< Networking | NameResolution | DNSSEC
Configuration requirements
The main network configuration tool is NetworkManager. When using DNSSEC it is combined with dnssec-trigger via a script shipped in the dnssec-trigger package.
Common operations
With or without DNSSEC, NetworkManager gathers the list of recursive name servers from DHCP and/or configuration. The purpose of those name servers is to answer DNS queries including those for DNSSEC records. Those name servers are not meant to be trusted for anything else than attempting to answer the queries and especially not for performing DNSSEC validation.
Without DNSSEC
When DNSSEC is not in use, the easiest way to handle the list of name servers is to put them into /etc/resolv.conf so that the stub resolver can do its job.
As /etc/resolv.conf doesn't support advanced configuration, it is often useful to instead configure a local recursive DNS server (e.g dnsmasq or unbound) with the name server list and point the stub resolver to the local host using /etc/resolv.conf.
With DNSSEC
When DNSSEC is in use, after gathering the recursive nameservers, NetworkManager reconfigures a local unbound instance using dnssec-trigger. In this case the stub resolver should point to the local unbound instance and it should be instructed that the local unbound instance is not just an ordinary recursive name server but also a trusted DNSSEC validator.
Notes
Problem: There is currently no way to distinguish ordinary recursive name servers and trusted DNSSEC validators in the stub resolver configuration, see later.
DNSSEC requirements on the stub resolver
Glossary
Recursive name server – DNS server used by the system to gather DNS data
Trusted validator – DNS server used by the system to verify DNSSEC signatures
Expected behavior
Hi,
Those distribution policies have been correct for ages. Before DNSSEC was created, noone would question them.
We were looking for a solution where:
1) Application or security library can trust the data from glibc resolver including security information.
2) Resolver can provide unauthenticated DNS data when in non-DNSSEC mode and the list of recursive name servers is configured by a system administrator or an automated tool.
3) Resolver can provide autenticated DNS data when in DNSSEC mode andthe list of trusted resolvers is provided by the system administrator (rarely) or by an automated tool (in most cases giving just 127.0.0.1).
The most important thing is that the application never receives autenticated data that were only verified by an ordinary recursive server. That would mean an implicit trust in an unauthorized and unexpected DNSSEC validator.
Note that a recursive name server is typically a host on the local network announced by DHCP while a trusted validator is typically the local machine which itself is talking to a recursive name server.
Current status
The current implementation in glibc doesn't achieve the goals stated above and doesn't prevent the security problem of implicitly using foreign recursive name servers as trusted DNSSEC validators.
We have an experimental implementation using '/etc/resolv-secure.conf' that solves the problem. I'm looking forward to see any alternatives. The issue has been holding back DNSSEC deployment for long and might cause a lot of damage.
Solution: Separate file where all DNS servers are DNSSEC validators
We have an experimental solution that relies on a separate resolv-secure.conf file. As opposed to /etc/resolv.conf typically containing the list of recursive name servers, resolv-secure.conf contains a list of trusted DNSSEC validators in form of validating DNSSEC servers. The list typically includes a single DNSSEC validator which is running on the local host.
Advantages
- The file can be separately protected using mandatory access control. The whole stub resolver configuration is protected.
- The syntax is identical to
/etc/resolv.conf. On a DNSSEC enabled system,/etc/resolv.confcan be just a symlink to/etc/resolv.conf.
Alternative solution: option secure-nameserver
Use a special
Risks
- The configuration file could not be protected by mandatory access control while at the same time allowing tools to write a
/etc/resolv.confconfiguration when not using DNSSEC.
Alternative solution: option secure-dns
(or for example option trust-dnssec-validation)
Mark /etc/resolv.conf configuration as secure when providing the list of secure DNSSEC validators.
Risks
- An existing tool might rewrite the list of name servers and keep the unknown options including
option secure-dns.
Alternative solution: option insecure-dns
Mark /etc/resolv.conf configuration explicitly as insecure unless providing the list of secure DNSSEC validators.
Risks
- Existing
/etc/resolv.conffiles would be wrongly considered secure for DNSSEC validation. - Existing tools would generate such files.
FAQ
Why is it wrong to implicitly trust the AD flag from recursive name servers
AD flag is how a validating name server informs the requester that the returned DNS data have been successfully validated using the DNSSEC mechanism.
There is a huge difference between using an untrusted recursive name server to retrieve DNS data and using an untrusted DNSSEC validator. DNSSEC works well with untrusted recursive name servers but its security is jeopardized by using them as DNSSEC validators. Applications may attribute additional trust to the validated data especially when they contain security keys for TLS, SSH and other authenticated protocols.
Trusting a random DNSSEC validator is like trusting a random security certificate.
Does DNSSEC work on untrusted or public networks?
Yes. There is no such concept as trusted or untrusted network in DNSSEC. The confusion comes from the distinction between a recursive name server (used by the system to retrieve DNS data) and a DNSSEC validator (which is typically a validating name server running on the local host).
For DNSSEC, all we need is to never implicitly use recursive name servers as trusted DNSSEC validators. In our opinion, the preferred way to implement that is to avoid passing security information from ordinary recursive name servers (not configured as trusted DNSSEC validators).
Does NetworkManager need to keep track of trusted DNSSEC validators
No. When working with dnssec-trigger, NetworkManager only needs to keep track of learnt and configured recursive name servers. The list of trusted DNSSEC validators always contains a single unbound instance running on the local host.
TODO
Some terms might need to be improved, especially recursive name server doesn't really say what we want to say which is a name server that is used by the system to gather necessary DNS data.