Trying to understand DNSSEC and BIND versions better
Mark Andrews
marka at isc.org
Tue Jun 9 01:22:12 UTC 2009
In message <99E6A67A9DA87041A8020FBC11F480B3031CCEE4 at EXVS01.dsw.net>, "Jeff Lig
htner" writes:
> BIND versions on RHEL (e.g. 9.3.4-6.0.3.P1.el5_2) have backported
> patches from later BIND versions so it isn't exactly the same animal as
> the EOL 9.3 which is why it isn't listed simply as 9.3
I've yet to see a vendor back port every bug fix and that is what
would be required to really support a product in a OS which is at
EOL by the producer.
Mark
> -----Original Message-----
> From: bind-users-bounces at lists.isc.org
> [mailto:bind-users-bounces at lists.isc.org] On Behalf Of Mark Andrews
> Sent: Friday, June 05, 2009 12:23 AM
> To: Chris Adams
> Cc: comp-protocols-dns-bind at isc.org
> Subject: Re: Trying to understand DNSSEC and BIND versions better=20
>
>
> In message <eYSdnVoGu5EsGrXXnZ2dnUVZ_vudnZ2d at posted.hiwaay2>, Chris
> Adams write
> s:
> > Since I read that the root is supposed to be signed by the end of the
> > year, I am just trying to understand DNSSEC support and the various
> > versions of BIND a little better here, so please don't throw too many
> > rocks if I ask something stupid...
> >=20
> > I run the nameservers for an ISP. For the recursive servers, what are
> > the hazzards in enabling DNSSEC (once the root is signed, so no DLV
> > necessary I guess)?
>
> Once the root is signed you will be able to validation answers
> where there is a unbroken chaing of trust. DLV will still be
> useful for zones were the TLD isn't yet signed or there is
> another break in the chain of trust.
>
> > I know the things that generally break with
> > "regular" DNS, but I don't know that with DNSSEC (I know there have
> been
> > DLV troubles but that's it).
>
> Not having a clean EDNS path between the validator and
> authoritative server can result in validation failures.
> EDNS responses are bigger that plain DNS and may result in
> fagmented responses. You need to ensure that any NAT's and
> firewalls are configured to handle fragments UDP responses
> up 4096 bytes with a modern BIND. Any forwarders used
> should also support EDNS and preferably be performing
> validation as well.
>
> Failure to re-sign a zone will cause lookups to fail.
> Failure to update DS records on DNSKEY changes will cause
> lookups to fail. Failure to update DLV records on DNSKEY
> changes will cause lookups to fail.
>
> "dig +cd +dnssec <query>" is your friend. This will let
> you see what is failing to validate.
>
> "dig +cd +multi DNSKEY <zone>" will provide you with the
> keyids necessary to check the signatures.
>
> "dig +cd +multi DS <zone>" will provide you with the DS
> records so you can check the linkage between parent and
> child. Look at the key id field.
>
> "dig +cd +multi DLV <zone>.<dlvroot>" will provide you with the
> DS
> records so you can check the linkage between parent and
> child. Look at the key id field.
>
> If the zone is using NSEC3 then nsec3hash can be used to
> check workout in the NSEC3 records are sane.
>
> "date -u +%Y%m%d%H%M%S" returns the system date in a form
> that is easy to comare to the dates in the RRSIG records.
>
> A understand of how DNSSEC works is useful.
>
> Checking if you get a DNSKEY returned, without +cd, at each zone
> cut is useful for working out where to examine more closely.
>
> dig, date and a understanding of DNSSEC is all you should
> need to identify a configuration error. If the keyid match
> and timestamps are good and associated NSEC/NSEC3 appear
> to be sane the you will most probably have found a
> implementation bug.
>
> > Currently, my servers run BIND 9.3.4-10.P1 (as patched by Red Hat in
> > RHEL; we typically stick with their security patched version, since
> > that's what we pay them for). What does that mean with .ORG for
> > example, where NSEC3 is used? Would we just not see NXDOMAIN
> responses
> > as validated (and what happens to unvalidated responses)? I've put in
> a
> > request to Red Hat to update to a version that supports NSEC3 but I
> > don't know what their response will be yet.
>
> BIND 9.3 is already at EOL.
>
> > For our authoritative servers, we'll need to set up a system to sign
> the
> > zones. Is it expected that ISPs will sign every zone they serve, or
> > just the domains we consider "important"? What kind of problems might
> > be expected here?
> >=20
> > In both cases, what kind of CPU and/or RAM overhead will large-scale
> use
> > of DNSSEC add?
> > --=20
> > Chris Adams <cmadams at hiwaay.net>
> > Systems and Network Administrator - HiWAAY Internet Services
> > I don't speak for anybody but myself - that's enough trouble.
> > _______________________________________________
> > bind-users mailing list
> > bind-users at lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
> --=20
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
> =20
> Please consider our environment before printing this e-mail or =
> attachments.
> ----------------------------------
> CONFIDENTIALITY NOTICE: This e-mail may contain privileged or =
> confidential information and is for the sole use of the intended =
> recipient(s). If you are not the intended recipient, any disclosure, =
> copying, distribution, or use of the contents of this information is =
> prohibited and may be unlawful. If you have received this electronic =
> transmission in error, please reply immediately to the sender that you =
> have received the message in error, and delete it. Thank you.
> ----------------------------------
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the bind-users
mailing list