Should I set parental-agents to localhost?
Nick Tait
nick at tait.net.nz
Sat Sep 23 02:52:17 UTC 2023
Hi Björn.
Not sure if my (late) reply is any use to you, but yes my understanding
is that you could use localhost as the parental agent in the cases where
(a) the local machine also hosts the parent zone, or (b) it is a
recursive resolver. In the latter case the DNSSEC responses would be
validated (assuming of course that the local resolver does DNSSEC
validation).
As I understand there are two schools of thought for configuring
parental-agents:
1. You could explicitly specify all of the parent zone name servers. In
that case all the servers are queried and the KSK rollover proceeds
once all servers are publishing the new DS record.
2. You could specify a validating recursive resolver. In that case only
one authoritative name server will be queried (you won't know which)
and the recursive resolver validates the response, and the KSK
rollover proceeds if that server is publishing the new DS record.
I suppose the theoretical risk with #1 is that because the responses
from the authoritative servers aren't validated, it would be possible
for a MITM to trick BIND into thinking that the new DS records had been
published before they actually had, which could lead to a situation
where you complete the KSK roll-over early and invalidate your zone?
Also please note that BIND 9.19 introduces a new option:
/*checkds*/
*Grammar: *|checkds ( explicit | <boolean> );|
*Blocks: *zone (primary, secondary)
*Tags: *dnssec
Controls whether |DS| queries are sent to parental agents.
If set to |yes|, DS queries are sent when a KSK rollover is in
progress. The queries are sent to the servers listed in the parent
zone’s NS records. This is the default if there are no
|parental-agents|
<https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-parental-agents>
configured for the zone.
If set to |explicit|, DS queries are sent only to servers explicitly
listed using |parental-agents|
<https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-parental-agents>.
This is the default if there are parental agents configured.
If set to |no|, no DS queries are sent. Users should manually run
|rndc dnssec -checkds|
<https://bind9.readthedocs.io/en/latest/manpages.html#cmdoption-rndc-arg-dnssec>
with the appropriate parameters to signal that specific DS records
are published and/or withdrawn.
Nick.
On 11/09/23 23:52, Björn Persson wrote:
> Hello, I'm trying to configure automatic KSK (or CSK) rollover. I'm
> confused about how to poll securely for DS records.
>
> Section 5.1.2.1 of the BIND 9 Administrator Reference Manual says:
>
> | [parental-agents] needs to be a trusted server, because BIND does not
> | validate the response.
>
> and section 8.2.26.1 says:
>
> | The DS response is not validated so it is recommended to set up a
> | trust relationship with the parental agent. For example, use TSIG to
> | authenticate the parental agent, or point to a validating resolver.
>
> I don't think the registry wants to exchange TSIG keys with every
> domain holder. A validating resolver seems much more achievable. My
> master server is also the validating resolver of its host. Can I set
> parental-agents to localhost to make BIND ask itself to validate the DS
> response? Or would it still do the lookup in the same non-validating
> way? Or would it enter infinite recursion? Must the validating resolver
> be a different name server from the master server that performs the key
> rollover?
>
> Björn Persson
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20230923/2a4b7a48/attachment-0001.htm>
More information about the bind-users
mailing list