Add new comment

DNSSEC Validation in Bind

I haven't done anything with DNSSEC for a while, not since I messed around with signing my domain in 2008. That was a success, by the way, but I changed around my nameservers and it's not signed any more.

Today's project was to see if I could enable DNSSEC validation on my server. The goal being to ignore any zones which are supposed to be signed, but don't contain correct data.

The configuration in Bind is pretty easy. Just add this to your options config and reload:

dnssec-enable yes; 
dnssec-validation yes;
dnssec-lookaside auto;

You can verify it's working by doing a search for a domain that's signed, which should return a result as normal:

dig a isc.org

And do a query for a domain which is signed incorrectly (and on purpose). If you get an A record, that means you missed something.

dig a www.dnssec-failed.org

Furthermore, if you're a real glutton for punishment, you can enable DNSSEC debugging in your logs.

channel dnssec_log {
   file "/var/log/bind/dnssec.log";
   print-time yes;
   print-category yes;
   print-severity yes;
   severity debug 3;
};
category dnssec { dnssec_log; };

Where you would see something such as:

26-Mar-2013 15:08:32.572 dnssec: debug 3: validating @0xb7bbb568: dnssec-failed.org DNSKEY: no DNSKEY matching DS
26-Mar-2013 15:08:32.572 dnssec: info: validating @0xb7bbb568: dnssec-failed.org DNSKEY: no valid signature found (DS)
26-Mar-2013 15:08:32.572 dnssec: debug 3: validating @0xb7bbb568: dnssec-failed.org DNSKEY: falling back to insecurity proof
26-Mar-2013 15:08:32.572 dnssec: debug 3: validating @0xb7bbb568: dnssec-failed.org DNSKEY: checking existence of DS at 'org'
26-Mar-2013 15:08:32.572 dnssec: debug 3: validating @0xb7bbb568: dnssec-failed.org DNSKEY: checking existence of DS at 'dnssec-failed.org'
26-Mar-2013 15:08:32.572 dnssec: debug 3: validating @0xb7bbb568: dnssec-failed.org DNSKEY: insecurity proof failed

Subscribe to zmonkey.org - All comments