Randy Does Not Understand DNSSec
But we knew that already
TL;DR
OpenDNSSEC works, BIND inline-signing does not. Yet.
Static Data
parent zone DS
ryuu.rg.net:/Users/randy/git-randy> dig +short @j.gtld-servers.net ymbk.com. ds
53482 8 2 2508D45AAC3422FA5DCD9DE58929E6A4A784A85C123B2FBB63C7A41C 6D642E90
The Config for inline-signing
```
dnssec-policy "sepksk8" {
    keys {
        ksk lifetime unlimited algorithm 8;
        zsk lifetime P90d algorithm 8;
    };
};
...
zone "ymbk.com" {
    type master;
    file "primary/com.ymbk.rg";
    key-directory "/usr/home/dns/dkeys";
    dnssec-policy sepksk8;
    inline-signing yes;
    allow-transfer { globnix_keys; };
};
```
Extracting the Keys
Keys were extracted from OpenDNSSEC's SoftHSM by
rip.psg.com:/usr/home/Fixed# softhsm --export foo.pem --slot 0 --pin secret --id foo
rip.psg.com:/usr/home/Fixed# softhsm-keyconv --tobind --in foo.pem --pin secret --name example.org --algorithm RSASHA256
Upgrading Keys to v1.3
Mark gave me the hint that the keys extracted from SoftHSM were in the v1 key-file format and needed to be converted to v1.3, and to look at the page on DNSSEC Key and Signing Policy. So I used this dnssec-settime hack:

```
#!/bin/sh
# Convert the v1 key files exported from SoftHSM into BIND's v1.3 format,
# stamping the KSK and ZSK with explicit timing metadata.
# Usage: settime.sh ZONE   (ZONE without trailing dot, e.g. ymbk.com;
# the key files are named K$ZONE.+ALG+TAG.key / .private)
ZONE=$1
# v1 files carry no "key-signing key" comment yet, so pick them by flags
ZSK=$(grep -l "256 " K$ZONE.+*.key)   # flags 256: zone-signing key
KSK=$(grep -l "257 " K$ZONE.+*.key)   # flags 257: key-signing key (SEP bit)
# keep a copy of the unconverted files
mkdir -p ./old
cp -p K$ZONE.+*.key K$ZONE.+*.private ./old
# -f rewrites a legacy key file in the current format, keeping the key data.
# KSK: published and active since 2004, never retired.
dnssec-settime -f -P 20040301 -A 20040301 $KSK
# ZSK: published/active 2024-03-01, inactive and deleted 2024-06-10.
dnssec-settime -f -P 20240301 -A 20240301 -I 20240610 -D 20240610 $ZSK
# the rewritten .key files now carry the key's role in a comment line
KSK=$(grep -l "key-signing key" K$ZONE.+*.key)
ZSK=$(grep -l "zone-signing key" K$ZONE.+*.key)
chown bind:bind $ZSK $KSK
```
Which produced
rip.psg.com:/usr/home/dns/dkeys# ls -l *ymbk*
-rw-r--r-- 1 bind bind 711 Mar 11 22:10 Kymbk.com.+008+30069.key
-rw------- 1 bind bind 1824 Mar 11 22:10 Kymbk.com.+008+30069.private
-rw-r--r-- 1 bind bind 604 Mar 11 22:10 Kymbk.com.+008+53482.key
-rw------- 1 bind bind 1776 Mar 11 22:10 Kymbk.com.+008+53482.private
And this looks reasonable
rip.psg.com:/usr/home/dns/dkeys# dnssec-settime -p all Kymbk.com.+008+53482.key
Created: Mon Mar 11 22:10:49 2024
Publish: Mon Mar 1 00:00:00 2004
Activate: Mon Mar 1 00:00:00 2004
Revoke: UNSET
Inactive: UNSET
Delete: UNSET
SYNC Publish: UNSET
SYNC Delete: UNSET
DS Publish: UNSET
DS Delete: UNSET
And the DNSKEY matches the parent's DS record (above)
rip.psg.com:/usr/home/dns/dkeys# dnssec-dsfromkey Kymbk.com.+008+53482.key
ymbk.com. IN DS 53482 8 2 2508D45AAC3422FA5DCD9DE58929E6A4A784A85C123B2FBB63C7A41C6D642E90
Start named, and look at what is being published
rip.psg.com:/usr/home/dns/dkeys# /usr/local/etc/rc.d/named start
Starting named.
rip.psg.com:/usr/home/dns/dkeys# dig +short @localhost ymbk.com. dnskey
257 3 8 AwEAAZ+aoeZlhQFcMdmkbAmM6vPtAgXjG1a5m9XXZbr2WQoOUmwMvyJc FkqIiOMBNGA/VeteteFT3cefe+SoV/CL6t9ZbmTOTimIT9joCXmQgGDw 4PYbTTB4h4gM/6mCqOxdrH/I6EQP5w3CtLocXbYG7dpgqXy9IEylfVm2 z0GWw5WV4/Daa0C/yRUN9Bk6x5+yKlZguawWTxYyIzMYgFJvZNO3LIIn THMHt5WyiNWroJ3CJ/yL7sMkLzrlQxt8Ya2VBmevNtwUkS03jXzVeGA2 N/0Mp5KVwNW0k1cESG7zxpzIKSBqOJ4QsgkPJtEfKE9mFptasPlUKTpn 1Hp4I5C5+/0=
257 3 8 AwEAAbti2GparBX/Zm44Dx4x/ELK+B/m+YRX2iD/ZvARAFvKQtJtpNta /ZccRtAI69/dOeRh3pae1qV/i76ngYnZEYKf9Br4Ja+ucZzefT2cRmHA 5jasFSyRgQrcI1FdW/DOrWniVbBd2EHevCcdLkYi1B2WK6ORQlSrStgF U8wTzze+SSDRnsSiIICNHveeJh09T17lbsZKjrImAEycOqdi7rLcifAC hhR7SeJGwQvpEMkpIgxH5+l71Hk6zyxsDdjOsCmjwFVbljZUQ8rQ7MN3 2zqwaKNBIQTsbOfhC+eQqdfwQURx7NjHVRLcOH9R1ZULsgfRhgPxIaLF Z1Ll/wsTcCM=
256 3 8 AwEAAcXhBQb2b5hwiTk2GXSN0KKNq/U8PWz+m41fV8dq9X5m5un4AuLL nWNjYIIC878ct9re2NNztWFAW1uVPPzt1b79YKsEqEZrZjvvevPyc9E/ TipUi5naHG3tcJP2VFBctVSjbdV+a19jSS7UShKw+DJed4RTogGNnEJ4 I/J7SpBjvh99qWrekWHEMAJ8aXY8Y9l8U8+jOYeitUAONRR3xlVCm/me 3AkV+xVjJLGhrNiCw3MOKWKDktEU6pG5M/SSsv4H5H2//70OTWddfO8h EGv/wLPbM3Rk/QlzpAVr6DFUW1oPBXW1PLjR+AxOiFg04r1R33xurdZQ ifpmXbTyuK0=
257 3 8 AwEAAcHqMUg0IBxtJLiX7eGM+FR+PSdKu3944hy4Yk5JLi3vYUdZKyey SEE9J0Xn08yqdbYWbjZfmPZoIiprt/IfPXvMYfASSHmDws1Vpu7Tqmc4 +n2oXM8/LUJrJWbhlAo9RAzGP7Yv7/ssiMLOyErDlOvLRDR2s5ZjzSYO 3fi57vIXdIOztOYgF4nOIoyKW6n0P7V3hvqLN/cfj+e6qwa0L7RKg/Hg Zhv/wk+civNJyxSrQ52WGLNs6hbbQ9gtOot8mOtTuZdRgoUwPz6Y/3YC 2nfyJgh+TsxQJAs+8uBpaYW+0ilS1HyCn9Oijmh90yUBakkRRzDmj5X3 l/u5wp3nzw8=
257 3 8 AwEAAb4zORTQGbI2hB8sujYZ+1QdTgsHB1Aqgn9U1oTA1igTPZYzqabI leGgWSIFKxRP4EnIdtD5FD4ybeBnzb1xY/Mxh5lVQk/wYcwCKOyntnI1 A6ZxQkjQfmovm9PtOEWE9Pd7TAGXd1W6k6nWrWHPs3eqXokUHu40PkR8 F/zGam56pxwCsk47pyHkbZu/62pbMwgav31X0Gfnd/HbJ794lcvLNx5t ayzQvnF6yKB2HengITCLjKn47S3UbYwO7OHIRR0pZLIId7Cs+And4qcd 97e6CgLHgoiu9muIJRYP4h7rAxNAfT9pcbQwBivk9g40MxNGT4Xo0NYt oK+LNtCzjKc=
256 3 8 AwEAAeI6nWa8Rf7G7Pq8gQBcCxFFQpGequg1lFBb0+pNI1FgbEEr+eWz i6s+tkVQBFFbLxvFRGLGnouHSd1UGhayq1OVmsyTK603vZyGy1REyJZz aXs4TdNQebrlRahpqinXfNV0sbuvoUwWQjKIlym9JaV9cVZMMTB+t+lw IFJ+Tg6JnzYOA0e9TgePwp4nph1VGR99Ax2nMImwRj9xn6N4G+10FUG2 5faUEEJztDt28nbr/AtV2qR5VpWZY0LJVk9xBIq4lM5AFd9X7ih3Rx4u sjdwo9y0ymXqenvc8wJr8to4v3tMDK8lZrYSnnpJsq54mEAktAd2I7N0 tUJbdScJsDU=
It's an LLM hallucination of three more KSKs!
But the key files still look sane
-rw-r--r-- 1 bind bind 711 Mar 11 22:14 Kymbk.com.+008+30069.key
-rw------- 1 bind bind 1824 Mar 11 22:14 Kymbk.com.+008+30069.private
-rw-r--r-- 1 bind bind 552 Mar 11 22:14 Kymbk.com.+008+30069.state
-rw-r--r-- 1 bind bind 661 Mar 11 22:14 Kymbk.com.+008+53482.key
-rw------- 1 bind bind 1804 Mar 11 22:14 Kymbk.com.+008+53482.private
-rw-r--r-- 1 bind bind 568 Mar 11 22:14 Kymbk.com.+008+53482.state
And zonemaster pukes, of course, exactly at the three hallucinated DNSKEYs
The DNSKEY RRset is signed with an RRSIG with tag 60004 which cannot be validated by the matching DNSKEY. Fetched from the nameservers with IP addresses "147.28.0.39; 2001:418:1::39".
The DNSKEY RRset is signed with an RRSIG with tag 55769 which cannot be validated by the matching DNSKEY. Fetched from the nameservers with IP addresses "147.28.0.39; 2001:418:1::39".
The DNSKEY RRset is signed with an RRSIG with tag 42010 which cannot be validated by the matching DNSKEY. Fetched from the nameservers with IP addresses "147.28.0.39; 2001:418:1::39".
DNSSEC15
All servers do not have the same CDS RRset.
All servers do not have the same CDNSKEY RRset.
CDNSKEY and CDS RRsets are found on nameservers that resolve to IP addresses (147.28.0.39; 2001:418:1::39).
CDS and CDNSKEY would seem to hint that bind tried to do a KSK/DS roll!!!
And dnsviz says
RRSIG ymbk.com/DNSKEY alg 8, id 42010: The cryptographic signature of the RRSIG RR does not properly validate.
RRSIG ymbk.com/DNSKEY alg 8, id 55769: The cryptographic signature of the RRSIG RR does not properly validate.
RRSIG ymbk.com/DNSKEY alg 8, id 60004: The cryptographic signature of the RRSIG RR does not properly validate.
ymbk.com/DNSKEY (alg 8, id 60795): The DNSKEY RR was not found in the DNSKEY RRset returned by one or more servers. (94.142.241.91, 2a02:898:31::53:0, UDP_-_EDNS0_4096_D_KN)
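To do the same check locally that dnssec-dsfromkey did on the key file, but against what named actually published, here is an added Python script (not the post's code). It takes the parent DS from the dig against j.gtld-servers.net and the six DNSKEY records from the `dig +short @localhost` output above, both copied from this post, computes each key's tag (RFC 4034 Appendix B) and its SHA-256 DS digest (RFC 4509), and reports which key is anchored in .com. Function names and the report format are mine.

```python
"""Match a parent DS record against a published DNSKEY RRset.

Added example, not code from the post: redoes the dnssec-dsfromkey check in
pure Python against the DNSKEY RRset that named published, so you can see
which of the six keys is actually anchored at the parent.
Key tags follow RFC 4034 Appendix B; DS digest type 2 is SHA-256 over the
owner name in canonical wire format followed by the DNSKEY RDATA (RFC 4509).
"""
import base64
import hashlib

ZONE = "ymbk.com."

# Parent-side DS for ymbk.com, copied from the dig against j.gtld-servers.net.
PARENT_DS = "53482 8 2 2508D45AAC3422FA5DCD9DE58929E6A4A784A85C123B2FBB63C7A41C6D642E90"

# DNSKEY RRset as published by named, copied from the `dig +short` output.
DNSKEY_RRSET = """\
257 3 8 AwEAAZ+aoeZlhQFcMdmkbAmM6vPtAgXjG1a5m9XXZbr2WQoOUmwMvyJc FkqIiOMBNGA/VeteteFT3cefe+SoV/CL6t9ZbmTOTimIT9joCXmQgGDw 4PYbTTB4h4gM/6mCqOxdrH/I6EQP5w3CtLocXbYG7dpgqXy9IEylfVm2 z0GWw5WV4/Daa0C/yRUN9Bk6x5+yKlZguawWTxYyIzMYgFJvZNO3LIIn THMHt5WyiNWroJ3CJ/yL7sMkLzrlQxt8Ya2VBmevNtwUkS03jXzVeGA2 N/0Mp5KVwNW0k1cESG7zxpzIKSBqOJ4QsgkPJtEfKE9mFptasPlUKTpn 1Hp4I5C5+/0=
257 3 8 AwEAAbti2GparBX/Zm44Dx4x/ELK+B/m+YRX2iD/ZvARAFvKQtJtpNta /ZccRtAI69/dOeRh3pae1qV/i76ngYnZEYKf9Br4Ja+ucZzefT2cRmHA 5jasFSyRgQrcI1FdW/DOrWniVbBd2EHevCcdLkYi1B2WK6ORQlSrStgF U8wTzze+SSDRnsSiIICNHveeJh09T17lbsZKjrImAEycOqdi7rLcifAC hhR7SeJGwQvpEMkpIgxH5+l71Hk6zyxsDdjOsCmjwFVbljZUQ8rQ7MN3 2zqwaKNBIQTsbOfhC+eQqdfwQURx7NjHVRLcOH9R1ZULsgfRhgPxIaLF Z1Ll/wsTcCM=
256 3 8 AwEAAcXhBQb2b5hwiTk2GXSN0KKNq/U8PWz+m41fV8dq9X5m5un4AuLL nWNjYIIC878ct9re2NNztWFAW1uVPPzt1b79YKsEqEZrZjvvevPyc9E/ TipUi5naHG3tcJP2VFBctVSjbdV+a19jSS7UShKw+DJed4RTogGNnEJ4 I/J7SpBjvh99qWrekWHEMAJ8aXY8Y9l8U8+jOYeitUAONRR3xlVCm/me 3AkV+xVjJLGhrNiCw3MOKWKDktEU6pG5M/SSsv4H5H2//70OTWddfO8h EGv/wLPbM3Rk/QlzpAVr6DFUW1oPBXW1PLjR+AxOiFg04r1R33xurdZQ ifpmXbTyuK0=
257 3 8 AwEAAcHqMUg0IBxtJLiX7eGM+FR+PSdKu3944hy4Yk5JLi3vYUdZKyey SEE9J0Xn08yqdbYWbjZfmPZoIiprt/IfPXvMYfASSHmDws1Vpu7Tqmc4 +n2oXM8/LUJrJWbhlAo9RAzGP7Yv7/ssiMLOyErDlOvLRDR2s5ZjzSYO 3fi57vIXdIOztOYgF4nOIoyKW6n0P7V3hvqLN/cfj+e6qwa0L7RKg/Hg Zhv/wk+civNJyxSrQ52WGLNs6hbbQ9gtOot8mOtTuZdRgoUwPz6Y/3YC 2nfyJgh+TsxQJAs+8uBpaYW+0ilS1HyCn9Oijmh90yUBakkRRzDmj5X3 l/u5wp3nzw8=
257 3 8 AwEAAb4zORTQGbI2hB8sujYZ+1QdTgsHB1Aqgn9U1oTA1igTPZYzqabI leGgWSIFKxRP4EnIdtD5FD4ybeBnzb1xY/Mxh5lVQk/wYcwCKOyntnI1 A6ZxQkjQfmovm9PtOEWE9Pd7TAGXd1W6k6nWrWHPs3eqXokUHu40PkR8 F/zGam56pxwCsk47pyHkbZu/62pbMwgav31X0Gfnd/HbJ794lcvLNx5t ayzQvnF6yKB2HengITCLjKn47S3UbYwO7OHIRR0pZLIId7Cs+And4qcd 97e6CgLHgoiu9muIJRYP4h7rAxNAfT9pcbQwBivk9g40MxNGT4Xo0NYt oK+LNtCzjKc=
256 3 8 AwEAAeI6nWa8Rf7G7Pq8gQBcCxFFQpGequg1lFBb0+pNI1FgbEEr+eWz i6s+tkVQBFFbLxvFRGLGnouHSd1UGhayq1OVmsyTK603vZyGy1REyJZz aXs4TdNQebrlRahpqinXfNV0sbuvoUwWQjKIlym9JaV9cVZMMTB+t+lw IFJ+Tg6JnzYOA0e9TgePwp4nph1VGR99Ax2nMImwRj9xn6N4G+10FUG2 5faUEEJztDt28nbr/AtV2qR5VpWZY0LJVk9xBIq4lM5AFd9X7ih3Rx4u sjdwo9y0ymXqenvc8wJr8to4v3tMDK8lZrYSnnpJsq54mEAktAd2I7N0 tUJbdScJsDU=
"""


def wire_name(name):
    """Owner name as uncompressed, lowercased DNS wire format (RFC 4034 6.2)."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def parse_dnskey(line):
    """Turn one 'flags proto alg base64...' line into flags, algorithm and RDATA."""
    flags, proto, alg, *b64 = line.split()
    pub = base64.b64decode("".join(b64))
    rdata = int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)]) + pub
    return {"flags": int(flags), "algorithm": int(alg), "rdata": rdata}


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (all algorithms except RSA/MD5)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(zone, rdata, digest_type):
    """Upper-case hex DS digest for types 1 (SHA-1), 2 (SHA-256), 4 (SHA-384)."""
    algo = {1: "sha1", 2: "sha256", 4: "sha384"}[digest_type]
    return hashlib.new(algo, wire_name(zone) + rdata).hexdigest().upper()


def match_ds(zone, ds_text, rrset_text):
    """One dict per DNSKEY: tag, role (SEP bit) and whether it matches the DS."""
    tag, alg, dtype, digest = ds_text.split()
    tag, alg, dtype = int(tag), int(alg), int(dtype)
    report = []
    for line in rrset_text.strip().splitlines():
        key = parse_dnskey(line)
        key["tag"] = key_tag(key["rdata"])
        key["role"] = "KSK" if key["flags"] & 0x0001 else "ZSK"  # SEP bit
        key["matches_ds"] = (
            key["tag"] == tag
            and key["algorithm"] == alg
            and ds_digest(zone, key["rdata"], dtype) == digest.upper()
        )
        report.append(key)
    return report


if __name__ == "__main__":
    for key in match_ds(ZONE, PARENT_DS, DNSKEY_RRSET):
        mark = "anchored at parent" if key["matches_ds"] else "no DS at parent"
        print(f"{key['role']} tag {key['tag']:5d} alg {key['algorithm']}: {mark}")
```

Only the key whose tag, algorithm and digest all agree with the parent DS is a trust anchor for the zone; the other SEP-flagged keys named published are not anchored at the parent, so nothing signed by them can be validated through .com regardless of whether their RRSIGs are otherwise sound.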
I cannot interpret state files well enough to know if they contain hints, but the `DNSKEYChange` and `DSChange` are scary
rip.psg.com:/usr/home/dns/dkeys# cat *state
; This is the state of key 30069, for ymbk.com.
Algorithm: 8
Length: 2048
Lifetime: 7776000
KSK: no
ZSK: yes
Generated: 20240311221049 (Mon Mar 11 22:10:49 2024)
Published: 20240301000000 (Fri Mar 1 00:00:00 2024)
Active: 20240301000000 (Fri Mar 1 00:00:00 2024)
Retired: 20240610000000 (Mon Jun 10 00:00:00 2024)
Removed: 20240620010500 (Thu Jun 20 01:05:00 2024)
DNSKEYChange: 20240311221425 (Mon Mar 11 22:14:25 2024)
ZRRSIGChange: 20240311221425 (Mon Mar 11 22:14:25 2024)
DNSKEYState: omnipresent
ZRRSIGState: omnipresent
GoalState: omnipresent
; This is the state of key 53482, for ymbk.com.
Algorithm: 8
Length: 2048
Lifetime: 0
KSK: yes
ZSK: no
Generated: 20240311221049 (Mon Mar 11 22:10:49 2024)
Published: 20040301000000 (Mon Mar 1 00:00:00 2004)
Active: 20040301000000 (Mon Mar 1 00:00:00 2004)
PublishCDS: 20040302010500 (Tue Mar 2 01:05:00 2004)
DNSKEYChange: 20240311221425 (Mon Mar 11 22:14:25 2024)
KRRSIGChange: 20240311221425 (Mon Mar 11 22:14:25 2024)
DSChange: 20240311221425 (Mon Mar 11 22:14:25 2024)
DNSKEYState: omnipresent
KRRSIGState: omnipresent
DSState: rumoured
GoalState: omnipresent
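The state files are easier to read with a little parsing. This is an added Python snippet, not the post's code, that takes the two state files dumped above (copied verbatim as a constructed input string) and flags any KSK whose DS state is not yet omnipresent. The `PublishCDS` timestamp in the same file is when named started publishing CDS/CDNSKEY for that key, which is the CDS/CDNSKEY zonemaster saw; function names are mine.

```python
"""Summarise BIND dnssec-policy .state files.

Added example, not the post's code: parses the key state files dumped
above (copied here verbatim as a constructed input) and flags KSKs whose
DS is in any state other than omnipresent.
"""
import re

STATE_FILES = """\
; This is the state of key 30069, for ymbk.com.
Algorithm: 8
Length: 2048
Lifetime: 7776000
KSK: no
ZSK: yes
Generated: 20240311221049 (Mon Mar 11 22:10:49 2024)
Published: 20240301000000 (Fri Mar 1 00:00:00 2024)
Active: 20240301000000 (Fri Mar 1 00:00:00 2024)
Retired: 20240610000000 (Mon Jun 10 00:00:00 2024)
Removed: 20240620010500 (Thu Jun 20 01:05:00 2024)
DNSKEYChange: 20240311221425 (Mon Mar 11 22:14:25 2024)
ZRRSIGChange: 20240311221425 (Mon Mar 11 22:14:25 2024)
DNSKEYState: omnipresent
ZRRSIGState: omnipresent
GoalState: omnipresent
; This is the state of key 53482, for ymbk.com.
Algorithm: 8
Length: 2048
Lifetime: 0
KSK: yes
ZSK: no
Generated: 20240311221049 (Mon Mar 11 22:10:49 2024)
Published: 20040301000000 (Mon Mar 1 00:00:00 2004)
Active: 20040301000000 (Mon Mar 1 00:00:00 2004)
PublishCDS: 20040302010500 (Tue Mar 2 01:05:00 2004)
DNSKEYChange: 20240311221425 (Mon Mar 11 22:14:25 2024)
KRRSIGChange: 20240311221425 (Mon Mar 11 22:14:25 2024)
DSChange: 20240311221425 (Mon Mar 11 22:14:25 2024)
DNSKEYState: omnipresent
KRRSIGState: omnipresent
DSState: rumoured
GoalState: omnipresent
"""

HEADER = re.compile(r";\s*This is the state of key (\d+), for (\S+)")


def parse_state_files(text):
    """Return one dict per key, using the field names exactly as in the file."""
    keys = []
    current = None
    for line in text.splitlines():
        match = HEADER.match(line)
        if match:
            current = {"tag": int(match.group(1)), "zone": match.group(2)}
            keys.append(current)
            continue
        if current is None or not line.strip() or line.startswith(";"):
            continue
        field, _, value = line.partition(":")
        # timestamps are "YYYYMMDDHHMMSS (human readable)"; keep the raw form
        current[field.strip()] = value.strip().split(" (", 1)[0]
    return keys


def ksk_ds_warnings(keys):
    """(tag, DSState, PublishCDS) for every KSK whose DS is not omnipresent."""
    return [
        (k["tag"], k.get("DSState"), k.get("PublishCDS"))
        for k in keys
        if k.get("KSK") == "yes" and k.get("DSState") != "omnipresent"
    ]


if __name__ == "__main__":
    parsed = parse_state_files(STATE_FILES)
    for k in parsed:
        role = "KSK" if k["KSK"] == "yes" else "ZSK"
        print(f"{role} {k['tag']}: DNSKEY {k['DNSKEYState']}, goal {k['GoalState']}")
    for tag, ds_state, cds in ksk_ds_warnings(parsed):
        print(f"KSK {tag}: DS state {ds_state!r}, CDS published since {cds}")
```

A `rumoured` DS state means the key manager has introduced the DS but has not been told it is visible at the parent; with dnssec-policy that confirmation comes from `rndc dnssec -checkds published <zone>` (or a configured parental agent), after which the state moves to omnipresent. Here the DS has in fact been in .com for years, so the state file is simply out of step with reality.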
Logging to syslog did not work, so I used a file
11-Mar-2024 21:06:03.983 dnssec: info: zone ymbk.com/IN (signed): reconfiguring zone keys
11-Mar-2024 21:06:03.983 dnssec: info: zone ymbk.com/IN (signed): next key event: 12-Mar-2024 17:45:24.983
11-Mar-2024 22:14:25.083 dnssec: info: zone ymbk.com/IN (signed): reconfiguring zone keys
11-Mar-2024 22:14:25.083 dnssec: info: Fetching ymbk.com/RSASHA256/30069 (ZSK) from key repository.
11-Mar-2024 22:14:25.083 dnssec: info: DNSKEY ymbk.com/RSASHA256/30069 (ZSK) is now published
11-Mar-2024 22:14:25.083 dnssec: info: DNSKEY ymbk.com/RSASHA256/30069 (ZSK) is now active
11-Mar-2024 22:14:25.093 dnssec: info: zone ymbk.com/IN (signed): next key event: 11-Mar-2024 23:14:25.083
---
2024.03.11