Re: [Pdns-users] Setting up intentionally invalid DNSSEC record in auto-secure environment

2016-01-09 Thread Pieter Lexis
Hi Nick,

On Sat, 9 Jan 2016 14:48:12 -0600
Nicholas Williams  wrote:

> But the documentation says the opposite. It says NOT to create
> NSEC(3) records (in fact, zone2sql intentionally ignores them, even
> for presigned zones), because (again, it says) PowerDNS generates
> then automatically, even for presigned zones. It also says that
> manually inserting NSEC3 records could cause errors. So the
> documentation makes clear that, on presigned zones, it is still the
> authority. Indeed, PowerDNS IS generating the NSEC3 records (as I
> showed), just not signing them.

This is indeed the way this works. As the NXDOMAIN generation code
works as it should, the design choice was made to 'just' generate NSECs
on the fly. The signatures still have to be provided in the presigned
zone.

> How could I possibly presign records that PowerDNS generates? I
> can't. So why does PowerDNS prohibit me creating NSEC3 records,
> generate them for me, but not sign them?

This is because pre-signed zones (from e.g. opendnssec, ldns-signzone
or slaved from a master) contain the RRSIGs to the negative answers.

> That is, at best, poor design. But I'm confident it's a bug or I've
> configured something incorrectly. 

I agree this is an 'interesting' design choice made back in the day.
In normal operation (using other tools to generate DNSSEC records or
slaving the zone) this will never come up.

I agree that the docs are not very verbose on how presigned zones work;
we'll fix this in the coming weeks.

-- 
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] Setting up intentionally invalid DNSSEC record in auto-secure environment

2016-01-09 Thread Nick Williams
So, I think I’ve almost got this, but I’m having a problem with the pre-signed
zone’s NSEC3 RRSIGs. Here’s what I did:

I already have a live-signed zone (my-zone.com) that works perfectly. A-records 
come with automatic RRSIGs, SOA record comes with an RRSIG, NS records come 
with an RRSIG, etc. I added a presigned delegated subzone by:

1. Creating a new domain d7e8ac.test-records.my-zone.com.
2. Running `pdnssec secure-zone d7e8ac.test-records.my-zone.com` and
`pdnssec set-nsec3 d7e8ac.test-records.my-zone.com 1 0 3 B45550` so that
the keys and NSEC3 params are automatically created for me by PowerDNS.
3. Creating the SOA, NS, and A (namely, good.d7e8ac.test-records.my-zone.com
and bad.d7e8ac.test-records.my-zone.com) records I want.
4. Running `pdnssec rectify-zone d7e8ac.test-records.my-zone.com`.
5. Copying down all of the RRSIG records that PowerDNS live-generates.
6. Running `pdnssec set-presigned d7e8ac.test-records.my-zone.com` to
disable live-signing.
7. Inserting the RRSIG records that PowerDNS previously created into MySQL.
8. Creating the NS records in my-zone.com for the
d7e8ac.test-records.my-zone.com subzone pointing to the same servers.
9. Inserting the DS records in my-zone.com for the
d7e8ac.test-records.my-zone.com subzone using the DS records from
`pdnssec show-zone`.

I have not yet munged the RRSIG for bad.d7e8ac.test-records.my-zone.com, so
it is still correctly signed. In other words, d7e8ac.test-records.my-zone.com
should be just like any other pre-signed zone, except it’s a subzone.

So, I ran a thorough analysis of my-zone.com using http://dnsviz.net, just
to make sure it hadn’t been affected, and everything checked out perfectly.
I can also query any and all records through my verifying recursors and they
get returned. And, if I dig the non-existent dne.my-zone.com, I get back
NXDOMAIN with NSEC3 and RRSIG records as shown below. It’s all perfect:

my-zone.com. 1800 IN SOA dns1.my-zone.com. noc.my-zone.com. 2016010608 10800 3600 604800 1800
my-zone.com. 1800 IN RRSIG SOA 8 2 86400 2016012100 2015123100 33379 my-zone.com. I2AxpLVafoux...
8jioqnlor5460c8jk6s0uqnlqobfsad1.my-zone.com. 1800 IN NSEC3 1 0 3 D4AF00 9T62A084PPEDCI0UGGCE6O1CBS88UP2G A NS SOA MX TXT RRSIG DNSKEY NSEC3PARAM
8jioqnlor5460c8jk6s0uqnlqobfsad1.my-zone.com. 1800 IN RRSIG NSEC3 8 3 1800 2016012100 2015123100 33379 my-zone.com. IOUTkKrHTp...
0dfe8me5brlq9g3ap8itfpiugjajs2is.my-zone.com. 1800 IN NSEC3 1 0 3 D4AF00 7RL9CKFSF6N7NQ3CJ78S9MVLPJB0T9G0 A RRSIG
0dfe8me5brlq9g3ap8itfpiugjajs2is.my-zone.com. 1800 IN RRSIG NSEC3 8 3 1800 2016012100 2015123100 33379 my-zone.com. Hbr5ir8PlS+/...
hb7aqcuebqfhou10qfsgcbu83no1plbb.my-zone.com. 1800 IN NSEC3 1 0 3 D4AF00 O7EF2SKIOJJKFASIIMVQGHUO03I2BNP5
hb7aqcuebqfhou10qfsgcbu83no1plbb.my-zone.com. 1800 IN RRSIG NSEC3 8 3 1800 2016012100 2015123100 33379 my-zone.com. EljCuzDzUA…

I then ran a thorough analysis of d7e8ac.test-records.my-zone.com using the
same website and MOST things turned out perfectly. The NS, SOA, and A records
all check out. However, I couldn’t query them through my verifying
recursors—I get NXDOMAIN every time. (I could query through my verifying
recursors before setting the zone to presigned.) That’s what led me to check
the non-existent dne.d7e8ac.test-records.my-zone.com. And that revealed the
problem. The documentation says presigned zones should NOT include NSEC3
records or their RRSIGs, because PowerDNS still automatically generates NSEC3
records and their RRSIGs for presigned zones. But it’s not. It’s only
returning the NSEC3 records, unsigned:

d7e8ac.test-records.my-zone.com. 1800 IN SOA dns1.my-zone.com. noc.my-zone.com. 2016010701 10800 3600 604800 1800
d7e8ac.test-records.my-zone.com. 1800 IN RRSIG SOA 8 4 86400 2016012100 2015123100 34311 d7e8ac.test-records.my-zone.com. fJYArsO2S...
prhpl89qu0ncp23b3qhr10citsu7gs2n.d7e8ac.test-records.my-zone.com. 1800 IN NSEC3 1 0 3 B45550 H09M6KE4HUPDK9Q1NMF53UTSDBFDIIIC NS SOA RRSIG DNSKEY NSEC3PARAM
h09m6ke4hupdk9q1nmf53utsdbfdiiic.d7e8ac.test-records.my-zone.com. 1800 IN NSEC3 1 0 3 B45550 OV9D2N9BPO4FQVELB9H5O3SGSN329H1U A RRSIG

I can’t think of anything I missed. And, clearly, PowerDNS is correctly 

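A check for the failure mode Nick describes, added here as an example (it is not from the thread and not PowerDNS code): it parses presentation-format records from an NXDOMAIN answer and lists every RRset, NSEC3 in particular, that no RRSIG in the same answer covers. The two samples are constructed from the answers quoted above, with signatures truncated and some lines omitted.

```python
# Constructed samples modelled on the two NXDOMAIN answers quoted in the thread.
PARENT_NXDOMAIN = """\
my-zone.com. 1800 IN SOA dns1.my-zone.com. noc.my-zone.com. 2016010608 10800 3600 604800 1800
my-zone.com. 1800 IN RRSIG SOA 8 2 86400 2016012100 2015123100 33379 my-zone.com. I2AxpLVafoux...
8jioqnlor5460c8jk6s0uqnlqobfsad1.my-zone.com. 1800 IN NSEC3 1 0 3 D4AF00 9T62A084PPEDCI0UGGCE6O1CBS88UP2G A NS SOA MX TXT RRSIG DNSKEY NSEC3PARAM
8jioqnlor5460c8jk6s0uqnlqobfsad1.my-zone.com. 1800 IN RRSIG NSEC3 8 3 1800 2016012100 2015123100 33379 my-zone.com. IOUTkKrHTp...
"""

SUBZONE_NXDOMAIN = """\
d7e8ac.test-records.my-zone.com. 1800 IN SOA dns1.my-zone.com. noc.my-zone.com. 2016010701 10800 3600 604800 1800
d7e8ac.test-records.my-zone.com. 1800 IN RRSIG SOA 8 4 86400 2016012100 2015123100 34311 d7e8ac.test-records.my-zone.com. fJYArsO2S...
prhpl89qu0ncp23b3qhr10citsu7gs2n.d7e8ac.test-records.my-zone.com. 1800 IN NSEC3 1 0 3 B45550 H09M6KE4HUPDK9Q1NMF53UTSDBFDIIIC NS SOA RRSIG DNSKEY NSEC3PARAM
h09m6ke4hupdk9q1nmf53utsdbfdiiic.d7e8ac.test-records.my-zone.com. 1800 IN NSEC3 1 0 3 B45550 OV9D2N9BPO4FQVELB9H5O3SGSN329H1U A RRSIG
"""


def parse_rrs(text):
    """Yield (owner, type, rdata_fields) from lines of the form: OWNER TTL IN TYPE RDATA..."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue  # skip blank lines and anything that is not a resource record
        yield parts[0].lower(), parts[3], parts[4:]


def unsigned_rrsets(text):
    """Return sorted (owner, type) pairs that appear in the answer but have no covering RRSIG.

    A validating resolver needs an RRSIG over every NSEC3 used to prove the NXDOMAIN,
    so any NSEC3 owner reported here makes the denial unverifiable."""
    rrsets, covered = set(), set()
    for owner, rtype, rdata in parse_rrs(text):
        if rtype == "RRSIG":
            covered.add((owner, rdata[0]))  # first RRSIG rdata field is the type covered
        else:
            rrsets.add((owner, rtype))
    return sorted(rrsets - covered)


if __name__ == "__main__":
    for label, answer in (("parent", PARENT_NXDOMAIN), ("subzone", SUBZONE_NXDOMAIN)):
        print(label, "unsigned:", unsigned_rrsets(answer))
```

Run against the subzone sample it reports both NSEC3 owners as unsigned, which is exactly what the verifying recursors object to; the parent sample reports nothing.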
[Pdns-users] Setting up intentionally invalid DNSSEC record in auto-secure environment

2016-01-06 Thread Nick Williams
Hi all,

We're running a PowerDNS 3.4.6 installation with the MySQL backend, and we’re 
using pdnsutil secure-zone/set-nsec3/rectify-zone to automatically secure all 
of our domains (the least-effort method, instead of manually signing 
everything). It works great. Thanks for the excellent software!

To support an internal testing tool, I would like to set up a few DNS records 
on a subdomain of one of our signed domains, and have those DNS records 
//intentionally invalidly signed// so that verifying resolvers will flag them 
and not return them. What is the best way to do this? Can I simply manually
enter an invalid RRSIG record for each record, and that manual record will take
precedence over any automatic signing that PowerDNS performs? Or do I need to
take some other step (perhaps it requires a separate domain)? Or is what I want
to do impossible with PowerDNS automatic signing enabled?

Thanks!

Nick Williams



Re: [Pdns-users] Setting up intentionally invalid DNSSEC record in auto-secure environment

2016-01-06 Thread Nicholas Williams
Out of curiosity, what DOES PowerDNS do if it finds both an A and an
RRSIG record for a.b.c.com in the database?

Nick

On Wed, Jan 6, 2016 at 12:33 PM, Aki Tuomi <cmo...@cmouse.fi> wrote:

> The code does not support this but you might be able to use postresolve
> Lua hook to break the reply signature.
>
> ---
> Aki Tuomi
>  Original message 
> From: Nick Williams <nicho...@nicholaswilliams.net>
> Date: 6.1.2016 19.54 (GMT+02:00)
> To: pdns-users Users <pdns-users@mailman.powerdns.com>
> Subject: [Pdns-users] Setting up intentionally invalid DNSSEC record in
> auto-secure environment
>
> Hi all,
>
> We're running a PowerDNS 3.4.6 installation with the MySQL backend, and
> we’re using pdnsutil secure-zone/set-nsec3/rectify-zone to automatically
> secure all of our domains (the least-effort method, instead of manually
> signing everything). It works great. Thanks for the excellent software!
>
> To support an internal testing tool, I would like to set up a few DNS
> records on a subdomain of one of our signed domains, and have those DNS
> records //intentionally invalidly signed// so that verifying resolvers will
> flag them and not return them. What is the best way to do this? Can I
> simply manually enter an invalid RRSIG record for each record, and that
> manual record will take precedence over any automatic signing that PowerDNS
> performs? Or do I need to take some other step (perhaps it requires a
> separate domain)? Or is what I want to do impossible with PowerDNS
> automatic signing enabled?
>
> Thanks!
>
> Nick Williams


Re: [Pdns-users] Setting up intentionally invalid DNSSEC record in auto-secure environment

2016-01-06 Thread bert hubert
On Wed, Jan 06, 2016 at 12:46:38PM -0600, Nicholas Williams wrote:
> Out of curiosity, what DOES PowerDNS do if it finds both an A and an
> RRSIG record for a.b.c.com in the database?

Hi Nicholas,

To answer both your messages in one go, if you run with 'presigned zones',
PowerDNS will use the RRSIG from your database. So it will find the right
RRSIG that goes with your A record.

Secondly, if you use a pre-signed zone, you can also mess up your RRSIG by
hand to generate a 'broken' zone.

Bert

> 
> Nick
> 
> On Wed, Jan 6, 2016 at 12:33 PM, Aki Tuomi <cmo...@cmouse.fi> wrote:
> 
> > The code does not support this but you might be able to use postresolve
> > Lua hook to break the reply signature.
> >
> > ---
> > Aki Tuomi
> >  Original message 
> > From: Nick Williams <nicho...@nicholaswilliams.net>
> > Date: 6.1.2016 19.54 (GMT+02:00)
> > To: pdns-users Users <pdns-users@mailman.powerdns.com>
> > Subject: [Pdns-users] Setting up intentionally invalid DNSSEC record in
> > auto-secure environment
> >
> > Hi all,
> >
> > We're running a PowerDNS 3.4.6 installation with the MySQL backend, and
> > we’re using pdnsutil secure-zone/set-nsec3/rectify-zone to automatically
> > secure all of our domains (the least-effort method, instead of manually
> > signing everything). It works great. Thanks for the excellent software!
> >
> > To support an internal testing tool, I would like to set up a few DNS
> > records on a subdomain of one of our signed domains, and have those DNS
> > records //intentionally invalidly signed// so that verifying resolvers will
> > flag them and not return them. What is the best way to do this? Can I
> > simply manually enter an invalid RRSIG record for each record, and that
> > manual record will take precedence over any automatic signing that PowerDNS
> > performs? Or do I need to take some other step (perhaps it requires a
> > separate domain)? Or is what I want to do impossible with PowerDNS
> > automatic signing enabled?
> >
> > Thanks!
> >
> > Nick Williams


Re: [Pdns-users] Setting up intentionally invalid DNSSEC record in auto-secure environment

2016-01-06 Thread Michael Loftis
(inline)

On Wed, Jan 6, 2016 at 11:42 AM, Nicholas Williams
 wrote:
> I'll look into that other script. Thanks, Bert.
>
>> How about creating a separate sub-zone with a broken presigned DNSSEC
>
>> You can set presigned for just that single zone using the PRESIGNED domain
>> metadata[1] in your database.
>
> I really like this idea in combination. That documentation that Pieter sent
> me should help me get set up with presigning. But, Leen, how would I set up
> a subzone delegated to the same authoritative server (or can I, even?)? Can
> you point me to that documentation?

B/C the server is the same you don't necessarily need to set up the
delegation in the zone with records table.  You just need to have it
in the domains table.  That said you *can* totally do a full
delegation.  You just insert NS records into the parent zone records
w/ the parent domain_id, and do SOA+NS/whatever you normally do
(synthetic SOA/generated SOA comes to mind) inside the delegated zone
(child) domain_id...there's no magic to delegations.  You'll have like
2x the NS records for a self delegated zone (as the parent zone will
have the same records with the parent/delegating domain_id).


>
> Google really hasn't indexed this documentation very well at all...
>
> Thanks,
>
> Nick

-- Samuel Butler



Re: [Pdns-users] Setting up intentionally invalid DNSSEC record in auto-secure environment

2016-01-06 Thread leen

On 2016-01-06 20:42, Nicholas Williams wrote:

> I'll look into that other script. Thanks, Bert.
>
>> How about creating a separate sub-zone with a broken presigned DNSSEC
>
>> You can set presigned for just that single zone using the PRESIGNED
>> domain metadata[1] in your database.
>
> I really like this idea in combination. That documentation that Pieter
> sent me should help me get set up with presigning. But, Leen, how
> would I set up a subzone delegated to the same authoritative server
> (or can I, even?)? Can you point me to that documentation?



It's just a domain & delegation like any other (this is the same thing
the TLD does for you):

Just have both an autosigned-domain.tld and
presigned-subzone.autosigned-domain.tld in the domains table like any
normal domain.


Both domains should have NS and SOA records in the records table like 
any normal domain.


Then create the delegation in the autosigned-domain.tld domain by
adding the NS-records pointing to the
presigned-subzone.autosigned-domain.tld:

domain_id: autosigned-domain.tld ; name: presigned-subzone.autosigned-domain.tld ; type: NS ; content: ns1.autosigned-domain.tld
domain_id: autosigned-domain.tld ; name: presigned-subzone.autosigned-domain.tld ; type: NS ; content: ns2.autosigned-domain.tld


Now because it's DNSSEC you need to make it secure.

Assuming you want to sign the sub-zone for testing:

pdnssec secure-zone presigned-subzone.autosigned-domain.tld

Then you can grab the DS-record which then needs to be added to the
parent zone:

pdnssec show-zone presigned-subzone.autosigned-domain.tld

To know what the DS-record is.

Add the DNSSEC DS-record for presigned-subzone.autosigned-domain.tld in
the autosigned-domain.tld domain.

domain_id: autosigned-domain.tld ; name: presigned-subzone.autosigned-domain.tld ; type: DS ; content: '5725 8 2 512fa6fe4d1f9ba974832e3456c4769db6c16ca1...'


Hope that makes it clear.

You should now be able to look up a DNSSEC-signed record for the 
presigned-subzone.autosigned-domain.tld for example the SOA-record.


Have a good day,
 Leen.


> Google really hasn't indexed this documentation very well at all...
>
> Thanks,
>
> Nick



