DNSSEC - Enable DNSSEC and DLV security extensions for DNS and prime validating resolvers with DNSSEC keys.
DNSSEC (DNS SECurity) is mechanism which provides integrity and authenticity of DNS data. It became more important after new Kaminsky DNS poisoning attacks were found in early 2008. The most widely used recursing nameservers support DNSSEC. We currently support it for bind and unbound.
- Targeted release: Fedora 22
- Last updated: 2009-03-11
- Percentage of completion: 99% (commandline tool dnssec-conf and bind/unbound integration finished 100%, GUI system-config-dnssec finished 70%)
Important DNS nameserver software and some TLD's already support DNSSEC. Main problem is key distribution. A full validation path would start at the root (".") but it is not likely that the root will be signed very soon. There are two methods for working around not having a signed root:
- Using Trust Anchor Repositories (TAR's or "batched TAR") for TLD keys
- Using DNSSEC Lookaside Verification (DLV or "live TAR") for enduser domains within an unsigned TLD.
This feature adds support for both TAR and DLV support, using the following approach:
- supply initial set of DNSSEC keys for TLD's (and perhaps some "very important domains") as long as the root is not signed. This is done via dnssec-conf) (completed)
- allow easy way to enable/disable DNSSEC via commandline tool dnssec-configure from the dnssec-conf package (completed)
- allow easy way to enable/disable DNSSEC via GUI tool system-config-dnssec tool (70% completed)
- allow configuration of any DLV Registry, with the default set to ISC, using the above two mentioned tools (completed)
- support for automated Trust Anchor Rollovers from DNS information via the autotrust package using secure RFC5011 update mechanism. This is in addition to updates supplied via the dnssec-conf package. (completed)
Benefit to Fedora
Our servers (and clients) will be able to use DNSSEC, and be safer against cache poisoning, Kaminsky attacks, spoofing and other known DNS attacks. Fedora machines will also be able to use signed TLD's and individually signed domains in DLV without any additional administration. For example, right now that already includes DNSSEC for the entire .gov domain, plus a handful of TLD's and a few dozen in-arpa domains including the ENUM zone.
- create and add a package dnssec-conf which will supply initial set of DNSSEC keys to machines. (completed)
- Do not yet enable DNSSEC in default bind and unbound configurations. But make it trivially easy to enable DNSSEC via dnssec-conf. (completed)
- create commandline tool (dnssec-configure from the dnssec-conf package) that will easily enable/disable DNSSEC and which allows to switch between DLV Registries and supplied DNSSEC keys (completed)
- add the "autotrust" package which implements RFC 5011 - "Automated Updates of DNS Security (DNSSEC) Trust Anchors". This package includes a daily cronjob that will try to update any configured DNSSEC trust anchors from the dnssec-conf package, and any manually installed trust anchors by the administrator. (completed)
- create system-config-dnssec GUI tool to enable / disable the most important features (70% done)
- Update the Bind and Unbound packages so the default configurations enable DNSSEC for Fedora-11
How To Install
yum install bind-utils yum install bind (or unbound or both) service named start (or unbound or both)
This installation should bring in dnssec-conf. Starting the daemon once will update the DNSSEC and DLV settings for the daemons. You can verify the installation and configuration using:
DNSSEC is enabled per default. DLV is also enabled per default, and uses dlv.isc.org as the DLV Registry. If you want to disable DNSSEC or DLV, edit /etc/sysconfig/dnssec. After changing this file, restart the daemon you were using:
service named restart (or service unbound restart)
For the GUI, use
yum install system-config-dnssec
Navigate to System->Administration->DNSSEC
(system-config-dnssec is not yet finished)
How to Test
dig +dnssec +multiline -t ns gov. @localhost
You should see the AD ("Authenticated Data") bit in the reply, as well as the RRSIG signature record:
$ dig +dnssec +multiline -t ns gov. @127.0.0.1 ; <<>> DiG 9.5.1b3-RedHat-9.5.1-0.9.b3.fc10 <<>> +dnssec +multiline -t ns gov. @localhost ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14948 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;gov. IN NS ;; ANSWER SECTION: gov. 259188 IN NS G.GOV.ZONEEDIT.COM. gov. 259188 IN NS A.GOV.ZONEEDIT.COM. gov. 259188 IN NS C.GOV.ZONEEDIT.COM. gov. 259188 IN NS E.GOV.ZONEEDIT.COM. gov. 259188 IN NS D.GOV.ZONEEDIT.COM. gov. 259188 IN NS F.GOV.ZONEEDIT.COM. gov. 259188 IN NS B.GOV.ZONEEDIT.COM. gov. 259188 IN RRSIG NS 7 1 259200 20090309210102 ( 20090304210102 31802 gov. N1azd+3+CfHD4YIMukC/cGlNBTvaG6gDOa7KmSy+MmjI hWiJv+1bHuj3caDrJ98vR4KuyS7xCb/q5J7ParrjtLYV YWxnB6dDdX8cyhB9NjAuwOmCrmXIM9/3uedKwpbuQK1z ktWuHp0xbQT1bkxKnqZswASqbqB96lvfryWsAH01M9b9 AOA/FP/iefWLGD/JaDCEfy2DtD2tke7hXNIQZICegoye oK1VhiOgkRYv6iEdYIH/pBztsP+DfaD5+hdBjQp2/P5b 7LflyjK2S26ZSZ3LAxDgWZGDvCFngCozSaoLq16RO4DU vVPg33HHycdslVP2s+mtthkW9wcAC9+IMA== ) ;; Query time: 122 msec ;; SERVER: 188.8.131.52#53(184.108.40.206) ;; WHEN: Wed Mar 4 18:07:11 2009 ;; MSG SIZE rcvd: 451
If you want to see more DNSSEC related records run:
dig +multiline +dnssec -t any gov. @localhost
To test the DLV, try to resolve a known DLV entry that does not occur in a DNSSEC signed zone (and is not loaded explicitely, such as dlv.isc.org), for example:
dig +dnssec +multiline -t ns isc.org.
To verify that forged/broken data is properly refused, you can test against some test zones:
dig +multiline +dnssec forged.test.xelerance.com @localhost
This should produce a ServFail answer. To force getting the known bad answer, run:
dig +multiline +dnssec +cd forged.test.xelerance.com @localhost
This should produce the forged/broken answer despite its known forgery.
To test the denial of existence, you can query a non-existing domain in a dnssec siged zone, eg:
dig +dnssec +multiline -t ns thisdoesnotexist.se.
This should return a the same "AD" bit, as well as an NSEC record. In this case:
thisdesertlife.se. 7200 IN NSEC thisell.se. NS RRSIG NSEC
This is a signed response saying your domain thisdoesnotexist.se does not exist. The signed entry here starts with "thisdesertlife.se." and the next record is "thisell.se". Since "thisdoesnotexist.se" would fall in between these two, this (sgned) record would only exist if "thisdoesnotexist.se" would not exist. To avoid revealing other domain names, another more complex method, called NSEC3, can be used. This is in use wth .gov, so you will see that manually validating that answer is much harder. For details on NSEC3, see RFC-5155
Easy configuration and priming of DNSSEC aware resolvers.
Disable DNSSEC and/or DLV by default in /etc/sysconfig/dnssec and release a software update of dnssec-conf
Bind and unbound (recursive DNS servers) now enable DNSSEC validation in their default configuration. DNSSEC Lookaside Verification (DLV) is not yet enabled. This behaviour can be modified in /etc/sysconfig/dnssec by changing the DNSSEC and DLV settings.
With DNSSEC enabled, when a domain supplies DNSSEC data (such as .gov, .se, the ENUM zone and other TLD's) then that data will be cryptographically validated on the recursive DNS server. If validation fails, due to attempts at cache poisoning (eg via a Kaminsky Attack) then the enduser will not be given this forged/spoofed data. DNSSEC deployment is gaining speed rapidly, and is a crucial part and the next logical step to make the internet more secure for end users.