DNSSEC, views & trusted keys...episode 43

Timothe Litt litt at acm.org
Mon Nov 1 19:02:30 UTC 2010


I have tried to consolidate the several suggestions for how to configure a
view that would respond with AD to recursive queries for authoritative
zones.
 
I don't have a working recipe.  I could use some help.
 
At this point, it looks like the recursive view is still going to the
external nameservers.

Validation fails because the external views don't use the same keys as the
internal views (when the zones have the same name).

Stub zones are active - as in the queries were made and their .db files
created.  Their content IS coming from the internal view (as expected).

Trusted keys are being specified (I intend to switch to managed-keys, but
one step at a time!)

Here is the configuration - I'm eliding include statements, truncating keys
and showing only one zone.  

Bind 9.7.2-P2

view "r-internal" in {
//  match-clients { !any_external; all_internal; };
    match-clients { 192.168.148.136; }; // This is for debugging
    match-recursive-only yes;
    transfer-source   192.168.42.6;    // Required so recursion hits the right view
    query-source address 192.168.42.6; // ", but doesn't seem to be obeyed
    recursion yes;
    allow-recursion { all_internal; };
    allow-query-cache { all_internal; };
    trusted-keys {
        litts.net. 257 3 7
        "AwEAAd8UA5VFFxqqyj+2peMH+/KOhm3q2H/(...)";
    };
    // dig @192.168.42.6 example.net dnskey
    // example.net. 60 IN DNSKEY  257 3 7
    // AwEAAd8UA5VFFxqqyj2peMH+/KOhm3q2H/(...)"
    // Yes, there is a ZSK too

    zone "example.net" in {
        type stub;
        file "EXAMPLE_NET.stub.DB";
        masters { 192.168.148.4; };
    };
};

Named.log:

01-Nov-2010 13:58:41.436 lame-servers: info: error (no valid KEY) resolving 'example.net/DNSKEY/IN': <external-IP of NS1>#53
01-Nov-2010 13:58:41.535 lame-servers: info: error (no valid KEY) resolving 'example.net/DNSKEY/IN': <external-IP of NS2>#53
01-Nov-2010 13:58:41.628 lame-servers: info: error (no valid KEY) resolving 'example.net/DNSKEY/IN': <external-IP of NS3>#53
01-Nov-2010 13:58:41.630 lame-servers: info: error (broken trust chain) resolving 'www.example.net/A/IN': <external-IP of NS3>#53

Note that none of the three nameservers in the log are the one configured
for this test.

I suspect that some internal shortcut is causing named to ignore the
query-source directive.
Perhaps in not wanting to do UDP to itself, named isn't setting (or looking
at) the source address?  

In any case, this server is authoritative (a slave) for all the zones
involved, so it's also a bit of a mystery as to why it goes outside to
resolve this at all.

I have created a level 99 trace of this lookup - perhaps it will mean
something to a named internals wizard...

Named.run (domain & ip addresses masked with sed)

01-Nov-2010 14:33:40.579 debug level is now 99
01-Nov-2010 14:33:40.581 socket 0x406bd410: socket_recv: event 0x408ee3c8 ->
task 0x40655008
01-Nov-2010 14:33:40.583 socket 0x406bd410: dispatch_recv:  event 0x408ee3c8
-> task 0x40655008
01-Nov-2010 14:33:40.584 socket 0x406bd410: internal_recv: task 0x40655008
got event 0x406bd470
01-Nov-2010 14:33:40.578 socket 0x406bd410: destroying
01-Nov-2010 14:33:43.162 socket 0x40697568: dispatch_recv:  event 0x408ef968
-> task 0x40910c08
01-Nov-2010 14:33:43.162 socket 0x40697568: internal_recv: task 0x40910c08
got event 0x406975c8
01-Nov-2010 14:33:43.162 socket 0x40697568 192.168.148.136#41145: packet
received correctly
01-Nov-2010 14:33:43.163 socket 0x40697568: processing cmsg 0x40642190
01-Nov-2010 14:33:43.163 client 192.168.148.136#41145: UDP request
01-Nov-2010 14:33:43.164 client 192.168.148.136#41145: view r-internal:
using view 'r-internal'
01-Nov-2010 14:33:43.164 client 192.168.148.136#41145: view r-internal:
request is not signed
01-Nov-2010 14:33:43.158 client 192.168.148.136#41145: view r-internal:
recursion available
01-Nov-2010 14:33:43.158 client 192.168.148.136#41145: view r-internal:
query
01-Nov-2010 14:33:43.158 client 192.168.148.136#41145: view r-internal:
ns_client_attach: ref = 1
01-Nov-2010 14:33:43.159 client 192.168.148.136#41145: view r-internal:
query 'www.example.net/A/IN' approved
01-Nov-2010 14:33:43.160 client 192.168.148.136#41145: view r-internal:
replace
01-Nov-2010 14:33:43.160 clientmgr @0x4063f3c8: createclients
01-Nov-2010 14:33:43.160 clientmgr @0x4063f3c8: recycle
01-Nov-2010 14:33:43.161 createfetch: www.example.net A
01-Nov-2010 14:33:43.161 fctx 0x40867c38(www.example.net/A'): create
01-Nov-2010 14:33:43.168 fctx 0x40867c38(www.example.net/A'): join
01-Nov-2010 14:33:43.168 fetch 0x4064bc70 (fctx
0x40867c38(www.example.net/A)): created
01-Nov-2010 14:33:43.169 client @0x40a08008: udprecv
01-Nov-2010 14:33:43.169 socket 0x40697568: socket_recv: event 0x408c91e8 ->
task 0x40a050c8
01-Nov-2010 14:33:43.169 fctx 0x40867c38(www.example.net/A'): start
01-Nov-2010 14:33:43.170 fctx 0x40867c38(www.example.net/A'): try
01-Nov-2010 14:33:43.170 fctx 0x40867c38(www.example.net/A'): cancelqueries
01-Nov-2010 14:33:43.170 fctx 0x40867c38(www.example.net/A'): getaddresses
01-Nov-2010 14:33:43.171 expiring v4 for name 0x40703a58
01-Nov-2010 14:33:43.171 expire_v4 set to MIN(2147483647,1288636433)
import_rdataset
01-Nov-2010 14:33:43.172 dns_adb_createfind: found A for name 0x40703a58 in
db
01-Nov-2010 14:33:43.172 expiring v4 for name 0x407039a8
01-Nov-2010 14:33:43.173 expire_v4 set to MIN(2147483647,1288636433)
import_rdataset
01-Nov-2010 14:33:43.173 dns_adb_createfind: found A for name 0x407039a8 in
db
01-Nov-2010 14:33:43.173 expiring v4 for name 0x407038f8
01-Nov-2010 14:33:43.174 expire_v4 set to MIN(2147483647,1288636433)
import_rdataset
01-Nov-2010 14:33:43.168 dns_adb_createfind: found A for name 0x407038f8 in
db
01-Nov-2010 14:33:43.168 fctx 0x40867c38(www.example.net/A'): query
01-Nov-2010 14:33:43.169 resquery 0x409f9008 (fctx
0x40867c38(www.example.net/A)): send
01-Nov-2010 14:33:43.169 socket 0x409fbac8 192.168.42.6#47591: bound
01-Nov-2010 14:33:43.170 dispatch 0x409193f0 response 0x40935168
204.42.254.5#53: attached to task 0x40a05968
01-Nov-2010 14:33:43.170 socket 0x409fbac8: socket_recv: event 0x408ee3c8 ->
task 0x40a1e6c8
01-Nov-2010 14:33:43.171 resquery 0x409f9008 (fctx
0x40867c38(www.example.net/A)): sent
01-Nov-2010 14:33:43.178 resquery 0x409f9008 (fctx
0x40867c38(www.example.net/A)): udpconnected
01-Nov-2010 14:33:43.178 resquery 0x409f9008 (fctx
0x40867c38(www.example.net/A)): senddone
01-Nov-2010 14:33:43.221 socket 0x409fbac8: dispatch_recv:  event 0x408ee3c8
-> task 0x40a1e6c8
01-Nov-2010 14:33:43.222 socket 0x409fbac8: internal_recv: task 0x40a1e6c8
got event 0x409fbb28
01-Nov-2010 14:33:43.222 socket 0x409fbac8 204.42.254.5#53: packet received
correctly
01-Nov-2010 14:33:43.223 socket 0x409fbac8: processing cmsg 0x406ab468
01-Nov-2010 14:33:43.223 dispatch 0x409193f0: got packet: requests 1,
buffers 1, recvs 0
01-Nov-2010 14:33:43.223 dispatch 0x409193f0: got valid DNS message header,
/QR 1, id 3501
01-Nov-2010 14:33:43.224 dispatch 0x409193f0 response 0x40935168
204.42.254.5#53: [a] Sent event 0x40938878 buffer 0xf9f58 len 4096 to task
0x40a05968
01-Nov-2010 14:33:43.218 socket 0x409fbac8: socket_recv: event 0x408ee788 ->
task 0x40a1e6c8
01-Nov-2010 14:33:43.218 resquery 0x409f9008 (fctx
0x40867c38(www.example.net/A)): response
01-Nov-2010 14:33:43.229 received packet:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:   3501
;; flags: qr aa cd; QUESTION: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 7
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.example.net.                 IN      A

;; ANSWER SECTION:
www.example.net.          0       IN      CNAME   nano.example.net.
www.example.net.          600     IN      RRSIG   CNAME 7 3 600
20101106112303 20101029110730 14819 example.net.
U09+opQO2LgsZUE3/sZLdO4q5QE2F0HiXMvJstxpsTcXMY+PeCllXlX0
eJ+D9j6H9lW6KgxkwsNb1PUEzQConfNO3yD6tYOLOU2nyAu/ELfvG5Sf
30YBdwdiPz3Tq3jqrXX55pga20c1AgfJH+xqboTaa0Hx2R6/P3Mg7LlI jHg=
nano.example.net.         600     IN      A       xxx.xxx.xxx.61
nano.example.net.         600     IN      RRSIG   A 7 3 600 20101106133337
20101029125732 14819 example.net.
aTVYvj5grzmo+jSjq3J04VqrvGTClhklKtgdKl7ZTctLJ2x7MEXKUaSQ
fSe9M4Tv1o3EEp0ZnpAf3LjUPZcrSW1z+TdUaSVh0yDPyGXLo9klxWS7
HukAfUa4LEYvtbmJM8LHJCp43V1CXwpxfTKS7lCaN/4Vcpd14sl5CqJl 26w=

;; AUTHORITY SECTION:
example.net.              600     IN      NS      ns1.example.net.
example.net.              600     IN      NS      puck.nether.net.
example.net.              600     IN      NS      ns2.example.net.
example.net.              600     IN      RRSIG   NS 7 2 600 20101104151216
20101027144322 14819 example.net.
JeeKLNUK/GUKMgc/JMCp7CyFhc3aWoSOAGsVzl/FjoEDEnX66s71OjEe
mvYNkcMrvg2vMdGfI7RCldPYlphYU8bYORxOGoB01sNHJrWF1lFLwS3b
XWEwcZX1mxGhGNObfL8uHluNq/vn3nwFqtWSrU2+oxNeulBFo2e7PRu+ WOU=

;; ADDITIONAL SECTION:
ns1.example.net.          600     IN      A       xxx.xxx.xxx.59
ns1.example.net.          600     IN      RRSIG   A 7 3 600 20101106133337
20101029125732 14819 example.net.
Jd4GMf96XxSgvHmLZ8tL1cVvOjSGY6Ol+qNb74KnS4bqdSI/ak3NQoLW
ZH6GC0YsqqDhoDITJTU64temi+5xPubGFWYJvtoW58uqy6vXBSfBzbe3
zA6qPEXtdaulSy5rev7P1Eol1GVujW+SRgBJsI1okiVWzNe1bAZK2gZI VHI=
ns2.example.net.          600     IN      A       xxx.xxx.xxx.61
ns2.example.net.          600     IN      RRSIG   A 7 3 600 20101106133337
20101029125732 14819 example.net.
dGLxn2kdekOtLuJfEKGXwLJVfnvjlJ46UwuXhI5bUk9XzZffuBwz5NkH
h0iivrpj/ghFhJXxXy4QvlYwEAhFk9Qb0aSv3rXslSoqxE4+JwVcZSgG
7wpAuDKOfQa1JBlBXxMo3SU63v5ghmIk+NLGpCfgNQTo1H4iOuZ7xcFl Un4=
puck.nether.net.        86400   IN      A       204.42.254.5
puck.nether.net.        86400   IN      AAAA    2001:418:3f4::5


01-Nov-2010 14:33:43.230 fctx 0x40867c38(www.example.net/A'):
answer_response
01-Nov-2010 14:33:43.230 fctx 0x40867c38(www.example.net/A'):
noanswer_response
01-Nov-2010 14:33:43.230 fctx 0x40867c38(www.example.net/A'): cache_message
01-Nov-2010 14:33:43.231 decrement_reference: delete from rbt: 0x40bfde40
www.example.net
01-Nov-2010 14:33:43.242 fctx 0x40867c38(www.example.net/A'): cancelquery
01-Nov-2010 14:33:43.243 dispatch 0x409193f0 response 0x40935168
204.42.254.5#53: detaching from task 0x40a05968
01-Nov-2010 14:33:43.243 dispatch 0x409193f0: detach: refcount 2
01-Nov-2010 14:33:43.243 fctx 0x40867c38(www.example.net/A'): wait for
validator
01-Nov-2010 14:33:43.244 fctx 0x40867c38(www.example.net/A'): cancelqueries
01-Nov-2010 14:33:43.239 fctx 0x40867c38(www.example.net/A'): received
validation completion event
01-Nov-2010 14:33:43.239 fctx 0x40867c38(www.example.net/A'): validation
failed
01-Nov-2010 14:33:43.240 fctx 0x40867c38(www.example.net/A'): add_bad
01-Nov-2010 14:33:43.241 error (broken trust chain) resolving
'www.example.net/A/IN': 204.42.254.5#53
01-Nov-2010 14:33:43.241 fctx 0x40867c38(www.example.net/A'): done
01-Nov-2010 14:33:43.248 fctx 0x40867c38(www.example.net/A'): stopeverything
01-Nov-2010 14:33:43.248 fctx 0x40867c38(www.example.net/A'): cancelqueries
01-Nov-2010 14:33:43.248 dns_adb_destroyfind on find 0x40702008
01-Nov-2010 14:33:43.249 dns_adb_destroyfind on find 0x40702f80
01-Nov-2010 14:33:43.249 dns_adb_destroyfind on find 0x4070ccb0
01-Nov-2010 14:33:43.249 fctx 0x40867c38(www.example.net/A'): sendevents
01-Nov-2010 14:33:43.250 dispatch 0x409193f0: got packet: requests 0,
buffers 1, recvs 0
01-Nov-2010 14:33:43.250 client 192.168.148.136#41145: view r-internal:
query failed (SERVFAIL) for www.example.net/IN/A at query.c:4650
01-Nov-2010 14:33:43.251 client 192.168.148.136#41145: view r-internal:
error
01-Nov-2010 14:33:43.252 client 192.168.148.136#41145: view r-internal: send
01-Nov-2010 14:33:43.252 client 192.168.148.136#41145: view r-internal:
sendto
01-Nov-2010 14:33:43.253 client 192.168.148.136#41145: view r-internal:
senddone
01-Nov-2010 14:33:43.253 client 192.168.148.136#41145: view r-internal: next
01-Nov-2010 14:33:43.253 client 192.168.148.136#41145: view r-internal:
ns_client_detach: ref = 0
01-Nov-2010 14:33:43.254 client 192.168.148.136#41145: view r-internal:
endrequest
01-Nov-2010 14:33:43.248 dispatch 0x4065bc20: detach: refcount 2
01-Nov-2010 14:33:43.248 fetch completed at resolver.c:4148 for
www.example.net/A in 0.081635: broken trust chain/broken trust chain
[domain:example.net,referral:0,restart:1,qrysent:1,timeout:0,lame:0,neterr:0
,badresp:0,adberr:0,findfail:0,valfail:1]
01-Nov-2010 14:33:43.249 fetch 0x4064bc70 (fctx
0x40867c38(www.example.net/A)): destroyfetch
01-Nov-2010 14:33:43.249 fctx 0x40867c38(www.example.net/A'): shutdown
01-Nov-2010 14:33:43.249 fctx 0x40867c38(www.example.net/A'): doshutdown
01-Nov-2010 14:33:43.249 fctx 0x40867c38(www.example.net/A'): stopeverything
01-Nov-2010 14:33:43.250 fctx 0x40867c38(www.example.net/A'): cancelqueries
01-Nov-2010 14:33:43.250 fctx 0x40867c38(www.example.net/A'): destroy
01-Nov-2010 14:33:48.441 socket 0x40697d78: internal_accept called, locked
socket
01-Nov-2010 14:33:48.441 socket 0x40697d78 192.168.42.6#3249: accepted
connection, new socket 0x4092dac8
01-Nov-2010 14:33:48.442 socket 0x4092dac8: socket_recv: event 0x40a03968 ->
task 0x40655008
01-Nov-2010 14:33:48.439 socket 0x4092dac8: dispatch_recv:  event 0x40a03968
-> task 0x40655008
01-Nov-2010 14:33:48.439 socket 0x4092dac8: internal_recv: task 0x40655008
got event 0x4092db28
01-Nov-2010 14:33:48.440 socket 0x4092dac8 192.168.42.6#3249: packet
received correctly
01-Nov-2010 14:33:48.440 socket 0x4092dac8 192.168.42.6#3249: packet
received correctly
01-Nov-2010 14:33:48.449 received control channel command 'null'
01-Nov-2010 14:33:48.450 socket 0x4092dac8: socket_recv: event 0x40a03b48 ->
task 0x40655008
01-Nov-2010 14:33:48.452 socket 0x4092dac8: dispatch_recv:  event 0x40a03b48
-> task 0x40655008
01-Nov-2010 14:33:48.453 socket 0x4092dac8: internal_recv: task 0x40655008
got event 0x4092db28
01-Nov-2010 14:33:48.453 socket 0x4092dac8 192.168.42.6#3249: packet
received correctly
01-Nov-2010 14:33:48.453 socket 0x4092dac8 192.168.42.6#3249: packet
received correctly
01-Nov-2010 14:33:48.449 received control channel command 'notrace'

Finally, here is the stub zone file - should it be signed?

$ORIGIN .
$TTL 600        ; 10 minutes
example.net             IN SOA  ns1.example.net. examplenetadmin.example.net. (
                                2007037072 ; serial
                                3600       ; refresh (1 hour)
                                300        ; retry (5 minutes)
                                604800     ; expire (1 week)
                                600        ; minimum (10 minutes)
                                )
                        NS      ns1.example.net.
                        NS      ns2.example.net.
$ORIGIN example.net.
ns1                     A       192.168.148.4
ns2                     A       192.168.148.6

Many thanks in advance...

---------------------------------------------------------
This communication may not represent my employer's views,
if any, on the matters discussed.
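The post's diagnosis is that validation fails because the external view signs example.net with keys that are not the ones in the internal view's trusted-keys block, and the log's "no valid KEY" lines are consistent with that. A quick way to confirm it before touching views or query-source is to compare the configured anchor, byte for byte, against the DNSKEY RRset each view actually serves, and to print the RFC 4034 Appendix B key tags so they can be matched against the key tags in the RRSIGs. The script below is an added example and is not from the original post or from BIND; all key material in it is constructed (short fake public keys, not real DNSSEC keys), and the trusted-keys text and dig-style lines are built inline so it runs offline. In practice the dig output would come from `dig @<view-address> example.net DNSKEY` against each view's listening address.

```python
"""Added example: check a BIND trusted-keys anchor against the DNSKEY RRset a
view actually serves, and report RFC 4034 Appendix B key tags.  All key
material here is constructed for the example, not keys from the post."""
import base64
import re
import struct

# One trusted-keys entry: owner flags protocol algorithm "base64";  (re.S lets
# the base64 span several lines, as it does in a real named.conf)
ANCHOR_RE = re.compile(r'(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+"([^"]*)"\s*;', re.S)


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """Wire-format DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(
        re.sub(r"\s+", "", pubkey_b64))


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (for algorithms other than RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_trusted_keys(conf: str) -> dict:
    """Parse a named.conf trusted-keys { ... }; block into {owner: [rdata, ...]}."""
    anchors = {}
    for name, flags, proto, alg, b64 in ANCHOR_RE.findall(conf):
        anchors.setdefault(name.lower(), []).append(
            dnskey_rdata(int(flags), int(proto), int(alg), b64))
    return anchors


def parse_dig_dnskeys(dig_output: str) -> dict:
    """Parse 'owner TTL IN DNSKEY flags proto alg base64' lines (one record per
    line, as dig prints without +multiline) into {owner: [rdata, ...]}."""
    served = {}
    for line in dig_output.splitlines():
        toks = line.split()
        if len(toks) < 8 or toks[3] != "DNSKEY":
            continue
        rdata = dnskey_rdata(int(toks[4]), int(toks[5]), int(toks[6]), "".join(toks[7:]))
        served.setdefault(toks[0].lower(), []).append(rdata)
    return served


def check_anchor(anchors: dict, served: dict) -> list:
    """For each anchor: its key tag, whether the served DNSKEY RRset contains
    byte-identical RDATA, and the tags the server actually offers."""
    report = []
    for owner, anchor_keys in anchors.items():
        offered = served.get(owner, [])
        for a in anchor_keys:
            report.append({
                "owner": owner,
                "anchor_tag": key_tag(a),
                "matched": a in offered,
                "served_tags": sorted(key_tag(k) for k in offered),
            })
    return report


# Constructed keys (not real DNSSEC key material): the internal view's KSK, a
# ZSK both views happen to share, and the different KSK the external view uses.
INTERNAL_KSK = base64.b64encode(bytes.fromhex("0102030405060708")).decode()
SHARED_ZSK = base64.b64encode(bytes.fromhex("1112131415161718")).decode()
EXTERNAL_KSK = base64.b64encode(bytes.fromhex("2122232425262728")).decode()

# Constructed named.conf fragment, in the same shape as the post's block.
TRUSTED_KEYS_CONF = f'''
trusted-keys {{
    example.net. 257 3 7 "{INTERNAL_KSK}";
}};
'''

# Constructed dig answers, one per view.
INTERNAL_VIEW_DIG = f"""example.net. 60 IN DNSKEY 257 3 7 {INTERNAL_KSK}
example.net. 60 IN DNSKEY 256 3 7 {SHARED_ZSK}
"""
EXTERNAL_VIEW_DIG = f"""example.net. 60 IN DNSKEY 257 3 7 {EXTERNAL_KSK}
example.net. 60 IN DNSKEY 256 3 7 {SHARED_ZSK}
"""


def audit(view_dig: str) -> list:
    """Compare the configured anchor against one view's DNSKEY answer."""
    return check_anchor(parse_trusted_keys(TRUSTED_KEYS_CONF), parse_dig_dnskeys(view_dig))


if __name__ == "__main__":
    for label, dig in (("internal", INTERNAL_VIEW_DIG), ("external", EXTERNAL_VIEW_DIG)):
        for r in audit(dig):
            state = "matches" if r["matched"] else "NOT in"
            print(f"{label} view: anchor {r['owner']} tag {r['anchor_tag']} "
                  f"{state} served DNSKEY set, served tags {r['served_tags']}")
```

A "NOT in" result for the view that the recursing side is actually reaching is exactly the condition behind a "no valid KEY" / "broken trust chain" failure: the resolver fetched a DNSKEY RRset that contains no key equal to its anchor, so nothing it received can be trusted. The served tags are also what to compare against the key tag field of the RRSIGs in the trace (14819 in the post's dump) to see which key set signed the answer that came back.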