dnssec KSK rollover
project722
2018-08-22 20:26:01 UTC
Hey guys,

We received an email today about one of our recursive DNS servers that did
not support the new KSK for DNSSEC.

################################
On 11 October 2018, ICANN will change or "roll over" the DNSSEC key
signing key (KSK) of the DNS root zone. Based on information from your
network received at the DNS root name servers [1], we believe that
there may be at least one recursive resolver (also referred to as a
recursive name server or caching name server) with DNSSEC validation
enabled in AS11272 that is unprepared for the KSK rollover. If that
resolver is not updated before 11 October 2018, users of that resolver
will not be able to resolve any DNS queries, resulting in an outage
for them.
#################################

So, I followed the instructions here:

https://www.icann.org/dns-resolvers-updating-latest-trust-anchor

In my named.conf I changed:

dnssec-validation yes;

to

dnssec-validation auto;

I then moved my bind.keys file (which does have the latest keys) into the
named working directory. Chown'd it so that named could have group
ownership and could write to it. I then restarted named. I started seeing
these in the logs:

dnssec: info: validating x.com: no valid signature found

So I tried a different approach: I moved the "managed-keys" section into my
named.conf file:

managed-keys {
    . initial-key 257 3 8
        "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
        FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
        bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
        X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
        W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
        Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
        QxA+Uk1ihz0=";
    . initial-key 257 3 8
        "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
        +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
        ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
        0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
        oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
        RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
        R1AkUTV74bU=";
};

Restarted bind and still started seeing validation errors in the logs.

Can someone tell me what I am doing wrong?
Tony Finch
2018-08-23 11:33:07 UTC
Post by project722
dnssec-validation yes;
to
dnssec-validation auto;
Good :-)

Next thing to do is delete all trace of managed-keys or mkeys files or
trusted-keys configuration, then restart `named`. It will automatically
create managed-keys files with the correct contents - it has the current
root KSKs built in, so you don't need the bind.keys file.

Tony.
--
f.anthony.n.finch <***@dotat.at> http://dotat.at/
South Fitzroy: Northerly or northeasterly 5 or 6. Slight or moderate.
Occasional drizzle. Good, occasionally poor at first.
project722
2018-08-23 12:20:01 UTC
Hi Tony,

I've removed the config for managed keys out of my named.conf, moved any
files called bind.keys out from my named working directory, and restarted
Bind. I see where Bind created two files - managed-keys.bind and
managed-keys.bind.jnl. So, I think I'm on the right track. That said, two
things:

1) I am still seeing the "no valid signature found" messages in my
bind.log. However, I don't think this is a problem because when I
query a hostname against my server that produces one of these errors, it
still resolves. For instance:

# ***@fccore 07:01:07 0 jobs ~ > delv @x.x.x.x ncentral.teklinks.com A
+multiline +rtrace
;; fetch: ncentral.teklinks.com/A
;; fetch: teklinks.com/DNSKEY
;; fetch: teklinks.com/DS
;; fetch: com/DNSKEY
;; fetch: com/DS
;; fetch: ./DNSKEY
;; fetch: teklinks.com.dlv.isc.org/DLV
;; fetch: dlv.isc.org/DNSKEY
;; validating ncentral.teklinks.com/A: no valid signature found
; unsigned answer
ncentral.teklinks.com. 2482 IN A 104.245.194.14
ncentral.teklinks.com. 2482 IN RRSIG A 5 3 43200 (
20180915012340 20180816012340 46266 teklinks.com.
k2Q0WFrwuC8ouvapXp8XIgTznwJ3VS1Ag+b8/8ajSKBe
6qLal+hYqc96WmIfYvz1fkM5Oze+WXZifeohO7ZEwlLn
8RJCXlGEEtgZ6Phr44fBbjHg7wAGxaG0KLw3JNJJVDWq
48/sB7Qftat8Hp1M/56qi6OjI22bbyBA8nYQ03kc84c6
MjCBSJfrum78AJXMFD69wXERDz6GCcaLgL3jJlIH9vZg
mB5EquQtZmxU/6izQJGqZs3Ht+3NkhcKYnqpRFyHrEmo
VPqiuEBmGhVyJJChLpbLvOwFvjTZEaedoMXv5pQ8Ys9d
sg4y1gokR+HXkeTKHr8RWayElh8gu5QKoQ== )


So, I can see here that it still resolves BUT something fails to validate a
signature. Where is the breakdown here? It was able to fetch the DNSKEY for
teklinks.com:

;; fetch: teklinks.com/DNSKEY

but not ncentral.teklinks.com:

;; validating ncentral.teklinks.com/A: no valid signature found

Shouldn't this validate? I mean, if teklinks.com can validate, shouldn't
the stub "ncentral" as well, since it's in the zonefile? What am I missing
here?



2) There is one other scenario that confuses me. When I test against a URL
that's purposely set up to fail dnssec, I get a servfail.

***@fccore 07:14:57 0 jobs ~ > delv @x.x.x.x www.dnssec-failed.org A
+multiline +rtrace
;; fetch: www.dnssec-failed.org/A
;; resolution failed: SERVFAIL

So, what's the difference here and with the scenario above in #1? My
concern is that our customers will get servfails when they try to access
sites like this one.
Tony Finch
2018-08-23 13:01:05 UTC
Post by project722
1) I am still seeing the "no valid signature found" messages in my
bind.log.
;; validating ncentral.teklinks.com/A: no valid signature found
In this case that's because ncentral.teklinks.com is signed but there's no
DS in the parent zone, so it's insecure. If you run delv +vtrace you'll
see a lot of verbiage between these lines which is the major clue.

;; validating teklinks.com/DS: attempting negative response validation

;; validating teklinks.com/DS: nonexistence proof(s) found

Or you can look at dnsviz.net :-)
Post by project722
2) There is one other scenario that confuses me. When I test against a URL
that's purposely setup to fail dnssec, I get a servfail.
dnssec-failed.org has DS records, so it should be secure, but the DS
records in the parent don't match the DNSKEY records in the child zone.
You can see this by comparing:

$ dig +noall +answer dnssec-failed.org ds

$ dig +cd dnssec-failed.org dnskey |
dnssec-dsfromkey -f /dev/stdin dnssec-failed.org

Tony.
--
f.anthony.n.finch <***@dotat.at> http://dotat.at/
protect and enlarge the conditions of liberty and social justice
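Tony's two explanations, worked through as an added example (my code, not from the thread or from BIND): compute the key tag and SHA-256 DS digest for a DNSKEY per RFC 4034, using the root KSK-2017 key pasted in the named.conf above and the DS that IANA publishes for it, then classify a delegation as insecure (no DS in the parent, the ncentral.teklinks.com case), secure (DS matches a child DNSKEY) or bogus (DS present but matching nothing, the dnssec-failed.org case). The only values not on the page are the IANA root DS digest and the RFC 4034 algorithms themselves; the key tag 20326 is the one shown in the secroots output later in the thread.

```python
import base64
import hashlib
import struct

# Root KSK-2017 public key: the second initial-key pasted in the thread's
# named.conf, whitespace removed. ROOT_DS_2017 is the IANA root trust anchor
# for that key (tag 20326, RSASHA256, SHA-256). Example code, not BIND's.
ROOT_KSK_2017_B64 = (
    "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3"
    "+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv"
    "ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF"
    "0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e"
    "oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd"
    "RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="
)
ROOT_DS_2017 = (20326, 8, 2,
                "E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D")

def name_to_wire(name):
    """Canonical (lowercase) wire form of an owner name; the root is one zero byte."""
    labels = [lab for lab in name.lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(owner, rdata):
    """The DS a parent should publish: SHA-256 over owner-name-wire || DNSKEY RDATA
    (RFC 4034 section 5.1.4), i.e. what dnssec-dsfromkey computes for digest type 2."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], 2, digest)

def chain_status(owner, parent_ds, child_dnskey_rdatas):
    """Classify a delegation the way a validator does. No DS in the parent means
    insecure (ncentral.teklinks.com: answer returned, no SERVFAIL); a DS matching
    a child DNSKEY means secure; DS present but matching nothing means bogus
    (dnssec-failed.org: SERVFAIL)."""
    if not parent_ds:
        return "insecure"
    computed = {ds_from_dnskey(owner, r) for r in child_dnskey_rdatas}
    return "secure" if computed & set(parent_ds) else "bogus"
```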
project722
2018-08-23 14:43:15 UTC
Thanks Tony! This was very helpful.
project722
2018-08-23 22:58:51 UTC
Actually I have one more question just to make sure I'm not overlooking
anything for the KSK rollover. The instructions here:

https://www.icann.org/dns-resolvers-checking-current-trust-anchors

say that I need to, in addition to setting validation to "auto" run:

rndc secroots.

Well, I did that and it created the named.secroots file with the correct
contents:

secure roots as of 23-Aug-2018 17:27:15.420:

Start view _default
Secure roots:

./RSASHA256/20326 ; managed
./RSASHA256/19036 ; managed

Negative trust anchors:

Does BIND automatically know to use this file or do I need to point
named.conf to it? Do I even need this file at all?