331.4 - DNS and Cryptography
Key Knowledge Areas:
- Understand the concepts of DNS, zones and resource records
- Understand DNSSEC, including key signing keys, zone signing keys and relevant DNS records such as DS, DNSKEY, RRSIG, NSEC, NSEC3 and NSEC3PARAM
- Configure and troubleshoot BIND as an authoritative name server serving DNSSEC secured zones
- Manage DNSSEC signed zones, including key generation, key rollover and re-signing of zones
- Configure BIND as an recursive name server that performs DNSSEC validation on behalf of its clients
- Understand CAA and DANE, including relevant DNS records such as CAA and TLSA
- Use CAA and DANE to publish X.509 certificate and certificate authority information in DNS
- Use TSIG for secure communication with BIND
- Awareness of DNS over TLS and DNS over HTTPS
- Awareness of Multicast DNS
Partial list of the used files, terms and utilities:
- named.conf
- dnssec-keygen
- dnssec-signzone
- dnssec-settime
- dnssec-dsfromkey
- rndc (including relevant subcommands)
- dig
- delv
- openssl (including relevant subcommands)
Terms
CAA, DS, DNSKEY, NSEC, NSEC3, NSEC3PARAM, RRSIG, and TLSA records
Certificate-related records
- CAA: DNS Certification Authority Authorization, constraining acceptable CAs for a host/domain
- TLSA: A record for DNS-based Authentication of Named Entities (DANE). “The TLSA DNS resource record is used to associate a TLS server certificate or public key with the domain name where the record is found, thus forming a ‘TLSA certificate association’” (RFC 6698).
The TLSA RR (Resource Record) for a service is located at a DNS name that specifies certificate constraints should be applied for the services at a certain TCP or UDP port. At least one of the TLSA RRs must provide a validation (path) for the certificate offered by the service at the specified address.
Example:
IP
pro- se- certificate
IP to- record lec- association
port col host type tor data (hex)
__ ___ _____________________ ____ _ ________________
_25._tcp.somehost.example.net. TLSA 3 1 1 0123456789ABCDEF
- -
certificate usage matching type
certificate usage:
- 0: The certificate provided when establishing TLS must be issued by the listed root-CA or one of its intermediate CAs, with a valid certification path to a root-CA already trusted by the application doing the verification. Commonly called CA constraint, PKIX-TA.
=> refers issuing certificate authority - 1: The certificate used must match the TLSA record, and it must also pass PKIX certification path validation to a trusted root-CA. Commonly called service certificate constraint, PKIX-EE.
=> refers the server certificate, requires PKI path validation - 2: The TLSA record matches the certificate of the root CA, or one of the intermediate CAs, of the certificate in use by the service. The certification path must be valid up to the matching certificate, but there is no need for a trusted root-CA. Commonly called trust anchor assertion, DANE-TA.
=> refers some issuing certificate authority along the PKI path, requires PKI path validation up to that certificate authority only - 3: The TLSA record matches the used certificate itself. The used certificate does not need to be signed by other parties. This is useful for self-signed certificates, but also for cases where the validator does not have a list of trusted root certificates. Commonly called domain issued certificate, DANE-EE.
=> refers the server certificate, does not require PKI path validation
selector:
- 0: select the entire certificate for matching
- 1: select just the public key for certificate matching
matching type:
- 0: the entire information selected is present in the certificate association data
- 1: SHA-256 hash of the selected data
- 2: SHA-512 hash of the selected data
certificate association data: actual data to be matched given the settings of the other fields
Security extensions-related records
- RRSIG (resource record signature): Contains the DNSSEC signature for a record set. DNS resolvers verify the signature with a public key, stored in a DNSKEY record.
- DNSKEY: Contains the public key that a DNS resolver uses to verify DNSSEC signatures in RRSIG records.
- DS (delegation signer): Holds the name of a delegated zone. References a DNSKEY record in the sub-delegated zone. The DS record is placed in the parent zone along with the delegating NS records.
- NSEC (next secure record): Contains a link to the next record name in the zone and lists the record types that exist for the record’s name. DNS resolvers use NSEC records to verify the non-existence of a record name and type as part of DNSSEC validation.
- NSEC3 (next secure record version 3): Contains links to the next record name in the zone (in hashed name sorting order) and lists the record types that exist for the name covered by the hash value in the first label of the NSEC3 record’s own name. These records can be used by resolvers to verify the non-existence of a record name and type as part of DNSSEC validation. NSEC3 records are similar to NSEC records, but NSEC3 uses cryptographically hashed record names to avoid the enumeration of the record names in a zone.
- NSEC3PARAM (next secure record version 3 parameters): Authoritative DNS servers use this record to calculate and determine which NSEC3 records to include in responses to DNSSEC requests for non-existing names/types.
Example:algorithm iterations (SHA-1) _ _ bcp.example. IN NSEC3PARAM 1 0 0 - ------------ ---------- - - zone record flag salt type (opt-out) (empty)
CAA
DNS certification authority authorization
DANE
DNS-based authentication of named entities
DNS over HTTPS
DNS over TLS
DNSSEC
domain name system security extensions
Multicast DNS
TSIG
Files
named.conf
(Fedora: bind.x86_64)
/etc/named.conf
Utilities
dnssec-keygen
(Fedora: bind-dnssec-utils.x86_64)
man 8 dnssec-keygen
dnssec-keymgr (wrapper for dnssec-keygen, dnssec-settime)
(Fedora: bind-dnssec-utils.x86_64)
man 8 dnssec-keymgr
dnssec-signzone
(Fedora: bind-dnssec-utils.x86_64)
man 8 dnssec-signzone
dnssec-settime
(Fedora: bind-dnssec-utils.x86_64)
man 8 dnssec-settime
dnssec-dsfromkey
(Fedora: bind-dnssec-utils.x86_64)
man 8 dnssec-dsfromkey
rndc
(Fedora: bind.x86_64)
man 8 rndc
- subcommands:
loadkeys ${zone}: fetch DNSSEC keys for the zone from the key directory and add them as DNSKEY recordsreconfig: reload configuration from disk and load new zones, but existing zones are ignoredreload ${zone}: reload the specified existing zonesign ${zone}: fetch DNSSEC keys for the zone from the key directory and add them as DNSKEY records, re-sign the zone if DNSKEY records were changedsigning [-${action}] ${zone}: list, modify, or remove DNSSEC signing state records for the zone
dig
(Fedora: bind-utils.x86_64)
man 1 dig
- subcommands:
axfror-t axfr: zone transferixfr=${N}or-t ixfr=${N}: incremental zone transfer since serial number ${N}
delv
(Fedora: bind-utils.x86_64)
man 1 delv
openssl
(Fedora: openssl.x86_64)
man 1 openssl
Notes
BIND versions
| BIND version | Recommended configuration |
|---|---|
| 9.11-9.14 | Automated (re-)signing by means of Auto-DNSSEC (‘auto-dnssec maintain’) in combination with inline signing (‘inline-signing yes’) Updates by means of ‘rndc signing’ Automated key management by means of ‘dnssec-keymgr’ and policy file /etc/dnssec-policy.conf (and a final cron job) |
| 9.15 and above | Automated (re-)signing by means of Auto-DNSSEC (‘auto-dnssec maintain’) [deprecated in favour of DNSSEC Policy], in combination with inline signing (‘inline-signing yes’) Updates by means of ‘rndc signing’ Fully automated key management by means of DNSSEC Policy |
source: SIDN
BIND DNSSEC authoritative configuration
- general setup:
- install BIND (9.11) and DNSSEC-related utilities (Fedora 31):
sudo dnf install bind.x86_64 bind-dnssec-utils.x86_64 bind-utils.x86_64 - configure BIND as authoratative DNS server:
sudo sed -e "s@recursion yes@recursion no@" -i /etc/named.conf - configure DNSSEC support for BIND:
sudo grep -q 'dnssec-enable' /etc/named.conf || \ echo 'dnssec-enable yes;' | sudo tee -a /etc/named.conf sudo grep -q 'dnssec-enable' /etc/named.conf && \ ! sudo grep -q 'dnssec-enable yes;' /etc/named.conf && \ sudo sed -e "s@dnssec-enable .*@dnssec-enable yes;@" -i /etc/named.conf
- install BIND (9.11) and DNSSEC-related utilities (Fedora 31):
- adding a zone:
- create zone file:
sudo vim /var/named/db.example.net - include zone in BIND config:
echo -e 'zone "example.net" {\n\ttype master;\n\tfile "db.example.net";\n};' | sudo tee -a /etc/named.conf - start BIND:
sudo systemctl start named.service - confirm the zone is available (assuming A or CNAME record for www):
dig @127.0.0.1 www.example.net A +short
- create zone file:
DNSSEC key management and zone signing
- key management:
- ensure path to store keys exists:
sudo mkdir -p /etc/named/keys - generate a key-signing key:
sudo dnssec-keygen -3a ECDSAP256SHA256 -f KSK -K /etc/named/keys example.net - generate a zone-signing key:
sudo dnssec-keygen -3a ECDSAP256SHA256 -K /etc/named/keys example.net - revoke a key:
sudo dnssec-revoke -K /etc/named/keys Kexample.net.+013+49534.key(this will create a new set of files, leaving the original files untouched)
- ensure path to store keys exists:
- zone signing:
- sign a zone:
sudo dnssec-signzone -agK /etc/named/keys -o example.net -S /var/named/db.example.net - verify a zone:
sudo dnssec-verify -o example.net /var/named/db.example.net.signed
- sign a zone:
Reloading zones after signing
- update BIND config:
sudo sed -e 's@file "db.example.net"@file "db.example.net.signed"@' -i /etc/named.conf - reload BIND config (excluding existing zones):
sudo rndc reconfig - reload the signed zone:
sudo rndc reload example.net
CAA configuration
- Certificate Authority Authorization Records
- CAA records are supported from BIND 9.10.1B
- resource record syntax: RFC 6844 - The CAA RR Type
- issuer critical flag:
- 0 (i.e. !1): property tag can be ignored if not understood by the CA
- 1: following property tag must be understood for the CA to issue a certificate
- property tags:
- issue $issuer_domain: CA identified as $issuer_domain is authorized to issue certificates
- issuewild $issuer_domain: CA identified as $issuer_domain is authorized to issue wildcard certificates
- iodef $URL: reports of (possible) problematic certificate requests may be submitted to $URL
- issuer critical flag:
- example:
$ORIGIN example.net . CAA 0 issue "ca.example.net" . CAA 0 iodef "mailto:security@example.net"
DANE configuration
- compose usage, selector, matching type field: RFC 6698 - The TLSA Resource Record
- usage field:
- 0: CA certificate (“CA constraint”)
- 1: end entity certificate (“service certificate constraint”)
- 2: trust anchor (“trust anchor assertion”)
- 3: end entity certificate (“domain-issued certificate”)
- selector field:
- 0: full certificate
- 1: SubjectPublicKeyInfo
- matching type field:
- 0: exact match
- 1: SHA-256 hash
- 2: SHA-512 hash
- usage field:
- generate certificate hash: DNSSEC and Certificates
openssl x509 -in certfile.crt -outform DER | sha256sum
- Let’s Encrypt with DANE
- example:
_443._tcp.www.example.net. IN TLSA ( 0 0 1 d2abde240d7cd3ee6b4b28c54df034b9 7983a1d16e8a410e4561cb106618e971 )
TSIG configuration
BIND 9: Security Configurations - TSIG
BIND DNSSEC recursive configuration
- BIND 9 - DNSSEC Guide - Validation
- older style:
sudo grep -q 'recursion yes;' /etc/named.conf && \ sudo grep -q 'dnssec-enable yes;' && \ sudo grep -q 'dnssec-validation yes;' /etc/named.conf && \ sudo test ! -f /var/named/data/named.secroots && \ sudo systemctl start named.service && \ sudo rndc secroots - newer style:
sudo grep -q 'recursion yes;' /etc/named.conf && \ sudo grep -q 'dnssec-enable yes;' && \ sudo grep -q 'dnssec-validation yes;' /etc/named.conf && \ sudo sed -e "s@dnssec-validation .*@dnssec-validation auto;@" -i /etc/named.conf && \ systemctl is-active named.service && \ sudo rndc reconfig || \ sudo systemctl start named.service
- older style:
- DNSSEC validation - how can I tell if my server is doing it?
- /etc/named.conf:
dnssec-enable yes; - /etc/named.conf:
dnssec-validation yes;(requires manually-configured trust anchors), ordnssec-validation auto;
- /etc/named.conf:
BIND DNSSEC troubleshooting
- Basic DNSSEC Troubleshooting
- (
digoutput)aaflag: Authoritative Answer - (
digoutput)raflag: Recursion Available - (
diginput)+cdflag: Checking Disabled (disable DNSSEC validation)
- (