Hello BIND Community.

Looking forward to your suggestions and advice on setting up DNSSEC-enabled 
zones on multiple master/primary authoritative DNS servers (nameservers) with 
synced/replicated common shared directories/volume.


Please skip the section(s) that you don't need to read/scan,

and go to the QUESTIONS, the last section.


OBJECTIVES (END-RESULT):

Trying to achieve HA 
(High-Availability<https://en.wikipedia.org/wiki/High_availability>), so that, 
as long as 1 master/primary is up/running, my domains are still available 
to the world, allowing users to obtain DNSSEC-verified domain-name to 
IP-address resolution, etc., from BIND DNS server services.



RESOURCES:

• Servers : rented 3 servers in 3 locations from different server providers.

• Domain : I have multiple domains from domain providers (registrars). Here I 
will use "example.com".

• Each server has 1 IPv4-address, 1 IPv6-address.

• Domain provider's "Use your own Nameserver" is pointed to 3 hostnames on 3 
nameservers : n1.example.com ( 192.10.2.11 , 2001:db8:1::1 ) , n2.example.com ( 
198.51.100.12 , 2001:db8:2::2 ) , n3.example.com ( 203.0.113.13 , 2001:db8:3::3 
) IP-addresses.

• Each IP address has its RDNS set up to correspond to and match the 
nameserver's hostname.

• Using Debian GNU/Linux 12 (bookworm) OS on each server. ( Server operators can 
use any other OS, it's their choice/preference. ) ( By the way, Debian GNU/Linux 
is the base of Ubuntu Linux, kind of similar to how Red Hat Enterprise GNU/Linux is 
the base of Fedora Linux. )

• Using ISC BIND9 (9.18.0 , specifically now : 9.18.28) DNS server software on 
each server. ( Server operators can use any other DNS server, it's their 
choice/preference. )


ABOUT FILE/DIRECTORY REPLICATION:

• For directory & file replication/sync purposes, using Gluster software ( 
1<https://en.wikipedia.org/wiki/Gluster> , 
2<https://docs.gluster.org/en/latest/> , 
3<https://serverfault.com/a/1165339/217110> , 
4<https://www.howtoforge.com/how-to-install-glusterfs-on-debian-12/> ). ( There 
are many other choices for server operators: Multi-Master 
Replication<https://en.wikipedia.org/wiki/Multi-master_replication> , 
List<https://en.wikipedia.org/wiki/List_of_cluster_management_software> ), it's 
their own choice what suits best/works for their need/purpose.

• When any file/directory changes ( e.g. on the "n1" server ) , the 
replication/sync software that is installed/monitoring will, nearly 
immediately or within a few seconds, begin to make the same changes to the same 
file/dir on the server operator's other servers ( n2 , n3 ) that are members of 
the replication/sync volume/directory. This replication software uses a time 
server to have accurate time. Whichever edit/creation/deletion/modification is 
done last takes priority and is duplicated/replicated/synced.



SHARED/COMMON STORAGE/VOLUME/DIRECTORY:

• I created a large file ("data-s1.img"), ~ 300 MB in size, inside the 
root partition, at "/storage/s1/data-s1.img". Formatted it with the XFS 
filesystem creation tools. Attached the large file to a loop block device. 
Mounted it on the "/data/s1" directory. Created a systemd service 
"mount-storage.service" in Debian to do the previous steps one after another, 
so that it can succeed in mounting during boot (as "/etc/fstab" was not 
suitable for this purpose). Others can create/use a 2nd partition on the same 
storage drive (e.g. "/dev/sda2") or add another storage drive (e.g. "/dev/sdb") 
to the server. Others can use a script (or "/etc/fstab") during boot to mount, 
etc.

• After the above steps, the replication software (Gluster) was used to create 
the replication volume "v1" inside the storage mount point ("/data/s1"), so it 
became "/data/s1/v1". I configured Gluster to enable an SSL/TLS-based secure 
connection for the replication process. Gluster also needs the user to mount 
the volume as a "glusterfs" type mount point to monitor data r/w & replicate, 
and that is done at the "/mnt/vol/v1" mount point of volume "v1". Followed the 
steps here<https://serverfault.com/a/1165339/217110> (and changed file/dir 
names).

• The files+dirs under "/mnt/vol/v1/" are replicated/synced on each server, 
available/accessible on each server in the same location, with exactly the 
same contents.

• Created the "/mnt/vol/v1/etc/bind" directory for BIND (aka named, aka DNS 
server, aka nameserver) software usage. Applied : chgrp bind /mnt/vol/v1/etc/bind

• Moved the "zones" dir+files from "/etc/bind" on the "n1" server into the 
"/mnt/vol/v1/etc/bind/n1/" directory, and did similarly for the "n2" & "n3" 
servers. Moved the "keys" dir+files from "/etc/bind" on "n1" into the 
"/mnt/vol/v1/etc/bind/n1" directory, and did similarly for "n2" & "n3".

• So, the "/mnt/vol/v1/etc/bind/keys" & "/mnt/vol/v1/etc/bind/zones" 
folders/directories are COMMON for all servers: "n1", "n2", "n3".

• "n1" uses the "/mnt/vol/v1/etc/bind/n1/keys" dir & 
"/mnt/vol/v1/etc/bind/n1/zones" dir, so I created symlinks that point to 
the replicated/synced mount point, commands : ln -s 
"/mnt/vol/v1/etc/bind/n1/keys" "/etc/bind/keys" ; ln -s 
"/mnt/vol/v1/etc/bind/n1/zones" "/etc/bind/zones" ;

• "n2" uses the "/mnt/vol/v1/etc/bind/n2/keys" dir & 
"/mnt/vol/v1/etc/bind/n2/zones" dir, and created symlinks as shown above.

• "n3" uses the "/mnt/vol/v1/etc/bind/n3/keys" dir & 
"/mnt/vol/v1/etc/bind/n3/zones" dir, and created symlinks as shown above.

• Added permissions in the AppArmor "/etc/apparmor.d/local/usr.sbin.named" file 
for BIND/named, so that BIND/named can use the "v1" replicated-volume "/mnt/vol/v1" 
BIND directories : /mnt/vol/v1/etc/bind , /mnt/vol/v1/etc/bind/zones , 
/mnt/vol/v1/etc/bind/keys , /mnt/vol/v1/etc/bind/n1/zones , 
/mnt/vol/v1/etc/bind/n1/keys on the n1 server ( and I have done similarly for n2 & 
n3 ). Then applied the changes with the command : apparmor_parser -r 
/etc/apparmor.d/usr.sbin.named

• Also applied or re-checked that the ownership-and-permission (O&P) convention 
used and recommended by BIND/named for directories & files is applied to the 
dirs+files inside "/mnt/vol/v1/etc/bind", etc.



DNSSEC & DNS:

• Each nameserver has the BIND DNS server named daemon software. Each BIND needs 
to be authoritative for my domains ("example.com" , "example2.com", etc) & 
respond to any DNS server's/client's query for my domains & for my subnet's 
reverse zone. And each BIND DNS server also needs to serve/perform as a 
recursive DNS resolver for any queries made to "localhost" ( 127.0.0.1 , ::1 
).

• Followed various related steps as much as possible from "DNSSEC Howto for BIND 
9.9+<https://wiki.debian.org/DNSSEC%20Howto%20for%20BIND%209%2E9%2B>", the ISC 
BIND docs for 
9.18.28<https://downloads.isc.org/isc/bind9/9.18.28/doc/arm/html/> ( which I'm 
using now while writing this msg ), etc. Debian OS will update BIND in the 
distro's repo, & then my/the operator's servers will be updated to that version. For 
the next/latest version, go to the ISC BIND download page 
here<https://www.isc.org/download/>, search for the word "PDF", and select/click 
on the HTML / PDF doc version that you want to read/follow.

• As each nameserver has different IP addresses, I've kept the "named.conf", 
"named.conf.local" and "named.conf.options" files in the /etc/bind of the server 
itself, for faster loading.

• The "named.conf" file has BIND ACLs and include directives. This file has the 
same content on each server. It has " acl LocalHostR { 127.0.0.1; ::1; } ;  
acl LocalHostRv4 { 127.0.0.1; } ;  acl LocalHostRv6 { ::1; } ;  acl BlockedNets { 
0.0.0.0/8 ; 192.0.2.0/24 ; 224.0.0.0/3 ; 10.0.0.0/8 ; 172.16.0.0/12 ; 
192.168.0.0/16 ; } ; acl N1-IPv4 { 192.10.2.11; } ; acl N1-IPv6 { 
2001:db8:1::11; }; ", etc, (remove quote symbols). ( I added more IPv4 & IPv6 
to BlockedNets later. )

• The "named.conf.local" file has forward zone & reverse zone declarations : 
each zone has the "type primary;" directive/option set, each zone has a "file" 
directive with the file located in the replicated volume. Each local zone & 
each local reverse zone (for IP addresses) has "allow-query { LocalHostR; };". 
Each of my domains' zone declarations (i.e: "zone "example.com" { ... };"), & the 
reverse zone for my own subnet, has "allow-query { any; };".

• My domain "example.com" zone declaration in the "named.conf.local" file : " zone 
"n1.example.com" { type master ; file 
"/mnt/vol/v1/etc/bind/zones/db.example.com" ; allow-query { any; } ; 
serial-update-method unixtime ; key-directory "/mnt/vol/v1/etc/bind/n1/keys" ; 
dnssec-policy opPolicy ; inline-signing yes ; notify no ; }; " (remove quote 
symbols). We allowed queries from anyone. By the way, I also have a sub-domain 
zone declared in the "named.conf.local" file as zone : " zone "ns.example.com" { … 
}; ", nearly the same as "example.com".

• The "named.conf.options" file has the "dnssec-policy "opPolicy" { ... };", 
"options { ... };" and "logging { ... };" sections/declarations. Logging uses 
the server's "/var/log/named" dir ( into the "Update_Debug.log" , "Security.log" , 
"BIND.log" files ).

• The "options { … };" in the "named.conf.options" file :  " options { recursion 
yes ; allow-recursion { LocalHostR; } ; allow-query-cache { LocalHostR; } ; 
allow-query-cache-on { LocalHostR; } ; allow-query { LocalHostR; } ; 
allow-recursion-on { LocalHostR; } ; empty-zones-enable yes ; blackhole { 
BlockedNets; } ; allow-transfer { none; } ; auth-nxdomain no ; listen-on { 
N1-IPv4; LocalHostRv4; } ; listen-on-v6 { N1-IPv6; LocalHostRv6; }; rate-limit 
{ ... }; }; " (remove quote symbols). We restricted recursion by allowing only 
LocalHostR, not external, not BlockedNets.

• The DNS server, for the non-DNSSEC part of DNS-related queries & responses for 
domain(s), IPv4 addresses, IPv6 addresses, etc (forward lookup/resolve, subnet 
IP-address reverse resolve/lookup), is WORKING FINE from n1 & n2 & n3. 
Authoritative mode is working for my domains. And "localhost" inside the server 
can also provide website-name/domain-name to IP-address resolution responses to 
the local software/daemons/clients that are running inside the server.

• To ENABLE DNSSEC : I added "dnssec-validation auto;" inside "options" inside 
the "named.conf.options" file, I added "key-directory 
"/mnt/vol/v1/etc/bind/n1/keys" ; inline-signing yes;" in "zone "example.com" { 
... };" in the "named.conf.local" file, etc. ( Changed "n1" to "n2" for the "n2" 
server, & similarly on n3. )

• For the "dnssec-policy" directive about KSK & ZSK cert+key creation, usage 
period, signing, validity, verification, etc., I'm using shorter TTL periods, 
etc., so that dnssec/dns config lines can be changed+applied quickly during the 
DNSSEC setup phase : dnssec-policy "opPolicy" {  ksk lifetime P88D algorithm 
RSASHA256 ;  zsk lifetime 22D algorithm RSASHA256 ; dnskey-ttl PT10M ;  
publish-safety P2D ;  retire-safety P3D ;  purge-keys P3D ; signatures-refresh 
P5D ;  signatures-validity P10D ;  signatures-validity-dnskey P11D ; 
max-zone-ttl PT30M ;  zone-propagation-delay PT1H ;  parent-ds-ttl PT1H ;  
parent-propagation-delay PT1H ; nsec3param iterations 0 optout yes salt-length 
0 ;  };


Now finally into the

QUESTIONS:

• How can I create 1 KSK key ( on the "n1" server first ) for a (single) domain 
("example.com"), get the DS record from the KSK key and add that 1 DS at the 
domain provider ( to send to the TLD ), & configure the other 2 nameservers ( n2 , 
n3 ) to use that 1 DS record from the TLD & use that same/common 1 KSK file from 
the synced/replicated directory, while "type master;" is set for my domain/zone 
on each nameserver ?

( Using 3 KSKs & their 3 DS records at the domain provider did not work; it 
created error indicators in DNSViz & on the "DNSSEC-Analyzer.VerisignLabs" test 
site when each nameserver used separate directories, files, etc. )

• If I specify the same/COMMON (replicated) dir "/mnt/vol/v1/etc/bind/keys" & 
"/mnt/vol/v1/etc/bind/zones/zonename" inside the 3 nameservers' "named.conf.local" 
file domains/zones, can the BIND DNS server add its own RRSIG response/lines for 
DNS records (into the same zone file) without removing the earlier or other 
nameservers' RRSIG lines (unless the related ZSK key/period expired) ?

• How do I disable/clean/move/backup the earlier DNSSEC keys/usages, & set up 
DNSSEC completely anew ? ( Our zone TTLs are short, 7m to 1h, (during the 
setup/test phase), so within 7m to an hour all older records should be discarded 
from caches. )


Thanks in advance for helpful responses.

Erik.

Erik T Ashfolk.
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
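The first question above asks how to take one KSK and turn it into the DS record that goes to the registrar. The script below is an added example, not code from the original post or from ISC; it re-implements offline what BIND's own `dnssec-dsfromkey -2 Kexample.com.+008+NNNNN.key` prints, and adds one check a practitioner wants before sharing key files between hosts: the key tag in a `K<zone>.+<alg>+<tag>.key` file name is recomputed from the key inside and must match, because a copied or renamed key whose tag disagrees with the DS at the parent fails validation exactly the way DNSViz reports. The key material is constructed (a few fixed bytes, not a real RSA public key), so the digest it prints is not a usable DS; point `main()` at a real key directory to get real output. Two operational caveats from the BIND ARM for `dnssec-policy`: named keeps each key's rollover state in a `.state` file next to the `.key`/`.private` files and advances rollovers on its own timers, so three independent signers sharing one key directory means three processes editing the same key state; and after the DS is at the parent, named must be told so with `rndc dnssec -checkds published example.com`, which is also what moves the KSK out of the publish phase.

```python
"""Find the KSK(s) in a BIND key directory and derive their DS records (RFC 4034).

Added example: re-implements the `dnssec-dsfromkey -2` computation and
verifies that each file name's key tag matches the DNSKEY it contains.
SAMPLE_KEY_DIR below is constructed test data, not real key material.
"""
import base64
import hashlib
import os
import re
import struct
import sys

# BIND key file name: K<owner>.+<alg, 3 digits>+<keytag, 5 digits>.key
KEY_FILE_RE = re.compile(r"^K(?P<name>.+)\.\+(?P<alg>\d{3})\+(?P<tag>\d{5})\.key$")


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire form of an owner name, RFC 4034 s6.2."""
    labels = [lbl for lbl in name.rstrip(".").lower().split(".") if lbl]
    return b"".join(struct.pack("B", len(lbl)) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def parse_dnskey_rr(line: str):
    """Parse 'owner [ttl] [IN] DNSKEY flags proto alg base64...' (the RR line of a .key file)."""
    fields = line.split()
    i = fields.index("DNSKEY")
    owner = fields[0]
    flags, proto, alg = int(fields[i + 1]), int(fields[i + 2]), int(fields[i + 3])
    pubkey = base64.b64decode("".join(fields[i + 4:]))  # base64 may be split across fields
    return owner, flags, proto, alg, pubkey


def dnskey_rdata(flags: int, proto: int, alg: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return struct.pack("!HBB", flags, proto, alg) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (16-bit sum over the RDATA, carry folded in)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def is_ksk(flags: int) -> bool:
    """KSK = ZONE bit (0x0100) plus SEP bit (0x0001), i.e. flags 257."""
    return (flags & 0x0101) == 0x0101


def ds_record(owner: str, flags: int, proto: int, alg: int, pubkey: bytes, digest_type: int = 2) -> str:
    """DS RR text for a DNSKEY. Digest = hash(owner_wire || DNSKEY RDATA); type 2 = SHA-256."""
    rdata = dnskey_rdata(flags, proto, alg, pubkey)
    hasher = hashlib.sha256 if digest_type == 2 else hashlib.sha1
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {alg} {digest_type} {digest}"


def ksk_ds_from_key_dir(files: dict) -> list:
    """files: {filename: contents} of a key directory. Returns DS lines for every KSK.
    Raises ValueError if a file name's key tag disagrees with the key it contains."""
    out = []
    for fname in sorted(files):
        m = KEY_FILE_RE.match(fname)
        if not m:
            continue  # .private, .state and other files carry no DNSKEY RR
        rr_line = next(ln for ln in files[fname].splitlines() if ln and not ln.startswith(";"))
        owner, flags, proto, alg, pub = parse_dnskey_rr(rr_line)
        tag = key_tag(dnskey_rdata(flags, proto, alg, pub))
        if tag != int(m.group("tag")):
            raise ValueError(f"{fname}: name says key tag {m.group('tag')}, key computes {tag}")
        if is_ksk(flags):
            out.append(ds_record(owner, flags, proto, alg, pub))
    return out


def _key_file(owner: str, flags: int, pub: bytes, note: str) -> str:
    b64 = base64.b64encode(pub).decode()
    return f"; {note} for {owner}\n{owner} 3600 IN DNSKEY {flags} 3 8 {b64}\n"


# Constructed sample directory: one KSK (tag 1292) and one ZSK (tag 1291); the
# "public keys" are fixed bytes chosen so the tags can be checked by hand.
SAMPLE_KEY_DIR = {
    "Kexample.com.+008+01292.key": _key_file("example.com.", 257, b"\x01\x03" + b"\xaa" * 6, "key-signing key"),
    "Kexample.com.+008+01291.key": _key_file("example.com.", 256, b"\x01\x03" + b"\x55" * 6, "zone-signing key"),
    "Kexample.com.+008+01292.state": "; state files contain no DNSKEY RR\n",
}


def main(argv):
    if len(argv) > 1:  # real key directory, e.g. /mnt/vol/v1/etc/bind/n1/keys
        files = {f: open(os.path.join(argv[1], f), encoding="ascii").read() for f in os.listdir(argv[1])}
    else:
        files = SAMPLE_KEY_DIR
    for line in ksk_ds_from_key_dir(files):
        print(line)


if __name__ == "__main__":
    main(sys.argv)
```

Run it without arguments to see the sample output, or with a key directory path to print the DS for every KSK found there; publish only the DS of the KSK whose `.state` file shows it as the active one (`rndc dnssec -status example.com` lists this), and compare the printed digest with `dnssec-dsfromkey -2` before sending it to the registrar.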
