
posted by qubix on October 8, 2022

As we all know, Cpanel supports and advertises PowerDNS for DNSSEC, not BIND. Weird as that is, I will not go into it here.

Recently I had a situation where a client transferred a .com domain to a different registrar and moved the website behind it to a new server. The domain was signed, and since no one knew that, I was suddenly facing a serious DNS propagation problem.

Since Google Public DNS had no record of this domain, I checked what the heck was happening, and yes, that is when I found out it was a signed domain.

The cause: the DS records for the domain at the .com registry still pointed at the old provider's KSK, while the new server answered with an unsigned zone, so every validating resolver (Google Public DNS included) rejected the answers as bogus. The problem had two solutions:
1) Remove the signing, i.e. have the DS records deleted at the registrar so the domain goes back to being unsigned
2) Implement DNSSEC for this domain on the new server, with a matching DS record at the registrar, so the chain of trust would be valid again.

Unfortunately, the registrar's support was terrible. I kept talking to people who clearly had no expertise on the matter, probably some call center working from fixed questions and answers. If you had the time and patience, I suppose they would eventually forward your case to a technical person.

But I didn't have the time. Every day that website was down, the client lost many, many euros in revenue, and the complaints were escalating by the hour.

So I thought to myself, there must be someone who has done this on a Cpanel server... NOT! The Cpanel forums had this question and the answer was always "we do not support BIND for DNSSEC". Feature requests were left unanswered.

Well no worries, I could do it on my own!

The problem now was that I didn't want all of my zones automatically signed by BIND; I wanted to do it manually, for only one domain.

I will not go into the pitfalls I ran into, but, thank the eGods, BIND had EDNS support in Cpanel and CloudNS could transfer the zone along with the DNSSEC records, among other things.

So, here comes the actual fun!

===== linux cli steps =====
cd /var/named

#generate the two keys we will use to sign the zone: a ZSK that signs the zone data, and a KSK that signs the DNSKEY RRset and is what the DS record at the registrar points to
#(without an entropy source like haveged this can take a loooong time; watch "cat /proc/sys/kernel/random/entropy_avail" while the keys are generated to see what happens to the available entropy)

#generate ZSK
dnssec-keygen -a RSASHA256 -b 1280 -n ZONE example.com

#generate KSK
dnssec-keygen -a RSASHA256 -b 2048 -f KSK -n ZONE example.com

#adjust ownership and rights on the four files we generated (two .key files holding the public DNSKEY records, two .private files holding the private keys): readable by root and the named group, nobody else
chgrp named Kexample.com.+*
chmod g=r,o= Kexample.com.+*

#copy them to a safe location just in case (the +008+ in the file names is the algorithm number of RSASHA256; the copy includes the private keys, so keep it root-only)
cp Kexample.com.+008+* /root/

#change the example.com section in /etc/named.conf
zone "example.com" {
        type master;

        # With inline-signing BIND maintains its own signed copy of the zone (in <file>.signed),
        # so file could simply point at the unsigned example.com.db; pointing it at the manually
        # signed file as here also works, BIND just re-signs that copy
        file  "/var/named/example.com.db.signed";

        allow-query { any; };

        # DNSSEC keys location (we could use a separate folder here)
        key-directory "/var/named/";

        # Publish and activate the DNSSEC keys found in key-directory
        # (newer BIND deprecates auto-dnssec in favour of dnssec-policy)
        auto-dnssec maintain;

        # Use inline signing
        inline-signing yes;
};

#add to /etc/named.conf, inside the options { } block
        dnssec-validation auto;
        //dnssec-enable yes;     //defaults to yes anyway; deprecated since BIND 9.16, so leave it out on newer versions
        //dnssec-lookaside auto; //DLV is gone, this is not valid for newer versions of BIND

#and inside the logging { } block, let's set up logging for dnssec only
        channel dnssec_log {
                file "/var/log/named/dnssec.log";
                severity debug 3;
        };
        category dnssec { dnssec_log; };

#before signing the zone we must put the public keys (the DNSKEY records) into the zone file, so dnssec-signzone knows which keys to sign it with
for key in Kexample.com*.key
do
echo "\$INCLUDE $key" >> example.com.db
done

#sign the zone: -3 <salt> builds an NSEC3 chain with that salt, -N INCREMENT bumps the SOA serial, -o is the zone origin, -t prints statistics
#-A turns on NSEC3 opt-out, which only makes sense for a zone with many unsigned delegations; for a plain leaf zone like this one leave it out
#(the salt is published in the zone's NSEC3PARAM record and is not a secret; current practice per RFC 9276 is no salt at all, "-3 -", and zero extra iterations, "-H 0")
dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o example.com -t example.com.db

#you should get something like
#Verifying the zone using the following algorithms: RSASHA256.
#Zone fully signed:
#Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
#                      ZSKs: 1 active, 0 stand-by, 0 revoked
#example.com.db.signed
#Signatures generated:                       65
#Signatures retained:                         0
#Signatures dropped:                          0
#Signatures successfully verified:            0
#Signatures unsuccessfully verified:          0
#Signing time in seconds:                 0.012
#Signatures per second:                5054.039
#Runtime in seconds:                      0.019
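What the salt and iteration count given to dnssec-signzone actually do, as an added example (this is not code from the post or from BIND): the NSEC3 owner-name hash from RFC 5155 in Python, checked against the RFC's own test vector, plus the dictionary attack that a random salt does not prevent, because the salt and iteration count are public in the NSEC3PARAM record. The demo zone names and the salt are constructed.

```python
"""NSEC3 owner-name hashing (RFC 5155 section 5) and why the salt buys nothing."""
import base64
import hashlib

# base32 and base32hex share the bit grouping and differ only in alphabet
B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                       "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def name_to_wire(name):
    """Canonical wire form of a name: lower-cased, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def nsec3_hash(name, salt_hex="", iterations=0):
    """RFC 5155: IH(0) = SHA-1(wire_name || salt), IH(k) = SHA-1(IH(k-1) || salt),
    i.e. iterations+1 rounds; the result is base32hex encoded as the NSEC3 owner label.
    salt_hex is the hex salt as passed to dnssec-signzone -3 ("-" or "" means no salt)."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode().translate(B32HEX).lower()


def dictionary_attack(nsec3_owners, zone, candidates, salt_hex, iterations):
    """Given the hashed owner names seen in a zone's NSEC3 chain, the salt and
    iteration count (both readable from NSEC3PARAM) and a wordlist, recover the
    clear names. Returns {hashed_owner: clear_name} for every hit."""
    wanted = set(nsec3_owners)
    found = {}
    for label in candidates:
        name = f"{label}.{zone}"
        h = nsec3_hash(name, salt_hex, iterations)
        if h in wanted:
            found[h] = name
    return found


# Constructed demo data (not a real zone): a made-up 16-hex-digit salt of the kind
# the sha1sum|cut trick produces, and some names an attacker wants to enumerate.
DEMO_SALT = "9f6ac2b0d1e3f4a5"
DEMO_NAMES = ["www.example.com.", "mail.example.com.", "secret-admin.example.com."]

if __name__ == "__main__":
    # RFC 5155 Appendix A vector: "example." with salt aabbccdd and 12 iterations
    print(nsec3_hash("example.", "aabbccdd", 12))  # 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom
    owners = [nsec3_hash(n, DEMO_SALT, 0) for n in DEMO_NAMES]
    hits = dictionary_attack(owners, "example.com.", ["www", "mail", "ftp", "vpn"],
                             DEMO_SALT, 0)
    print(hits)  # www and mail are recovered; only the guessable names are hidden by luck, not by the salt
```

The point of the second function: anyone who can read the zone's NSEC3PARAM record has the salt and iteration count, so a random salt only costs you CPU at signing time and does not stop offline guessing of zone names; that is why the current recommendation is an empty salt and zero iterations.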


#fix ownership of the signed zone file so named can read it
chown named:named example.com.db.signed

#reload bind
systemctl reload named

#DS records to put into the registrar interface, replacing the old provider's DS records (taken from the dsset-example.com. file created during signing; they can also be obtained with "dnssec-dsfromkey Kexample.com.+008+35056.key", 35056 being the key tag of our KSK)
#example.com.        IN DS 35056 8 1 B10CCE8B8C94F46E22451F66E860B7F804D2AC69
#example.com.        IN DS 35056 8 2 296446D4769D4B38175B11ED71767483AD5BD9697AE9C1DD21A3BE9E670D54EE
#the first line uses a SHA-1 digest (type 1), which is deprecated for new DS records; submit the SHA-256 one (type 2)
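As an added example (not code from the post or from BIND), this is what dnssec-dsfromkey does under the hood, in Python: the RFC 4034 key tag and DS digest computed from a DNSKEY line, plus a check that the DS the registrar shows was really derived from the KSK now in the zone, which is exactly what was broken after the transfer. The sample DNSKEY lines are constructed with a 4-byte dummy public key and are not real keys; feed it the DNSKEY line from the KSK's .key file to get the real DS.

```python
"""Key tag and DS record for a DNSKEY (RFC 4034 Appendix B and section 5.1.4),
and a check that a DS published at the parent matches a DNSKEY in the zone."""
import base64
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def parse_dnskey(line):
    """Parse a presentation-format DNSKEY line (as in K*.key files or dig output).
    Returns (owner, flags, protocol, algorithm, public_key_bytes)."""
    fields = line.split(";")[0].split()
    idx = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    return fields[0], flags, protocol, algorithm, pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(line, digest_type=2):
    """DS fields for a DNSKEY line: digest = H(canonical owner name || DNSKEY RDATA)."""
    owner, flags, protocol, algorithm, pubkey = parse_dnskey(line)
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return {"owner": owner, "key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": digest_type, "digest": digest,
            "is_ksk": bool(flags & 1)}  # SEP bit: the key a DS should point to


def ds_line(ds):
    return "%s IN DS %d %d %d %s" % (ds["owner"], ds["key_tag"], ds["algorithm"],
                                     ds["digest_type"], ds["digest"])


def parse_ds(line):
    """Parse a DS line as shown by a registrar or a dsset- file; tolerates a wrapped digest."""
    fields = line.split(";")[0].split()
    idx = fields.index("DS")
    return {"key_tag": int(fields[idx + 1]), "algorithm": int(fields[idx + 2]),
            "digest_type": int(fields[idx + 3]),
            "digest": "".join(fields[idx + 4:]).upper()}


def ds_matches(dnskey_line, ds_line_text):
    """True if the DS record at the parent was derived from this DNSKEY."""
    ds = parse_ds(ds_line_text)
    if ds["digest_type"] not in DIGESTS:
        return False
    mine = ds_from_dnskey(dnskey_line, ds["digest_type"])
    return all(mine[k] == ds[k] for k in ("key_tag", "algorithm", "digest_type", "digest"))


# Constructed sample keys (not real keys): flags 257 = zone key + SEP (a KSK),
# flags 256 = zone key only (a ZSK), protocol 3, algorithm 8 (RSASHA256),
# "public key" AQIDBA== = bytes 01 02 03 04.
SAMPLE_KSK = "example.com. IN DNSKEY 257 3 8 AQIDBA=="
SAMPLE_ZSK = "example.com. IN DNSKEY 256 3 8 AQIDBA=="

if __name__ == "__main__":
    ds = ds_from_dnskey(SAMPLE_KSK)
    print(ds_line(ds))
    # A stale DS left at the parent by the old provider (different key tag) must not match.
    stale = "example.com. IN DS 12345 8 2 " + "00" * 32
    print("current DS matches zone KSK:", ds_matches(SAMPLE_KSK, ds_line(ds)))
    print("stale DS matches zone KSK:  ", ds_matches(SAMPLE_KSK, stale))
```

Use ds_matches with the DS line copied from the registrar's interface and the DNSKEY line from your Kexample.com.+008+<keytag>.key file; a False here, with the zone otherwise signed, is the broken chain of trust described above.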


#check validation locally with delv: find the KSK's key tag, turn its .key file into a trusted-keys block and validate the SOA against that anchor (the delv output follows the command)
(d=example.com; k=$(printf '%05d' "$(dig @127.0.0.1 +norecurse "$d". DNSKEY | dnssec-dsfromkey -f - "$d" | awk '{print $4;}' | sort -u)"); delv @127.0.0.1 -a <(sed -e '/^;/d;s/[ \t]\{1,\}/ /g;s/ [0-9]\{1,\} IN DNSKEY / IN DNSKEY /;s/ IN DNSKEY / /;s/^[^ ]* [^ ]* [^ ]* [^ ]* /&"/;:s;/"[^ ]*$/b t;s/\("[^ ]*\) /\1/;b s;:t;s/$/";/;H;$!d;x;s/^\n//;s/.*/trusted-keys {\n    &\n};/' /var/named/Kexample.com.+008+"$k".key) +root="$d" "$d". SOA +multiline)
; fully validated
example.com.        86400 IN SOA ns1.mainserver.com. server.mainserver.com. (
                                2022100118 ; serial
                                3600       ; refresh (1 hour)
                                1800       ; retry (30 minutes)
                                1209600    ; expire (2 weeks)
                                86400      ; minimum (1 day)
                                )
example.com.        86400 IN RRSIG SOA 8 2 86400 (
                                20221101074125 20221002064125 60423 example.com.
                                BUoM4IHVFuL7JhkLkRQeR7xgBHmqo1D+GJStYvfumCrZ
                                km+qAm2HtysnrW+Ug+orWA6fURF2tgY9UkTrPPuLpUlX
                                ExPanItTqrDqWghIA1lFHs28e9DiBNQgv3WByRinfYvF
                                C7o0UpzaXCMppsWisbD50xXlGvcrsCxiXoDxgpiJ+O3p
                                WlIc4hYdolcN2z4o+UoPsSTVOZTj9fBSzRB63w== )



Two excellent tools to use for checking DNS status and the chain of trust are:

https://dnsviz.net/

and

https://dnssec-analyzer.verisignlabs.com/
