I have some doubts regarding DNSSEC. I have one server acting as an Authoritative Name Server and another one as a Cache/Resolver. I'm using Bind 9.7.1-P2 and these are my configuration files:

Named.conf (Authoritative Server)

// Server configuration options

include "/etc/rndc.key";

controls {
  inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
};

options {
    version "Peticion no permitida/Query not allowed";
    hostname "Peticion no permitida/Query not allowed";
    server-id "Peticion no permitida/Query not allowed";
    directory "/etc/DNS_RIMA";
    pid-file "named.pid";
    notify yes;
    #files 65535;
    dnssec-enable yes;
    dnssec-validation yes;
    allow-transfer { 172.23.2.37; 172.23.3.39; };
    transfer-format many-answers;
    transfers-per-ns 5;
    transfers-in 10;
    max-transfer-time-in 120;
    check-names master ignore;
    listen-on { 172.23.2.57; 80.58.102.13; 80.58.102.103; 127.0.0.1; };
};


zone "test.dnssec" {
  type master;
  key-directory "keys";
  file "db.test.dnssec.signed";
  also-notify { 172.23.2.37 ; 172.23.3.39 ; };
  allow-transfer { 172.23.2.37 ; 172.23.3.39 ; };
};

test.dnssec zone

test.dnssec.            86400   IN SOA  ns.test.dnssec. mxadmin.test.dnssec. (

                                    2010090902 ; serial
                                    21600      ; refresh (6 hours)
                                    3600       ; retry (1 hour)
                                    1814400    ; expire (3 weeks)
                                    172800     ; minimum (2 days)
                                    )
                    86400   RRSIG   SOA 5 2 86400 20101009062248 (
                                    20100909062248 40665 test.dnssec.
                                    eY99laB6PrtETaXLdCS+G8Uq1lIK7d5vxUB1
                                    pAQ9npv/YbvX1pdWZKGojDgPGw8V65Q0zKQo
                                    YW1VuBzvwfSRKax+yrjJzvHQGfCZPJWARehK
                                    hgLxHOfXLVH7tyndvLD49ZKcWtrop+Tuy4n9
                                    apWWfSJZxCOngwS7zUi0zCTKfPs= )
                    86400   NS      ns1.test.dnssec.
                    86400   RRSIG   NS 5 2 86400 20101009062248 (
                                    20100909062248 40665 test.dnssec.
                                    lmlP/Mb2qEXPSlajgSDn/CqWk/jokVCmqjeo
                                    idNuytxbiFnbCOunzvaYpgvDpEr0CPrwXaDL
                                    TSnb/w53tZl7GHRImJo50vwwNZljLzNT6CFw
                                    aaQXFc3rDLsXjCi+WF0/Z7meteM4jYdx5nrV
                                    Qx9pgur7VPbP88bJOqWCPBev2Ho= )
                    172800  NSEC    a.test.dnssec. NS SOA RRSIG NSEC DNSKEY
                    172800  RRSIG   NSEC 5 2 172800 20101009062248 (
                                    20100909062248 40665 test.dnssec.
                                    E76ayamsAAz8Zcj7060KY0nTFzHPztM/Pkc5
                                    OM0EcP7C5+ocn4L8M2J0rmR3jxfYvCpOk0BQ
                                    Zniqn9Aw41Qk068yJ2dfDPwV5zT0+te0nzwC
                                    /awJGPMXLzMj4JejYTlTiKfspGDJCG44F+lb
                                    lHXdcUhbjXf3loqMQadZFQ/eSn0= )
                    86400   DNSKEY  256 3 5 (
                                    AwEAAbQ8qrNN5vetx/7E1VOgXZ7fLqwG1y/i
                                    55hWGCeLbcS95ratT9A6UospOvPSwPTlrFgF
                                    RWP67Pubzbsy7/damS1F1+p4GgBQway52Hd1
                                    8HjdHKKC6kIxna9pOJBRfhCdzAsv9LnpRvrw
                                    mDpcFAqhdn5k5RqwcUF1eOZrKjxXjAOr
                                    ) ; key id = 40665
                    86400   DNSKEY  257 3 5 (
                                    AwEAAcd4dxWyTgOuqha0DJADUH0pk5jvnwdM
                                    ZhgZaqnayUdeTh8U9WOjOUHdVCGywZS6NTVp
                                    xXqhcegWzh2ZR5VN6thuhezt7kbzLNWbPe7m
                                    YF29/ZTXB6nmdSxruQlSvYhzkWTaPNtfrUnI
                                    UlbDRxUFWQkSHj9LA1TG76FpR6uqOj1sNrWX
                                    nPb/Hwp1Sb2Ik4FlifKb/Vu1+/UnclRJgfPm
                                    p2HGTeNYpfk15JHBPSYxJ1TuedXQIdkPGlQX
                                    ISmAeV1evGomCC/x9DNleDHCszJOptwurzRP
                                    Z7wRXcWnbXz1BU8rAqvUZL3M4UgdNRR5LLTz
                                    CkRnrlvXYJpgzDtgmQxE9Bs=
                                    ) ; key id = 59647
                    86400   RRSIG   DNSKEY 5 2 86400 20101009062248 (
                                    20100909062248 40665 test.dnssec.
                                    sa4W3tvl6n0TkIcq3xzhG17C2O0lRhllrpUd
                                    n5Hs6yVo8r7stewP6tm2XscQiAeseDgmv28w
                                    s6Mtiz8uPUbrgFRb6SJk7coH2n/2Y3//S9YP
                                    NldDFv3luPnnU1TBb3jDsBKIZWHU9yl/cLNA
                                    OKUhlMDd40txk+fQi3iiV5Ls9K8= )
                    86400   RRSIG   DNSKEY 5 2 86400 20101009062248 (
                                    20100909062248 59647 test.dnssec.
                                    b5fz0dEp2co2pVO7biY896XmsJanjQIR69vC
                                    MvSF104/9iZk6eGVFi6hsa4aZcXutEjUDESB
                                    ynPkDjMWWIIhN6K1jYKGIc/sFKv1IUONRYHF
                                    KXGgZhC6aI0B1E4NA9AXLjlBVF60nHdc3iw8
                                    5gTLDjypP3qAZrnzMvdiBopLnVdB25UZYKn8
                                    mGpOuzKqX02TGMCFMlEVtMX4FP/XKAE8UjiQ
                                    5ehC1JvIKIyg/2zM+ot3nmcqqtUfzp/Hweyc
                                    aIkl/9wPJPwMedfTqOjfUKFdB+GiZ0Zz16HZ
                                    5MfJui5IGh5Y6Q04kMrnap2V5U7mByTzx/ud
                                    V/eFYhmSHGtAXzBjMA== )
a.test.dnssec.          86400   IN A    1.1.1.1
                    86400   RRSIG   A 5 3 86400 20101009062248 (

                                    20100909062248 40665 test.dnssec.
                                    P52N9ypCrYsgS4CFcUmII0xjyE6KNL9ndhzH
                                    oU63fHJHQHeQV+fc0Rx8cCmZSzuqk1lSBelV
                                    3Gcl9UNNuCAQ4ORQ/yJkiZ1zn7h93Mep9qsg
                                    YEUQJMfk4FLjYW67DHNcuoCnKbDJhZS0ndVf
                                    I474k7ZEZJsGslwk/vcIoFnTa4o= )
                    172800  NSEC    b.test.dnssec. A RRSIG NSEC
                    172800  RRSIG   NSEC 5 3 172800 20101009062248 (
                                    20100909062248 40665 test.dnssec.
                                    TCduf7xPSrWvEAzBO7Kx5haR85yA/lbsswkQ
                                    v0QxlskqAqo+9YedGQV+wGblbCIOmkomrYcq
                                    u/rXQ5yoQ3SDXd/bw6EFdoQmH8UJOjMc7SdR
                                    xY93MjawPB6XXlJsSlbBFPWJwEpILVRhdBFX
                                    czdS5VCa1KmhAYZYQp1FY9rMelA= )
b.test.dnssec.          86400   IN A    2.2.2.2
                    86400   RRSIG   A 5 3 86400 20101009062248 (

                                    20100909062248 40665 test.dnssec.
                                    f0M6Tcqe6B09ctaN3BGAit4u4cJE8x3Ik8sh
                                    gyMu0GN/lMv/Bo7PB6hgylLam3HXtF1pPAzX
                                    oYudXmhU8afPapHMXfUitC1lFQB5ZW052ZC7
                                    JXV9MnGULydz1blj2EdN+JL3Za8SJKM0LrLB
                                    XdQ+QUV+A/6N7hUV6usz5YmdBeI= )
                    172800  NSEC    ns1.test.dnssec. A RRSIG NSEC
                    172800  RRSIG   NSEC 5 3 172800 20101009062248 (
                                    20100909062248 40665 test.dnssec.
                                    sc6v19dcOFVa295/Xf1pKxBhbdpEErY8CTDQ
                                    fw2fjJf0Y3wL1Y1Mlr5zi5ShceQwgua+6YHE
                                    DWNbAPcXrJ0lLMU4DU5r0sAyBiBCgCavngGk
                                    i59W+nv11zuIpPMnlaMHpJVfJrQ+c4z7H9MH
                                    77B0fMRFTUnvAXoq6ag8Q5POITI= )
ns1.test.dnssec.        86400   IN A    3.3.3.3
                    86400   RRSIG   A 5 3 86400 20101009062248 (

                                    20100909062248 40665 test.dnssec.
                                    UQ3hR/++ta1GokxGz8Yh+GomMcA+xhd3z2Ke
                                    z0tdFiNfxvGbm85XyCtSqJIo2S/ZLVJUv/mG
                                    nGJbicTfJSziKzYZsD7dp0WJiUK3l7lQ/HpP
                                    5FL8SbjlovVYYAG5woW4p3+os28mmCAJA8gP
                                    JTywbcREEhFB4cir2M/QVP+9h+Y= )
                    172800  NSEC    test.dnssec. A RRSIG NSEC
                    172800  RRSIG   NSEC 5 3 172800 20101009062248 (
                                    20100909062248 40665 test.dnssec.
                                    i7F/ezGl/pGXCC6JyVDaxuwdZMAgv9QLxwzi
                                    PTgjCG8Sj6pTIxaQkSLwXsoB9gF77WWBANow
                                    R2SWdz0Zai2vWnv/NYoNm9ZfRJEQ9NuExeYp
                                    rvX/+lLOHvZXN6tUerIQbWAxO2GwdzHoejSn
                                    wReUNVr9MxzZUvuJ33Z7X/7s9VQ= )

Named.conf (Cache/Resolver)

include "/etc/rndc.key";

controls {
   inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
};


options {
    version "Peticion no permitida/Query not allowed";
    hostname "Peticion no permitida/Query not allowed";
    server-id "Peticion no permitida/Query not allowed";
    directory "/etc/DNS_RIMA";
    pid-file "named.pid";
    recursion yes;
    notify no;
    #DNSSEC
    dnssec-enable yes;
    dnssec-validation yes;
    listen-on {127.0.0.1; 172.23.2.87; 80.58.102.37; 80.58.102.115; };
    #listen-on {127.0.0.1; 80.58.102.37; 80.58.102.115; };
    allow-query { telefonica; };
    allow-transfer { none; };
    recursive-clients 40000;
    max-cache-size 838860800;
    rrset-order { order fixed;};
    max-ncache-ttl 600;
};


trusted-keys {
    "test.dnssec." 257 3 5 "AwEAAcd4dxWyTgOuqha0DJADUH0pk5jvnwdMZhgZaqnayUdeTh8U9WOjOUHdVCGywZS6NTVpxXqhcegWzh2ZR5VN6thuhezt7kbzLNWbPe7mYF29/ZTXB6nmdSxruQlSvYhzkWTaPNtfrUnIUlbDRxUFWQkSHj9LA1TG76FpR6uqOj1sNrWXnPb/Hwp1Sb2Ik4FlifKb/Vu1+/UnclRJgfPmp2HGTeNYpfk15JHBPSYxJ1TuedXQIdkPGlQXISmAeV1evGomCC/x9DNleDHCszJOptwurzRPZ7wRXcWnbXz1BU8rAqvUZL3M4UgdNRR5LLTzCkRnrlvXYJpgzDtgmQxE9Bs=";
};

I have configured a secure zone (test.dnssec) and I'm trying to perform some queries from the resolver to the Name server (172.23.2.57):

/usr/local/bin/dig @172.23.2.57 a.test.dnssec +dnssec

; <<>> DiG 9.7.1-P2 <<>> @172.23.2.57 a.test.dnssec +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2654
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;a.test.dnssec. IN A

;; ANSWER SECTION:
a.test.dnssec. 86400 IN A 1.1.1.1
a.test.dnssec. 86400 IN RRSIG A 5 3 86400 20101009062248 20100909062248 40665       test.dnssec. P52N9ypCrYsgS4CFcUmII0xjyE6KNL9ndhzHoU63fHJHQHeQV+ fc0Rx8 cCmZSzuqk1lSBelV3Gcl9UNNuCAQ4ORQ/yJkiZ1zn7h93Mep9qsgYEUQ JMfk4FLjYW67DHNcuoCnKbDJhZS0ndVfI474k7ZEZJsGslwk/vcIoFnT a4o=

;; AUTHORITY SECTION:
test.dnssec. 86400 IN NS ns1.test.dnssec.
test.dnssec. 86400 IN RRSIG NS 5 2 86400 20101009062248 20100909062248 40665 test.dnssec. lmlP/Mb2qEXPSlajgSDn/CqWk/jokVCmqjeoidNuytxbiFnbCOunzvaY pgvDpEr0CPrwXaDLTSnb/w53tZl7GHRImJo50vwwNZljLzNT6CFwaaQX Fc3rDLsXjCi+WF0/Z7meteM4jYdx5nrVQx9pgur7VPbP88bJOqWCPBev 2Ho=

;; ADDITIONAL SECTION:
ns1.test.dnssec. 86400 IN A 3.3.3.3
ns1.test.dnssec. 86400 IN RRSIG A 5 3 86400 20101009062248 20100909062248 40665    test.dnssec. UQ3hR/++ta1GokxGz8Yh+GomMcA+xhd3z2Kez0tdFiNfxvGbm85XyCtS qJIo2S/ZLVJUv/mGnGJbicTfJSziKzYZsD7dp0WJiUK3l7lQ/HpP5FL8 SbjlovVYYAG5woW4p3+os28mmCAJA8gPJTywbcREEhFB4cir2M/QVP+9 h+Y=

;; Query time: 1 msec
;; SERVER: 172.23.2.57#53(172.23.2.57)
;; WHEN: Thu Sep 9 09:47:14 2010
;; MSG SIZE rcvd: 605

I obtain the right answer along with the RRSIG records, but the problem is that I'm not seeing the ad flag activated.

Any idea about what is wrong?

3 Answers

You won't. AD is not set by authoritative servers, only recursive resolvers which have validated the chain of trust. I know that seems stupid, since the authoritative server has the keys - but that's how it is.

user53814
  • OK, thanks. So I should prompt the query from a stub resolver to the recursive resolver, in order to obtain a response with the AD bit, right? –  Sep 13 '10 at 09:58

Per user53814's answer, you won't get the AD bit from an authoritative server. This is by design - just because the server has keys doesn't prove it has the right keys.

Your recursive resolver will perform validation, but it won't send back the AD bit unless the client has indicated DNSSEC awareness by sending the DO bit in the query (i.e. with the +dnssec option to dig). This is how DNSSEC maintains backwards compatibility, by ensuring that unexpected DNSSEC data isn't sent to clients that aren't expecting it.

Note however that your validating recursive resolver will still indicate validation failure by returning a SERVFAIL error code. Hence a stub that is not DNSSEC-aware can still be protected from receiving bad answers just by talking to a DNSSEC-aware recursor.

Alnitak
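The point made in the question (the authoritative server answers with `aa` set and the DO bit echoed, but never `ad`) and in Alnitak's answer (AD comes only from a validating recursive resolver, only to a client that sent DO, and validation failure shows up as SERVFAIL) can be checked directly on the wire. The following is an added example, not code from the question or from any of the answers: a small pure-Python decoder of the DNS header flags and of the EDNS DO bit, run against responses constructed here to mirror those cases. The message layout follows RFC 1035, RFC 6891 and RFC 4035; the names `build_response`, `parse_flags` and `interpret`, and the sample messages, are this example's own.

```python
"""Inspect the flags of a raw DNS response: where AA, RA, AD and DO live.

Added example, not code from the question or answers. The header layout and
the OPT record layout follow RFC 1035 / RFC 6891 / RFC 4035; the sample
messages below are constructed here to mirror the replies discussed on the
page (an authoritative answer with the DO bit echoed but no AD, a validated
answer from a recursive resolver, a SERVFAIL on validation failure, and a
reply to a legacy stub that sent no EDNS OPT record).
"""
import struct

HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount
OPT = 41                           # RR type of the EDNS OPT pseudo-record

# Header flag bits (RFC 1035 section 4.1.1; AD and CD from RFC 4035)
QR, AA, TC, RD, RA, AD, CD = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080, 0x0020, 0x0010
SERVFAIL = 2


def skip_name(msg, off):
    """Return the offset just past the wire-format name starting at `off`.

    A compression pointer (top two bits set) is two bytes and ends the name;
    we only need record boundaries, so it is skipped rather than followed.
    """
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_flags(msg):
    """Decode the header flags and, if an OPT RR is present, the EDNS DO bit."""
    if len(msg) < HEADER.size:
        raise ValueError("message shorter than a DNS header")
    _id, flags, qdcount, ancount, nscount, arcount = HEADER.unpack_from(msg, 0)
    info = {
        "qr": bool(flags & QR), "aa": bool(flags & AA), "tc": bool(flags & TC),
        "rd": bool(flags & RD), "ra": bool(flags & RA), "ad": bool(flags & AD),
        "cd": bool(flags & CD), "rcode": flags & 0x000F,
        "do": None,  # None: no OPT RR, i.e. the client was not EDNS/DNSSEC-aware
    }
    off = HEADER.size
    for _ in range(qdcount):                  # question: name, qtype, qclass
        off = skip_name(msg, off) + 4
    for _ in range(ancount + nscount + arcount):
        off = skip_name(msg, off)             # RR: name, type, class, ttl, rdlength, rdata
        rtype, _rclass, ttl, rdlength = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == OPT:
            # In OPT the "TTL" field carries ext-rcode (8), version (8), DO (1), Z (15)
            info["do"] = bool(ttl & 0x8000)
        off += rdlength
    return info


def interpret(info):
    """Classify a response the way a DNSSEC-aware client should read it."""
    if info["rcode"] == SERVFAIL:
        return "servfail"           # a validating resolver signals failure this way
    if info["ad"]:
        return "validated"          # only a validating recursive resolver sets AD
    if info["aa"]:
        return "authoritative"      # signed data may be present, but AD is never set here
    return "unvalidated"


def build_response(flags, qname="a.test.dnssec.", edns=True, do=True):
    """Constructed sample response: one question, optional OPT RR, no other RRs."""
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(part)]) + part.encode("ascii") for part in labels) + b"\x00"
    msg = HEADER.pack(0x0A5E, flags, 1, 0, 0, 1 if edns else 0)
    msg += name + struct.pack("!HH", 1, 1)                # qtype A, qclass IN
    if edns:
        # root owner name; type OPT; UDP payload size 4096 in the class field; DO in the TTL field
        msg += b"\x00" + struct.pack("!HHIH", OPT, 4096, 0x8000 if do else 0, 0)
    return msg


# Constructed samples; the flag sets mirror the dig output and the answers above
AUTHORITATIVE_REPLY = build_response(QR | AA | RD | RA)          # "qr aa rd ra", DO echoed, no AD
VALIDATED_REPLY = build_response(QR | RD | RA | AD)             # recursive resolver validated the chain
SERVFAIL_REPLY = build_response(QR | RD | RA | SERVFAIL)        # validation failed at the resolver
LEGACY_STUB_REPLY = build_response(QR | RD | RA, edns=False)    # client sent no DO, so no AD is returned

if __name__ == "__main__":
    for label, reply in [("authoritative", AUTHORITATIVE_REPLY), ("validated", VALIDATED_REPLY),
                         ("servfail", SERVFAIL_REPLY), ("legacy stub", LEGACY_STUB_REPLY)]:
        print(f"{label:13s} -> {interpret(parse_flags(reply))}")
```

Feeding it a real reply is a one-line change (`parse_flags(sock.recv(4096))` after sending the query over UDP); the decoder skips compression pointers rather than following them because it only needs to find record boundaries, not reconstruct names.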
I had the same problem and solved it by updating to the BIND contained in Debian jessie (1:9.9.5.dfsg-7) and putting `dnssec-validation auto;` in /etc/bind/named.conf.options. Now the ad flag is set for all but the authoritative domains.

Thomas