From post at ralfj.de  Tue Oct 14 20:06:44 2014
From: post at ralfj.de (Ralf Jung)
Date: Tue, 14 Oct 2014 22:06:44 +0200
Subject: [Dnssec-trigger] dnssec-trigger and local-zone
Message-ID: <543D8254.5040806@ralfj.de>

Hi,

I am currently experimenting with the DNS setup in our local hackerspace.
Our router does not support DNSSEC as cache, so I set up an unbound on a
server in our space, and configured DHCP appropriately. dnssec-trigger
detects that our local cache supports DNSSEC. That's generally working
fine.

However, we do have a "local-zone" configured to manage the names of
machines in the space. And when I run dnssec-trigger on my machine, these
names fail to resolve with a SERVFAIL. I assume that's because our local
TLD is not properly signed by the root zone - and in fact, how could it
be. Is there a way to set up local zones in a way that still works with
DNSSEC-validating resolvers? I tried using the ".local" TLD, but that
doesn't seem to work either.

Kind regards
Ralf


From wouter at nlnetlabs.nl  Wed Oct 15 06:40:47 2014
From: wouter at nlnetlabs.nl (W.C.A. Wijngaards)
Date: Wed, 15 Oct 2014 08:40:47 +0200
Subject: [Dnssec-trigger] dnssec-trigger and local-zone
In-Reply-To: <543D8254.5040806@ralfj.de>
References: <543D8254.5040806@ralfj.de>
Message-ID: <543E16EF.7010002@nlnetlabs.nl>

Hi Ralf,

On 10/14/2014 10:06 PM, Ralf Jung wrote:
> Hi,
>
> I am currently experimenting with the DNS setup in our local
> hackerspace. Our router does not support DNSSEC as cache, so I set
> up an unbound on a server in our space, and configured DHCP
> appropriately. dnssec-trigger detects that our local cache supports
> DNSSEC. That's generally working fine.
>
> However, we do have a "local-zone" configured to manage the names
> of machines in the space. And when I run dnssec-trigger on my
> machine, these names fail to resolve with a SERVFAIL. I assume
> that's because our local TLD is not properly signed by the root
> zone - and in fact, how could it be. Is there a way to set up local
> zones in a way that still works with DNSSEC-validating resolvers? I
> tried using the ".local" TLD, but that doesn't seem to work
> either.

You need a trust anchor for your local zone. Because it is not DNSSEC
signed this trust anchor is a negative trust anchor, disabling DNSSEC
for this domain. domain-insecure: "local-zone" in unbound.conf (you
can include config files from unbound.conf if you want to separate
management for it, include: "other.conf").

Best regards,
   Wouter


From post at ralfj.de  Wed Oct 15 08:25:03 2014
From: post at ralfj.de (Ralf Jung)
Date: Wed, 15 Oct 2014 10:25:03 +0200
Subject: [Dnssec-trigger] dnssec-trigger and local-zone
In-Reply-To: <543E16EF.7010002@nlnetlabs.nl>
References: <543D8254.5040806@ralfj.de> <543E16EF.7010002@nlnetlabs.nl>
Message-ID: <543E2F5F.2090903@ralfj.de>

Hi,

>> I am currently experimenting with the DNS setup in our local
>> hackerspace. Our router does not support DNSSEC as cache, so I set
>> up an unbound on a server in our space, and configured DHCP
>> appropriately. dnssec-trigger detects that our local cache supports
>> DNSSEC. That's generally working fine.
>
>> However, we do have a "local-zone" configured to manage the names
>> of machines in the space. And when I run dnssec-trigger on my
>> machine, these names fail to resolve with a SERVFAIL. I assume
>> that's because our local TLD is not properly signed by the root
>> zone - and in fact, how could it be. Is there a way to set up local
>> zones in a way that still works with DNSSEC-validating resolvers? I
>> tried using the ".local" TLD, but that doesn't seem to work
>> either.
>
> You need a trust anchor for your local zone. Because it is not DNSSEC
> signed this trust anchor is a negative trust anchor, disabling DNSSEC
> for this domain. domain-insecure: "local-zone" in unbound.conf (you
> can include config files from unbound.conf if you want to separate
> management for it, include: "other.conf").

That would be configuration in the unbound running on my local machine,
right? That doesn't really help, unfortunately - I can't ask everybody
who's using dnssec-trigger to manually configure their machine.

I was hoping that there would be a TLD that had a non-trusted delegation
from the root, or similar, such that one can easily create "fake"
answers below that TLD. If nothing like that exists, I will have to use
a subdomain of our domain, and manually create a non-trusted delegation.

Kind regards
Ralf


From thozza at redhat.com  Wed Oct 15 15:10:37 2014
From: thozza at redhat.com (Tomas Hozza)
Date: Wed, 15 Oct 2014 11:10:37 -0400 (EDT)
Subject: [Dnssec-trigger] dnssec-trigger and local-zone
In-Reply-To: <543E2F5F.2090903@ralfj.de>
References: <543D8254.5040806@ralfj.de> <543E16EF.7010002@nlnetlabs.nl> <543E2F5F.2090903@ralfj.de>
Message-ID: <2080062651.32528457.1413385837930.JavaMail.zimbra@redhat.com>

Hi.

----- Original Message -----
> Hi,
>
> >> I am currently experimenting with the DNS setup in our local
> >> hackerspace. Our router does not support DNSSEC as cache, so I set
> >> up an unbound on a server in our space, and configured DHCP
> >> appropriately. dnssec-trigger detects that our local cache supports
> >> DNSSEC. That's generally working fine.
> >
> >> However, we do have a "local-zone" configured to manage the names
> >> of machines in the space. And when I run dnssec-trigger on my
> >> machine, these names fail to resolve with a SERVFAIL. I assume
> >> that's because our local TLD is not properly signed by the root
> >> zone - and in fact, how could it be. Is there a way to set up local
> >> zones in a way that still works with DNSSEC-validating resolvers? I
> >> tried using the ".local" TLD, but that doesn't seem to work
> >> either.
> >
> > You need a trust anchor for your local zone. Because it is not DNSSEC
> > signed this trust anchor is a negative trust anchor, disabling DNSSEC
> > for this domain. domain-insecure: "local-zone" in unbound.conf (you
> > can include config files from unbound.conf if you want to separate
> > management for it, include: "other.conf").
>
> That would be configuration in the unbound running on my local machine,
> right? That doesn't really help, unfortunately - I can't ask everybody
> who's using dnssec-trigger to manually configure their machine.
>
> I was hoping that there would be a TLD that had a non-trusted delegation
> from the root, or similar, such that one can easily create "fake"
> answers below that TLD. If nothing like that exists, I will have to use
> a subdomain of our domain, and manually create a non-trusted delegation.

I think setting an "insecure" forward zone for your hacker-space domain
to the local DNS server (unbound) could help.

You could set up your local DHCP server to propagate that domain as a search
domain. Then the dnssec-trigger dispatcher script should set up the forward
zone automatically on the client. I'm not sure which version of the trigger
you're running, but if it is the latest, just adjust the /etc/dnssec.conf,
set up the search domain in your DHCP server and it should work.

Regards,
--
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

PGP: 1D9F3C2D
Red Hat Inc.                               http://cz.redhat.com


From post at ralfj.de  Wed Oct 15 15:36:34 2014
From: post at ralfj.de (Ralf Jung)
Date: Wed, 15 Oct 2014 17:36:34 +0200
Subject: [Dnssec-trigger] dnssec-trigger and local-zone
In-Reply-To: <2080062651.32528457.1413385837930.JavaMail.zimbra@redhat.com>
References: <543D8254.5040806@ralfj.de> <543E16EF.7010002@nlnetlabs.nl> <543E2F5F.2090903@ralfj.de> <2080062651.32528457.1413385837930.JavaMail.zimbra@redhat.com>
Message-ID: <543E9482.3080407@ralfj.de>

Hi,

> I think setting an "insecure" forward zone for your hacker-space domain
> to the local DNS server (unbound) could help.
>
> You could set up your local DHCP server to propagate that domain as a search
> domain. Then the dnssec-trigger dispatcher script should set up the forward
> zone automatically on the client. I'm not sure which version of the trigger
> you're running, but if it is the latest, just adjust the /etc/dnssec.conf,
> set up the search domain in your DHCP server and it should work.

I am using the version in Debian: .

Do you mean /etc/dnssec-trigger/dnssec.conf? That file contains
"validate_connection_provided_zones=yes", I guess that's what I have to
change. I'll try it ASAP, thanks for the pointer!

What will happen if the DHCP server sets up "." as search domain? Will
DNSSEC be effectively disabled?

Kind regards
Ralf


From post at ralfj.de  Wed Oct 15 17:09:26 2014
From: post at ralfj.de (Ralf Jung)
Date: Wed, 15 Oct 2014 19:09:26 +0200
Subject: [Dnssec-trigger] dnssec-trigger and local-zone
In-Reply-To: <2080062651.32528457.1413385837930.JavaMail.zimbra@redhat.com>
References: <543D8254.5040806@ralfj.de> <543E16EF.7010002@nlnetlabs.nl> <543E2F5F.2090903@ralfj.de> <2080062651.32528457.1413385837930.JavaMail.zimbra@redhat.com>
Message-ID: <543EAA46.9020809@ralfj.de>

Hi again,

> I think setting an "insecure" forward zone for your hacker-space domain
> to the local DNS server (unbound) could help.
>
> You could set up your local DHCP server to propagate that domain as a search
> domain. Then the dnssec-trigger dispatcher script should set up the forward
> zone automatically on the client. I'm not sure which version of the trigger
> you're running, but if it is the latest, just adjust the /etc/dnssec.conf,
> set up the search domain in your DHCP server and it should work.

I ended up using a subdomain of our own domain, which has an insecure
delegation, so that people don't have to configure their dnssec-trigger.
That seems to work, "host name.local.our-domain" works fine. However,
"host name" does not work because the DHCP-provided search name is not
put into /etc/resolv.conf. Is that expected? It seems like a bug to me.

Kind regards
Ralf


From arne at arnested.dk  Wed Oct 15 05:15:00 2014
From: arne at arnested.dk (Arne Jørgensen)
Date: Wed, 15 Oct 2014 07:15:00 +0200
Subject: [Dnssec-trigger] Help diagnose DNSSEC hostile network
References: <5412C56F.2020809@ralfj.de>
Message-ID:

Ralf Jung writes:

> Hi,
>
>> Recently something changed in the network at my work and now
>> Dnssec-Trigger bails out with "The Network Fails to Support DNSSEC".
>>
>> Dnssec-Trigger still works fine on other networks so it seems obvious
>> that something changed somewhere in the network at work or at my
>> workplace's internet supplier.
>>
>> If I am to report this as a problem I would like to supply them with a
>> more precise description of what they changed and how they could fix it
>> (otherwise the report will most likely be shelved).
>>
>> What should I look for? What is the best way to diagnose such a problem?
>>
>> The probe results contain this info:
> [...]
>
> I am getting similar results in my university wireless network. The
> problem (in my case) seems to be related to the firewall (or something)
> dropping large UDP/DNS packets. The following two commands fail with a
> timeout in that network:
>
> dig @ns.ralfj.de ralfj.de A +dnssec
> dig @8.8.8.8 debian.org DNSKEY +dnssec
>
> The first is a direct query to an authoritative nameserver, the second
> uses Google's recursive resolver. Both return replies larger than 1KiB.
>
> Kind regards
> Ralf

Thank you.

UDP packet size appears to be the problem (small DNSSEC signed packages
work fine).

Before I got around to reporting this to the internet supplier they
changed something again and it started working again.

Kind regards,
Arne


From thozza at redhat.com  Thu Oct 16 09:33:14 2014
From: thozza at redhat.com (Tomas Hozza)
Date: Thu, 16 Oct 2014 11:33:14 +0200
Subject: [Dnssec-trigger] dnssec-trigger and local-zone
In-Reply-To: <543EAA46.9020809@ralfj.de>
References: <543D8254.5040806@ralfj.de> <543E16EF.7010002@nlnetlabs.nl> <543E2F5F.2090903@ralfj.de> <2080062651.32528457.1413385837930.JavaMail.zimbra@redhat.com> <543EAA46.9020809@ralfj.de>
Message-ID: <543F90DA.4090003@redhat.com>

On 10/15/2014 07:09 PM, Ralf Jung wrote:
> Hi again,
>
> > I think setting an "insecure" forward zone for your hacker-space domain
> > to the local DNS server (unbound) could help.
> >
> > You could set up your local DHCP server to propagate that domain as a search
> > domain. Then the dnssec-trigger dispatcher script should set up the forward
> > zone automatically on the client. I'm not sure which version of the trigger
> > you're running, but if it is the latest, just adjust the /etc/dnssec.conf,
> > set up the search domain in your DHCP server and it should work.
>
> I ended up using a subdomain of our own domain, which has an insecure
> delegation, so that people don't have to configure their dnssec-trigger.
> That seems to work, "host name.local.our-domain" works fine. However,
> "host name" does not work because the DHCP-provided search name is not
> put into /etc/resolv.conf. Is that expected? It seems like a bug to me.
>
> Kind regards
> Ralf
>

Yes, that is expected. Someone correct me if I'm wrong, but AFAIK it is
considered a security feature. The reason is to forbid any network to
intentionally add some malicious domain into your resolv.conf.

Regards,
--
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

PGP: 1D9F3C2D
Red Hat Inc.                               http://cz.redhat.com
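The two unbound.conf fragments below are an added illustration of the setup discussed in the local-zone thread above; they are not configuration posted by any participant. The names hackerspace.example and local.hackerspace.example, the host printer and the addresses 192.0.2.53/192.0.2.20 are placeholders.

```conf
# (A) The cache on the hackerspace server, the one dnssec-trigger detects
#     as a DNSSEC-capable cache. It validates everything it recurses for,
#     and answers the unsigned local names from local-zone/local-data.
server:
    interface: 192.0.2.53
    access-control: 192.0.2.0/24 allow
    # Root trust anchor, kept current by unbound-anchor (RFC 5011).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # Unsigned local names. "static" means anything not listed below is
    # answered NXDOMAIN here instead of being sent upstream.
    local-zone: "local.hackerspace.example." static
    local-data: "printer.local.hackerspace.example. IN A 192.0.2.20"
    local-data-ptr: "192.0.2.20 printer.local.hackerspace.example"

# (B) Wouter's fix, on each validating client (the unbound that
#     dnssec-trigger drives): a negative trust anchor for the local zone,
#     plus a forward so those names are asked from the cache above.
#     Without the domain-insecure line the client's validator gets an
#     unsigned answer it cannot prove insecure and returns SERVFAIL.
server:
    domain-insecure: "local.hackerspace.example."
forward-zone:
    name: "local.hackerspace.example."
    forward-addr: 192.0.2.53

# (B) is only needed when the local zone does not hang off a signed
# parent. If hackerspace.example is signed and delegates
# local.hackerspace.example with NS records but no DS record, the parent's
# NSEC/NSEC3 proves the DS is absent, validators classify the subtree as
# "insecure" rather than "bogus", and clients need no change. That is the
# approach Ralf ended up with.
```

`unbound-checkconf` on each file is the quick sanity check before restarting the daemon; note that `domain-insecure` switches validation off for the whole subtree, so keep it as narrow as the zone it is meant for.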