Should I set parental-agents to localhost?

Nick Tait nick at tait.net.nz
Sat Sep 23 02:52:17 UTC 2023


Hi Björn.

Not sure if my (late) reply is any use to you, but yes my understanding 
is that you could use localhost as the parental agent in the cases where 
(a) the local machine also hosts the parent zone, or (b) it is a 
recursive resolver. In the latter case the DNSSEC responses would be 
validated (assuming of course that the local resolver does DNSSEC 
validation).

As I understand it, there are two schools of thought for configuring 
parental-agents:

 1. You could explicitly specify all of the parent zone name servers. In
    that case all the servers are queried and the KSK rollover proceeds
    once all servers are publishing the new DS record.
 2. You could specify a validating recursive resolver. In that case only
    one authoritative name server will be queried (you won't know which)
    and the recursive resolver validates the response, and the KSK
    rollover proceeds if that server is publishing the new DS record.

I suppose the theoretical risk with #1 is that because the responses 
from the authoritative servers aren't validated, it would be possible 
for a MITM to trick BIND into thinking that the new DS records had been 
published before they actually had, which could lead to a situation 
where you complete the KSK rollover early and invalidate your zone?

Also please note that BIND 9.19 introduces a new option:

checkds

    Grammar: checkds ( explicit | <boolean> );

    Blocks: zone (primary, secondary)

    Tags: dnssec

    Controls whether DS queries are sent to parental agents.

    If set to yes, DS queries are sent when a KSK rollover is in
    progress. The queries are sent to the servers listed in the parent
    zone's NS records. This is the default if there are no
    parental-agents
    <https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-parental-agents>
    configured for the zone.

    If set to explicit, DS queries are sent only to servers explicitly
    listed using parental-agents
    <https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-parental-agents>.
    This is the default if there are parental agents configured.

    If set to no, no DS queries are sent. Users should manually run
    rndc dnssec -checkds
    <https://bind9.readthedocs.io/en/latest/manpages.html#cmdoption-rndc-arg-dnssec>
    with the appropriate parameters to signal that specific DS records
    are published and/or withdrawn.

Nick.


On 11/09/23 23:52, Björn Persson wrote:
> Hello, I'm trying to configure automatic KSK (or CSK) rollover. I'm
> confused about how to poll securely for DS records.
>
> Section 5.1.2.1 of the BIND 9 Administrator Reference Manual says:
>
> | [parental-agents] needs to be a trusted server, because BIND does not
> | validate the response.
>
> and section 8.2.26.1 says:
>
> | The DS response is not validated so it is recommended to set up a
> | trust relationship with the parental agent. For example, use TSIG to
> | authenticate the parental agent, or point to a validating resolver.
>
> I don't think the registry wants to exchange TSIG keys with every
> domain holder. A validating resolver seems much more achievable. My
> master server is also the validating resolver of its host. Can I set
> parental-agents to localhost to make BIND ask itself to validate the DS
> response? Or would it still do the lookup in the same non-validating
> way? Or would it enter infinite recursion? Must the validating resolver
> be a different name server from the master server that performs the key
> rollover?
>
> Björn Persson
>
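Editor's added example (not part of Nick's reply, and not taken from ISC's documentation): a named.conf fragment that puts the two schools of thought above side by side on a primary that is also its host's validating resolver, the setup Björn describes. The zone names, the 192.0.2.x addresses and the policy name "auto-ksk" are constructed for illustration; the three zones exist only so each variant can appear in one valid file. It assumes, as Nick describes, that the local named answers recursive queries from 127.0.0.1 and validates them, and that named is 9.19 or later, since earlier releases reject the checkds statement.

```conf
// Added example, not from the original thread. Names, addresses and the
// policy name are constructed; checkds requires BIND 9.19 or later.

options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 127.0.0.1; ::1; };   // resolver side is reachable from this host only
    dnssec-validation auto;                // validate recursive answers, including DS lookups sent to 127.0.0.1
};

dnssec-policy "auto-ksk" {
    keys {
        ksk key-directory lifetime P1Y  algorithm ecdsap256sha256;
        zsk key-directory lifetime P60D algorithm ecdsap256sha256;
    };
};

// School of thought #1: query every parent-zone name server directly.
// These DS answers are NOT validated by BIND, so the listed servers must be
// trusted on their own (or authenticated with a TSIG key agreed with the parent).
zone "example.com" {
    type primary;
    file "db.example.com";
    dnssec-policy "auto-ksk";
    parental-agents { 192.0.2.10; 192.0.2.11; };
    checkds explicit;   // query only the listed agents; the default once parental-agents is set
};

// School of thought #2: point parental-agents at the local validating resolver.
// named sends the example.net/DS query to itself over 127.0.0.1; the recursive
// side resolves it against whichever parent server it picks and validates the
// answer before the rollover is allowed to advance.
zone "example.net" {
    type primary;
    file "db.example.net";
    dnssec-policy "auto-ksk";
    parental-agents { 127.0.0.1; };
    checkds explicit;
};

// Opt out of automatic polling entirely and signal the DS state by hand, e.g.
//   rndc dnssec -checkds published example.org
zone "example.org" {
    type primary;
    file "db.example.org";
    dnssec-policy "auto-ksk";
    checkds no;
};
```

The point of the second zone is that the only unvalidated hop is loopback: the unauthenticated DS answer that worries Nick in #1 is replaced by an answer the local resolver has already checked against the parent's chain of trust. The price is the one Nick notes, that only a single parent server is consulted per query, so the rollover can advance as soon as one parent server publishes the new DS rather than once all of them do.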