Re: Validating a DNSSEC installation
On Jun 16, 2009, at 4:08 AM, Chris Thompson wrote:

> On Jun 15 2009, Chris Buxton wrote:
>
>> On Jun 13, 2009, at 4:59 AM, Erik Lotspeich wrote:
>>
>>> Is it normal that a validating resolver can't validate a domain it is
>>> authoritative for?
>>
>> Absolutely. As Alan Clegg wrote not long ago on this list,
>
> You presumably refer to
> https://lists.isc.org/pipermail/bind-users/2009-January/074760.html
> which I *suppose* counts as not long ago ... :-)

That's not long ago to me... it was this year after all. :-)

>> this is why a DNSSEC validating resolver should not be authoritative
>> for any signed zones.
>
> This seems too strong to me. There are lots of good reasons why one may
> want a resolver to stealth slave local (possibly signed) zones, and thus
> be authoritative for them. However, it is certainly the case that
> because no other validation is performed on these zones, they should be
> fetched by secure means, e.g. TSIG-signed transfers from trusted master
> servers.

As a purist, I dislike stealth slaves. They're too error-prone. It's better to use a stub zone if necessary, in my opinion.

That said, if only DNSSEC-ignorant resolvers (including stub resolvers) are querying the server, then yes, there is a valid case to be made for a stealth slave. But even then, if the zone has any subzones, or might ever be given any subzones, then I believe there will be problems unless the resolving stealth slave is also given trust anchors for all such subzones. It's better and simpler, then, to use a single trust anchor and a stub zone (a resolver hint) for the domain apex rather than a slave zone.

Chris Buxton
Professional Services
Men & Mice

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Validating a DNSSEC installation
Hi Chris,

Thanks for your response -- that explains it. I hope that you don't mind if I continue this discussion with another question.

I changed my configuration to use views to separate my external zone (for which BIND is authoritative) from internal clients (which should use BIND as a validating resolver). I now receive the expected behavior -- sort of.

r...@starfish:/home/erik# dig +dnssec +adflag @localhost lotspeich.org

; <<>> DiG 9.6.1 <<>> +dnssec +adflag @localhost lotspeich.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60454
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
[snip]

r...@starfish:/home/erik# dig +adflag @localhost lotspeich.org

; <<>> DiG 9.6.1 <<>> +adflag @localhost lotspeich.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3194
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

As you can see, the ad bit is set when +dnssec is used along with +adflag. However, I can receive the ad bit without +dnssec when making other queries:

r...@starfish:/home/erik# dig +adflag isc.org.

; <<>> DiG 9.6.1 <<>> +adflag isc.org.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6612
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

Is this expected or do I need to fine-tune my configuration further?

Thanks,

Erik.

Chris Buxton wrote:
> On Jun 13, 2009, at 4:59 AM, Erik Lotspeich wrote:
>> Is it normal that a validating resolver can't validate a domain it is
>> authoritative for?
>
> Absolutely. As Alan Clegg wrote not long ago on this list, this is why a
> DNSSEC validating resolver should not be authoritative for any signed
> zones.
>
> Chris Buxton
> Professional Services
> Men & Mice
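The check Erik performs by eye above (reading the ad flag out of dig's header, and comparing runs with and without +dnssec) can be scripted. The Python below is an added example, not code from the thread, from BIND or from ISC: it parses the ";; ->>HEADER<<-" and ";; flags:" lines dig prints, counts RRSIG records in the answer section, and classifies a response as validated (ad set), signed but not validated (RRSIGs present, no ad), unvalidated (neither visible) or SERVFAIL. The sample outputs are constructed from the header lines quoted in the thread; the answer records in them are made up (192.0.2.0/24, placeholder signature).

```python
"""Classify dig output by its DNSSEC validation state.

Added example (not code from the thread, BIND or ISC). It reads the
";; ->>HEADER<<-" and ";; flags:" lines dig prints plus RRSIG records in
the answer section. Sample outputs are constructed from the header lines
quoted in the thread; the answer records are made up.
"""
import re
from dataclasses import dataclass

HEADER_RE = re.compile(r"^;; ->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*); QUERY: (\d+), ANSWER: (\d+),"
                      r" AUTHORITY: (\d+), ADDITIONAL: (\d+)")
RRSIG_RE = re.compile(r"^\S+\s+\d+\s+IN\s+RRSIG\s")


@dataclass
class DigResult:
    status: str          # NOERROR, NXDOMAIN, SERVFAIL, ...
    flags: frozenset     # qr rd ra ad cd ...
    answer_count: int
    rrsig_count: int     # RRSIGs seen in the answer section (only sent with +dnssec)


def parse_dig(output: str) -> DigResult:
    """Extract header status, flags and the number of RRSIGs in the answer."""
    status, flags, answers, rrsigs = None, frozenset(), 0, 0
    in_answer = False
    for line in output.splitlines():
        m = HEADER_RE.match(line)
        if m:
            status = m.group(2)
            continue
        m = FLAGS_RE.match(line)
        if m:
            flags = frozenset(m.group(1).split())
            answers = int(m.group(3))
            continue
        if line.startswith(";; "):
            # section markers such as ";; ANSWER SECTION:" / ";; AUTHORITY SECTION:"
            in_answer = line.startswith(";; ANSWER SECTION")
            continue
        if in_answer and RRSIG_RE.match(line):
            rrsigs += 1
    if status is None:
        raise ValueError("no dig header found")
    return DigResult(status, flags, answers, rrsigs)


def classify(result: DigResult) -> str:
    """validated          -> resolver set ad: the data passed DNSSEC validation
    signed-unvalidated -> RRSIGs returned but no ad: signed zone, resolver did
                          not (or could not) validate it
    unvalidated        -> no ad and no RRSIGs visible: unsigned zone, or the
                          query went out without +dnssec so no signatures came back
    servfail           -> validation failure or upstream error (retry with +cd
                          to tell the two apart)"""
    if result.status == "SERVFAIL":
        return "servfail"
    if "ad" in result.flags:
        return "validated"
    if result.rrsig_count:
        return "signed-unvalidated"
    return "unvalidated"


# Constructed samples: header lines as quoted in the thread, records made up.
SAMPLE_LOCAL_DNSSEC = """\
; <<>> DiG 9.6.1 <<>> +dnssec +adflag @localhost lotspeich.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60454
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
lotspeich.org.  3600  IN  A      192.0.2.10
lotspeich.org.  3600  IN  RRSIG  A 5 2 3600 20090701000000 20090601000000 12345 lotspeich.org. c29tZXNpZw==
"""
SAMPLE_LOCAL_PLAIN = """\
; <<>> DiG 9.6.1 <<>> +adflag @localhost lotspeich.org
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3194
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; ANSWER SECTION:
lotspeich.org.  3600  IN  A      192.0.2.10
"""
SAMPLE_SIGNED_NOAD = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7777
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
lotspeich.org.  3600  IN  A      192.0.2.10
lotspeich.org.  3600  IN  RRSIG  A 5 2 3600 20090701000000 20090601000000 12345 lotspeich.org. c29tZXNpZw==
"""
SAMPLE_SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""

if __name__ == "__main__":
    for name, text in (("local +dnssec +adflag", SAMPLE_LOCAL_DNSSEC),
                       ("local +adflag", SAMPLE_LOCAL_PLAIN),
                       ("signed, no ad", SAMPLE_SIGNED_NOAD),
                       ("servfail", SAMPLE_SERVFAIL)):
        print(f"{name:22s} -> {classify(parse_dig(text))}")
```

The ad bit only says that the resolver you asked validated the data, so it is meaningful only over a trusted path to that resolver (here, localhost); and because a query without +dnssec (no DO bit) brings back no RRSIGs, a missing ad on such a query cannot distinguish "zone unsigned" from "resolver did not validate", which is why the classifier reports those as one state.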
Re: Validating a DNSSEC installation
On Jun 15 2009, Chris Buxton wrote:

> On Jun 13, 2009, at 4:59 AM, Erik Lotspeich wrote:
>
>> Is it normal that a validating resolver can't validate a domain it is
>> authoritative for?
>
> Absolutely. As Alan Clegg wrote not long ago on this list,

You presumably refer to
https://lists.isc.org/pipermail/bind-users/2009-January/074760.html
which I *suppose* counts as not long ago ... :-)

> this is why a DNSSEC validating resolver should not be authoritative
> for any signed zones.

This seems too strong to me. There are lots of good reasons why one may want a resolver to stealth slave local (possibly signed) zones, and thus be authoritative for them. However, it is certainly the case that because no other validation is performed on these zones, they should be fetched by secure means, e.g. TSIG-signed transfers from trusted master servers.

-- 
Chris Thompson
Email: c...@cam.ac.uk
Re: Validating a DNSSEC installation
On Thu, 11 Jun 2009, Erik Lotspeich wrote:

> Although I'm not new to DNS, I'm new to DNSSEC. I have read
> documentation and howtos regarding DNSSEC. I believe that I have it
> configured and working for my domain, lotspeich.org. I have registered
> with the ISC's DLV registry. I am having trouble finding the best way
> for me to validate that my setup is working and that my zone validates.
> I've looked into drill and dnssec-tools, but it isn't clear to me how
> to use these tools with ISC's DLV. Any help would be greatly
> appreciated.

Hi Erik,

For me:

dig +dnssec lotspeich.org

does return RRSIG but no ad (authenticated data) flag.

lotspeich.org.dlv.isc.org doesn't yet exist in ISC's DLV.

dig +dnssec lotspeich.org.dlv.isc.org DLV

for me is flagged ad and NXDOMAIN (Maybe wait until served by the ISC DLV nameservers? I didn't check internally if it was registered.)
Re: Validating a DNSSEC installation
In message <4a3177c1.5040...@lotspeich.org>, Erik Lotspeich writes:
> Hi,
>
> Although I'm not new to DNS, I'm new to DNSSEC. I have read
> documentation and howtos regarding DNSSEC. I believe that I have it
> configured and working for my domain, lotspeich.org. I have registered
> with the ISC's DLV registry. I am having trouble finding the best way
> for me to validate that my setup is working and that my zone validates.
> I've looked into drill and dnssec-tools, but it isn't clear to me how
> to use these tools with ISC's DLV. Any help would be greatly
> appreciated.
>
> Regards,
>
> Erik.

The simplest way is to configure a caching only server to use dlv and run queries against it.

dig +adflag soa zone
dig +dnssec soa zone

and look for the ad flag in the response. e.g.

; <<>> DiG 9.3.6-P1 <<>> +adflag isc.org soa
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41624
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;isc.org.                       IN      SOA

;; ANSWER SECTION:
isc.org.                7030    IN      SOA     ns-int.isc.org. hostmaster.isc.org. 2009061200 7200 3600 24796800 3600

;; AUTHORITY SECTION:
isc.org.                35695   IN      NS      ns-ext.nrt1.isc.org.
isc.org.                35695   IN      NS      ams.sns-pb.isc.org.
isc.org.                35695   IN      NS      ord.sns-pb.isc.org.
isc.org.                35695   IN      NS      sfba.sns-pb.isc.org.

;; ADDITIONAL SECTION:
ams.sns-pb.isc.org.     35695   IN      A       199.6.1.30
ord.sns-pb.isc.org.     35695   IN      A       199.6.0.30
sfba.sns-pb.isc.org.    35695   IN      A       149.20.64.3
sfba.sns-pb.isc.org.    35693   IN      AAAA    2001:4f8:0:2::19

;; Query time: 180 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jun 12 12:07:03 2009
;; MSG SIZE  rcvd: 243

Note the DLV record for lotspeich.org is not currently being published. When you look at Managed Zones you should see a green tick and Good for the records to be published. If you don't see this then look at Help to see what is being reported. If you can't address the problem use the Contact Us link.

; <<>> DiG 9.3.6-P1 <<>> dlv lotspeich.org.dlv.isc.org
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 25701
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;lotspeich.org.dlv.isc.org.     IN      DLV

;; AUTHORITY SECTION:
dlv.isc.org.            3440    IN      SOA     ns-int.isc.org. hostmaster.isc.org. 2009060800 7200 3600 2419200 3600

;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jun 12 12:00:30 2009
;; MSG SIZE  rcvd: 97

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
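Mark's recipe (send the query with the AD flag or with +dnssec, look for ad in the reply, then check whether a DLV record exists under dlv.isc.org for the zone) looks like this at the wire level. The Python below is an added example, not code from the thread or from ISC: it builds the query dig sends for +adflag and +dnssec (AD bit in the header; EDNS0 OPT record carrying the DO bit), reads the AD flag and RCODE back out of a response header, and forms the DLV owner name for a zone. Header and question layout follow RFC 1035, the OPT record RFC 6891. The two sample responses are constructed byte strings mirroring the headers Mark quotes (ids 41624 and 25701), not captured packets, and nothing is sent on the network.

```python
"""DNS wire format for the +adflag / +dnssec checks described in the thread.

Added example (not code from the thread or ISC). Header and question
follow RFC 1035; the OPT pseudo-record with the DO bit follows RFC 6891.
The sample responses are constructed headers, not captured packets.
"""
import struct

QTYPE = {"A": 1, "SOA": 6, "DNSKEY": 48, "DLV": 32769}
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

FLAG_QR = 0x8000   # response
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
FLAG_AD = 0x0020   # authenticated data (header bit 5, RFC 4035)
FLAG_CD = 0x0010   # checking disabled
EDNS_DO = 0x8000   # DNSSEC OK bit in the OPT record's TTL field
OPT_TYPE = 41


def encode_name(name: str) -> bytes:
    """Uncompressed RFC 1035 label sequence for an owner name."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype="SOA", txid=0x1234, adflag=True, dnssec=True, udp_size=4096):
    """Query as dig sends it: +adflag sets AD in the header, +dnssec adds OPT with DO."""
    flags = FLAG_RD | (FLAG_AD if adflag else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if dnssec else 0)
    question = encode_name(qname) + struct.pack("!HH", QTYPE[qtype], 1)
    opt = b""
    if dnssec:
        # OPT: root owner name, TYPE 41, CLASS = UDP payload size,
        # TTL = ext-rcode(8) | version(8) | DO(1) | Z(15), RDLENGTH 0
        opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, EDNS_DO, 0)
    return header + question + opt


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header: the AD bit and RCODE are what validation checks read."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    return {"id": txid, "qr": bool(flags & FLAG_QR), "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD), "rcode": RCODE_NAMES.get(rcode, str(rcode)),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def query_sets_do(msg: bytes) -> bool:
    """True if an (uncompressed) query carries an OPT record with DO set."""
    hdr = parse_header(msg)
    off = 12
    for _ in range(hdr["qdcount"]):
        while msg[off] != 0:          # walk the labels of the QNAME
            off += msg[off] + 1
        off += 1 + 4                  # terminator + QTYPE + QCLASS
    if hdr["arcount"] == 0 or msg[off] != 0:
        return False
    rtype, _cls, ttl = struct.unpack("!HHI", msg[off + 1:off + 9])
    return rtype == OPT_TYPE and bool(ttl & EDNS_DO)


def dlv_name(zone: str, registry: str = "dlv.isc.org") -> str:
    """Owner name a lookaside-validating resolver queries for the zone's DLV record."""
    return f"{zone.rstrip('.')}.{registry.rstrip('.')}."


def make_response_header(txid, rcode, ad, counts):
    """Constructed response header (no records) for exercising parse_header."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0) | rcode
    return struct.pack("!HHHHHH", txid, flags, *counts)


# Constructed to match the two headers quoted in the thread.
SAMPLE_ISC_SOA = make_response_header(41624, 0, True, (1, 1, 4, 4))
SAMPLE_DLV_NXDOMAIN = make_response_header(25701, 3, False, (1, 0, 1, 0))

if __name__ == "__main__":
    q = build_query("lotspeich.org", "SOA")
    print("query AD set:", parse_header(q)["ad"], "DO set:", query_sets_do(q))
    print("DLV owner name:", dlv_name("lotspeich.org"))
    for sample in (SAMPLE_ISC_SOA, SAMPLE_DLV_NXDOMAIN):
        print(parse_header(sample))
```

The DO bit matters because a validating BIND resolver sets AD in its reply only when the query carried AD or DO; the AD bit in a query, which is what dig +adflag sends, is the client asking for that signal. To run the check for real, send build_query()'s bytes over UDP to port 53 of the caching server configured with dlv and feed the reply to parse_header(); an NXDOMAIN for the dlv_name() lookup, as in Mark's second dig, means the registry is not yet publishing the zone's DLV record.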
Re: Validating a DNSSEC installation
Erik Lotspeich wrote:
> I have registered with the ISC's DLV registry. I am having trouble
> finding the best way for me to validate that my setup is working and
> that my zone validates.

dlv.isc.org doesn't list your keys yet. It can take a day or two for DLV records to appear after your DNSKEY and cookie records have been checked. If you just added the zone to dlv.isc.org and it still shows a pending validation state, try request re-check in the DNSKEY Details section to force immediate validation.

Once your DLV record shows up, you may query external validating resolvers and see if they set the AD flag in response. OARC operates resolvers validating against dlv.isc.org. See their website at:

https://www.dns-oarc.net/oarc/services/odvr

dig +adflag lotspeich.org @149.20.64.20
dig +adflag lotspeich.org @149.20.64.21

A successful validation should look like this:

[...]
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6841
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
                   ^^
[...]

Future reference:
Once .org completes their testing phase *and* your registrar allows you to register DS records for your domain, queries should also return AD when validated against the ITAR trust anchor repository (at https://itar.iana.org/):

dig +adflag lotspeich.org @149.20.64.22

I also run a somewhat-public resolver using the dnssec.iks-jena.de DLV (http://www.iks-jena.de/leistungen/dnssec.php):

dig +adflag lotspeich.org @85.10.240.255

Hauke.
Re: Validating a DNSSEC installation
In message <20090612025851.ga23...@frell.ambush.de>, Hauke Lampe writes:
> On Fri, Jun 12, 2009 at 04:29:11 +0200, Hauke Lampe wrote:
>
>> Future reference:
>> Once .org completes their testing phase *and* your registrar allows you
>> to register DS records for your domain, queries should also return AD
>> when validated against the ITAR trust anchor repository (at
>> https://itar.iana.org/):
>>
>> dig +adflag lotspeich.org @149.20.64.22
>
> I got that one wrong. My apologies.
> That resolver uses IANA's version of a signed root (https://ns.iana.org/), not ITAR.
>
> Personally, I don't expect to add DS records for my .org domains within
> the next two or three years, anyway. By the time the domain registration
> services I use add working DS support, the root zone could possibly
> already be signed.

The root is supposed to be signed by the end of the year. IANA is already collecting DS / DNSKEY records for inclusion in the signed root. A competent registrar would be looking to add support for DS records now as once the root is signed there is no longer any real excuse to delay anymore. Similarly there is no excuse for not accepting as glue these days.

Mark

> Hauke.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org