I am trying to make a caching / forwarding only DNS server using Bind9 with DNSSEC validation being enabled by default.
Assume you have the following informations from my config file:
acl "home-net"
{
127.0.0.1;
::1;
192.168.1.0/24;
2000:db8:cafe:100::/64;
};
options
{
forwarders
{
# Use Google DNS either by IPv6 or IPv4 is fine.
2001:4860:4860::8888;
2001:4860:4860::8844;
8.8.8.8;
8.8.4.4;
};
dnssec-enable yes;
dnssec-validation auto;
allow-query { any; };
allow-query-cache { home-net; };
allow-recursion { home-net; };
};
zone "subdomain.example.net" {
type forward;
forward only;
forwarders
{
# SAMBA PDC1 (Active Directory)
2000:db8:cafe:100::1;
# SAMBA PDC2 (Active Directory)
2000:db8:cafe:100::2;
};
};
As far as I understand:
Whenever I want to lookup a host registered un the subdomain subdomain.example.net the nameserver would then contact one of the two SAMBA PDC that I have listed in the forwarders section in the zone configuration.
The nameserver would in turn do DNSSEC validation to ensure that the two SAMBA PDC's is actually authorized to reply for requests to the domain subdomain.example.net.
If the reply from SAMBA PDC's cannot be validated through DNSSEC, then the name server will turn to Google DNS and ask if they can provide a DNSSEC validated response.
Now here is the problem:
As I understand there are no DNSSEC support in SAMBA neither through using SAMBA INTERNAL_DNS or through BIND9_DLZ hence you cannot ever do DNSSEC validation on any zones maintained by SAMBA.
As far I understand there are 3 options:
- Disable DNSSEC validation globally.
- Use negative trust anchors.
- Use the 'validate-except' option.
I will handle them one by one.
Disable DNSSEC
It is not really an option in my book. It basically reduces your setup to "works worldwide" ... except you particular small corner of the world, so better disable it alltogether.
It can be done by just changing the value of dnssec-enable and dnssec-validation to no.
I will only use it as a temporary fix until I can activate DNSSEC again.
Use negative trust anchors
At first my interest was peaked. The idea is you register a special encrypted key with rndc and then it won't do any DNSSEC validation for the domain you want.
However it is a temporary fix, since the key has a lifetime of at most one week.
That means you have todo the same kind of sourcery as certificates from Let's Encrypt - only that the cron job have to be triggered more often.
Use the 'validate-except' option
In theory this should be the easiest solution of them all.
I just have to add a new section to options called validate-except.
Like so:
options
{
dnssec-enable yes;
dnssec-validation auto;
validate-except
{
"subdomain.example.net";
"another.example.net";
};
};
Sounds simple enough - right? :-)
... Except my nameserver didn't start due to "unknown option - validate-except".
EDIT: Turn out Raspberry OS uses Bind version 9.11 while the validate-except option was only implemented in Bind version 9.13.
For reference sake Ubuntu 20.04 for Raspberry uses Bind version 9.16.
So does anyone out there have experience with a mixed mode setup regarding DNSSEC?
... or would the easiest solution be admit failure and install Ubuntu 20.04? :-)
