[Pdns-users] Setting up intentionally invalid DNSSEC record in auto-secure environment

2016-01-06 Thread Nick Williams
Hi all,

We're running a PowerDNS 3.4.6 installation with the MySQL backend, and we’re 
using pdnsutil secure-zone/set-nsec3/rectify-zone to automatically secure all 
of our domains (the least-effort method, instead of manually signing 
everything). It works great. Thanks for the excellent software!

To support an internal testing tool, I would like to set up a few DNS records 
on a subdomain of one of our signed domains, and have those DNS records 
//intentionally invalidly signed// so that verifying resolvers will flag them 
and not return them. What is the best way to do this? Can I simply manually 
enter an invalid RRSIG record for each record, and that manual record will take 
precedence over any automatic signing that PowerDNS performs? Or do I need to 
take some other step (perhaps it requires a separate domain)? Or is what I want 
to do impossible with PowerDNS automatic signing enabled?

Thanks!

Nick Williams

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] Setting up intentionally invalid DNSSEC record in auto-secure environment

2016-01-06 Thread Nicholas Williams
Out of curiosity, what DOES PowerDNS do if it finds both an A and an
RRSIG record for a.b.c.com in the database?

Nick

On Wed, Jan 6, 2016 at 12:33 PM, Aki Tuomi wrote:

> The code does not support this but you might be able to use postresolve
> Lua hook to break the reply signature.
>
> ---
> Aki Tuomi


Re: [Pdns-users] Setting up intentionally invalid DNSSEC record in auto-secure environment

2016-01-06 Thread bert hubert
On Wed, Jan 06, 2016 at 12:46:38PM -0600, Nicholas Williams wrote:
> Out of curiosity, what DOES PowerDNS do if it finds both an A and an
> RRSIG record for a.b.c.com in the database?

Hi Nicholas,

To answer both your messages in one go, if you run with 'presigned zones',
PowerDNS will use the RRSIG from your database. So it will find the right
RRSIG that goes with your A record.

Secondly, if you use a pre-signed zone, you can also mess up your RRSIG by
hand to generate a 'broken' zone.

Bert



Re: [Pdns-users] Setting up intentionally invalid DNSSEC record in auto-secure environment

2016-01-06 Thread Michael Loftis
(inline)

On Wed, Jan 6, 2016 at 11:42 AM, Nicholas Williams wrote:
> I'll look into that other script. Thanks, Bert.
>
>> How about creating a separate sub-zone with a broken presigned DNSSEC
>
>> You can set presigned for just that single zone using the PRESIGNED domain
>> metadata[1] in your database.
>
> I really like this idea in combination. That documentation that Pieter sent
> me should help me get set up with presigning. But, Leen, how would I set up
> a subzone delegated to the same authoritative server (or can I, even?)? Can
> you point me to that documentation?

Because the server is the same you don't necessarily need to set up the
delegation in the zone with the records table.  You just need to have it
in the domains table.  That said you *can* totally do a full
delegation.  You just insert NS records into the parent zone records
w/ the parent domain_id, and do SOA+NS/whatever you normally do
(synthetic SOA/generated SOA comes to mind) inside the delegated zone
(child) domain_id...there's no magic to delegations.  You'll have like
2x the NS records for a self-delegated zone (as the parent zone will
have the same records with the parent/delegating domain_id).


>
> Google really hasn't indexed this documentation very well at all...
>
> Thanks,
>
> Nick



Re: [Pdns-users] Setting up intentionally invalid DNSSEC record in auto-secure environment

2016-01-06 Thread leen

On 2016-01-06 20:42, Nicholas Williams wrote:

> I'll look into that other script. Thanks, Bert.
>
>> How about creating a separate sub-zone with a broken presigned DNSSEC
>>
>> You can set presigned for just that single zone using the PRESIGNED domain
>> metadata[1] in your database.
>
> I really like this idea in combination. That documentation that Pieter
> sent me should help me get set up with presigning. But, Leen, how
> would I set up a subzone delegated to the same authoritative server
> (or can I, even?)? Can you point me to that documentation?

It's just a domain & delegation like any other (this is the same thing 
the TLD does for you):

Just have both an autosigned-domain.tld and 
presigned-subzone.autosigned-domain.tld in the domains table like any 
normal domain.

Both domains should have NS and SOA records in the records table like 
any normal domain.

Then create the delegation in the autosigned-domain.tld domain by 
adding the NS records pointing to 
presigned-subzone.autosigned-domain.tld:

domain_id: autosigned-domain.tld ; name: presigned-subzone.autosigned-domain.tld ; type: NS ; content: ns1.autosigned-domain.tld
domain_id: autosigned-domain.tld ; name: presigned-subzone.autosigned-domain.tld ; type: NS ; content: ns2.autosigned-domain.tld

Now because it's DNSSEC you need to make it secure.

Assuming you want to sign the sub-zone for testing:

pdnssec secure-zone presigned-subzone.autosigned-domain.tld

Then you can grab the DS record, which then needs to be added to the 
parent zone:

pdnssec show-zone presigned-subzone.autosigned-domain.tld

to know what the DS record is.

Add the DNSSEC DS record for presigned-subzone.autosigned-domain.tld in 
the autosigned-domain.tld domain:

domain_id: autosigned-domain.tld ; name: presigned-subzone.autosigned-domain.tld ; type: DS ; content: '5725 8 2 512fa6fe4d1f9ba974832e3456c4769db6c16ca1...'

Hope that makes it clear.

You should now be able to look up a DNSSEC-signed record for 
presigned-subzone.autosigned-domain.tld, for example the SOA record.

Have a good day,
 Leen.

> Google really hasn't indexed this documentation very well at all...
>
> Thanks,
>
> Nick




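The delegation Leen and Michael describe, written out as an added example against the PowerDNS generic MySQL (gmysql) schema; this is not code from the thread or from the PowerDNS project. It assumes the standard `domains`, `records` and `domainmetadata` tables of that schema, uses the zone names from Leen's message, and the SOA content and DS digest are placeholders: the real DS comes from `pdnssec show-zone` as described above. The child zone gets the PRESIGNED metadata from the thread, so per Bert's answer the DNSKEY/RRSIG/NSEC rows loaded into the child are served as-is (a hand-edited RRSIG there is what makes the test zone fail validation), while the parent stays auto-signed and signs the delegation's DS itself.

```sql
-- Added example, not from the thread. Assumes the gmysql schema:
--   domains(id, name, type), records(domain_id, name, type, content, ttl),
--   domainmetadata(domain_id, kind, content).
-- Zone names follow Leen's message; SOA content and DS digest are placeholders.

-- 1. Both zones live in the domains table like any normal domain.
INSERT INTO domains (name, type) VALUES ('autosigned-domain.tld', 'NATIVE');
INSERT INTO domains (name, type) VALUES ('presigned-subzone.autosigned-domain.tld', 'NATIVE');

-- 2. Only the child is marked PRESIGNED: PowerDNS then serves whatever RRSIG
--    rows are in the records table instead of signing on the fly. The parent
--    keeps the secure-zone/set-nsec3/rectify-zone setup from the first mail.
INSERT INTO domainmetadata (domain_id, kind, content)
SELECT id, 'PRESIGNED', '1'
FROM domains WHERE name = 'presigned-subzone.autosigned-domain.tld';

-- 3. Apex SOA and NS in the child, as for any zone (placeholder SOA values).
INSERT INTO records (domain_id, name, type, content, ttl)
SELECT id, name, 'SOA',
       'ns1.autosigned-domain.tld hostmaster.autosigned-domain.tld 2016010601 10800 3600 604800 3600',
       3600
FROM domains WHERE name = 'presigned-subzone.autosigned-domain.tld';
INSERT INTO records (domain_id, name, type, content, ttl)
SELECT id, name, 'NS', 'ns1.autosigned-domain.tld', 3600
FROM domains WHERE name = 'presigned-subzone.autosigned-domain.tld';
INSERT INTO records (domain_id, name, type, content, ttl)
SELECT id, name, 'NS', 'ns2.autosigned-domain.tld', 3600
FROM domains WHERE name = 'presigned-subzone.autosigned-domain.tld';

-- 4. Delegation in the parent: the same NS names again, but under the
--    parent's domain_id (the "2x the NS records" Michael mentions).
INSERT INTO records (domain_id, name, type, content, ttl)
SELECT id, 'presigned-subzone.autosigned-domain.tld', 'NS', 'ns1.autosigned-domain.tld', 3600
FROM domains WHERE name = 'autosigned-domain.tld';
INSERT INTO records (domain_id, name, type, content, ttl)
SELECT id, 'presigned-subzone.autosigned-domain.tld', 'NS', 'ns2.autosigned-domain.tld', 3600
FROM domains WHERE name = 'autosigned-domain.tld';

-- 5. DS in the parent, copied from 'pdnssec show-zone presigned-subzone...'.
--    The digest below is a placeholder, not a real value.
INSERT INTO records (domain_id, name, type, content, ttl)
SELECT id, 'presigned-subzone.autosigned-domain.tld', 'DS',
       '5725 8 2 <digest-from-pdnssec-show-zone>', 3600
FROM domains WHERE name = 'autosigned-domain.tld';

-- 6. Check what the child will actually serve for DNSSEC: with PRESIGNED set,
--    these rows (including any deliberately altered RRSIG) go out unchanged.
SELECT r.name, r.type, LEFT(r.content, 48) AS content_prefix
FROM records r
JOIN domains d ON d.id = r.domain_id
WHERE d.name = 'presigned-subzone.autosigned-domain.tld'
  AND r.type IN ('DNSKEY', 'RRSIG', 'NSEC', 'NSEC3', 'NSEC3PARAM')
ORDER BY r.name, r.type;
```

After inserting the delegation rows, run `pdnssec rectify-zone autosigned-domain.tld` (the same rectify step the original setup already uses) so the parent's ordername/auth columns reflect the new delegation; the child's DNSKEY, RRSIG and NSEC/NSEC3 rows are loaded as ordinary records from whatever signed the zone, which is exactly why a broken signature placed there survives.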