Hi,

First of all: if you think I should discuss this somewhere else, please tell me. :)

During my quest to get my SSH client to use SSHFP records and not annoy me with trust questions anymore, I fell into the rabbit hole that is DNSSEC. Our domain already uses DNSSEC, so I only had to set up the resolver in our office and my PC to verify it. This however had the side effect that child zones that are not signed were no longer resolving, so I thought "Let's just sign them. Can't be that hard, right?"

I was very wrong. One of the child zones is for hosts using DHCP and is managed by dnsmasq, which unfortunately can't sign the zone. But it can do zone transfers. So we tried a setup using OpenDNSSEC as a signing proxy that transfers the zone to an Unbound. Unfortunately this has proven unreliable at best and broken at worst, so I am looking to replace that.

I was just looking around for a DHCP server that can directly sign the zone, but I was unable to find something so far. So I was wondering how other people are doing this.

Are you signing DHCP zones? Would you recommend (not) doing it? If you are doing it, how are you doing it?

Kind regards,
Julian

PS: If you are at RIPE86 I would also be happy to discuss this in person :)

-- 
Julian Fölsch
Arbeitsgemeinschaft Dresdner Studentennetz (AG DSN)
Teamsprecher Computing
Tel.: +49 351 271816 69
E-Mail: julian.foelsch@agdsn.de

StuRa der TU Dresden
Helmholtzstr. 10
01069 Dresden
On Mon 22 May, Julian Fölsch <julian.foelsch@agdsn.de> wrote:

> This however had the side effect that child zones that are not signed were no longer resolving, so I thought "Let's just sign them. Can't be that hard, right?"
Verifiably-insecure delegations (a zone cut with no DS records on the parent side) should not be a problem to resolve through a validating resolver. You shouldn't have to sign your child zones to make them work. It seems possible that something else was wrong?
> I was very wrong. One of the child zones is for hosts using DHCP and is managed by dnsmasq, which unfortunately can't sign the zone. But it can do zone transfers. So we tried a setup using OpenDNSSEC as a signing proxy that transfers the zone to an Unbound. Unfortunately this has proven unreliable at best and broken at worst, so I am looking to replace that.
There are a variety of other DNSSEC signers that can act as "bump in the wire" signers (where the "wire" is [AI]XFR). There are people who actually write that kind of software on this list and my hands-on with this stuff is a bit long in the tooth, so I won't try to speak for any of them.
> I was just looking around for a DHCP server that can directly sign the zone, but I was unable to find something so far. So I was wondering how other people are doing this.
>
> Are you signing DHCP zones? Would you recommend (not) doing it? If you are doing it, how are you doing it?
It used to be quite common to glue DHCP servers to the DNS using dynamic updates, so that a DHCP server sends a DNS UPDATE when it wants to add or drop a binding to an address. If the DNS server handling the DNS UPDATE requests can also act as a DNSSEC signer, that might work for you. I have set up BIND9 like that before and it was fairly painless.

Joe
On Mon 22 May, Joe Abley <jabley@strandkip.nl> wrote:

> On Mon 22 May, Julian Fölsch <julian.foelsch@agdsn.de> wrote:
>
>> This however had the side effect that child zones that are not signed were no longer resolving, so I thought "Let's just sign them. Can't be that hard, right?"
>
> Verifiably-insecure delegations (a zone cut with no DS records on the parent side) should not be a problem to resolve through a validating resolver. You shouldn't have to sign your child zones to make them work. It seems possible that something else was wrong?
Actually, here's a thought -- check that the zone cuts actually exist (that the parent has a delegating NS set, and that the child has apex SOA and NS sets). If your parent zone and child zones were hosted on the same servers, lack of zone cuts wouldn't matter if they were all unsigned (there's no referral to return, so the lack of a delegation goes unnoticed). However, you need the delegation to be present if you want to signal that the child zone is unsigned. Just guessing, but I've seen this kind of thing before (and not just in enterprise zones).

Joe
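Joe's zone-cut checklist as a script, added here and not part of the thread: it asks the parent server for the child's NS and DS, inspects the NSEC bitmap in the DS answer (that bitmap is what tells a validator "delegated, but unsigned"), and asks the child server for its apex SOA and NS. The zone and server names are placeholders; dig(1) is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the thread: is the child zone delegated as a
# verifiably-insecure zone? Assumes dig(1) on the PATH; all names are placeholders.
# Usage: sh check_delegation.sh dhcp.example.test ns.parent.test ns.child.test

# Count records with owner NAME and type TYPE in SERVER's non-recursive answer
# (answer plus authority sections), i.e. in what the server itself holds.
count_rr() {  # server name type
    dig +norecurse +noall +answer +authority "@$1" "$2" "$3" |
        awk -v n="$2" -v t="$3" 'BEGIN { c = 0 }
            tolower($1) == tolower(n) && $4 == t { c++ } END { print c }'
}

# Does the parent's signed NODATA answer for DS carry an NSEC for the child name
# with the NS bit set? That is what tells a validator "delegated, but unsigned".
# NSEC3 parents hash the owner name, so this prints 0 for them.
nsec_has_ns() {  # parent_server zone
    dig +norecurse +dnssec +noall +authority "@$1" "$2" DS |
        awk -v n="$2" 'BEGIN { f = 0 } tolower($1) == tolower(n) && $4 == "NSEC" {
            for (i = 6; i <= NF; i++) if ($i == "NS") f = 1 } END { print f }'
}

check_delegation() {  # zone parent_server child_server
    zone="${1%.}."; parent=$2; child=$3; rc=0
    # 1. Parent side: an NS set for the child name must exist ...
    if [ "$(count_rr "$parent" "$zone" NS)" -eq 0 ]; then
        echo "FAIL: $parent returns no NS for $zone (no zone cut on the parent side)"; rc=1
    fi
    # 2. ... and no DS, otherwise validators expect the child to be signed.
    if [ "$(count_rr "$parent" "$zone" DS)" -ne 0 ]; then
        echo "FAIL: $parent publishes DS for $zone; validators will demand signatures"; rc=1
    fi
    # 3. When one server hosts parent and child, step 1 is satisfied by the child's
    #    own apex NS; the NSEC bitmap shows whether the parent really delegates.
    if [ "$(nsec_has_ns "$parent" "$zone")" -eq 0 ]; then
        echo "WARN: no NSEC with NS bit for $zone at $parent (no delegation, or NSEC3)"
    fi
    # 4. Child side: apex SOA and NS must be served.
    if [ "$(count_rr "$child" "$zone" SOA)" -eq 0 ]; then
        echo "FAIL: $child serves no apex SOA for $zone"; rc=1
    fi
    if [ "$(count_rr "$child" "$zone" NS)" -eq 0 ]; then
        echo "FAIL: $child serves no apex NS for $zone"; rc=1
    fi
    return "$rc"
}

if [ "$#" -eq 3 ]; then check_delegation "$@"; fi
```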
Hi,

On Mon, May 22, 2023 at 09:18:11PM +0200, Julian Fölsch wrote:

> This however had the side effect that child zones that are not signed were no longer resolving

... this statement is not actually correct. Non-signed child zones are perfectly fine *as long* as there are no DS records for those children in the parent. Think ".de" and all the non-signed "$domain.de" zones...

[..]

> Are you signing DHCP zones? Would you recommend (not) doing it? If you are doing it, how are you doing it?
We're not currently doing it, but that's more a bit of laziness on my side - our DHCP setup currently uses ISC DHCP, and the zones are hosted on a BIND 9 primary. DNS is updated from the ISC dhcpd using DNS nsupdate to BIND, and from there, BIND could do "normal" inline signing.

Having DHCP+DNS integrated in dnsmasq makes this more complicated, but you could theoretically have "a real DNS" server AXFR the zones from dnsmasq, and then sign them there.

Gert Doering
        -- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG, Joseph-Dollinger-Bogen 14, D-80807 Muenchen, Tel: +49 (0)89/32356-444
Board: Sebastian v. Bomhard, Michael Emmer; Chairman of the Supervisory Board: A. Grundner-Culemann
HRB: 136055 (AG Muenchen); USt-IdNr.: DE813185279
On 23. 05. 23 9:33, Gert Doering wrote:
> Hi,
>
> On Mon, May 22, 2023 at 09:18:11PM +0200, Julian Fölsch wrote:
>
>> This however had the side effect that child zones that are not signed were no longer resolving
>
> ... this statement is not actually correct. Non-signed child zones are perfectly fine *as long* as there are no DS records for those children in the parent. Think ".de" and all the non-signed "$domain.de" zones...
>
> [..]
>
>> Are you signing DHCP zones? Would you recommend (not) doing it? If you are doing it, how are you doing it?
>
> We're not currently doing it, but that's more a bit of laziness on my side - our DHCP setup currently uses ISC DHCP, and the zones are hosted on a BIND 9 primary. DNS is updated from the ISC dhcpd using DNS nsupdate to BIND, and from there, BIND could do "normal" inline signing.
>
> Having DHCP+DNS integrated in dnsmasq makes this more complicated, but you could theoretically have "a real DNS" server AXFR the zones from dnsmasq, and then sign them there.
I agree. The 'usual' setup is a DHCP server which sends DNS updates to a separate DNS server, and the DNS server takes care of DNSSEC when it receives the dynamic update. Besides other things, this allows for redundancy on both the DHCP and the DNS side.

If you want to migrate to another DHCP server then please skip ISC DHCP (that's basically end-of-life) and go straight to Kea (also by ISC) or something else.

HTH.

-- 
Petr Špaček
Internet Systems Consortium
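The DHCP-to-DNS-UPDATE-to-signer setup the thread converges on, as an added check script that is not from the thread: it sends the UPDATE a DHCP server would send for a lease and then verifies that the primary signed the record and that a validating resolver sets AD on it. The key file path, the addresses and the names are placeholders; nsupdate(1) and dig(1) are assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the thread: send the DNS UPDATE a DHCP server would
# send for a new lease, then check that the primary signed the record and that a
# validating resolver accepts it. Assumes nsupdate(1) and dig(1) on the PATH;
# key file, addresses and names below are placeholders.
KEYFILE=${KEYFILE:-/etc/dhcp/dhcp-update.key}   # TSIG key, tsig-keygen format
PRIMARY=${PRIMARY:-192.0.2.53}                  # signing primary (e.g. BIND 9)
RESOLVER=${RESOLVER:-192.0.2.1}                 # validating resolver
ZONE=${ZONE:-dhcp.example.test}

# Replace the host's A record, TSIG-signed, as dhcpd/Kea do on lease events.
add_lease() {  # host ipv4
    nsupdate -k "$KEYFILE" <<EOF
server $PRIMARY
zone $ZONE
update delete $1.$ZONE A
update add $1.$ZONE 300 A $2
send
EOF
}

# Prints 1 when the primary returns an RRSIG covering the A RRset, else 0.
signed_by_primary() {  # host
    dig +norecurse +dnssec +noall +answer "@$PRIMARY" "$1.$ZONE" A |
        awk 'BEGIN { f = 0 } $4 == "RRSIG" && $5 == "A" { f = 1 } END { print f }'
}

# Prints 1 when the validating resolver sets the AD flag on the answer, else 0.
validated_by_resolver() {  # host
    dig +dnssec +noall +comments "@$RESOLVER" "$1.$ZONE" A |
        awk 'BEGIN { f = 0 } /^;; flags:/ && / ad[ ;]/ { f = 1 } END { print f }'
}

check_lease() {  # host ipv4
    add_lease "$1" "$2" || { echo "FAIL: UPDATE for $1.$ZONE refused (key or update-policy?)"; return 1; }
    [ "$(signed_by_primary "$1")" -eq 1 ] || { echo "FAIL: no RRSIG for $1.$ZONE at $PRIMARY"; return 1; }
    [ "$(validated_by_resolver "$1")" -eq 1 ] || { echo "FAIL: no AD from $RESOLVER for $1.$ZONE"; return 1; }
    echo "OK: $1.$ZONE is signed and validates"
}

if [ "$#" -eq 2 ]; then check_lease "$@"; fi
```

A name that was queried before the update may sit in the resolver's negative cache for the SOA minimum TTL, so a failure on the resolver check right after the update can be a timing issue rather than a signing one.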