[Pdns-users] Setting up intentionally invalid DNSSEC record in auto-secure environment
Hi all,

We're running a PowerDNS 3.4.6 installation with the MySQL backend, and we're using pdnsutil secure-zone/set-nsec3/rectify-zone to automatically secure all of our domains (the least-effort method, instead of manually signing everything). It works great. Thanks for the excellent software!

To support an internal testing tool, I would like to set up a few DNS records on a subdomain of one of our signed domains, and have those DNS records //intentionally invalidly signed// so that verifying resolvers will flag them and not return them. What is the best way to do this? Can I simply manually enter an invalid RRSIG record for each record, and that manual record will take precedence over any automatic signing that PowerDNS performs? Or do I need to take some other step (perhaps it requires a separate domain)? Or is what I want to do impossible with PowerDNS automatic signing enabled?

Thanks!

Nick Williams

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] Setting up intentionally invalid DNSSEC record in auto-secure environment
Out of curiosity, what DOES PowerDNS do if it finds both an A and an RRSIG record for a.b.c.com in the database?

Nick

On Wed, Jan 6, 2016 at 12:33 PM, Aki Tuomi wrote:
> The code does not support this but you might be able to use postresolve
> Lua hook to break the reply signature.
>
> ---
> Aki Tuomi
> Original message
> From: Nick Williams
> Date: 6.1.2016 19.54 (GMT+02:00)
> To: pdns-users Users
> Subject: [Pdns-users] Setting up intentionally invalid DNSSEC record in
> auto-secure environment
Re: [Pdns-users] Setting up intentionally invalid DNSSEC record in auto-secure environment
On Wed, Jan 06, 2016 at 12:46:38PM -0600, Nicholas Williams wrote:
> Out of curiosity, what DOES PowerDNS do if it finds both an A and an
> RRSIG record for a.b.c.com in the database?

Hi Nicholas,

To answer both your messages in one go, if you run with 'presigned zones', PowerDNS will use the RRSIG from your database. So it will find the right RRSIG that goes with your A record.

Secondly, if you use a pre-signed zone, you can also mess up your RRSIG by hand to generate a 'broken' zone.

Bert
Re: [Pdns-users] Setting up intentionally invalid DNSSEC record in auto-secure environment
(inline)

On Wed, Jan 6, 2016 at 11:42 AM, Nicholas Williams wrote:
> I'll look into that other script. Thanks, Bert.
>
>> How about creating a separate sub-zone with a broken presigned DNSSEC
>>
>> You can set presigned for just that single zone using the PRESIGNED domain
>> metadata[1] in your database.
>
> I really like this idea in combination. That documentation that Pieter sent
> me should help me get set up with presigning. But, Leen, how would I set up
> a subzone delegated to the same authoritative server (or can I, even?)? Can
> you point me to that documentation?

B/C the server is the same you don't necessarily need to set up the delegation in the zone with the records table. You just need to have it in the domains table.

That said you *can* totally do a full delegation. You just insert NS records into the parent zone records w/ the parent domain_id, and do SOA+NS/whatever you normally do (synthetic SOA/generated SOA comes to mind) inside the delegated zone (child) domain_id... there's no magic to delegations. You'll have like 2x the NS records for a self-delegated zone (as the parent zone will have the same records with the parent/delegating domain_id).

> Google really hasn't indexed this documentation very well at all...
>
> Thanks,
>
> Nick

--
Samuel Butler
Re: [Pdns-users] Setting up intentionally invalid DNSSEC record in auto-secure environment
On 2016-01-06 20:42, Nicholas Williams wrote:
> I'll look into that other script. Thanks, Bert.
>
>> How about creating a separate sub-zone with a broken presigned DNSSEC
>>
>> You can set presigned for just that single zone using the PRESIGNED domain
>> metadata[1] in your database.
>
> I really like this idea in combination. That documentation that Pieter sent
> me should help me get set up with presigning. But, Leen, how would I set up
> a subzone delegated to the same authoritative server (or can I, even?)? Can
> you point me to that documentation?

It's just a domain & delegation like any other (this is the same thing the TLD does for you):

Just have both autosigned-domain.tld and presigned-subzone.autosigned-domain.tld in the domains table like any normal domain.

Both domains should have NS and SOA records in the records table like any normal domain.

Then create the delegation in the autosigned-domain.tld domain by adding the NS records pointing to presigned-subzone.autosigned-domain.tld:

domain_id: autosigned-domain.tld ; name: presigned-subzone.autosigned-domain.tld ; type: NS ; content: ns1.autosigned-domain.tld
domain_id: autosigned-domain.tld ; name: presigned-subzone.autosigned-domain.tld ; type: NS ; content: ns2.autosigned-domain.tld

Now because it's DNSSEC you need to make it secure. Assuming you want to sign the sub-zone for testing:

pdnssec secure-zone presigned-subzone.autosigned-domain.tld

Then you can grab the DS record, which then needs to be added to the parent zone:

pdnssec show-zone presigned-subzone.autosigned-domain.tld

to know what the DS record is. Add the DNSSEC DS record for presigned-subzone.autosigned-domain.tld in the autosigned-domain.tld domain:

domain_id: autosigned-domain.tld ; name: presigned-subzone.autosigned-domain.tld ; type: DS ; content: '5725 8 2 512fa6fe4d1f9ba974832e3456c4769db6c16ca1...'

Hope that makes it clear.

You should now be able to look up a DNSSEC-signed record for presigned-subzone.autosigned-domain.tld, for example the SOA record.

Have a good day,
Leen.

> Google really hasn't indexed this documentation very well at all...
>
> Thanks,
>
> Nick
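As an added worked example (not part of the thread, and not the PowerDNS project's own code), the following SQL puts Bert's and Leen's suggestions together against the gmysql schema of PowerDNS 3.4: the child zone and its apex records, the delegation NS rows and the DS in the parent, the PRESIGNED domain metadata, and finally one RRSIG in the child deliberately corrupted by hand. It assumes the zone names from Leen's message, a hypothetical test name broken.presigned-subzone.autosigned-domain.tld, and that the child's DNSKEY/RRSIG/NSEC rows were already produced by an external signer and loaded; that signing step, and the real DS value, are not shown and must be supplied by the operator.

```sql
-- Added example, not from the thread or the PowerDNS project.
-- Assumes the PowerDNS 3.4 gmysql schema (domains, records, domainmetadata)
-- and the zone names from Leen's message. The child's DNSKEY/RRSIG/NSEC rows
-- are assumed to have been signed externally and loaded already (not shown).

-- 1. Both zones exist in the domains table (the parent already does).
INSERT INTO domains (name, type) VALUES ('presigned-subzone.autosigned-domain.tld', 'NATIVE');
SET @parent := (SELECT id FROM domains WHERE name = 'autosigned-domain.tld');
SET @child  := (SELECT id FROM domains WHERE name = 'presigned-subzone.autosigned-domain.tld');

-- 2. Apex SOA and NS for the child, like any normal zone.
INSERT INTO records (domain_id, name, type, content, ttl, auth) VALUES
  (@child, 'presigned-subzone.autosigned-domain.tld', 'SOA',
   'ns1.autosigned-domain.tld hostmaster.autosigned-domain.tld 2016010601 10800 3600 604800 300', 3600, 1),
  (@child, 'presigned-subzone.autosigned-domain.tld', 'NS', 'ns1.autosigned-domain.tld', 3600, 1),
  (@child, 'presigned-subzone.autosigned-domain.tld', 'NS', 'ns2.autosigned-domain.tld', 3600, 1);

-- 3. Delegation in the parent: the same NS rows, but with the parent's
--    domain_id. auth=0 marks them as non-authoritative delegation records.
INSERT INTO records (domain_id, name, type, content, ttl, auth) VALUES
  (@parent, 'presigned-subzone.autosigned-domain.tld', 'NS', 'ns1.autosigned-domain.tld', 3600, 0),
  (@parent, 'presigned-subzone.autosigned-domain.tld', 'NS', 'ns2.autosigned-domain.tld', 3600, 0);

-- 4. DS in the parent (authoritative there, so auth=1). Placeholder: paste the
--    DS for the child's KSK as printed by the signer. It must match the child's
--    DNSKEY, otherwise the delegation is merely insecure instead of bogus.
SET @ds := '<DS rdata for the child KSK, e.g. from pdnssec show-zone>';
INSERT INTO records (domain_id, name, type, content, ttl, auth)
  VALUES (@parent, 'presigned-subzone.autosigned-domain.tld', 'DS', @ds, 3600, 1);

-- 5. Tell PowerDNS to serve the child's stored RRSIGs instead of signing it.
INSERT INTO domainmetadata (domain_id, kind, content) VALUES (@child, 'PRESIGNED', '1');

-- 6. Break one signature by hand (Bert's suggestion). RRSIG content is
--    "type alg labels origttl expire inception keytag signer signature"; the
--    signature is one base64 token. Swapping its first character keeps the
--    record well-formed but the signature no longer verifies.
UPDATE records
   SET content = CONCAT(
         SUBSTRING_INDEX(content, ' ', 8), ' ',
         IF(LEFT(SUBSTRING_INDEX(content, ' ', -1), 1) = 'A', 'B', 'A'),
         SUBSTRING(SUBSTRING_INDEX(content, ' ', -1), 2))
 WHERE domain_id = @child
   AND type = 'RRSIG'
   AND name = 'broken.presigned-subzone.autosigned-domain.tld'
   AND SUBSTRING_INDEX(content, ' ', 1) = 'A';   -- only the RRSIG over the A RRset

-- 7. Populate ordername/auth for both zones afterwards:
--    pdnssec rectify-zone autosigned-domain.tld
--    pdnssec rectify-zone presigned-subzone.autosigned-domain.tld
```

To check the result, query a validating resolver for broken.presigned-subzone.autosigned-domain.tld with `dig +dnssec`: it should answer SERVFAIL, while the same query with `+cd` returns the A record together with the altered RRSIG, and other names in the sub-zone keep validating. Because the DS in the parent still matches the child's key, the failure is a bogus signature rather than an insecure delegation, which is what a validator-behaviour test wants to exercise.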