bind9
Contents
-
bind9
- See Also
- About
- Directories
- Docs
- Install
-
Configure
- Create directories for journals and zones
- Main configuration file
- Logging
- Options
- ACLs
- Auth
- Local
- Changing a dynamic zone with views
- Debugging
-
DNSsec
- ISC's BIND 9 DNSSEC Webinar Series
- Be sure
- The process
- Links
- Bind9 tools
- Create key-directory
- dnssec-keygen - create keys
- dnssec-keymgr
- dnssec-signzone - manually
- dnssec-settime - manually
- DNSsec options
- Validation
- Inline signing
- Signing with local updates
- NextSECure
- dnssec-dsfromkey
- dnssec-checkds
- dnssec-coverage
- dnssec-verify
- less frequently used tools
- Miscandelous commands
- Trouble shooting
- fail2ban
- dnsutils
See Also
About
BIND 9 has evolved to be a very flexible, full-featured DNS system. Whatever your application is, BIND 9 probably has the required features. As the first, oldest, and most commonly deployed solution, there are more network engineers who are already familiar with BIND 9 than with any other system.
BIND 9 is transparent open source, licensed under the MPL 2.0 license. Users are free to add functionality to BIND 9 and contribute back to the community through our open Gitlab.
Bundy
Bind10 was ceased and is now named Bundy. The BUNDY project is currently in hibernation status. It is not dead, but it is also not alive either.
Directories
Directory |
Description |
/etc/bind |
config |
/var/log/named |
logs |
/var/lib/bind |
persistent data |
/var/cache/bind |
current working directory |
/run/named |
pidfile and local session.key |
Docs
Uploaded Bv9ARM
Current ARM
Determine the current version of bind in Debian
Install
Without DHCP-Server
1 aptitude install bind9 dnsutils
With DHCP-Server
1 aptitude install autodns-dhcp
This is a lightweight package that pulls the following dependencies:
- bind9
- dnsutils
- isc-dhcp-server
- perl
The cronjob that comes with the package may be easily deactivated.
/etc/cron.d/autodns-dhcp
Important commands
Get current daemon status
1 rndc status
Print running config (but oscure secrets)
1 named-checkconf -px
Flush complete cache
1 rndc flush
You actually may want to be more specific
1 rndc flushtree example.com
Configure
Create directories for journals and zones
Main configuration file
I decided to move acls, auth and logging configuration to their own files and include them in the main configuration file. They may be reused on other servers as well.
/etc/bind/named.conf
1 //
2 // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
3 // structure of BIND configuration files in Debian, *BEFORE* you customize
4 // this configuration file.
5 //
6 // If you are just adding zones, please do that in /etc/bind/named.conf.local
7
8 include "/etc/bind/named.conf.logging";
9 include "/etc/bind/named.conf.options";
10 include "/etc/bind/named.conf.acls";
11 include "/etc/bind/named.conf.auth";
12 include "/etc/bind/named.conf.local";
13 //DEFAULT ZONES CANNOT BE INCLUDED HERE SINCE WE ARE USING VIEWS
14 // SEE: named.conf.local
15 //include "/etc/bind/named.conf.default-zones";
16
Logging
Basic logging
Default logging got extended by some info for debugging dynamic updates.
To use the path /var/log/bind you must extend the apparmor profile, otherwise leave it to /var/log/named. It's much easier to just create a symlink.
Create the directory
/etc/bind/named.conf.logging
1 logging {
2 channel null {
3 null;
4 };
5 channel update_debug {
6 file "/var/log/named/update-debug.log" versions 10 size 10m;
7 severity debug 3;
8 print-category yes;
9 print-severity yes;
10 print-time yes;
11 };
12 channel security_info {
13 file "/var/log/named/security.info" versions 10 size 10m;
14 severity info;
15 print-category yes;
16 print-severity yes;
17 print-time yes;
18 //stderr;
19 };
20 channel general_info {
21 file "/var/log/named/general.info" versions 10 size 10m;
22 severity info;
23 print-category yes;
24 print-severity yes;
25 print-time yes;
26 //stderr;
27 };
28 channel general_warn {
29 severity warning;
30 syslog local7;
31 print-category yes;
32 print-severity yes;
33 print-time yes;
34 //stderr;
35 };
36
37 // BIND9 LOGGING CATEGORIES
38 //client cname config database default delegation-only dispatch dnssec dnstap
39 //edns-disabled general lame-servers network notify queries query-errors
40 //rate-limit resolver rpz security spill trust-anchor-telemetry unmatched update
41 //update-security xfer-in xfer-out
42
43 category general { general_warn; };
44 category general { general_info; };
45 category rate-limit { security_info; };
46 category security { security_info; };
47 category update { update_debug; };
48 category update-security { security_info;
49 update_debug; };
50 category notify { update_debug; };
51 };
52
53 // vim: set syntax=named:
54
Adjust apparmor profile
In retrospective it may be easier to simply set a symlink than extending the apparmor config.
1 ln -s /var/log/named /var/log/bind
Extend apparmor profile /etc/apparmor.d/local/usr.sbin.named
This path must match the named apparmor-profile /etc/apparmor.d/{,local/}usr.sbin.named or bind will not start with the following error:
Jun 18 15:04:18 kvm2 named[6707]: isc_stdio_open '/var/log/bind/update-debug.log' failed: permission denied Jun 18 15:04:18 kvm2 named[6707]: configuring logging: permission denied Jun 18 15:04:18 kvm2 named[6707]: loading configuration: permission denied Jun 18 15:04:18 kvm2 named[6707]: exiting (due to fatal error)
1 install -o bind -g adm -m 750 -d /var/log/bind
Query Log
During a migration it may be necessary to determine, which clients are using the server. This can be accomplished using the query log. You should not forget the versions and size limit, it grows rapidly.
/etc/bind/named.conf.logging
Regular-expression magic from
https://www.regular-expressions.info/ip.html
Determine RFC1918 client
Logrotate
Just remove versions 10 size 10m from the file config in /etc/bind/named.conf.logging
Please also take a look on ISC logrotate settings in bind-9
/etc/logrotate.d/named_custom
Options
Some common options to all instances of bind9 around in the infrastructure.
- rate limit
- max-cache-size
- disable IPv6
/etc/bind/named.conf.options
1 options {
2 // attach-cache cache_name;
3 // version version_string;
4 // hostname hostname_string;
5 // server-id server_id_string;
6 directory "/var/cache/bind"; # path_name;
7 // key-directory "/var/lib/bind/keys"; # path_name;
8 // managed-keys-directory "/var/lib/bind/managed_keys"; # path_name;
9 // named-xfer "/var/cache/bind"; # path_name; // obsolete
10
11 // If there is a firewall between you and nameservers you want
12 // to talk to, you may need to fix the firewall to allow multiple
13 // ports to talk. See http://www.kb.cert.org/vuls/id/800113
14
15 // If your ISP provided one or more IP addresses for stable
16 // nameservers, you probably want to use them as forwarders.
17 // Uncomment the following block, and insert the addresses replacing
18 // the all-0's placeholder.
19
20 // forwarders {
21 // 0.0.0.0;
22 // };
23
24 //========================================================================
25 // If BIND logs error messages about the root key being expired,
26 // you will need to update your keys. See https://www.isc.org/bind-keys
27 //========================================================================
28 dnssec-validation auto;
29
30 auth-nxdomain no; # conform to RFC1035
31 dump-file "/var/cache/bind/named_dump.db";
32 listen-on { any; }; # Default "any;"
33 listen-on-v6 { none; }; # Default
34 allow-transfer { rockstable_dns; }; # { address_match_list };
35 empty-zones-enable yes ; # Default no
36 // empty-zones-enable no ; # Default no
37 // disable-empty-zone zone_name ;
38 allow-recursion { any; }; # Default with 9.4.1 { localhost; localnets; };
39 // allow-query { any; };
40 // allow-query-cache { any; };
41 rate-limit {
42 all-per-second 80; # integer;
43 //errors-per-second # integer default responses-per-second;
44 exempt-clients {
45 localhost; # address_match_element;
46 kvm2_nets_int;
47 kvm2_nets_ext;
48 };
49 //ipv4-prefix-length # integer default 24;
50 //ipv6-prefix-length # integer default 56;
51 //log-only boolean;
52 max-table-size 20480; # integer default 20000;
53 min-table-size 512; # integer default 500;
54 //nodata-per-second # integer default responses-per-second;
55 //nxdomains-per-second # integer default responses-per-second;
56 qps-scale 200; # integer;
57 //referrals-per-second # integer default responses-per-second;
58 responses-per-second 15; # integer default 0 (no-limit);
59 slip 3; # integer default 2;
60 window 15; # integer default 15;
61 };
62 // listen-on-v6 { any; };
63 //PER VIEW - DEFAULT: 90%
64 max-cache-size 256m;
65 };
66
67 // vim: set syntax=named:
68
Rate-limit
The rate-limit above is applied at the options (and not the view) level to be committed to the recursion. A whitelist has been applied to leave internal clients without restrictions. Therefore more aggressive limits can be set. Additionally i'm using a #fail2ban jail on udp/domain to block very aggressive sources aggressivly. TCP should not be blocked to allow slipped truncated queries TC=1 to be answered via tcp.
This will throttle single clients and networks to mask of 24 or 56 effectivly But this won't stop DDoS with a high amount of sources that stay under the radar.
Statistics
Statistics options
Get current working directory
View the statistics
ACLs
Using ACLs is a good idea
Define ACLs for your networks and ip-interfaces. This will simplify your configuration and make it more readable.
- address_match_list
- A list of one or more ip_addr, ip_prefix, key_id, or acl_name elements, see ARM Section 6.1.
Only IPs - no DNS-Names or DNS resolution in ACLs.
/etc/bind/named.conf.acls
1 // ACCESS CONTROL LISTS
2
3 // ROCKSTABLE DNS-SERVERS
4
5 acl ns2.rockstable.org { kvm1_eth0; };
6 acl ns3.rockstable.org { kvm2_enp0s31f6; };
7 acl ns4.rockstable.org { ns4_eth0; };
8 // GROUP THEM TOGETHER
9 acl rockstable_dns {
10 ns2.rockstable.org;
11 ns3.rockstable.org;
12 ns4.rockstable.org;
13 };
14
15 // NETWORKS
16
17 acl rockstable_org { 176.9.178.16/29; };
18 acl rockstable_it { 178.63.149.224/28; };
19
20 acl kvm2_nets_int { …; …; };
21 acl kvm2_nets_ext { rockstable_it; rockstable_org; };
22
23 // Exotic networks, client networks, …
24 // …
25
26 // INTERFACES
27 acl kvm1_eth0 { 176.9.99.233; };
28 acl kvm2_enp0s31f6 { 195.201.246.253; };
29 acl ns4_eth0 { 78.47.38.48; };
30
31 // Exotic clients, name-server interfaces in client networks, …
32 // …
33
34 // vim: set syntax=named:
35
Auth
This file contains the secrets for TSIG (Transaction SIGnature) authentication and deserves some protection.
Make sure this file has correct unix-permissions!
/etc/bind/named.conf.auth
1 // KEYS
2 key DNS_REPLICATOR_INTERNAL {
3 algorithm HMAC-SHA512;
4 secret "ENDLESS_LONG_SECRET_KEY_FOR_INTERNAL_VIEW";
5 };
6
7 key DNS_REPLICATOR_EXTERNAL {
8 algorithm HMAC-SHA512;
9 secret "ENDLESS_LONG_SECRET_KEY_FOR_EXTERNAL_VIEW";
10 };
11
12 // MASTERS
13 // INTERNAL
14 masters masters_rockstable_org_internal port 53 {
15 176.9.99.233 port 53 key DNS_REPLICATOR_INTERNAL;
16 };
17
18 masters masters_rockstable_it_internal port 53 {
19 195.201.246.253 port 53 key DNS_REPLICATOR_INTERNAL;
20 };
21
22 // EXTERNAL
23 masters masters_rockstable_org_external port 53 {
24 176.9.99.233 port 53 key DNS_REPLICATOR_EXTERNAL;
25 };
26
27 masters masters_rockstable_it_external port 53 {
28 195.201.246.253 port 53 key DNS_REPLICATOR_EXTERNAL;
29 };
30
31 // vim: set syntax=named:
32
Local
A slave-only setup authenticated using TSIG with only a view "external".
/etc/bind/named.conf.local
1 //
2 // Do any local configuration here
3 //
4
5 // Consider adding the 1918 zones here, if they are not used in your
6 // organization
7 //include "/etc/bind/zones.rfc1918";
8
9 // be authoritative for the rockstable.org forward and reverse zones, and for
10 // broadcast zones
11
12 view external {
13 // TAKEN FROM named.conf.default-zones
14 include "/etc/bind/named.conf.default-zones";
15
16 match-clients {
17 key DNS_REPLICATOR_EXTERNAL;
18 !key DNS_REPLICATOR_INTERNAL;
19 any;
20 };
21
22 //REVERSE ZONE DEFINITIONS (INTERNAL)
23 //-> NONE
24
25 //FORWARD ZONE DEFINITIONS
26 zone "rockstable.org" {
27 type slave;
28 masters { masters_rockstable_org_external; };
29 masterfile-format text; # (text|raw)
30 file "/var/lib/bind/zones/db.org.rockstable";
31 journal "/var/lib/bind/journal/db.org.rockstable.jnl"; # string ;
32
33 check-names warn; # (warn|fail|ignore) ;
34 notify yes; # yes_or_no | explicit | master-only ;
35 zone-statistics yes; # yes_or_no ;
36 };
37
38 zone "rockstable.it" {
39 type slave;
40 masters { masters_rockstable_it_external; };
41 masterfile-format text; # (text|raw)
42 file "/var/lib/bind/zones/db.it.rockstable";
43 journal "/var/lib/bind/journal/db.it.rockstable.jnl"; # string ;
44 check-names warn; # (warn|fail|ignore) ;
45 notify yes; # yes_or_no | explicit | master-only ;
46 zone-statistics yes; # yes_or_no ;
47 };
48 };
49
50 // vim: syntax=named:
51
Forwarding
From bind ARM 9.17
Forwarding
The forwarding facility can be used to create a large site-wide cache on a few servers, reducing traffic over links to external name servers. It can also be used to allow queries by servers that do not have direct access to the Internet, but wish to look up exterior names anyway. Forwarding occurs only on those queries for which the server is not authoritative and does not have the answer in its cache.
- forward
- This option is only meaningful if the forwarders list is not empty. A value of first is the default and causes the server to query the forwarders first; if that does not answer the question, the server then looks for the answer itself. If only is specified, the server only queries the forwarders.
- forwarders
- This specifies a list of IP addresses to which queries are forwarded. The default is the empty list (no forwarding). Each address in the list can be associated with an optional port number and/or DSCP value, and a default port number and DSCP value can be set for the entire list. Forwarding can also be configured on a per-domain basis, allowing for the global forwarding options to be overridden in a variety of ways. Particular domains can be set to use different forwarders, or have a different forward only/first behavior, or not forward at all; see zone Statement Grammar.
In the example reverse zones are resolved using forwarders only.
/etc/bind/named.conf.local
Changing a dynamic zone with views
When you are using a dynamic zones with views there are some steps you need to walk through to update a zone.
1 ZONE="rockstable.org"
2 ### "IN" IS SIMPLY THE CLASS OF ZONE (CASE INSENSITIVE)
3 VIEW="external"
4
5 ### FREEZE A DYNAMIC ZONE
6 rndc freeze "$ZONE" IN "$VIEW"
7 ### EDIT THE ZONE AND INCREMENT THE SERIAL
8 vim /etc/bind/zones/db.org.rockstable
9 ### Don't forget to increment the serial in SOA Record!
10 ### CHECK NAMED CONFIG
11 #named-checkconf /etc/bind/named.conf
12 ### CHECK ZONE SYNTAX
13 named-checkzone "$ZONE" /etc/bind/zones/db.org.rockstable
14 ### RELOAD THE ZONE LOCALLY
15 rndc reload "$ZONE" IN "$VIEW"
16 ### UNFREEZE THE ZONE AND NOTIFY
17 rndc thaw "$ZONE" IN "$VIEW"
18 ### NOTIFY SLAVES EXPLICITLY (IF NECESSARY)
19 #rndc notify "$ZONE" IN "$VIEW"
20 ### CHECK ZONE STATUS
21 rndc zonestatus rockstable.org
22 ### FLUSH CACHES TO OVERCOME TTLs (IF NECESSARY)
23 #rndc flush
24
Debugging
Check config
1 named-checkconf
Check zone
1 # named-checkzone rockstable.org /etc/bind/zones/db.org.rockstable
2 zone rockstable.org/IN: _matrix._tcp.rockstable.org/SRV 'matrix.rockstable.org' is a CNAME (illegal)
3 zone rockstable.org/IN: _stun._tcp.rockstable.org/SRV 'jabber.rockstable.org' is a CNAME (illegal)
4 zone rockstable.org/IN: _stuns._tcp.rockstable.org/SRV 'jabber.rockstable.org' is a CNAME (illegal)
5 zone rockstable.org/IN: _turn._tcp.rockstable.org/SRV 'jabber.rockstable.org' is a CNAME (illegal)
6 zone rockstable.org/IN: _turns._tcp.rockstable.org/SRV 'jabber.rockstable.org' is a CNAME (illegal)
7 zone rockstable.org/IN: _stun._udp.rockstable.org/SRV 'jabber.rockstable.org' is a CNAME (illegal)
8 zone rockstable.org/IN: _turn._udp.rockstable.org/SRV 'jabber.rockstable.org' is a CNAME (illegal)
9 zone rockstable.org/IN: _stun._tcp.jabber.rockstable.org/SRV 'jabber.rockstable.org' is a CNAME (illegal)
10 zone rockstable.org/IN: _stuns._tcp.jabber.rockstable.org/SRV 'jabber.rockstable.org' is a CNAME (illegal)
11 zone rockstable.org/IN: _turn._tcp.jabber.rockstable.org/SRV 'jabber.rockstable.org' is a CNAME (illegal)
12 zone rockstable.org/IN: _turns._tcp.jabber.rockstable.org/SRV 'jabber.rockstable.org' is a CNAME (illegal)
13 zone rockstable.org/IN: _xmpp-client._tcp.jabber.rockstable.org/SRV 'jabber.rockstable.org' is a CNAME (illegal)
14 zone rockstable.org/IN: _xmpp-server._tcp.jabber.rockstable.org/SRV 'jabber.rockstable.org' is a CNAME (illegal)
15 zone rockstable.org/IN: _xmpps-client._tcp.jabber.rockstable.org/SRV 'jabber.rockstable.org' is a CNAME (illegal)
16 zone rockstable.org/IN: _xmpps-client._tcp.jabber.rockstable.org/SRV 'jabber.rockstable.org' is a CNAME (illegal)
17 zone rockstable.org/IN: _stun._udp.jabber.rockstable.org/SRV 'jabber.rockstable.org' is a CNAME (illegal)
18 zone rockstable.org/IN: _turn._udp.jabber.rockstable.org/SRV 'jabber.rockstable.org' is a CNAME (illegal)
19 zone rockstable.org/IN: _xmpp-server._tcp.conference.jabber.rockstable.org/SRV 'jabber.rockstable.org' is a CNAME (illegal)
20 zone rockstable.org/IN: loaded serial 2020030301
21 OK
I should think about the advisory of named-checkzone one day. Seems like i'm doing illegal things with DNS. 
DNSsec
ISC's BIND 9 DNSSEC Webinar Series
This series of 10 lectures will take you through a full-day class on DNSSEC theory, history, implementation and troubleshooting, using BIND.
By Alan Clegg Initial presentation on 2020-02-05
Be sure
Once you upload your DS record to the parent zone you need to serve DNSsec or it will cause failure.
The process
Links
Thanks to the Leibniz-Rechenzentrum (LRZ) for it's nice tutorial (in german).
Bind9 tools
man -k dnssec
1 dnssec-checkds (8) - DNSSEC delegation consistency checking tool
2 dnssec-coverage (8) - checks future DNSKEY coverage for a zone
3 dnssec-dsfromkey (8) - DNSSEC DS RR generation tool
4 dnssec-importkey (8) - import DNSKEY records from external systems so they can be managed
5 dnssec-keyfromlabel (8) - DNSSEC key generation tool
6 dnssec-keygen (8) - DNSSEC key generation tool
7 dnssec-keymgr (8) - Ensures correct DNSKEY coverage for a zone based on a defined policy
8 dnssec-revoke (8) - set the REVOKED bit on a DNSSEC key
9 dnssec-settime (8) - set the key timing metadata for a DNSSEC key
10 dnssec-signzone (8) - DNSSEC zone signing tool
11 dnssec-trust-anchors.d (5) - DNSSEC trust anchor configuration files
12 dnssec-verify (8) - DNSSEC zone verification tool
13 systemd.negative (5) - DNSSEC trust anchor configuration files
14 systemd.positive (5) - DNSSEC trust anchor configuration files
Create key-directory
Create key directory
Ensure user bind can read the files!
dnssec-keygen - create keys
key-directory needs to be already created.
Create keys
1 DIR_KEY="/var/lib/bind/keys"
2 declare -a ZONES
3 ZONES=(
4 "rockstable.org" "rockstable.it"
5 "dyna.rockstable.org" "dyna.rockstable.it"
6 )
7 for ZONE in ${ZONES[@]}; do
8 ### CREATE KEY SIGNING KEY (KSK)
9 dnssec-keygen -a RSASHA256 -b 4096 -3 -f KSK "$ZONE"
10 ### CREATE ZONE SIGNING KEY (ZSK)
11 dnssec-keygen -a RSASHA256 -b 2048 -3 "$ZONE"
12 done
13 ### ADJUST PERMISSIONS
14 chown bind:bind "$DIR_KEY"/K*{.key,.private}
15 chmod 644 "$DIR_KEY"/K*.key
16 chmod 600 "$DIR_KEY"/K*.private
dnssec-keymgr
Ensures correct DNSKEY coverage for a zone based on a defined policy.
The man-page also contains info for /etc/dnssec-policy.conf
man dnssec-keymgr
key-directory needs to be created.
/etc/dnssec-policy.conf
1 ### ROCKSTABLE DNSSEC POLICY
2 policy default {
3 directory "/var/lib/bind/keys"; # DIRECTORY TO STORE THE KEYS IN
4 algorithm RSASHA256; # SIGNATURE ALGORITHM
5
6 ### KEY PARAMETERS
7 keyttl 86400; # TTL OF THE KEYS
8 key-size ksk 4096; # 4096BIT KEY-SIGNING KEY (KSK)
9 key-size zsk 2048; # 2048BIT ZONE-SIGNING KEY (ZSK)
10
11 ### ROLL-OVER PARAMETERS
12 #roll-period ksk 2y; # MANUAL INTERACTION WITH PARENT ZONE;
13 # KSK AUTO-ROLOVER IS NOT RECOMMENDED
14 # AND DISABLED BY DEFAULT
15 roll-period zsk 6mo; # DEFAULT: 1 YEAR
16
17 pre-publish zsk 1 month; # PRE-PUBLISH ZSK (DEFAULT: 1 MONTH)
18 post-publish zsk 1 month; # POST-PUBLISH ZSK (DEFAULT: 1 MONTH)
19 pre-publish ksk 1 month;
20 post-publish ksk 1 month;
21
22 ### STANDBY KEYS - NOT YET IMPLEMENTED
23 #standby ksk 1; # PROVISION 1 KSK AS STANDBY PER ZONE
24 #standby zsk 1; # PROVISION 1 ZSK AS STANDBY PER ZONE
25
26 ### LENGTH OF TIME TO ENSURE THAT KEYS WILL BE CORRECT
27 coverage 1y;
28 };
29
30 ### ZONE SPECIFIC PARAMETERS
31 #zone rockstable.it {
32 # coverage 1y; # coverage-Periode für die Schlüssel erzeugt werden
33 # policy default; # "default"-Policy für diese Zone anwenden
34 #};
35
Activation via systemd
/etc/dnssec-policy.conf
1 ### ROCKSTABLE DNSSEC POLICY
2 policy default {
3 directory "/var/lib/bind/keys"; # DIRECTORY TO STORE THE KEYS IN
4 algorithm RSASHA256; # SIGNATURE ALGORITHM
5
6 ### KEY PARAMETERS
7 keyttl 86400; # TTL OF THE KEYS
8 key-size ksk 4096; # 4096BIT KEY-SIGNING KEY (KSK)
9 key-size zsk 2048; # 2048BIT ZONE-SIGNING KEY (ZSK)
10
11 ### ROLL-OVER PARAMETERS
12 #roll-period ksk 2y; # MANUAL INTERACTION WITH PARENT ZONE;
13 # KSK AUTO-ROLOVER IS NOT RECOMMENDED
14 # AND DISABLED BY DEFAULT
15 roll-period ksk 6mo; # 6 MONTH
16
17 ### STANDBY KEYS - NOT YET IMPLEMENTED
18 #standby ksk 1; # PROVISION 1 KSK AS STANDBY PER ZONE
19 #standby zsk 1; # PROVISION 1 ZSK AS STANDBY PER ZONE
20
21 pre-publish zsk 1 month; # PRE-PUBLISH ZSK (DEFAULT 1 MONTH)
22 post-publish zsk 1 month; # POST-PUBLISH ZSK (DEFAULT 1 MONTH)
23 pre-publish ksk 1 month;
24 post-publish ksk 1 month;
25
26 ### length of time to ensure that keys will be correct
27 coverage 1y;
28 };
29
30 ### ZONE SPECIFIC PARAMETERS
31 #zone rockstable.it {
32 # coverage 1y; # coverage-Periode für die Schlüssel erzeugt werden
33 # policy default; # "default"-Policy für diese Zone anwenden
34 #};
35
/lib/systemd/system/dnssec-keymgr.service
/lib/systemd/system/dnssec-keymgr.timer
Reload systemd and enable the timer
Activation via cron
/etc/cron.d/dnssec-keymgr
dnssec-signzone - manually
DNSSEC zone signing tool
dnssec-signzone signs a zone. It generates NSEC and RRSIG records and produces a signed version of the zone. The security status of delegations from the signed zone (that is, whether the child zones are secure or not) is determined by the presence or absence of a keyset file for each child zone.
man dnssec-signzone
Used options
1 -g
2 Generate DS records for child zones from dsset- or keyset-
3 file. Existing DS records will be removed.
4 -K directory
5 Key repository: Specify a directory to search for DNSSEC
6 keys. If not specified, defaults to the current directory.
7 -o origin
8 The zone origin. If not specified, the name of the zone file
9 is assumed to be the origin.
10 -S
11 Smart signing: Instructs dnssec-signzone to search the key
12 repository for keys that match the zone being signed, and to
13 include them in the zone if appropriate.
14 -T ttl
15 Specifies a TTL to be used for new DNSKEY records imported
16 into the zone from the key repository. If not specified, the
17 default is the TTL value from the zone's SOA record. This
18 -v level
19 Sets the debugging level.
#failed to find keys at the zone apex
dnssec-settime - manually
set the key timing metadata for a DNSSEC key
dnssec-settime reads a DNSSEC private key file and sets the key timing metadata as specified by the -P, -A, -R, -I, and -D options. The metadata can then be used by dnssec-signzone or other signing software to determine when a key is to be published, whether it should be used for signing a zone, etc.
If none of these options is set on the command line, then dnssec-settime simply prints the key timing metadata already stored in the key.
When key metadata fields are changed, both files of a key pair (Knnnn.+aaa+iiiii.key and Knnnn.+aaa+iiiii.private) are regenerated. Metadata fields are stored in the private file. A human-readable description of the metadata is also placed in comments in the key file. The private file's permissions are always set to be inaccessible to anyone other than the owner (mode 0600).
Options
1 -f
2 Force an update of an old-format key with no metadata
3 fields. Without this option, dnssec-settime will fail when
4 attempting to update a legacy key. With this option, the key
5 will be recreated in the new format, but with the original
6 key data retained. The key's creation date will be set to
7 the present time. If no other values are specified, then the
8 key's publication and activation dates will also be set to
9 the present time.
10
11 -K directory
12 Sets the directory in which the key files are to reside.
13
14 -L ttl
15 Sets the default TTL to use for this key when it is
16 converted into a DNSKEY RR. If the key is imported into a
17 zone, this is the TTL that will be used for it, unless there
18 was already a DNSKEY RRset in place, in which case the
19 existing TTL would take precedence. If this value is not set
20 and there is no existing DNSKEY RRset, the TTL will default
21 to the SOA TTL. Setting the default TTL to 0 or none removes
22 it from the key.
23
24 -h
25 Emit usage message and exit.
26
27 -V
28 Prints version information.
29
30 -v level
31 Sets the debugging level.
32
33 -E engine
34 Specifies the cryptographic hardware to use, when
35 applicable.
36
37 When BIND is built with OpenSSL PKCS#11 support, this
38 defaults to the string "pkcs11", which identifies an OpenSSL
39 engine that can drive a cryptographic accelerator or
40 hardware service module. When BIND is built with native
41 PKCS#11 cryptography (--enable-native-pkcs11), it defaults
42 to the path of the PKCS#11 provider library specified via
43 "--with-pkcs11".
Timing options
1 Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
2 If the argument begins with a '+' or '-', it is interpreted as
3 an offset from the present time. For convenience, if such an
4 offset is followed by one of the suffixes 'y', 'mo', 'w', 'd',
5 'h', or 'mi', then the offset is computed in years (defined as
6 365 24-hour days, ignoring leap years), months (defined as 30
7 24-hour days), weeks, days, hours, or minutes, respectively.
8 Without a suffix, the offset is computed in seconds. To unset a
9 date, use 'none' or 'never'.
10
11 -P date/offset
12 Sets the date on which a key is to be published to the zone.
13 After that date, the key will be included in the zone but
14 will not be used to sign it.
15
16 -P sync date/offset
17 Sets the date on which CDS and CDNSKEY records that match
18 this key are to be published to the zone.
19
20 -A date/offset
21 Sets the date on which the key is to be activated. After
22 that date, the key will be included in the zone and used to
23 sign it.
24
25 -R date/offset
26 Sets the date on which the key is to be revoked. After that
27 date, the key will be flagged as revoked. It will be
28 included in the zone and will be used to sign it.
29
30 -I date/offset
31 Sets the date on which the key is to be retired. After that
32 date, the key will still be included in the zone, but it
33 will not be used to sign it.
34
35 -D date/offset
36 Sets the date on which the key is to be deleted. After that
37 date, the key will no longer be included in the zone. (It
38 may remain in the key repository, however.)
39
40 -D sync date/offset
41 Sets the date on which the CDS and CDNSKEY records that
42 match this key are to be deleted.
43
44 -S predecessor key
45 Select a key for which the key being modified will be an
46 explicit successor. The name, algorithm, size, and type of
47 the predecessor key must exactly match those of the key
48 being modified. The activation date of the successor key
49 will be set to the inactivation date of the predecessor. The
50 publication date will be set to the activation date minus
51 the prepublication interval, which defaults to 30 days.
52
53 -i interval
54 Sets the prepublication interval for a key. If set, then the
55 publication and activation dates must be separated by at
56 least this much time. If the activation date is specified
57 but the publication date isn't, then the publication date
58 will default to this much time before the activation date;
59 conversely, if the publication date is specified but
60 activation date isn't, then activation will be set to this
61 much time after publication.
62
63 If the key is being set to be an explicit successor to
64 another key, then the default prepublication interval is 30
65 days; otherwise it is zero.
66
67 As with date offsets, if the argument is followed by one of
68 the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
69 interval is measured in years, months, weeks, days, hours,
70 or minutes, respectively. Without a suffix, the interval is
71 measured in seconds.
Printing options
1 dnssec-settime can also be used to print the timing metadata
2 associated with a key.
3
4 -u
5 Print times in UNIX epoch format.
6
7 -p C/P/Psync/A/R/I/D/Dsync/all
8 Print a specific metadata value or set of metadata values.
9 The -p option may be followed by one or more of the
10 following letters or strings to indicate which value or
11 values to print: C for the creation date, P for the
12 publication date, Psync for the CDS and CDNSKEY publication
13 date, A for the activation date, R for the revocation date,
14 I for the inactivation date, D for the deletion date, and
15 Dsync for the CDS and CDNSKEY deletion date To print all of
16 the metadata, use -p all.
DNSsec options
1 //auto-dnssec ( allow | maintain | off );
2
3 //dnssec-accept-expired boolean;
4 //dnssec-dnskey-kskonly boolean;
5 //dnssec-enable boolean;
6 //dnssec-loadkeys-interval integer;
7 //dnssec-lookaside ( string trust-anchor string | auto | no );
8 //dnssec-must-be-secure string boolean;
9 //dnssec-secure-to-insecure boolean;
10 //dnssec-update-mode ( maintain | no-resign );
11 //dnssec-validation ( yes | no | auto );
12
13 //inline-signing boolean;
14 //key-directory path_name;
15 //managed-keys-directory path_name;
16 //update-check-ksk boolean;
17
auto-dnssec
- Zones configured for dynamic DNS may use this option to allow varying levels of automatic DNSSEC key management. There are three possible settings:
auto-dnssec allow; permits keys to be updated and the zone fully re-signed whenever the user issues the command rndc sign zonename.
auto-dnssec maintain; includes the above, but also automatically adjusts the zone’s DNSSEC keys on a schedule, according to the keys’ timing metadata (see dnssec-keygen: DNSSEC key generation tool and dnssec-settime: set the key timing metadata for a DNSSEC key). The command rndc sign zonename causes named to load keys from the key repository and sign the zone with all keys that are active. rndc loadkeys zonename causes named to load keys from the key repository and schedule key maintenance events to occur in the future, but it does not sign the full zone immediately. Note: once keys have been loaded for a zone the first time, the repository is searched for changes periodically, regardless of whether rndc loadkeys is used. The recheck interval is defined by dnssec-loadkeys-interval.
The default setting is auto-dnssec off.
dnssec-accept-expired
- Accept expired signatures when verifying DNSSEC signatures. The default is no. Setting this option to yes leaves named vulnerable to replay attacks.
dnssec-dnskey-kskonly
- When this option and update-check-ksk are both set to yes, only key-signing keys (that is, keys with the KSK bit set) will be used to sign the DNSKEY, CDNSKEY, and CDS RRsets at the zone apex. Zone-signing keys (keys without the KSK bit set) will be used to sign the remainder of the zone, but not the DNSKEY RRset.
This is similar to the dnssec-signzone -x command line option.
The default is no. If update-check-ksk is set to no, this option is ignored.
dnssec-enable
- This indicates whether DNSSEC-related resource records are to be returned by named. If set to no, named will not return DNSSEC-related resource records unless specifically queried for. The default is yes. This option is obsolete and has no effect. (9.16+)
dnssec-loadkeys-interval
When a zone is configured with auto-dnssec maintain; its key repository must be checked periodically to see if any new keys have been added or any existing keys’ timing metadata has been updated (see dnssec-keygen: DNSSEC key generation tool and dnssec-settime: set the key timing metadata for a DNSSEC key). The dnssec-loadkeys-interval option sets the frequency of automatic repository checks, in minutes. The default is 60 (1 hour),
the minimum is 1 (1 minute),
and the maximum is 1440 (24 hours);
any higher value is silently reduced.
dnssec-lookaside
- When set, dnssec-lookaside provides the validator with an alternate method to validate DNSKEY records at the top of a zone. When a DNSKEY is at or below a domain specified by the deepest dnssec-lookaside, and the normal DNSSEC validation has left the key untrusted, the trust-anchor will be appended to the key name and a DLV record will be looked up to see if it can validate the key. If the DLV record validates a DNSKEY (similarly to the way a DS record does)
the DNSKEY RRset is deemed to be trusted.
If dnssec-lookaside is set to no, then dnssec-lookaside is not used.
Note- The ISC-provided DLV service at dlv.isc.org, has been shut down. The dnssec-lookaside auto; configuration option, which set named up to use ISC DLV with minimal configuration, has accordingly been removed.
dnssec-must-be-secure
- Specify hierarchies which must be or may not be secure (signed and validated). If yes, then named will only accept answers if they are secure. If no, then normal DNSSEC validation applies allowing for insecure answers to be accepted. The specified domain must be defined as a trust anchor, for instance in a dnssec-keys statement, or dnssec-validation auto must be active.
dnssec-update-mode
- If this option is set to its default value of maintain in a zone of type master which is DNSSEC-signed and configured to allow dynamic updates (see Dynamic Update Policies), and if named has access to the private signing key(s) for the zone, then named will automatically sign all new or changed records and maintain signatures for the zone by regenerating RRSIG records
whenever they approach their expiration date.
If the option is changed to no-resign, then named will sign all new or changed records,but scheduled maintenance of signatures is disabled.
With either of these settings, named will reject updates to a DNSSEC-signed zone when the signing keys are inactive or unavailable to named. (A planned third option, external, will disable all automatic signing and allow DNSSEC data to be submitted into a zone via dynamic update; this is not yet implemented.)
dnssec-validation
This option enables DNSSEC validation in named.
If set to auto, DNSSEC validation is enabled and a default trust anchor for the DNS root zone is used.
If set to yes, DNSSEC validation is enabled, but a trust anchor must be manually configured using a trust-anchors statement (or the managed-keys or trusted-keys statements, both deprecated). If there is no configured trust anchor, validation does not take place.
If set to no, DNSSEC validation is disabled.
The default is auto, unless BIND is built with configure --disable-auto-validation, in which case the default is yes.
The default root trust anchor is stored in the file bind.keys. named loads that key at startup if dnssec-validation is set to auto. A copy of the file is installed along with BIND 9, and is current as of the release date. If the root key expires, a new copy of bind.keys can be downloaded from https://www.isc.org/bind-keys.
(To prevent problems if bind.keys is not found, the current trust anchor is also compiled in named. Relying on this is not recommended, however, as it requires named to be recompiled with a new key when the root key expires.)
Note
named loads only the root key from bind.keys. The file cannot be used to store keys for other zones. The root key in bind.keys is ignored if dnssec-validation auto is not in use. Whenever the resolver sends out queries to an EDNS-compliant server, it always sets the DO bit indicating it can support DNSSEC responses,
even if dnssec-validation is off.
inline-signing
- If yes, this enables “bump in the wire” signing of a zone, where a unsigned zone is transferred in or loaded from disk and a signed version of the zone is served, with possibly, a different serial number. This behavior is disabled by default.
key-directory
- When performing dynamic update of secure zones, the directory where the public and private DNSSEC key files should be found, if different than the current working directory. (Note that this option has no effect on the paths for files containing non-DNSSEC keys
such as bind.keys, rndc.key or session.key.)
Just for completeness and reasons of comparision managed-keys-directory
- This specifies the directory in which to store the files that track managed DNSSEC keys
(i.e., those configured using the initial-key or initial-ds keywords in a trust-anchors statement). By default, this is the working directory. The directory must be writable by the effective user ID of the named process.
If named is not configured to use views, managed keys for the server are tracked in a single file called managed-keys.bind. Otherwise, managed keys are tracked in separate files, one file per view; each file name is the view name (or, if it contains characters that are incompatible with use as a file name, the SHA256 hash of the view name), followed by the extension .mkeys. (Note: in earlier releases, file names for views always used the SHA256 hash of the view name. To ensure compatibility after upgrading, if a file using the old name format is found to exist, it is used instead of the new format.)
update-check-ksk
- When set to the default value of yes, check the KSK bit in each key to determine how the key should be used when generating
RRSIGs for a secure zone.
Ordinarily, zone-signing keys (that is, keys without the KSK bit set) are used to sign the entire zone, while key-signing keys (keys with the KSK bit set) are only used to sign the DNSKEY RRset at the zone apex. However, if this option is set to no, then the KSK bit is ignored; KSKs are treated as if they were ZSKs and are used to sign the entire zone.This is similar to the dnssec-signzone -z command line option.
When this option is set to yes, there must be at least two active keys for every algorithm represented in the DNSKEY RRset: at least one KSK and one ZSK per algorithm. If there is any algorithm for which this requirement is not met, this option will be ignored for that algorithm.
Validation
/etc/bind/named.conf.options
You should use dnssec-validation auto;. Or you will need to configure trust-anchors via managed-keys or trusted-keys.
Inline signing
Probaly the way to go.
- Parallel setup for testing
- Editing possible on master or in ounsigned master file
- The signed file is always of type raw to speed up loading
Internet Systems Consortium - BIND and Inline Signing
Global options
/etc/bind/named.conf.options
Inline signing with local file
Zone specific options
/etc/bind/named.conf.local
This will generate a corresponding signed file "/etc/bind/zones/db.it.rockstable.signed" and journal file "/etc/bind/zones/db.it.rockstable.jnl".
The master-file is untouched.
Inline signing with a master
Zone specific options
/etc/bind/named.conf.local
Changed are received by AXFR updates and signed in-line. The master-file will be updated dynamically. This way also the DNSSEC records are inserted and updated.
To see the signed file's content convert the zone to a text file
Signing with local updates
No editing in zone files anymore, only dynamic updates to the zone.
Zone specific options
/etc/bind/named.conf.local
To see the signed file's content convert the zone to a text file
NextSECure
Info about records
Migrations NSEC to NSEC3
rndc signing -nsec3param sets the NSEC3 parameters for a zone. This is the only supported mechanism for using NSEC3 with inline-signing zones. Parameters are specified in the same format as an NSEC3PARAM resource record: hash algorithm, flags, iterations, and salt, in that order.
Currently, the only defined value for hash algorithm is 1, representing SHA-1. The flags may be set to 0 or 1, depending on whether you wish to set the opt-out bit in the NSEC3 chain. iterations defines the number of additional times to apply the algorithm when generating an NSEC3 hash. The salt is a string of data expressed in hexadecimal, a hyphen (`-') if no salt is to be used, or the keyword auto, which causes named to generate a random 64-bit salt.
So, for example, to create an NSEC3 chain using the SHA-1 hash algorithm, no opt-out flag, 10 iterations, and a salt value of "FFFF", use:
rndc signing -nsec3param 1 0 10 FFFF zone. To set the opt-out flag, 15 iterations, and no salt, use:
rndc signing -nsec3param 1 1 15 - zone.
1 rndc signing -nsec3param 1 0 10 auto rockstable.it
Create NSEC3PARAMs for specified views and specified zones with automatically generated seed
1 VIEWS=( "internal" "external" )
2 ZONES=( "rockstable.it" "rockstable.org" )
3 for VIEW in "${VIEWS[@]}"; do
4 for ZONE in "${ZONES[@]}"; do
5 rndc loadkeys "$ZONE." IN "$VIEW"
6 rndc signing -list "$ZONE." IN "$VIEW"
7 ### USED WITH "inline-signing" IN "$VIEW"
8 rndc signing -nsec3param 1 0 10 auto "$ZONE." IN "$VIEW"
9 done
10 done
11
12 rndc: 'loadkeys' failed: not found
13 no matching zone 'rockstable.it.' in view 'internal'
14 rndc: 'signing' failed: not found
15 no matching zone 'rockstable.it.' in view 'internal'
16 rndc: 'signing' failed: not found
17 no matching zone 'rockstable.it.' in view 'internal'
18 Done signing with key 30825/RSASHA256
19 Done signing with key 45742/RSASHA256
20 nsec3param request queued
21 No signing records found
22 nsec3param request queued
23 Done signing with key 30825/RSASHA256
24 Done signing with key 45742/RSASHA256
25 nsec3param request queued
Create NSEC3PARAMs with alternative pseudo random seed
1 ZONES=( "rockstable.it" )
2 for ZONE in "${ZONES[@]}"; do
3 rndc loadkeys "$ZONE."
4 #NSECSEED="$(printf "%04x%04x" "$RANDOM" "$RANDOM")"
5 NSECSEED="$(head -c 300 /dev/random | sha1sum | cut -b 1-16)"
6 rndc signing -list "$ZONE."
7 ### USED WITH "inline-signing"
8 rndc signing -nsec3param 1 0 10 "$NSECSEED" "$ZONE."
9 done
Check it
dig -t ANY +dnssec +multiline kamehameha.rockstable.it|less
1 ; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> -t ANY +dnssec +multiline kamehameha.rockstable.it
2 ;; global options: +cmd
3 ;; Got answer:
4 ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 48417
5 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1
6
7 ;; OPT PSEUDOSECTION:
8 ; EDNS: version: 0, flags: do; udp: 4096
9 ; COOKIE: 1405a603363fae4a2e04ee205f36412ce512467b8a3c171c (good)
10 ;; QUESTION SECTION:
11 ;kamehameha.rockstable.it. IN ANY
12
13 ;; AUTHORITY SECTION:
14 rockstable.it. 10800 IN SOA ns3.rockstable.org. hostmaster.rockstable.it. (
15 2020101261 ; serial
16 86400 ; refresh (1 day)
17 3600 ; retry (1 hour)
18 2419200 ; expire (4 weeks)
19 21600 ; minimum (6 hours)
20 )
21 rockstable.it. 10800 IN RRSIG SOA 8 2 86400 (
22 20200913073840 20200814063840 51513 rockstable.it.
23 AjuwTRzMecBqBBuRcYu9uoqC/7Nu+m9ZknbJ78mCnNYb
24 FyeCtSet39AiqFatyIgz2bH3AzvVgqZhlg4EYuuWOI8Y
25 o4WdNxl+w0nvJjJY8YffRuqSlI1AsPTIhTsmSUKFB25A
26 HSTKwJ91jrcFt4dPEgEWpePFoWYYUEB9tD2DSp0WMunr
27 G37x6Pc977orb98v5FsvKpOQy2d+tnqk+j5DI5fMUZUd
28 spLG3Dt+bIzivvQA/R6PRfH8nzWWWNzSiN3e0KYO8mDO
29 YRs7ow5akFGLkVPmHA8m1nYJDaGu6D/gh7aiT/O0KPlL
30 Tf5dXbV2fqG+3y0K8OKN+LrIF6mOnf5RTgwpt/n2oZhF
31 l2YsIidwWZPhEV0mfyRRQyy9vkxPBsDozhP9r9Qkulej
32 2H1KvcWJ30IaZSfam34Lz7VrUUqEQNFinVcPmrm9xCs+
33 ABou5SDeQmVJCAOHVs8CMmudHVpXxbFVuvzz1tJ8nkMY
34 1Wp8if+mvtHL09kkN/JEvaZipPhyYcb6k5NQE4IaIgmH
35 PTMjkmQqabd9YZmHLksyncek/XywrFF9JbSiJ4f0Xc6g
36 EaVIVSj4MgwegpHl3GcC16rukwcZC4yWzWP4rO+YcQDg
37 MCXAas4Vstxn+4W/QngJCjB8OuR8s8rKtRKzgEJBGT17
38 mY8fpDeJEbDgQIoU2jO/Y6o= )
39 9LRD21TUPMDFAMBGDOHEFIVR98EV9SQ7.rockstable.it. 10800 IN RRSIG NSEC3 8 3 21600 (
40 20200913072423 20200814063836 51513 rockstable.it.
41 W0BJ1xGImFnulmhhB4PL09lfdUpuNkmO5TRDrFe7lYqa
42 orctYc1pB3J52a6AfQLtoCgfdeOH60g33waKNANAzpN8
43 eIRXKc/TjLKHMBm9eLE8+hGvv2RaQ5zBZXeJY/ldZOAo
44 HGGZwRFu04txj5vBXWMs9eDT3ogH4RjvVxx/KMrcMIem
45 SjFRI5RRnZuYuYzBD6Kvv+566fYV0D49cEBQwVgU/yCJ
46 H1GK/nVwkTjmSNzZyXVJHzuWUdWUeh4ZHyH6obRqRnSZ
47 MtyqB3K6b+M4kNtrSo9CclCQY+usSENyY20GKPorvxUO
48 XeVUKdmZr+roqpcmxAdCCh7dXw//H7GEH73mW6YHpge0
49 QcJQfI6K7jrMM4RDF9lb0I4TqKNM+0VppgpmywVe3hAf
50 GOBqhcLCg5tyqTNoelveAsM7HC/TRvAbjzT8MLp5r4x3
51 b8lSmm4kszZnXaYOSG8ULAcrlt4StjTz8WVHWDBCfTVe
52 W85SV4xkDWltp8ARRQ/usHTq4qZr3RZywnV2Gcit5goG
53 8RTKOEobghovf+9qH1e4cR6fNE9yWbGP3VUcvafIpfT7
54 i3VkmtWj1oo0uCKf/tEJoaCMgOMj/yOiAM2f1IIn3pt8
55 gXppSGH8dnUqlM9hATvriQAIxcTWqFnMEs5jEN8rUhLS
56 bKzxID7fM9AvBdHm6P7pQ7I= )
57 9LRD21TUPMDFAMBGDOHEFIVR98EV9SQ7.rockstable.it. 10800 IN NSEC3 1 0 10 F08863C214B64A6F (
58 A436TN6I9T04KNJ5GTN0I36E60KQCBAH )
59 IV5DV56V5CANU92EFECH103VFSV7ESN9.rockstable.it. 10800 IN RRSIG NSEC3 8 3 21600 (
60 20200913073258 20200814063840 51513 rockstable.it.
61 nnMYSMo2C+os0XqyCgMIAMpJLEvTVPuPo22Q4BqdO+kd
62 kadIszimTlu659eRqNwG+Vl33bcbd5EhqPG0l2GK0FiZ
63 RDoW1k0gaBtaPdF72ZYwxtinz4/sg6V18CmZii4NsS/Y
64 jwiO8VDw0g5C1nCOFmNBvIU5bPWxNSHvRQNyzvbw+mI6
65 qA7IfnYJEn/L4sfcETrC+OCtS687rqhVK+UThnaCSpYE
66 RkW0zXhCyBmhhTnczYjNnUdoaI1pJHoxBSXoGSptDMTg
67 D9mVq4+6SH8JC70vTZkznH6H/N5eANYqLDH8lEadu6Fb
68 uiDXt66RfS5g5Y7LANj0EJg7PHvs2RsG1SEsIJTsGvWW
69 JgNgdh70oS7L571AWY20mJEWNL5XYu7oyYOfQ489ZkDv
70 Ld7TQDnBKiKt/fmY80zJf7Nk8U8mVlaCP74GA+EBeyFu
71 sTpNiYn6HkEbzxkQAluH4LsVlPUNoUMNi0VghJFxOXn5
72 ViXUTBTilh/uAlfNmu6A2a7T08EmIKueH1aX/GBz6xMR
73 p0qQCH+/dpaR+13Q2mFeWaJDhvWaEz8uRAYsNunhyJWj
74 a1Qu1e2n6nmlGC0EtnGQXxSuzL1vGXkqXFDlW7YIxSeA
75 rlBq/gTqA5AhxDyIiu6N71dPFY8S7ChjOY3mXDWn/qdh
76 bE5brnA4pMdtwuKMtYLJuVA= )
77 IV5DV56V5CANU92EFECH103VFSV7ESN9.rockstable.it. 10800 IN NSEC3 1 0 10 F08863C214B64A6F (
78 J1HV88UIU5K4GFPRK834A7JSOVEVE8CO
79 A NS SOA MX TXT RRSIG DNSKEY NSEC3PARAM
80 CAA )
81 J1HV88UIU5K4GFPRK834A7JSOVEVE8CO.rockstable.it. 10800 IN RRSIG NSEC3 8 3 21600 (
82 20200913065143 20200814063837 51513 rockstable.it.
83 EutnXOn9qwr1YNc27+JeIj7zIl68xsvFxqEH5yx8HpW6
84 Mtzc8yDQTOHVo7lSmSqz8jikteloOK+ZWgd7dnQ3WV/I
85 F34hPo/HBOi14vvdiRoZdgibuUmYa5dytgR3FLvB/PJg
86 Tkevdczi+K7OA1y9IQv7skoeh9+YHlkzFjMUJdgkEZ0W
87 3LjwJ/dxRElrApcEH2uwUHU37tUFZ/62eo8cEI9fNQZr
88 IZPdMb6xU/Rlwj0vXgPZNEebzlSooPC6RDcVdk7m5ayV
89 UrMIcPXI4aU2Wx2eFhRsNHyLePUFDeJepitAq1b8sxut
90 mxknXPGQyAbvmHUqaJeIrRbjeZW3K5xk4nhqZ34CH7vJ
91 vuaev57IcRNnE8tlLAS/bsr+jDwGZdJAEjxhT7U/DjW9
92 qa95Kg2CBRWdYpFF0KQLuX9TM7LbPCs/qt1cqh7poxOj
93 mF3WN9ggDfUoK3obWJIoacYa1TkeOT0QVcAlPx3kOURT
94 XURc3HwLARd0wkcdFWzZK7X9KCoTPb0I4JBoiNNmT0uI
95 JikBI3ikjOOHkQGMFoUEF9+Q1ghc0Mkes6N1boYYooej
96 oA556mAqQGNfwrW8Wlr2DrCpHEUn1DnIBpQ6zlxMvSXn
97 yDOj+0u9+K6ipzN9arj0cnczTQLbpAumX+JgPia6rIY7
98 2+gTAekRJSGaM/Suv2Z3NZY= )
99 J1HV88UIU5K4GFPRK834A7JSOVEVE8CO.rockstable.it. 10800 IN NSEC3 1 0 10 F08863C214B64A6F (
100 J8QMRUROP13CSDNGL5Q57TP8JPBL9TLH
101 SRV RRSIG )
102
103 ;; Query time: 2 msec
104 ;; SERVER: 127.0.0.1#53(127.0.0.1)
105 ;; WHEN: Fr Aug 14 09:45:48 CEST 2020
106 ;; MSG SIZE rcvd: 2631
Migrations NSEC3 to NSEC
rndc signing -nsec3param none removes an existing NSEC3 chain and replaces it with NSEC.
Migrating from NSEC3 back to NSEC is easy, just use the rndc command like this:
1 $ rndc signing -nsec3param none rockstable.it
dnssec-dsfromkey
DNSSEC DS RR generation tool
dnssec-dsfromkey outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s).
1 dnssec-dsfromkey \
2 -2 -a SHA256 -K "/var/lib/bind/keys" -v 1 \
3 Krockstable.it.+008+20989.key
4
5 while read KEY; do
6 dnssec-dsfromkey -2 -a SHA256 -K "/var/lib/bind/keys" -v 1 "$KEY"
7 done <<< "$(grep -l "key-signing key" /var/lib/bind/keys/*.key)"
8 rockstable.it. IN DS 20989 8 2 2EF63365CA2643123CF124F10DF1B34DF72217480109DB44F49CBD5FAD58215A
9 rockstable.org. IN DS 45742 8 2 416BBE751C64EA46552EE58FCADDF85A82055208F3033CECC262A205B48F3A77
Zone file mode piped from dig
Options
1 -1
2 Use SHA-1 as the digest algorithm
3 (the default is to use both SHA-1 and SHA-256).
4
5 -2
6 Use SHA-256 as the digest algorithm.
7
8 -a algorithm
9 Select the digest algorithm. The value of algorithm must be
10 one of SHA-1 (SHA1), SHA-256 (SHA256), GOST or SHA-384
11 (SHA384). These values are case insensitive.
12
13 -C
14 Generate CDS records rather than DS records. This is
15 mutually exclusive with generating lookaside records.
16
17 -T TTL
18 Specifies the TTL of the DS records.
19
20 -K directory
21 Look for key files (or, in keyset mode, keyset- files) in
22 directory.
23
24 -f file
25 Zone file mode: in place of the keyfile name, the argument
26 is the DNS domain name of a zone master file, which can be
27 read from file. If the zone name is the same as file, then
28 it may be omitted.
29
30 If file is set to "-", then the zone data is read from the
31 standard input. This makes it possible to use the output of
32 the dig command as input, as in:
33
34 dig dnskey example.com | dnssec-dsfromkey -f - example.com
35
36 -A
37 Include ZSKs when generating DS records. Without this
38 option, only keys which have the KSK flag set will be
39 converted to DS records and printed. Useful only in zone
40 file mode.
41
42 -l domain
43 Generate a DLV set instead of a DS set. The specified domain
44 is appended to the name for each record in the set. The
45 DNSSEC Lookaside Validation (DLV) RR is described in RFC
46 4431. This is mutually exclusive with generating CDS
47 records.
48
49 -s
50 Keyset mode: in place of the keyfile name, the argument is
51 the DNS domain name of a keyset file.
52
53 -c class
54 Specifies the DNS class (default is IN). Useful only in
55 keyset or zone file mode.
56
57 -v level
58 Sets the debugging level.
59
60 -h
61 Prints usage information.
62
63 -V
64 Prints version information.
These DS-RR may now be uploaded to the parent zone via the domain management whois update.
This sets DNSsec in action.
dnssec-checkds
DNSSEC delegation consistency checking tool
dnssec-checkds verifies the correctness of Delegation Signer (DS) or DNSSEC Lookaside Validation (DLV) resource records for keys in a specified zone.
1 ### USE DNS TO LOOKUP DS RECORD IN PARENT ZONE
2 # dnssec-checkds rockstable.it
3 DS for KSK rockstable.it/008/20989 (SHA-1) missing from parent
4 DS for KSK rockstable.it/008/20989 (SHA-256) missing from parent
5 No DS records were found for any DNSKEY
6
7 ### UNTESTED:
8 ### CHECK LOCAL FILE OF PARENT ZONE
9 ### FOR CORRECT DS RECORD OF KSK OF SUBDOMAIN
10 # dnssec-checkds \
11 -f /etc/bind/zones/db.it.rockstable.signed \
12 dyna.rockstable.it
13
14 ### OR AS A LOOP
15 declare -a DOMAINS
16 DOMAINS=( "rockstable.it" "rockstable.org" )
17 for DOMAIN in "${DOMAINS[@]}"; do
18 echo -e "\\n$DOMAIN"
19 dnssec-checkds "$DOMAIN"
20 done
OPTIONS
1 -f file
2 If a file is specified, then the zone is read from that file
3 to find the DNSKEY records. If not, then the DNSKEY records
4 for the zone are looked up in the DNS.
5
6 -l domain
7 Check for a DLV record in the specified lookaside domain,
8 instead of checking for a DS record in the zone's parent.
9
10 -d dig path
11 Specifies a path to a dig binary. Used for testing.
12
13 -D dsfromkey path
14 Specifies a path to a dnssec-dsfromkey binary. Used for
15 testing.
dnssec-coverage
checks future DNSKEY coverage for a zone
dnssec-coverage verifies that the DNSSEC keys for a given zone or a set of zones have timing metadata set properly to ensure no future lapses in DNSSEC coverage.
1 dnssec-coverage -K "/var/lib/bind/keys" -l 2y
2 WARNING: Maximum TTL value was not specified. Using 1 week
3 (604800 seconds); re-run with the -m option to get more
4 accurate results.
5 PHASE 1--Loading keys to check for internal timing problems
6
7 PHASE 2--Scanning future key events for coverage failures
8 Checking scheduled KSK events for zone rockstable.org, algorithm RSASHA256...
9 Thu Aug 13 18:39:24 UTC 2020:
10 Publish: rockstable.org/RSASHA256/45742 (KSK)
11 Activate: rockstable.org/RSASHA256/45742 (KSK)
12
13 No errors found
14
15 Checking scheduled ZSK events for zone rockstable.org, algorithm RSASHA256...
16 Thu Aug 13 18:39:24 UTC 2020:
17 Publish: rockstable.org/RSASHA256/30825 (ZSK)
18 Activate: rockstable.org/RSASHA256/30825 (ZSK)
19
20 No errors found
21
22 Checking scheduled KSK events for zone rockstable.it, algorithm RSASHA256...
23 Wed Aug 12 16:28:51 UTC 2020:
24 Publish: rockstable.it/RSASHA256/20989 (KSK)
25 Activate: rockstable.it/RSASHA256/20989 (KSK)
26
27 No errors found
28
29 Checking scheduled ZSK events for zone rockstable.it, algorithm RSASHA256...
30 Wed Aug 12 16:59:30 UTC 2020:
31 Publish: rockstable.it/RSASHA256/51513 (ZSK)
32 Activate: rockstable.it/RSASHA256/51513 (ZSK)
33
34 No errors found
1 -K directory
2 Sets the directory in which keys can be found. Defaults to
3 the current working directory.
4
5 -f file
6 If a file is specified, then the zone is read from that
7 file; the largest TTL and the DNSKEY TTL are determined
8 directly from the zone data, and the -m and -d options do
9 not need to be specified on the command line.
10
11 -l duration
12 The length of time to check for DNSSEC coverage. Key events
13 scheduled further into the future than duration will be
14 ignored, and assumed to be correct.
15
16 The value of duration can be set in seconds, or in larger
17 units of time by adding a suffix: 'mi' for minutes, 'h' for
18 hours, 'd' for days, 'w' for weeks, 'mo' for months, 'y' for
19 years.
20
21 -m maximum TTL
22 Sets the value to be used as the maximum TTL for the zone or
23 zones being analyzed when determining whether there is a
24 possibility of validation failure. When a zone-signing key
25 is deactivated, there must be enough time for the record in
26 the zone with the longest TTL to have expired from resolver
27 caches before that key can be purged from the DNSKEY RRset.
28 If that condition does not apply, a warning will be
29 generated.
30
31 The length of the TTL can be set in seconds, or in larger
32 units of time by adding a suffix: 'mi' for minutes, 'h' for
33 hours, 'd' for days, 'w' for weeks, 'mo' for months, 'y' for
34 years.
35
36 This option is not necessary if the -f has been used to
37 specify a zone file. If -f has been specified, this option
38 may still be used; it will override the value found in the
39 file.
40
41 If this option is not used and the maximum TTL cannot be
42 retrieved from a zone file, a warning is generated and a
43 default value of 1 week is used.
44
45 -d DNSKEY TTL
46 Sets the value to be used as the DNSKEY TTL for the zone or
47 zones being analyzed when determining whether there is a
48 possibility of validation failure. When a key is rolled
49 (that is, replaced with a new key), there must be enough
50 time for the old DNSKEY RRset to have expired from resolver
51 caches before the new key is activated and begins generating
52 signatures. If that condition does not apply, a warning will
53 be generated.
54
55 The length of the TTL can be set in seconds, or in larger
56 units of time by adding a suffix: 'mi' for minutes, 'h' for
57 hours, 'd' for days, 'w' for weeks, 'mo' for months, 'y' for
58 years.
59
60 This option is not necessary if -f has been used to specify
61 a zone file from which the TTL of the DNSKEY RRset can be
62 read, or if a default key TTL was set using ith the -L to
63 dnssec-keygen. If either of those is true, this option may
64 still be used; it will override the values found in the zone
65 file or the key file.
66
67 If this option is not used and the key TTL cannot be
68 retrieved from the zone file or the key file, then a warning
69 is generated and a default value of 1 day is used.
70
71 -r resign interval
72 Sets the value to be used as the resign interval for the
73 zone or zones being analyzed when determining whether there
74 is a possibility of validation failure. This value defaults
75 to 22.5 days, which is also the default in named. However,
76 if it has been changed by the sig-validity-interval option
77 in named.conf, then it should also be changed here.
78
79 The length of the interval can be set in seconds, or in
80 larger units of time by adding a suffix: 'mi' for minutes,
81 'h' for hours, 'd' for days, 'w' for weeks, 'mo' for months,
82 'y' for years.
83
84 -k
85 Only check KSK coverage; ignore ZSK events. Cannot be used
86 with -z.
87
88 -z
89 Only check ZSK coverage; ignore KSK events. Cannot be used
90 with -k.
91
92 -c compilezone path
93 Specifies a path to a named-compilezone binary. Used for
94 testing.
dnssec-verify
DNSSEC zone verification tool
dnssec-verify verifies that a zone is fully signed for each algorithm found in the DNSKEY RRset for the zone, and that the NSEC / NSEC3 chains are complete.
Verify files
1 # dnssec-verify -v 1 -o rockstable.it /etc/bind/zones/db.it.rockstable
2 Loading zone 'rockstable.it' from file '/etc/bind/zones/db.it.rockstable'
3 dnssec-verify: fatal: Zone contains no DNSSEC keys
4
5 # dnssec-verify -v 1 -I raw -o rockstable.it /etc/bind/zones/db.it.rockstable.signed
6 Loading zone 'rockstable.it' from file '/etc/bind/zones/db.it.rockstable.signed'
7 Verifying the zone using the following algorithms: RSASHA256.
8 Zone fully signed:
9 Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
10 ZSKs: 1 active, 0 stand-by, 0 revoked
Options
1 -c class
2 Specifies the DNS class of the zone.
3
4 -E engine
5 Specifies the cryptographic hardware to use, when
6 applicable.
7
8 When BIND is built with OpenSSL PKCS#11 support, this
9 defaults to the string "pkcs11", which identifies an OpenSSL
10 engine that can drive a cryptographic accelerator or
11 hardware service module. When BIND is built with native
12 PKCS#11 cryptography (--enable-native-pkcs11), it defaults
13 to the path of the PKCS#11 provider library specified via
14 "--with-pkcs11".
15
16 -I input-format
17 The format of the input zone file. Possible formats are
18 "text" (default) and "raw". This option is primarily
19 intended to be used for dynamic signed zones so that the
20 dumped zone file in a non-text format containing updates can
21 be verified independently. The use of this option does not
22 make much sense for non-dynamic zones.
23
24 -o origin
25 The zone origin. If not specified, the name of the zone file
26 is assumed to be the origin.
27
28 -v level
29 Sets the debugging level.
30
31 -V
32 Prints version information.
33
34 -x
35 Only verify that the DNSKEY RRset is signed with key-signing
36 keys. Without this flag, it is assumed that the DNSKEY RRset
37 will be signed by all active keys. When this flag is set, it
38 will not be an error if the DNSKEY RRset is not signed by
39 zone-signing keys. This corresponds to the -x option in
40 dnssec-signzone.
41
42 -z
43 Ignore the KSK flag on the keys when determining whether the
44 zone if correctly signed. Without this flag it is assumed
45 that there will be a non-revoked, self-signed DNSKEY with
46 the KSK flag set for each algorithm and that RRsets other
47 than DNSKEY RRset will be signed with a different DNSKEY
48 without the KSK flag set.
49
50 With this flag set, we only require that for each algorithm,
51 there will be at least one non-revoked, self-signed DNSKEY,
52 regardless of the KSK flag state, and that other RRsets will
53 be signed by a non-revoked key for the same algorithm that
54 includes the self-signed key; the same key may be used for
55 both purposes. This corresponds to the -z option in
56 dnssec-signzone.
57
58 zonefile
59 The file containing the zone to be signed.
less frequently used tools
dnssec-revoke
set the REVOKED bit on a DNSSEC key
dnssec-revoke reads a DNSSEC key file, sets the REVOKED bit on the key as defined in RFC 5011, and creates a new pair of key files containing the now-revoked key.
1 dnssec-revoke -v 1 -K "/var/lib/bind/keys" KEYFILE_NAME
1 -h
2 Emit usage message and exit.
3 -K directory
4 Sets the directory in which the key files are to reside.
5 -r
6 After writing the new keyset files remove the original
7 keyset files.
8 -v level
9 Sets the debugging level.
10 -V
11 Prints version information.
12 -E engine
13 Specifies the cryptographic hardware to use, when
14 applicable.
15 When BIND is built with OpenSSL PKCS#11 support, this
16 defaults to the string "pkcs11", which identifies an OpenSSL
17 engine that can drive a cryptographic accelerator or
18 hardware service module. When BIND is built with native
19 PKCS#11 cryptography (--enable-native-pkcs11), it defaults
20 to the path of the PKCS#11 provider library specified via
21 "--with-pkcs11".
22 -f
23 Force overwrite: Causes dnssec-revoke to write the new key
24 pair even if a file already exists matching the algorithm
25 and key ID of the revoked key.
26 -R
27 Print the key tag of the key with the REVOKE bit set but do
28 not revoke the key.
dnssec-importkey
import DNSKEY records from external systems so they can be managed
FAKE A .private KEY FILE WITH TIMING DATA
dnssec-importkey reads a public DNSKEY record and generates a pair of .key/.private files. The DNSKEY record may be read from an existing .key file, in which case a corresponding .private file will be generated, or it may be read from any other file or from the standard input, in which case both .key and .private files will be generated.
The newly-created .private file does not contain private key data, and cannot be used for signing. However, having a .private file makes it possible to set publication (-P) and deletion (-D) times for the key, which means the public key can be added to and removed from the DNSKEY RRset on schedule even if the true private key is stored offline.
Options
1 -f filename
2 Zone file mode: instead of a public keyfile name, the
3 argument is the DNS domain name of a zone master file, which
4 can be read from file. If the domain name is the same as
5 file, then it may be omitted.
6
7 If file is set to "-", then the zone data is read from the
8 standard input.
9
10 -K directory
11 Sets the directory in which the key files are to reside.
12
13 -L ttl
14 Sets the default TTL to use for this key when it is
15 converted into a DNSKEY RR. If the key is imported into a
16 zone, this is the TTL that will be used for it, unless there
17 was already a DNSKEY RRset in place, in which case the
18 existing TTL would take precedence. Setting the default TTL
19 to 0 or none removes it.
20
21 -h
22 Emit usage message and exit.
23
24 -v level
25 Sets the debugging level.
26
27 -V
28 Prints version information.
Timing Options
1 Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
2 If the argument begins with a '+' or '-', it is interpreted as
3 an offset from the present time. For convenience, if such an
4 offset is followed by one of the suffixes 'y', 'mo', 'w', 'd',
5 'h', or 'mi', then the offset is computed in years (defined as
6 365 24-hour days, ignoring leap years), months (defined as 30
7 24-hour days), weeks, days, hours, or minutes, respectively.
8 Without a suffix, the offset is computed in seconds. To
9 explicitly prevent a date from being set, use 'none' or 'never'.
10
11 -P date/offset
12 Sets the date on which a key is to be published to the zone.
13 After that date, the key will be included in the zone but
14 will not be used to sign it.
15
16 -P sync date/offset
17 Sets the date on which CDS and CDNSKEY records that match
18 this key are to be published to the zone.
19
20 -D date/offset
21 Sets the date on which the key is to be deleted. After that
22 date, the key will no longer be included in the zone. (It
23 may remain in the key repository, however.)
24
25 -D sync date/offset
26 Sets the date on which the CDS and CDNSKEY records that
27 match this key are to be deleted.
dnssec-keyfromlabel
DNSSEC key generation tool
dnssec-keyfromlabel generates a key pair of files that referencing a key object stored in a cryptographic hardware service module (HSM). The private key file can be used for DNSSEC signing of zone data as if it were a conventional signing key created by dnssec-keygen, but the key material is stored within the HSM, and the actual signing takes place there.
The name of the key is specified on the command line. This must match the name of the zone for which the key is being generated.
Miscandelous commands
Convert zone formats
https://kb.isc.org/docs/aa-00608
named-compilezone and named-checkzone is acuelly the same programm.
Conversion to text to STDOUT and into vim
Activate vim syntax highlighting (if not detected automatically)
1 :set syntax=bindzone
Change zone format from raw to text
Used options
1 -D
2 Dump zone file in canonical format. This is always enabled
3 for named-compilezone.
4 -f format
5 Specify the format of the zone file. Possible formats are
6 "text" (default), "raw", and "map".
7 -F format
8 Specify the format of the output file specified. For
9 named-checkzone, this does not cause any effects unless it
10 dumps the zone contents.
11
12 Possible formats are "text" (default), which is the standard
13 textual representation of the zone, and "map", "raw", and
14 "raw=N", which store the zone in a binary format for rapid
15 loading by named. "raw=N" specifies the format version of
16 the raw zone file: if N is 0, the raw file can be read by
17 any version of named; if N is 1, the file can be read by
18 release 9.9.0 or higher; the default is 1.
19 -o filename
20 Write zone output to filename. If filename is - then write
21 to standard out. This is mandatory for named-compilezone.
22 -s style
23 Specify the style of the dumped zone file. Possible styles
24 are "full" (default) and "relative". The full format is most
25 suitable for processing automatically by a separate script.
26 On the other hand, the relative format is more
27 human-readable and is thus suitable for editing by hand. For
28 named-checkzone this does not cause any effects unless it
29 dumps the zone contents. It also does not have any meaning
30 if the output format is not text.
Trouble shooting
journal out of sync
A dynamic zone and its journal can get out of sync like in the following example /var/log/bind/general.info
In this case a reload or thaw operation logs following error to the console:
You can sync the zone and purge the journal
Corresponding log
1 06-Apr-2020 14:40:21.896 general: info: received control channel command 'sync -clean 0.16.172.in-addr.arpa'
2 06-Apr-2020 14:40:21.896 general: info: sync: dumping zone '0.16.172.in-addr.arpa/IN' internal, removing journal file: success
3 06-Apr-2020 14:40:31.721 general: info: zone 0.16.172.in-addr.arpa/IN/internal: loaded serial 2020032200
4 06-Apr-2020 14:40:31.721 general: info: received control channel command 'reload'
name not in use
Dynamic DNS update fails with
1 06-Apr-2020 15:16:51.501 update: info: client @0x7f10c4104640 127.0.0.1#51809/key dhcp_updater: view internal: updating zone 'subdom.rockstable.it/IN': update unsuccessful: host1.subdom.rockstable.it: 'name not in use' prerequisite not satisfied (YXDOMAIN)
2 06-Apr-2020 15:16:51.502 update: info: client @0x7f10c40e7720 127.0.0.1#41651/key dhcp_updater: view internal: updating zone 'subdom.rockstable.it/IN': update unsuccessful: host1.subdom.rockstable.it/DHCID: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
Delete record and increment serial
failed to find keys at the zone apex
If you receive the following error
dnssec-signzone: fatal: failed to find keys at the zone apex: not found
The DNSKEYs (KSK, ZSK) is missing from the apex (top = @/$ORIGIN) of the zone. You may either
$include keyfile.key in the zone file.
use Smart Signing (-S) to search and include the keys.
I chose the second option. Doing the stuff manually… well, i've got other stuff to be done.
dns_master_load: file format mismatch (not raw)
If you start bind a zone may not get loaded with the following error
1 Aug 13 17:16:26 kvm2 named[9124]: 13-Aug-2020 17:16:26.701 general: error: dns_master_load: file format mismatch (not raw)
2 Aug 13 17:16:26 kvm2 named[9124]: 13-Aug-2020 17:16:26.701 general: error: zone rockstable.it/IN/external (signed): loading from master file /var/lib/bind/zones/db.it.rockstable.signed failed: not implemented
3 Aug 13 17:16:26 kvm2 named[9124]: 13-Aug-2020 17:16:26.701 general: error: zone rockstable.it/IN/external (signed): not loaded due to errors.
In /etc/bind/named.conf.local you may have missed the statement masterfile-format text; # (text|raw) or set explicitly to the opposite to the file format.
- You enabled DNSsec and tried to leave the signed file in text-format to be human-readable.
Maybe you even created it with dnssec-signzone. But this is unfortunately not supported.
fail2ban
If you have a open DNS server, that recurses for everybody, rate-limiting the responses may not be enough.
When rogues exxagerate the service (3 fails in 10 min), they get banned for 10min.
TCP should not be blocked to allow slipped truncated queries TC=1 to be answered via tcp.
Extent bind9 logging
Provide a datasource that fail2ban may parse.
Especially channel security_info and category rate-limit must be provided.
Take a look at bind9#Basic logging.
Ban rogues based on binds decisions
I adjusted the filter-configuration of fail2ban to match DDOS-UDP patterns.
Change _daemon to include rate-limiting.
Introduce regex __log_level to make it configurable.
Modularize __line_prefix to be not monolithic but keep optionality.
Don't start prefregex with a ^ caret or date won't be matched.
Add regex failregex to match rate-limits.
- The failregex been proven to be working.
/etc/fail2ban/filter.d/named-refused.conf
1 # Fail2Ban filter file for named (bind9).
2 #
3
4 # This filter blocks attacks against named (bind9) however it requires special
5 # configuration on bind.
6 #
7 # By default, logging is off with bind9 installation.
8 #
9 # You will need something like this in your named.conf to provide proper logging.
10 #
11 # logging {
12 # channel security_file {
13 # file "/var/log/named/security.log" versions 3 size 30m;
14 # severity dynamic;
15 # print-time yes;
16 # };
17 # category security {
18 # security_file;
19 # };
20 # };
21
22 [Definition]
23
24 # Daemon name
25 #_daemon=named
26 _daemon=(named|rate-limit)
27
28 # Shortcuts for easier comprehension of the failregex
29
30 __pid_re=(?:\[\d+\])
31 __daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:?
32 #__daemon_re=\(?(named|rate-limit)(?:\(\S+\))?\)?:?
33 __log_level=((error|info):)
34
35 ### PID:DAEMON OR DAEMON:PID
36 __daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)
37 #__daemon_combs_re=(?:(?:\[\d+\])?:\s+\(?(named|rate-limit)(?:\(\S+\))?\)?:?|\(?(named|rate-limit)(?:\(\S+\))?\)?:?(?:\[\d+\])?:)
38
39 # hostname daemon_id spaces
40 # this can be optional (for instance if we match named native log files)
41 #__line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?
42 __line_prefix=(?:\s\S+\s+)?(%(__daemon_combs_re)s)?\s*
43
44 #prefregex = ^%(__line_prefix)s( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: <F-CONTENT>.+</F-CONTENT>$
45 prefregex = %(__line_prefix)s%(__log_level)s?\s*client @\S+ <HOST>#\S+( \([\S.]+\))?: <F-CONTENT>.+</F-CONTENT>$
46
47 failregex = ^(view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$
48 ^zone transfer '\S+/AXFR/\w+' denied\s*$
49 ^bad zone transfer request: '\S+/IN': non-authoritative zone \(NOTAUTH\)\s*$
50 ^(view (internal|external): )?rate limit (drop|slip) response to \S+ for \S+ IN ANY\s+\(\S+\)$
51
52 ignoreregex =
53
54 # DEV Notes:
55 # Trying to generalize the
56 # structure which is general to capture general patterns in log
57 # lines to cover different configurations/distributions
58 #
59 # Author: Yaroslav Halchenko
Test your filter with fail2ban-regex
Looks good, so far. Effectivly this rule only drops the queries from rate-limited requestors. This may be a DDOS-victim. The victim will also not be able to query this DNS-Server.
You may check your regex with the great webtool https://regex101.com/.
Make sure you servers are configured correctly!!1!
Once you're confident, enable the configuration. /etc/fail2ban/jail.d/named-refused.conf
1 ### SEE ../filter.d/named-refused.conf
2 ### ADDED REGEX TO failregex TO SUPPRESS DDOS ATTACKS
3 ### ^(view (internal|external): )?rate limit (drop|slip) response to \S+ for \. IN ANY$
4
5 [named-refused-udp]
6
7 enabled = true
8 filter = named-refused
9 port = domain,953
10 protocol = udp
11 logpath = /var/log/bind/security.info
12 findtime = 10m
13 maxretry = 3
14
15 [named-refused]
16
17 enabled = true
18 #port = domain,953
19 port = 953
20 logpath = /var/log/bind/security.info
21 findtime = 10m
22 maxretry = 3
Ban rogues based on list
Get rid of all of these type ANY queries that occur to often to ".", "peacecorps.gov", …
/etc/fail2ban/jail.d/named-refused-list.conf
/etc/fail2ban/filter.d/named-refused-list.conf
1 # Fail2Ban filter file for named (bind9).
2 #
3
4 [Definition]
5
6 # Daemon name
7 #_daemon=named
8 _daemon=(named|rate-limit|queries)
9
10 # Shortcuts for easier comprehension of the failregex
11
12 __pid_re=(?:\[\d+\])
13 __daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:?
14 #__daemon_re=\(?(named|rate-limit)(?:\(\S+\))?\)?:?
15 __log_level=((error|info):)
16
17 ### PID:DAEMON OR DAEMON:PID
18 __daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)
19 #__daemon_combs_re=(?:(?:\[\d+\])?:\s+\(?(named|rate-limit)(?:\(\S+\))?\)?:?|\(?(named|rate-limit)(?:\(\S+\))?\)?:?(?:\[\d+\])?:)
20
21 # hostname daemon_id spaces
22 # this can be optional (for instance if we match named native log files)
23 #__line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?
24 __line_prefix=(?:\s\S+\s+)?(%(__daemon_combs_re)s)?\s*
25
26 #prefregex = ^%(__line_prefix)s( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: <F-CONTENT>.+</F-CONTENT>$
27 prefregex = %(__line_prefix)s%(__log_level)s?\s*client @\S+ <HOST>#\S+( \([\S.]+\))?: <F-CONTENT>.+</F-CONTENT>$
28
29 __query_any = (\.|ripe\.net|isc\.org|peacecorps\.gov|aids\.gov|paypal\.com)
30
31 failregex = ^(view (internal|external): )?query: %(__query_any)s IN ANY\s+(\+E\(0\))?\s\(\S+\)$
32
33 ignoreregex =
Check jail status
1 watch -n1 -- 'fail2ban-client status named-refused-udp |fold -s'
2 Status for the jail: named-refused-udp
3 |- Filter
4 | |- Currently failed: 4
5 | |- Total failed: 25502
6 | `- File list: /var/log/bind/security.info
7 `- Actions
8 |- Currently banned: 20
9 |- Total banned: 1702
10 `- Banned IP list: …
Well, it saves bandwidth! I guess, it attenuates a DDOS, but is not free of side effects!
1 watch -n 1 -- '
2 fail2ban-client status named-refused-udp |fold -s;echo
3 fail2ban-client status named-refused-list|fold -s'
4
5 Status for the jail: named-refused-udp
6 |- Filter
7 | |- Currently failed: 0
8 | |- Total failed: 0
9 | `- File list: /var/log/bind/security.info
10 `- Actions
11 |- Currently banned: 0
12 |- Total banned: 0
13 `- Banned IP list:
14
15 Status for the jail: named-refused-list
16 |- Filter
17 | |- Currently failed: 33
18 | |- Total failed: 388
19 | `- File list: /var/log/bind/query.log
20 `- Actions
21 |- Currently banned: 53
22 |- Total banned: 78
23 `- Banned IP list: …
I'm back to only a few KiB/s.
Unban
Very specific to one jail
or an IP globally
or unban all
1 fail2ban-client unban --all
dnsutils
ISC bind9-dnsutils is a "Must have"!
1 aptitude install dnsutils
dig
DNS lookup utility
dig is a flexible tool for interrogating DNS name servers. It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried. Most DNS administrators use dig to troubleshoot DNS problems because of its flexibility, ease of use and clarity of output. Other lookup tools tend to have less functionality than dig.
Although dig is normally used with command-line arguments, it also has a batch mode of operation for reading lookup requests from a file. A brief summary of its command-line arguments and options is printed when the -h option is given. Unlike earlier versions, the BIND 9 implementation of dig allows multiple lookups to be issued from the command line.
Unless it is told to query a specific name server, dig will try each of the servers listed in /etc/resolv.conf. If no usable server addresses are found, dig will send the query to the local host.
When no command line arguments or options are given, dig will perform an NS query for "." (the root).
It is possible to set per-user defaults for dig via ${HOME}/.digrc. This file is read and any options in it are applied before the command line arguments.
The IN and CH class names overlap with the IN and CH top level domain names. Either use the -t and -c options to specify the type and class, use the -q the specify the domain name, or use "IN." and "CH." when looking up these top level domains.
Test zone transfer
1 dig -t AXFR rockstable.it @ns3.rockstable.org
Request short answer from local dns-server listening on non standard port
1 dig rockstable.it @127.0.0.1 -p5302
Request DS records
1 dig -t DS rockstable.org +multiline @ns3.rockstable.org
2
3 ; <<>> DiG 9.16.4-Debian <<>> -t DS rockstable.org +multiline @ns3.rockstable.org
4 ;; global options: +cmd
5 ;; Got answer:
6 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53488
7 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
8
9 ;; OPT PSEUDOSECTION:
10 ; EDNS: version: 0, flags:; udp: 4096
11 ; COOKIE: 60d95246df6ea1224f464fbe5f3f807d72a14e770a8dca94 (good)
12 ;; QUESTION SECTION:
13 ;rockstable.org. IN DS
14
15 ;; ANSWER SECTION:
16 rockstable.org. 86400 IN DS 45742 8 2 (
17 416BBE751C64EA46552EE58FCADDF85A82055208F303
18 3CECC262A205B48F3A77 )
19
20 ;; Query time: 28 msec
21 ;; SERVER: 195.201.246.253#53(195.201.246.253)
22 ;; WHEN: Fri Aug 21 10:06:21 CEST 2020
23 ;; MSG SIZE rcvd: 119
24 dig -t DS rockstable.it +multiline @ns3.rockstable.org
25
26 ; <<>> DiG 9.16.4-Debian <<>> -t DS rockstable.it +multiline @ns3.rockstable.org
27 ;; global options: +cmd
28 ;; Got answer:
29 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38899
30 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
31
32 ;; OPT PSEUDOSECTION:
33 ; EDNS: version: 0, flags:; udp: 4096
34 ; COOKIE: c22999af2e5971c4bd0a5c6e5f3f80523044b0874537c7ab (good)
35 ;; QUESTION SECTION:
36 ;rockstable.it. IN DS
37
38 ;; ANSWER SECTION:
39 rockstable.it. 10800 IN DS 20989 8 2 (
40 2EF63365CA2643123CF124F10DF1B34DF72217480109
41 DB44F49CBD5FAD58215A )
42
43 ;; Query time: 124 msec
44 ;; SERVER: 195.201.246.253#53(195.201.246.253)
45 ;; WHEN: Fri Aug 21 10:05:38 CEST 2020
46 ;; MSG SIZE rcvd: 118
So the DS record got returned and the DNS flag ad (authenticated data) is set.
Rockstable DNS is authenticated data 
delv
DNS lookup and validation utility
delv is a tool for sending DNS queries and validating the results, using the same internal resolver and validator logic as named.
delv will send to a specified name server all queries needed to fetch and validate the requested data; this includes the original requested query, subsequent queries to follow CNAME or DNAME chains, and queries for DNSKEY, DS and DLV records to establish a chain of trust for DNSSEC validation. It does not perform iterative resolution, but simulates the behavior of a name server configured for DNSSEC validating and forwarding.
By default, responses are validated using built-in DNSSEC trust anchor for the root zone ("."). Records returned by delv are either fully validated or were not signed. If validation fails, an explanation of the failure is included in the output; the validation process can be traced in detail. Because delv does not rely on an external server to carry out validation, it can be used to check the validity of DNS responses in environments where local name servers may not be trustworthy.
Unless it is told to query a specific name server, delv will try each of the servers listed in /etc/resolv.conf. If no usable server addresses are found, delv will send queries to the localhost addresses (127.0.0.1 for IPv4, ::1 for IPv6).
When no command line arguments or options are given, delv will perform an NS query for "." (the root zone).
Request DS records
1 delv rockstable.org DS +multiline
2 ; fully validated
3 rockstable.org. 86400 IN DS 45742 8 2 (
4 416BBE751C64EA46552EE58FCADDF85A82055208F303
5 3CECC262A205B48F3A77 )
6 rockstable.org. 86400 IN RRSIG DS 7 2 86400 (
7 20200911055000 20200821045000 21869 org.
8 LVcSK+nSsQQ4b4vlEjb7cnnunjMXcTgHWq3OGowxZu4y
9 zlvWqsYN23NP3r9F3Y32OzHCQ+WISMMXoKatUVw86+sx
10 MTZhbFW9XROiiyA9uGmSHuTn1IV2uWSf9GrC91E7bVkq
11 4l7JmSpV4zoxhmTteiXSjMYAXiz4kNgbx4tZgKY= )
12 delv rockstable.it DS +multiline
13 ; fully validated
14 rockstable.it. 10535 IN DS 20989 8 2 (
15 2EF63365CA2643123CF124F10DF1B34DF72217480109
16 DB44F49CBD5FAD58215A )
17 rockstable.it. 10535 IN RRSIG DS 10 2 10800 (
18 20200920060319 20200821060319 18395 it.
19 ZzBr1DPtEC1FJrEUXGyXJ/2ZGLsmIarLWgdatSqQ4Vsw
20 ekYF0GXIb0oA5U1FyW7jJO0OXjt8CSWIKGdwRH9lm/M7
21 wm3RouaX58M8EwiRJb5bSpWP4725Cx+5y9CtM60M31vj
22 zzgGN3nJHMvL9n8P/ELM5xJP2IsE+uSt54/fs2oYE229
23 9nOMjM8yFUTFez/o6GcdbANqZKd6QYpE64nmecsWH/yd
24 GibZCRvfAbUs3mLUXyB/pfuWqpMSYqWrZ/Th+ymbecKn
25 Qx3L/fUyhPYG6DkIVqmRHleGnmzMYmT8I6B+SaqiJajX
26 3lOvVPDWLqVoXS3pBC5As4pcxBjgjen0eQ== )
Rockstable DNS is fully validated