# Randy Does Not Understand DNSSec

But we knew that already

## TL;DR

OpenDNSSEC works, BIND inline-signing does not. Yet.

## Static Data

Parent zone DS:

```
ryuu.rg.net:/Users/randy/git-randy> dig +short @j.gtld-servers.net ymbk.com. ds
53482 8 2 2508D45AAC3422FA5DCD9DE58929E6A4A784A85C123B2FBB63C7A41C 6D642E90
```

## The Config for inline-signing

```
dnssec-policy "sepksk8" {
    keys {
        ksk lifetime unlimited algorithm 8;
        zsk lifetime P90d algorithm 8;
    };
};
...
zone "ymbk.com" {
    type master;
    file "primary/com.ymbk.rg";
    key-directory "/usr/home/dns/dkeys";
    dnssec-policy sepksk8;
    inline-signing yes;
    allow-transfer { globnix_keys; };
};
```

## Extracting the Keys

Keys were extracted from OpenDNSSEC's SoftHSM by

```
rip.psg.com:/usr/home/Fixed# softhsm --export foo.pem --slot 0 --pin secret --id foo
rip.psg.com:/usr/home/Fixed# softhsm-keyconv --tobind --in foo.pem --pin secret --name example.org --algorithm RSASHA256
```

## Upgrading Keys to v1.3

Mark gave me the hint that the keys extracted from SoftHSM were v1, and needed to be converted to v1.3, and to look at the page on [DNSSEC Key and Signing Policy](https://kb.isc.org/docs/dnssec-key-and-signing-policy). So I used this [dnssec-settime](https://linux.die.net/man/8/dnssec-settime) hack:

```
#!/bin/sh
# Convert v1-format key files (no timing metadata) to v1.3 and set their timing.
# Usage: upgrade-keys.sh <zone>   (run in the directory holding Kzone.+alg+id.{key,private})
ZONE=$1

# A v1 .key file holds only the DNSKEY RR: flags 256 = ZSK, 257 = KSK.
ZSK=$(grep -l "256 " K"$ZONE".+*.key)
KSK=$(grep -l "257 " K"$ZONE".+*.key)

# Keep a copy of the untouched v1 files; dnssec-settime rewrites them in place.
mkdir -p ./old
cp -p K"$ZONE".+*.key K"$ZONE".+*.private ./old

# -f forces an old-format key to be rewritten in the current (v1.3) format;
# the publish/activate (and for the ZSK inactive/delete) times are set at the same time.
dnssec-settime -f -P 20040301 -A 20040301 "$KSK"
dnssec-settime -f -P 20240301 -A 20240301 -I 20240610 -D 20240610 "$ZSK"

# The rewritten .key files carry "; This is a key-signing key ..." style comments,
# so find them by role and hand them to named's user.
KSK=$(grep -l "key-signing key" K"$ZONE".+*.key)
ZSK=$(grep -l "zone-signing key" K"$ZONE".+*.key)
chown bind:bind "$ZSK" "$KSK"
```

Which produced

```
rip.psg.com:/usr/home/dns/dkeys# ls -l *ymbk*
-rw-r--r-- 1 bind bind 711 Mar 11 22:10 Kymbk.com.+008+30069.key
-rw------- 1 bind bind 1824 Mar 11 22:10 Kymbk.com.+008+30069.private
-rw-r--r-- 1 bind bind 604 Mar 11 22:10 Kymbk.com.+008+53482.key
-rw------- 1 bind bind 1776 Mar 11 22:10 Kymbk.com.+008+53482.private
```

And this looks reasonable

```
rip.psg.com:/usr/home/dns/dkeys# dnssec-settime -p all Kymbk.com.+008+53482.key
Created: Mon Mar 11 22:10:49 2024
Publish: Mon Mar 1 00:00:00 2004
Activate: Mon Mar 1 00:00:00 2004
Revoke: UNSET
Inactive: UNSET
Delete: UNSET
SYNC Publish: UNSET
SYNC Delete: UNSET
DS Publish: UNSET
DS Delete: UNSET
```

And the DNSKEY matches the parent's DS record (above)

```
rip.psg.com:/usr/home/dns/dkeys# dnssec-dsfromkey Kymbk.com.+008+53482.key
ymbk.com. IN DS 53482 8 2 2508D45AAC3422FA5DCD9DE58929E6A4A784A85C123B2FBB63C7A41C6D642E90
```

Start named, and look at what is being published

```
rip.psg.com:/usr/home/dns/dkeys# /usr/local/etc/rc.d/named start
Starting named.
rip.psg.com:/usr/home/dns/dkeys# dig +short @localhost ymbk.com. dnskey
257 3 8 AwEAAZ+aoeZlhQFcMdmkbAmM6vPtAgXjG1a5m9XXZbr2WQoOUmwMvyJc FkqIiOMBNGA/VeteteFT3cefe+SoV/CL6t9ZbmTOTimIT9joCXmQgGDw 4PYbTTB4h4gM/6mCqOxdrH/I6EQP5w3CtLocXbYG7dpgqXy9IEylfVm2 z0GWw5WV4/Daa0C/yRUN9Bk6x5+yKlZguawWTxYyIzMYgFJvZNO3LIIn THMHt5WyiNWroJ3CJ/yL7sMkLzrlQxt8Ya2VBmevNtwUkS03jXzVeGA2 N/0Mp5KVwNW0k1cESG7zxpzIKSBqOJ4QsgkPJtEfKE9mFptasPlUKTpn 1Hp4I5C5+/0=
257 3 8 AwEAAbti2GparBX/Zm44Dx4x/ELK+B/m+YRX2iD/ZvARAFvKQtJtpNta /ZccRtAI69/dOeRh3pae1qV/i76ngYnZEYKf9Br4Ja+ucZzefT2cRmHA 5jasFSyRgQrcI1FdW/DOrWniVbBd2EHevCcdLkYi1B2WK6ORQlSrStgF U8wTzze+SSDRnsSiIICNHveeJh09T17lbsZKjrImAEycOqdi7rLcifAC hhR7SeJGwQvpEMkpIgxH5+l71Hk6zyxsDdjOsCmjwFVbljZUQ8rQ7MN3 2zqwaKNBIQTsbOfhC+eQqdfwQURx7NjHVRLcOH9R1ZULsgfRhgPxIaLF Z1Ll/wsTcCM=
256 3 8 AwEAAcXhBQb2b5hwiTk2GXSN0KKNq/U8PWz+m41fV8dq9X5m5un4AuLL nWNjYIIC878ct9re2NNztWFAW1uVPPzt1b79YKsEqEZrZjvvevPyc9E/ TipUi5naHG3tcJP2VFBctVSjbdV+a19jSS7UShKw+DJed4RTogGNnEJ4 I/J7SpBjvh99qWrekWHEMAJ8aXY8Y9l8U8+jOYeitUAONRR3xlVCm/me 3AkV+xVjJLGhrNiCw3MOKWKDktEU6pG5M/SSsv4H5H2//70OTWddfO8h EGv/wLPbM3Rk/QlzpAVr6DFUW1oPBXW1PLjR+AxOiFg04r1R33xurdZQ ifpmXbTyuK0=
257 3 8 AwEAAcHqMUg0IBxtJLiX7eGM+FR+PSdKu3944hy4Yk5JLi3vYUdZKyey SEE9J0Xn08yqdbYWbjZfmPZoIiprt/IfPXvMYfASSHmDws1Vpu7Tqmc4 +n2oXM8/LUJrJWbhlAo9RAzGP7Yv7/ssiMLOyErDlOvLRDR2s5ZjzSYO 3fi57vIXdIOztOYgF4nOIoyKW6n0P7V3hvqLN/cfj+e6qwa0L7RKg/Hg Zhv/wk+civNJyxSrQ52WGLNs6hbbQ9gtOot8mOtTuZdRgoUwPz6Y/3YC 2nfyJgh+TsxQJAs+8uBpaYW+0ilS1HyCn9Oijmh90yUBakkRRzDmj5X3 l/u5wp3nzw8=
257 3 8 AwEAAb4zORTQGbI2hB8sujYZ+1QdTgsHB1Aqgn9U1oTA1igTPZYzqabI leGgWSIFKxRP4EnIdtD5FD4ybeBnzb1xY/Mxh5lVQk/wYcwCKOyntnI1 A6ZxQkjQfmovm9PtOEWE9Pd7TAGXd1W6k6nWrWHPs3eqXokUHu40PkR8 F/zGam56pxwCsk47pyHkbZu/62pbMwgav31X0Gfnd/HbJ794lcvLNx5t ayzQvnF6yKB2HengITCLjKn47S3UbYwO7OHIRR0pZLIId7Cs+And4qcd 97e6CgLHgoiu9muIJRYP4h7rAxNAfT9pcbQwBivk9g40MxNGT4Xo0NYt oK+LNtCzjKc=
256 3 8 AwEAAeI6nWa8Rf7G7Pq8gQBcCxFFQpGequg1lFBb0+pNI1FgbEEr+eWz i6s+tkVQBFFbLxvFRGLGnouHSd1UGhayq1OVmsyTK603vZyGy1REyJZz aXs4TdNQebrlRahpqinXfNV0sbuvoUwWQjKIlym9JaV9cVZMMTB+t+lw IFJ+Tg6JnzYOA0e9TgePwp4nph1VGR99Ax2nMImwRj9xn6N4G+10FUG2 5faUEEJztDt28nbr/AtV2qR5VpWZY0LJVk9xBIq4lM5AFd9X7ih3Rx4u sjdwo9y0ymXqenvc8wJr8to4v3tMDK8lZrYSnnpJsq54mEAktAd2I7N0 tUJbdScJsDU=
```

It's an LLM hallucination of three more KSKs!
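
The check the last two steps do by hand (dnssec-dsfromkey, then eyeballing the DNSKEY RRset against the parent DS), as an added example that is not part of the original post: it computes the RFC 4034 key tag and the DS digest for every line of a `dig +short ... dnskey` answer and sorts the SEP keys into those the parent's DS anchors and those nothing anchors. The sample DNSKEYs are constructed placeholders, not the page's records; feed it the real dig output and the DS from the Static Data section to reproduce the page's finding.

```python
import base64
import hashlib

# DS digest types (RFC 4034/4509/6605); the ymbk.com DS on this page is type 2, SHA-256.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# Constructed sample (hypothetical, not the page's records) in dig +short form; key bytes are placeholders.
SAMPLE_OWNER = "ymbk.com."
SAMPLE_DNSKEYS = ["257 3 8 AQI=", "256 3 8 BAUG"]

def owner_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root."""
    labels = [lab for lab in name.rstrip(".").lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def parse_dnskey(line: str) -> bytes:
    """'flags proto alg base64...' (dig breaks the base64 with spaces) -> DNSKEY RDATA."""
    flags, proto, alg, *b64 = line.split()
    return (int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)])
            + base64.b64decode("".join(b64)))

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: a 16-bit checksum of the RDATA, not a hash."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_for(owner: str, rdata: bytes, digest_type: int = 2) -> tuple[int, int, int, str]:
    """DS RDATA (key tag, algorithm, digest type, hex digest), as dnssec-dsfromkey prints."""
    digest = DIGEST_ALGS[digest_type](owner_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest

def check_chain(owner: str, dnskey_lines: list[str], parent_ds: str) -> dict:
    """Sort published DNSKEYs against the parent DS: 'anchored' SEP keys whose DS matches,
    'orphan_ksks' SEP keys no DS covers (the extra 257s on this page), 'zsks' non-SEP."""
    tag, alg, dtype, *hexparts = parent_ds.split()          # dig spaces the digest
    want = (int(tag), int(alg), int(dtype), "".join(hexparts).upper())
    out = {"anchored": [], "orphan_ksks": [], "zsks": []}
    for line in dnskey_lines:
        rdata = parse_dnskey(line)
        if not int.from_bytes(rdata[:2], "big") & 1:        # SEP bit clear -> ZSK
            out["zsks"].append(key_tag(rdata))
        elif ds_for(owner, rdata, want[2]) == want:
            out["anchored"].append(key_tag(rdata))
        else:
            out["orphan_ksks"].append(key_tag(rdata))
    return out
```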

But the key files still look sane

```
-rw-r--r-- 1 bind bind 711 Mar 11 22:14 Kymbk.com.+008+30069.key
-rw------- 1 bind bind 1824 Mar 11 22:14 Kymbk.com.+008+30069.private
-rw-r--r-- 1 bind bind 552 Mar 11 22:14 Kymbk.com.+008+30069.state
-rw-r--r-- 1 bind bind 661 Mar 11 22:14 Kymbk.com.+008+53482.key
-rw------- 1 bind bind 1804 Mar 11 22:14 Kymbk.com.+008+53482.private
-rw-r--r-- 1 bind bind 568 Mar 11 22:14 Kymbk.com.+008+53482.state
```

And zonemaster pukes, of course, exactly at the three hallucinated DNSKEYs

```
The DNSKEY RRset is signed with an RRSIG with tag 60004 which cannot be validated by the matching DNSKEY. Fetched from the nameservers with IP addresses "147.28.0.39; 2001:418:1::39".
The DNSKEY RRset is signed with an RRSIG with tag 55769 which cannot be validated by the matching DNSKEY. Fetched from the nameservers with IP addresses "147.28.0.39; 2001:418:1::39".
The DNSKEY RRset is signed with an RRSIG with tag 42010 which cannot be validated by the matching DNSKEY. Fetched from the nameservers with IP addresses "147.28.0.39; 2001:418:1::39".

DNSSEC15
All servers do not have the same CDS RRset.
All servers do not have the same CDNSKEY RRset.
CDNSKEY and CDS RRsets are found on nameservers that resolve to IP addresses (147.28.0.39; 2001:418:1::39).
```

CDS and CDNSKEY would seem to hint that BIND tried to do a KSK/DS roll!!!

And dnsviz says

```
RRSIG ymbk.com/DNSKEY alg 8, id 42010: The cryptographic signature of the RRSIG RR does not properly validate.
RRSIG ymbk.com/DNSKEY alg 8, id 55769: The cryptographic signature of the RRSIG RR does not properly validate.
RRSIG ymbk.com/DNSKEY alg 8, id 60004: The cryptographic signature of the RRSIG RR does not properly validate.
ymbk.com/DNSKEY (alg 8, id 60795): The DNSKEY RR was not found in the DNSKEY RRset returned by one or more servers. (94.142.241.91, 2a02:898:31::53:0, UDP_-_EDNS0_4096_D_KN)
```

I cannot interpret state files well enough to know if they contain hints, but the `DNSKEYChange` and `DSChange` are scary

```
rip.psg.com:/usr/home/dns/dkeys# cat *state
; This is the state of key 30069, for ymbk.com.
Algorithm: 8
Length: 2048
Lifetime: 7776000
KSK: no
ZSK: yes
Generated: 20240311221049 (Mon Mar 11 22:10:49 2024)
Published: 20240301000000 (Fri Mar 1 00:00:00 2024)
Active: 20240301000000 (Fri Mar 1 00:00:00 2024)
Retired: 20240610000000 (Mon Jun 10 00:00:00 2024)
Removed: 20240620010500 (Thu Jun 20 01:05:00 2024)
DNSKEYChange: 20240311221425 (Mon Mar 11 22:14:25 2024)
ZRRSIGChange: 20240311221425 (Mon Mar 11 22:14:25 2024)
DNSKEYState: omnipresent
ZRRSIGState: omnipresent
GoalState: omnipresent
; This is the state of key 53482, for ymbk.com.
Algorithm: 8
Length: 2048
Lifetime: 0
KSK: yes
ZSK: no
Generated: 20240311221049 (Mon Mar 11 22:10:49 2024)
Published: 20040301000000 (Mon Mar 1 00:00:00 2004)
Active: 20040301000000 (Mon Mar 1 00:00:00 2004)
PublishCDS: 20040302010500 (Tue Mar 2 01:05:00 2004)
DNSKEYChange: 20240311221425 (Mon Mar 11 22:14:25 2024)
KRRSIGChange: 20240311221425 (Mon Mar 11 22:14:25 2024)
DSChange: 20240311221425 (Mon Mar 11 22:14:25 2024)
DNSKEYState: omnipresent
KRRSIGState: omnipresent
DSState: rumoured
GoalState: omnipresent
```
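
An added parser for the state files above (not from the post, nor BIND's own code), run over an excerpt of the two files shown: it flags the KSK whose `DSState` is still `rumoured`, the state named keeps for a DS it has not been told the parent carries (confirmed with `rndc dnssec -checkds published` on 9.16, or by parental agents in later releases; the page does not say which BIND version was used), and notes that `PublishCDS` being set is consistent with the CDS/CDNSKEY records zonemaster saw.

```python
import re

# Excerpt of the two `.state` files shown on this page (fields not needed here omitted).
STATE_TEXT = """\
; This is the state of key 30069, for ymbk.com.
KSK: no
ZSK: yes
Published: 20240301000000 (Fri Mar 1 00:00:00 2024)
Active: 20240301000000 (Fri Mar 1 00:00:00 2024)
Retired: 20240610000000 (Mon Jun 10 00:00:00 2024)
DNSKEYState: omnipresent
GoalState: omnipresent
; This is the state of key 53482, for ymbk.com.
KSK: yes
ZSK: no
Published: 20040301000000 (Mon Mar 1 00:00:00 2004)
Active: 20040301000000 (Mon Mar 1 00:00:00 2004)
PublishCDS: 20040302010500 (Tue Mar 2 01:05:00 2004)
DNSKEYState: omnipresent
DSState: rumoured
GoalState: omnipresent
"""

def parse_state(text: str) -> dict[int, dict[str, str]]:
    """Split `cat *state` output into {keyid: {field: value}}; timestamps keep only
    the YYYYMMDDhhmmss part, the bracketed human-readable copy is dropped."""
    keys, cur = {}, None
    for line in text.splitlines():
        m = re.match(r";\s*This is the state of key (\d+)", line)
        if m:
            cur = keys.setdefault(int(m.group(1)), {})
        elif cur is not None and ": " in line:
            field, value = line.split(": ", 1)
            cur[field] = value.split(" (")[0]
    return keys

def review(keys: dict[int, dict[str, str]]) -> list[tuple[int, str]]:
    """Operator findings: a KSK whose DSState is anything but omnipresent (named was never
    told the parent has the DS), and any key whose DNSKEY has not reached its GoalState."""
    findings = []
    for keyid, f in sorted(keys.items()):
        if f.get("KSK") == "yes" and f.get("DSState") != "omnipresent":
            cds = " (PublishCDS set: CDS/CDNSKEY are being published)" if "PublishCDS" in f else ""
            findings.append((keyid, f"DSState {f.get('DSState', 'unset')}{cds}"))
        if f.get("DNSKEYState") != f.get("GoalState"):
            findings.append((keyid, f"DNSKEYState {f.get('DNSKEYState')} != goal {f.get('GoalState')}"))
    return findings
```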
Logging to syslog did not work, so I used a file

```
11-Mar-2024 21:06:03.983 dnssec: info: zone ymbk.com/IN (signed): reconfiguring zone keys
11-Mar-2024 21:06:03.983 dnssec: info: zone ymbk.com/IN (signed): next key event: 12-Mar-2024 17:45:24.983
11-Mar-2024 22:14:25.083 dnssec: info: zone ymbk.com/IN (signed): reconfiguring zone keys
11-Mar-2024 22:14:25.083 dnssec: info: Fetching ymbk.com/RSASHA256/30069 (ZSK) from key repository.
11-Mar-2024 22:14:25.083 dnssec: info: DNSKEY ymbk.com/RSASHA256/30069 (ZSK) is now published
11-Mar-2024 22:14:25.083 dnssec: info: DNSKEY ymbk.com/RSASHA256/30069 (ZSK) is now active
11-Mar-2024 22:14:25.093 dnssec: info: zone ymbk.com/IN (signed): next key event: 11-Mar-2024 23:14:25.083
```

---

2024.03.11