for DNS
+
DNSSEC - Enable DNSSEC and DLV security extensions for DNS and prime validating resolvers with DNSSEC keys.
  
 
== Summary ==
 
== Summary ==
DNSSEC (DNS SECurity) is mechanism which can provide integrity and authenticity of DNS data. It became more important after new Kaminsky DNS poisoning attacks were found in early 2008. The most widely used name servers support DNSSEC, though it is only  (bind, unbound)
+
DNSSEC (DNS SECurity) is mechanism which provides integrity and authenticity of DNS data. It became more important after new Kaminsky DNS poisoning attacks were found in early 2008. The most widely used recursing nameservers support DNSSEC. We currently support it for [https://admin.fedoraproject.org/pkgdb/packages/name/bind bind] and [https://admin.fedoraproject.org/pkgdb/packages/name/unbound unbound].
  
 
== Owner ==
 
== Owner ==
Line 12: Line 12:
 
* Targeted release: [[Releases/{{FedoraVersion||next}} | {{FedoraVersion|long|next}} ]]  
 
* Targeted release: [[Releases/{{FedoraVersion||next}} | {{FedoraVersion|long|next}} ]]  
 
* Last updated: 2009-03-03
 
* Last updated: 2009-03-03
* Percentage of completion: 90%
+
* Percentage of completion: 90% (commandline tool [https://admin.fedoraproject.org/pkgdb/packages/name/dnssec-conf dnssec-conf] finished 100%, system-config-dnssec finished 70%)
  
 
== Detailed Description ==
 
== Detailed Description ==
Important servers already support DNSSEC. Main problem is key distribution.
+
Important servers already support DNSSEC. Main problem is key distribution. A full validation path would start at the root (".") but it is not likely that the root will be signed very soon. There are two methods for working around not having a signed root:
 +
* Using Trust Anchor Repositories (TAR's or "batched TAR") for TLD keys
 +
* Using DNSSEC Lookaside Verification (DLV or "live TAR") for enduser domains within an unsigned TLD.
  
Those problems have to be solved:
+
This feature adds support for both TAR and DLV support, using the following approach:  
* supply initial set of DNSSEC keys - especially as long as the Root is not signed (via [https://admin.fedoraproject.org/pkgdb/packages/name/dnssec-conf dnssec-conf] [[rhbug:480567|ReviewRequest]])
+
 
* allow easy way to enable/disable DNSSEC (via dnssec-configure and system-config-dnssec tool)
+
* supply initial set of DNSSEC keys for TLD's (and perhaps some "very important domains")  as long as the root is not signed. This is done via [https://admin.fedoraproject.org/pkgdb/packages/name/dnssec-conf dnssec-conf])
* allow to use ISC DLV registry (via dnssec-configure from dnssec-conf package)
+
* allow easy way to enable/disable DNSSEC via commandline tool dnssec-configure from the  dnssec-conf package (completed)
* support for automated updates from DNS for DNSSEC trust anchors (via autotrust package using the RFC5011 update mechanism). But also allow updates via dnssec-conf package.
+
* allow easy way to enable/disable DNSSEC via GUI tool system-config-dnssec tool (70% completed)
 +
* allow configuration of any DLV Registry, with the default set to [http://dlv.isc.org ISC], using the above two mentioned tools (completed)
 +
* support for automated Trust Anchor Rollovers from DNS information via the [https://admin.fedoraproject.org/pkgdb/packages/nameautotrust autotrust] package using secure RFC5011 update mechanism. This is in addition to updates supplied via the dnssec-conf package. (completed)
  
 
== Benefit to Fedora ==
 
== Benefit to Fedora ==
Our servers 9and clients) will be "invulnerable" against cache poisoning, Kaminsky attacks, spoofing and other known DNS attacks.
+
Our servers (and clients) will be able to use DNSSEC, and be safer against cache poisoning, Kaminsky attacks, spoofing and other known DNS attacks. Fedora machines will also be able to use signed TLD's and individually signed domains in DLV without any additional administration. For example, right now that already gives you DNSSEC for the entire .gov domain, plus a handful of TLD's and a few dozen in-arpa domains including the ENUM zone.
  
 
== Scope ==
 
== Scope ==
* create and add package which will supply initial set of DNSSEC keys (completed)
+
* create and add a package dnssec-conf which will supply initial set of DNSSEC keys to machines. (completed)
* enable DNSSEC in bind and unbound default configurations and include supplied DNSSEC keys
+
* Do not yet enable DNSSEC in default bind and unbound configurations. But make it trivially easy to enable DNSSEC via dnssec-conf. (completed)
* add "autotrust" tool which is implementation of RFC 5011 - Automated Updates of DNS Security (DNSSEC) Trust Anchors
+
* create commandline tool (dnssec-configure from the dnssec-conf package) that will easily enable/disable DNSSEC and which allows to switch between DLV Registries and supplied DNSSEC keys (completed)
* create commandline tool which will easily enable/disable DNSSEC and which allows to switch between DLV and supplied DNSSEC keys (= trust anchors)
+
* add the "autotrust" package which implements RFC 5011 - "Automated Updates of DNS Security (DNSSEC) Trust Anchors". This package includes a daily cronjob that will try to update any configured DNSSEC trust anchors from the dnssec-conf package, and any manually installed trust anchors by the administrator. (completed)
* create system-config-dnssec tool to enable / disable the most important features (30% done)
+
* create system-config-dnssec GUI tool to enable / disable the most important features (70% done)
 +
* Change the default configurations to enable DNSSEC for Fedora-12 (todo for F-12)
 +
== How To Install ==
 +
<pre>
 +
yum install bind-utils
 +
yum install bind (or unbound or both)
 +
yum install dnssec-conf
 +
dnssec-configure --dnssec=on --dlv=on
 +
service named start (or service unbound start)
  
== How To Test ==
+
yum install system-config-dnssec
Check that DNSSEC aware servers work fine.
+
then navigate to System->Administration->DNSSEC
Make sure /etc/resolv.conf points to a DNSSEC enabled nameserver (eg localhost), then run:
+
(system-config-dnssec is not yet finished)
 +
</pre>
 +
 
 +
== How to Test ==
 
<pre>
 
<pre>
  dig +multiline +dnssec forged.test.xelerance.com @yournameserverip
+
  dig +dnssec +multiline -t ns gov. @localhost
 
</pre>
 
</pre>
This should produce a ServFail answer. Run:
+
You should see the AD bit in the reply, as well as the RRSIG signature record:
 
<pre>
 
<pre>
dig +multiline +dnssec +cd forged.test.xelerance.com @yournameserverip
+
$ dig +dnssec +multiline -t ns gov. @127.0.0.1
 +
 +
; <<>> DiG 9.5.1b3-RedHat-9.5.1-0.9.b3.fc10 <<>> +dnssec +multiline -t ns gov. @localhost
 +
;; global options:  printcmd
 +
;; Got answer:
 +
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14948
 +
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1
 +
 
 +
;; OPT PSEUDOSECTION:
 +
; EDNS: version: 0, flags: do; udp: 4096
 +
;; QUESTION SECTION:
 +
;gov. IN NS
 +
 
 +
;; ANSWER SECTION:
 +
gov. 259188 IN NS G.GOV.ZONEEDIT.COM.
 +
gov. 259188 IN NS A.GOV.ZONEEDIT.COM.
 +
gov. 259188 IN NS C.GOV.ZONEEDIT.COM.
 +
gov. 259188 IN NS E.GOV.ZONEEDIT.COM.
 +
gov. 259188 IN NS D.GOV.ZONEEDIT.COM.
 +
gov. 259188 IN NS F.GOV.ZONEEDIT.COM.
 +
gov. 259188 IN NS B.GOV.ZONEEDIT.COM.
 +
gov. 259188 IN RRSIG NS 7 1 259200 20090309210102 (
 +
20090304210102 31802 gov.
 +
N1azd+3+CfHD4YIMukC/cGlNBTvaG6gDOa7KmSy+MmjI
 +
hWiJv+1bHuj3caDrJ98vR4KuyS7xCb/q5J7ParrjtLYV
 +
YWxnB6dDdX8cyhB9NjAuwOmCrmXIM9/3uedKwpbuQK1z
 +
ktWuHp0xbQT1bkxKnqZswASqbqB96lvfryWsAH01M9b9
 +
AOA/FP/iefWLGD/JaDCEfy2DtD2tke7hXNIQZICegoye
 +
oK1VhiOgkRYv6iEdYIH/pBztsP+DfaD5+hdBjQp2/P5b
 +
7LflyjK2S26ZSZ3LAxDgWZGDvCFngCozSaoLq16RO4DU
 +
vVPg33HHycdslVP2s+mtthkW9wcAC9+IMA== )
 +
 
 +
;; Query time: 122 msec
 +
;; SERVER: 193.110.157.136#53(193.110.157.136)
 +
;; WHEN: Wed Mar  4 18:07:11 2009
 +
;; MSG SIZE  rcvd: 451
 
</pre>
 
</pre>
This should produce the forged/broken answer despite its known forgery.
+
If you want to see more DNSSEC related records run:
 
<pre>
 
<pre>
  dig +multiline +dnssec dnssec.se
+
  dig +multiline +dnssec -t any gov. @localhost
 
</pre>
 
</pre>
This should produce an answer with the Authenticated Data bit ("ad") set:
+
 
 +
To verify that forged/broken data is properly refused, you can test against some test zones:
 
<pre>
 
<pre>
;; global options: printcmd
+
  dig +multiline +dnssec forged.test.xelerance.com @localhost
;; Got answer:
+
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23220
+
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
+
 
</pre>
 
</pre>
 +
This should produce a ServFail answer. To force getting the known bad answer, run:
 +
<pre>
 +
dig +multiline +dnssec +cd forged.test.xelerance.com @localhost
 +
</pre>
 +
This should produce the forged/broken answer despite its known forgery.
  
 
== User Experience ==
 
== User Experience ==
Easy setup and maintenance of DNSSEC aware resolver
+
Easy configuration and priming of DNSSEC aware resolvers.
  
 
== Related Packages ==
 
== Related Packages ==
Line 64: Line 117:
 
* [https://admin.fedoraproject.org/pkgdb/packages/name/bind bind]
 
* [https://admin.fedoraproject.org/pkgdb/packages/name/bind bind]
 
* [https://admin.fedoraproject.org/pkgdb/packages/name/nsd nsd]
 
* [https://admin.fedoraproject.org/pkgdb/packages/name/nsd nsd]
* [https://admin.fedoraproject.org/pkgdb/packages/name/autotrust autotrust] [[rhbug:473367|ReviewRequest]]
+
* [https://admin.fedoraproject.org/pkgdb/packages/name/autotrust autotrust]
* [https://admin.fedoraproject.org/pkgdb/packages/name/dnssec-conf dnssec-conf] [[rhbug:480567|ReviewRequest]]
+
* [https://admin.fedoraproject.org/pkgdb/packages/name/dnssec-conf dnssec-conf]
 
* [https://admin.fedoraproject.org/pkgdb/packages/name/sshfp sshfp]
 
* [https://admin.fedoraproject.org/pkgdb/packages/name/sshfp sshfp]
* system-config-dnssec (preview:  [ftp://ftp.xelerance.com/system-config-dnssec]
+
* system-config-dnssec (preview:  [ftp://ftp.xelerance.com/system-config-dnssec])
  
 
== Dependencies ==
 
== Dependencies ==
Line 79: Line 132:
  
 
== Release Notes ==
 
== Release Notes ==
BIND and unbound (recursive DNS servers) have enabled DNSSEC validation in their default configuration. When domain supplies DNSSEC data then that data will be validated on recursive server. If validation fails then certain domain will be unreachable for clients because it indicates attack (or, unfortunately, admin's misconfiguration). DNSSEC is crucial part and next step to make Internet more secure for end users.
+
Bind and unbound (recursive DNS servers) do not have DNSSEC validation enabled in their default configuration, but are ready to be configured and primed for DNSSEC using the dnssec-configure command of the dnssec-conf package.
 +
With DNSSEC enabled, when a domain supplies DNSSEC data (such as .gov, .se, the ENUM zone and other TLD's) then that data will be cryptographically validated on the recursive server. If validation fails, due to attempts at cache poisoning (eg via a Kaminsky Attack) then the enduser will not be given this forged/spoofed data. DNSSEC deployment is gaining speed rapidly, and is a crucial part and the next logical step to make the internet more secure for end users. And now Fedora makes this extremely easy to deploy. On the next version of Fedora, DNSSEC validation will be enabled per default.
  
 
== Comments and Discussion ==
 
== Comments and Discussion ==

Revision as of 23:41, 4 March 2009

Contents

Feature Name

DNSSEC - Enable DNSSEC and DLV security extensions for DNS and prime validating resolvers with DNSSEC keys.

Summary

DNSSEC (DNS SECurity) is mechanism which provides integrity and authenticity of DNS data. It became more important after new Kaminsky DNS poisoning attacks were found in early 2008. The most widely used recursing nameservers support DNSSEC. We currently support it for bind and unbound.

Owner

Current status

  • Targeted release: Fedora 22
  • Last updated: 2009-03-03
  • Percentage of completion: 90% (commandline tool dnssec-conf finished 100%, system-config-dnssec finished 70%)

Detailed Description

Important servers already support DNSSEC. Main problem is key distribution. A full validation path would start at the root (".") but it is not likely that the root will be signed very soon. There are two methods for working around not having a signed root:

  • Using Trust Anchor Repositories (TAR's or "batched TAR") for TLD keys
  • Using DNSSEC Lookaside Verification (DLV or "live TAR") for enduser domains within an unsigned TLD.

This feature adds support for both TAR and DLV support, using the following approach:

  • supply initial set of DNSSEC keys for TLD's (and perhaps some "very important domains") as long as the root is not signed. This is done via dnssec-conf)
  • allow easy way to enable/disable DNSSEC via commandline tool dnssec-configure from the dnssec-conf package (completed)
  • allow easy way to enable/disable DNSSEC via GUI tool system-config-dnssec tool (70% completed)
  • allow configuration of any DLV Registry, with the default set to ISC, using the above two mentioned tools (completed)
  • support for automated Trust Anchor Rollovers from DNS information via the autotrust package using secure RFC5011 update mechanism. This is in addition to updates supplied via the dnssec-conf package. (completed)

Benefit to Fedora

Our servers (and clients) will be able to use DNSSEC, and be safer against cache poisoning, Kaminsky attacks, spoofing and other known DNS attacks. Fedora machines will also be able to use signed TLD's and individually signed domains in DLV without any additional administration. For example, right now that already gives you DNSSEC for the entire .gov domain, plus a handful of TLD's and a few dozen in-arpa domains including the ENUM zone.

Scope

  • create and add a package dnssec-conf which will supply initial set of DNSSEC keys to machines. (completed)
  • Do not yet enable DNSSEC in default bind and unbound configurations. But make it trivially easy to enable DNSSEC via dnssec-conf. (completed)
  • create commandline tool (dnssec-configure from the dnssec-conf package) that will easily enable/disable DNSSEC and which allows to switch between DLV Registries and supplied DNSSEC keys (completed)
  • add the "autotrust" package which implements RFC 5011 - "Automated Updates of DNS Security (DNSSEC) Trust Anchors". This package includes a daily cronjob that will try to update any configured DNSSEC trust anchors from the dnssec-conf package, and any manually installed trust anchors by the administrator. (completed)
  • create system-config-dnssec GUI tool to enable / disable the most important features (70% done)
  • Change the default configurations to enable DNSSEC for Fedora-12 (todo for F-12)

How To Install

 yum install bind-utils
 yum install bind (or unbound or both)
 yum install dnssec-conf
 dnssec-configure --dnssec=on --dlv=on
 service named start (or service unbound start)

 yum install system-config-dnssec
 then navigate to System->Administration->DNSSEC
 (system-config-dnssec is not yet finished)

How to Test

 dig +dnssec +multiline -t ns gov. @localhost

You should see the AD bit in the reply, as well as the RRSIG signature record:

$ dig +dnssec +multiline -t ns gov. @127.0.0.1
 
; <<>> DiG 9.5.1b3-RedHat-9.5.1-0.9.b3.fc10 <<>> +dnssec +multiline -t ns gov. @localhost
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14948
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;gov.			IN NS

;; ANSWER SECTION:
gov.			259188 IN NS G.GOV.ZONEEDIT.COM.
gov.			259188 IN NS A.GOV.ZONEEDIT.COM.
gov.			259188 IN NS C.GOV.ZONEEDIT.COM.
gov.			259188 IN NS E.GOV.ZONEEDIT.COM.
gov.			259188 IN NS D.GOV.ZONEEDIT.COM.
gov.			259188 IN NS F.GOV.ZONEEDIT.COM.
gov.			259188 IN NS B.GOV.ZONEEDIT.COM.
gov.			259188 IN RRSIG	NS 7 1 259200 20090309210102 (
				20090304210102 31802 gov.
				N1azd+3+CfHD4YIMukC/cGlNBTvaG6gDOa7KmSy+MmjI
				hWiJv+1bHuj3caDrJ98vR4KuyS7xCb/q5J7ParrjtLYV
				YWxnB6dDdX8cyhB9NjAuwOmCrmXIM9/3uedKwpbuQK1z
				ktWuHp0xbQT1bkxKnqZswASqbqB96lvfryWsAH01M9b9
				AOA/FP/iefWLGD/JaDCEfy2DtD2tke7hXNIQZICegoye
				oK1VhiOgkRYv6iEdYIH/pBztsP+DfaD5+hdBjQp2/P5b
				7LflyjK2S26ZSZ3LAxDgWZGDvCFngCozSaoLq16RO4DU
				vVPg33HHycdslVP2s+mtthkW9wcAC9+IMA== )

;; Query time: 122 msec
;; SERVER: 193.110.157.136#53(193.110.157.136)
;; WHEN: Wed Mar  4 18:07:11 2009
;; MSG SIZE  rcvd: 451

If you want to see more DNSSEC related records run:

 dig +multiline +dnssec -t any gov. @localhost

To verify that forged/broken data is properly refused, you can test against some test zones:

 dig +multiline +dnssec forged.test.xelerance.com @localhost

This should produce a ServFail answer. To force getting the known bad answer, run:

 dig +multiline +dnssec +cd forged.test.xelerance.com @localhost

This should produce the forged/broken answer despite its known forgery.

User Experience

Easy configuration and priming of DNSSEC aware resolvers.

Related Packages

Dependencies

None

Contingency Plan

Disable DNSSEC by default

Documentation

http://www.dnssec.net/

Release Notes

Bind and unbound (recursive DNS servers) do not have DNSSEC validation enabled in their default configuration, but are ready to be configured and primed for DNSSEC using the dnssec-configure command of the dnssec-conf package. With DNSSEC enabled, when a domain supplies DNSSEC data (such as .gov, .se, the ENUM zone and other TLD's) then that data will be cryptographically validated on the recursive server. If validation fails, due to attempts at cache poisoning (eg via a Kaminsky Attack) then the enduser will not be given this forged/spoofed data. DNSSEC deployment is gaining speed rapidly, and is a crucial part and the next logical step to make the internet more secure for end users. And now Fedora makes this extremely easy to deploy. On the next version of Fedora, DNSSEC validation will be enabled per default.

Comments and Discussion