Multi Master/Primary Authoritative DNSSEC DNS Nameserver With Synced/Replicated COMMON Dir/Vol For BIND

Terik Erik Ashfolk aterik at outlook.com
Sat Sep 28 01:50:58 UTC 2024


Does the BIND have command/parameter for configuring+running BIND 
in Multi-Signer MODEL-2 mode as specified in RFC 8901 ?
https://www.rfc-editor.org/rfc/rfc8901.html

in another words, Can BIND itself handle multiple-provider's (aka: 
multiple-nameserver's) KSKs, ZSKs, DNSKEYs, etc RRsets and 
create/update RRSIGs accordingly with Multi-Signer MODEL-2 mode ?

If it can what commands/parameters enable such mode ?
What "update-policy" it needs ?

Erik.

Erik T Ashfolk.


On 9/27/24 2:53 PM, Terik Erik Ashfolk wrote:
> According to the page
> https://blog.apnic.net/2021/08/25/multi-signer-dnssec-models/
> in MODEL 2.
> I added an improved image as attachment.
> <img alt="ZSK-signing" src="cid:ImportZSK-PublishDSofKSK.jpg" />
> MULTI-ZSK-SIGNING IS ONE OF THE SOLUTION, and appears to be 
> suitable for my case.
> 
> So, multi-signing with ZSKs from multiple nameservers would have 
> worked,
> when nameservers were using separate "zones" & "keys" folder,
> 
> I needed to sign n1's zone file with n2's ZSK & with n3's ZSK.
> I needed to sign n2's zone file with n1's ZSK & with n3's ZSK.
> I needed to sign n3's zone file with n1's ZSK & with n2's ZSK.
> 
> Because 3 nameservers are using SYNCED/REPLICATED shared 
> directories & files,
> so each ZSK & KSK are available to other nameservers.
> 
> for "key-directory"
> n1 using "/mnt/vol/v1/etc/bind/n1/keys"
> n2 using "/mnt/vol/v1/etc/bind/n2/keys"
> n3 using "/mnt/vol/v1/etc/bind/n3/keys"
> 
> and shared common directory for BIND keys is
> "/mnt/vol/v1/etc/bind/keys"
> 
> and shared directory is
> "/mnt/vol/v1"
> 
> is there an option in BIND, that can monitor+enable additional ZSK 
> signing from new ZSK key from other namerservers for same domain ?
> if not, please add this as new feature in BIND.
> 
> if BIND itself cannot do the monitoring + multi-ZSK-signing now, 
> then, HOW can i monitor the ".../bind/n1/keys" (or ".../bind/n2/ 
> keys" or ".../bind//n3/keys" or ".../bind/keys" ) sub-dirs under 
> shared-directory and find that BIND has began to use a new ZSK key ?
> 
> or HOW can i get a signal from BIND in each nameserver ? that, BIND 
> has began to use a new ZSK key ?
> 
> so-that, i can trigger/run another script in each nameserver (which 
> added new ZSK key) to begin signing my domain's zone file in other 
> 2 nameservers with the new ZSK.
> 
> example : if n1 added a new ZSK for "example.com" domain, then a 
> "new-zsk-key-monitoring-script.sh" script will create 2 files
> "signal-n2-ExampleCom-MZS-zskNUMBER.txt"
> "signal-n3-ExampleCom-MZS-zskNUMBER.txt"
> in the shared-bind-directory : "/mnt/vol/v1/etc/bind/keys".
> Then "monitor-for-signal-file.sh" script running in n2 & n3, will 
> get that signal, & run "multi-ZSK-sign-script.sh" to mulit ZSK 
> signing.
> 
> 
> Thanks in advance.
> 
> Erik.
> 
> Erik T Ashfolk.
> 
> 
> 
> 
> On 9/26/24 7:26 PM, TErik Ashfolk wrote:
>> Hello BIND Community.
>>
>> Looking forward to your suggestions, advises on setup DNSSEC 
>> enabled zones on multiple master/primary authoritative DNS server 
>> (Nameserver) with synced/replicated common shared directories/ 
>> volume.
>>
>>
>> Please skip the section(s) that you dont need to read/scan,
>>
>> & goto the QUESTIONS , the last section.
>>
>>
>> OBJECTIVES (END-RESULT):
>>
>> Trying to achieve HA (High-Availability <https:// 
>> en.wikipedia.org/ wiki/High_availability>), so-that, as long as 1 
>> master/primary is up/running, then my domains are still available 
>> to world, and allowing users to obtain DNSSEC verified domain- 
>> name to IP-address resolving, etc from BIND DNS server services.
>>
>>
>>
>> RESOURCES:
>>
>> • Servers : rented 3 servers on 3 locations from different server 
>> providers.
>>
>> • Domain : I have multiple domains from domain providers 
>> (registrar) . Here i will use "example.com"
>>
>> • Each server has 1 IPv4-address, 1 IPv6-address.
>>
>> • Domain provider's "Use your own Nameserver" is pointed to 3 
>> hostnames in 3 nameservers : n1.example.com ( 192.10.2.11 , 
>> 2001:db8:1::1 ) , n2.example.com ( 198.51.100.12 , 
>> 2001:db8:2::2 ) , n3.example.com ( 203.0.113.13 , 2001:db8:3::3 ) 
>> IP-addresses.
>>
>> • Each IP-adrs has it's RDNS setup done, to correspond & match 
>> with nameserver's hostname.
>>
>> • Using Debian GNU/Linux 12 (bookworm) OS in each server. 
>> ( Server operator can use any other OS, its their choice/ 
>> preference. ) ( By the way, Debian GNU/Linux is base of Ubuntu 
>> Linux, kind of similar to: RedHat Enterprise GNU/Linux is base of 
>> Fedora Linux. )
>>
>> • Using ISC BIND9 (9.18.0 , specifically now : 9.18.28) DNS 
>> server software, in each server. ( Server operator can use any 
>> other DNS server, its their choice/preference. )
>>
>>
>> ABOUT FILE/DIRECTORY REPLICATION:
>>
>> • For directories & files replication/sync purpose, using Gluster 
>> software (1 <https://en.wikipedia.org/wiki/Gluster>,2 <https:// 
>> docs.gluster.org/en/latest/>,3 <https://serverfault.com/ 
>> a/1165339/217110>,4 <https://www.howtoforge.com/how-to-install- 
>> glusterfs-on-debian-12/>). ( There are many other choices for 
>> server operators:Multi-Master Replicaiton <https:// 
>> en.wikipedia.org/wiki/Multi-master_replication>,List <https:// 
>> en.wikipedia.org/wiki/List_of_cluster_management_software>), its 
>> their own choice what suits best/works for their need/purpose.
>>
>> • When any file/directory changes ( i.e: in "n1" server ) , then 
>> the replication/sync software that is installed/monitoring , will 
>> nearly immediately or within few seconds, begin to make same 
>> changes to same file/dir in server-operator's other servers 
>> ( n2 , n3 ), that are member of replication/sync volume/ 
>> directory. These replication software uses time-server to have 
>> accurate time. Whichever edit/creation/deletion/modification is 
>> done last, that takes priority & duplicated/replicated/synced.
>>
>>
>>
>> SHARED/COMMON STORAGE/VOLUME/DIRECTORY:
>>
>> • I created a large file ("data-s1.img"), ~ 300 MB in size, 
>> inside root-partition , at "/storage/s1/data-s1.img" . Formatted 
>> with XFS filesystem creation/make tools . Attached large-file 
>> into a loop block device . Mounted it in "/data/s1" directory . 
>> Created a systemd service "mount-storage.service" in Debian to do 
>> previous steps one after another, so-that it can succeed in 
>> mounting during boot , (as "/etc/fstab" was not suitable for this 
>> purpose) . Others can create/use a 2nd partition in same storage 
>> drive (i.e: "/dev/ sda2") or add another storage drive (i.e: "/ 
>> dev/sdb") in server . Others can use a script (or "/etc/fstab") 
>> during boot to mount, etc.
>>
>> • after above steps, replication software (Gluster) was used to 
>> create replication volume "v1" inside the storage-mount-point ("/ 
>> data/s1") , so it became "/data/s1/v1" . i configured gluster to 
>> enable SSL/TLS based secure connection for replication process. 
>> Gluster also needs user to mount the volume as "glusterfs" type 
>> mount-point to monitor data r/w & replicate, & its done in : "/ 
>> mnt/ vol/v1" mount-point of volume "v1" . Followed stepshere 
>> <https:// serverfault.com/a/1165339/217110>(& changed file/dir 
>> names).
>>
>> • the files+dirs under "/mnt/vol/v1/" is replicated/synced in 
>> each server, available/accessible in each server, in same 
>> location, has exact same contents.
>>
>> • Created "/mnt/vol/v1/etc/bind" directory for BIND aka named aka 
>> DNS server aka nameserver software usage. Applied : chgrp bind / 
>> mnt/vol/v1/etc/bind
>>
>> • Moved the "zones" dir+files from "/etc/bind", from "n1" server 
>> into the "/mnt/vol/v1/etc/bind/n1/" directory, & done similar for 
>> "n2" & "n3" servers . Moved the "keys" dir+files from "/etc/ 
>> bind", from "n1" into the "/mnt/vol/v1/etc/bind/n1" directory, & 
>> done similar for "n2" & "n3".
>>
>> • so, "/mnt/vol/v1/etc/bind/keys" & "/mnt/vol/v1/etc/bind/zones" 
>> folders/directories are COMMON for all servers: "n1", "n2", "n3".
>>
>> • "n1" using "/mnt/vol/v1/etc/bind/n1/keys" dir & “/mnt/vol/v1/ 
>> etc/ bind/n1/zones” dir, so i created symlink inside to 
>> point+goto the replicated/synced mount-point, command : ln -s "/ 
>> mnt/vol/v1/etc/ bind/n1/keys" "/etc/bind/keys" ; ln -s "/mnt/vol/ 
>> v1/etc/bind/n1/ zones" "/etc/bind/zones" ;
>>
>> • "n2" using "/mnt/vol/v1/etc/bind/n2/keys" dir & “/mnt/vol/v1/ 
>> etc/ bind/n2/zones” dir . & created symlinks as shown above.
>>
>> • "n3" using "/mnt/vol/v1/etc/bind/n3/keys" dir & "/mnt/vol/v1/ 
>> etc/ bind/n3/zones" dir. & created symlinks as shown above.
>>
>> • Added permissions in AppArmor "/etc/apparmor.d/local/ 
>> usr.sbin.named" file, for BIND/named, so that BIND/named can use 
>> "v1" replicated-volume "/mnt/vol/v1" BIND directories : /mnt/vol/ 
>> v1/etc/bind  , /mnt/vol/v1/etc/bind/zones , /mnt/vol/v1/etc/bind/ 
>> keys , /mnt/vol/v1/etc/bind/n1/zones , /mnt/vol/v1/etc/bind/n1/ 
>> keys in n1 server ( and i have done similar for n2 & n3 )  . Then 
>> applied changes with command : apparmor_parser -r /etc/ 
>> apparmor.d/ usr.sbin.named
>>
>> • Also applied or re-checked if the ownership-&-permission (O&P) 
>> convention used+recommended by BIND/named for directories & 
>> files, are applied/done on the dirs+files inside the "/mnt/vol/ 
>> v1/etc/ bind, etc.
>>
>>
>>
>> DNSSEC & DNS:
>>
>> • Each nameserver has BIND DNS server named daemon software . 
>> Each BIND need to be Authoritative for my domains 
>> ("example.com" , "example2.com", etc) & response back to any DNS 
>> servers/clients query for my domains & for my subnet's reverse- 
>> zone . And each BIND DNS server also need to serve/perform as a 
>> recursive DNS resolver for any queries made into 
>> "localhost" ( 127.0.0.1 , ::1 ).
>>
>> • Followed various related steps as-much-possible from "DNSSEC 
>> Howto for BIND 9.9+ <https://wiki.debian.org/ 
>> DNSSEC%20Howto%20for%20BIND%209%2E9%2B>” , ISCBIND docs for 
>> 9.18.28 <https://downloads.isc.org/isc/bind9/9.18.28/doc/arm/ 
>> html/> ( that i'm using now while writing this msg ) , etc . 
>> Debian OS will update BIND in distro’s repo, & then my/op's 
>> servers will be updated to that version . For next/latest 
>> version, goto ISC BIND download pagehere <https://www.isc.org/ 
>> download/>, search for "PDF" word, select/click on the HTML / PDF 
>> doc version that you want to read/follow.
>>
>> • As each nameserver has different IP-addresses, so i've kept the 
>> "named.conf", "named.conf.local", "named.conf.options" files in 
>> the /etc/bind of server itself, for faster loading .
>>
>> • The "named.conf" file has BIND ACLs, and include directives . 
>> This file has same content in each server . Has “ acl LocalHostR 
>> { 127.0.0.1; ::1; } ; LocalHostRv4 { 127.0.0.1; } ; LocalHostRv6 
>> { ::1; } ; acl BlockedNets { 0.0.0.0/8 ; 192.0.2.0/24 ; 
>> 224.0.0.0/3 ; 10.0.0.0/8 ; 172.16.0.0/12 ; 192.168.0.0/16 ; } ; 
>> acl N1-IPv4 { 192.10.2.11; } ; acl N1-IPv6 {2001:db8:1::11; }; 
>> ” , etc, (remove quote symbols) . ( i added more IPv4 & IPv6 in 
>> BlockedNetslater ).
>>
>> • The "named.conf.local" file has forward zones & reverse zones 
>> declarations : each zone has "type primary;" directive/option 
>> set , each zone has "file" directive with file located in 
>> replicated volume location . Each local zones & each local 
>> reverse-zone for IP-address) have "allow-query 
>> { LocalHostR; };" . My each domain's zone (i.e: "zone 
>> "example.com" { ... };") declarations, & reverse- zone for my own 
>> subnet, has "allow-query { any; };" .
>>
>> •My domain “example.com”zone declaration in “named.local.conf” 
>> file : “ zone "n1.example.com" { type master ; file "/mnt/vol/v1/ 
>> etc/bind/zones/db.example.com" ; allow-query { any; } ; serial- 
>> update-method unixtime ; key-directory "/mnt/vol/v1/etc/bind/n1/ 
>> keys" ; dnssec-policy opPolicy ; inline-signing yes ; notify 
>> no ; }; ” (remove quote symbols) . We allowed query from anyone . 
>> By the way, i also have a sub-domain zone declared in 
>> “named.local.conf” file as zone : “ zone "ns.example.com" { … }; 
>> ” , nearly same as “example.com”.
>>
>> • The "named.conf.options" file has “dnssec-policy 
>> "opPolicy" { ... };”  , "options { ... };" , "logging { ... };" 
>> sections/declarations . Logging uses the server's "/var/log/ 
>> named" dir ( into "Update_Debug.log" , "Security.log" , 
>> "BIND.log" files ).
>>
>> • The “options { … };” in “named.conf.options” file :  “ options 
>> { recursion yes ; allow-recursion { LocalHostR; } ; allow-query- 
>> cache { LocalHostR; } ;allow-query-cache-on { LocalHostR; } ; 
>> allow-query { LocalHostR; } ; allow-recursion-on 
>> { LocalHostR; } ; empty-zones-enable yes ; blackhole 
>> { BlockedNets; } ; allow- transfer { none; } ; auth-nxdomain no ; 
>> listen-on { N1-IPv4; LocalHostRv4; } ; listen-on-v6 { N1-IPv6; 
>> LocalHostRv6; }; rate- limit { ... }; }; ” (remove quote 
>> symbols). We restricted recursion by allowing only LocalHostR, 
>> not external, not BlockedNets.
>>
>> • DNS server, for non-dnssec part of DNS related queries & 
>> responses for domain(s), IPv4-adrs, IPv6-adrs, etc (forward 
>> lookup/ resolve , subnet IP-adrs reverse resolve/lookup ) WORKING 
>> FINE , from n1 & n2 & n3 . Authoritative mode is working for my 
>> domains . And "localhost" inside server can also provide website- 
>> name/domain- name To IP-address resolve response, to the the 
>> local software/ daemons/clients that are running inside server.
>>
>> • To ENABLE DNSSEC : i add "dnssec-validation auto;" inside 
>> "options" inside "named.conf.options" file , i add "key-directory 
>> "/mnt/vol/v1/etc/bind/n1/keys" ; inline-signing yes;" in "zone 
>> "example.com" { ... };" in "named.conf.local" file, etc , 
>> ( changed the "n1" into "n2" for "n2" server, & similarly in n3. )
>>
>> • For "dnssec-policy" directive about KSK & ZSK cert+key 
>> creation, usage period, signing, validity, verification, etc , 
>> i'm using shorter TTL period, etc , so-that dnssec/dns config 
>> lines can be changed+applied quickly during DNSSEC setup phase : 
>> dnssec-policy "opPolicy" {  ksk lifetime P88D algorithm 
>> RSASHA256 ;  zsk lifetime 22D algorithm RSASHA256 ; dnskey-ttl 
>> PT10M ;  publish-safety P2D ;  retire-safety P3D ;  purge-keys 
>> P3D ; signatures-refresh P5D ;  signatures-validity 
>> P10D ;  signatures-validity-dnskey P11D ; max-zone-ttl 
>> PT30M ;  zone-propagation-delay PT1H ;  parent- ds-ttl 
>> PT1H ;  parent-propagation-delay PT1H ; nsec3param iterations 0 
>> optout yes salt-length 0 ;  };
>>
>>
>> Now finally into the
>>
>> QUESTIONS:
>>
>> • How can i create 1 KSK key ( in "n1" server first ), for a 
>> (single) domain ("example.com") and get the DS code from KSK key 
>> and add that 1 DS in domain-provider ( to send to the TLD ), & 
>> configure other 2 nameservers ( n2 , n3 ) to use that 1 DS record 
>> from TLD & use that same/common 1 KSK file from the synced/ 
>> replicated directory, while "type master;" is set for my domain/ 
>> zone in each nameserver ?
>>
>> ( Using 3 KSK & their 3 DS in domain-provider did not work, 
>> created error indicators in DNSViz & in "DNSSEC- 
>> Annalyzer.VerisignLabs” test sites, when each nameserver used 
>> separate directories, files, etc.
>>
>> • if i specify same/COMMON (replicated) dir "/mnt/vol/v1/etc/ 
>> bind/ keys" & "/mnt/vol/v1/etc/bind/zones/zonename" inside 3 
>> nameserver's “named.conf.local” file domains/zones , Can BIND DNS 
>> server add their own RRSIG response/lines for DNS records (into 
>> same zone file) without removing earlier or other nameserver's 
>> RRSIG lines (unless related ZSK key/period expired) ?
>>
>> • How do i disable/clean/move/backup earlier DNSSEC keys/usages, 
>> & setup DNSSEC completely as anew . ( Our zone TTLs are short 7m 
>> to 1h , (during setup/test phase) , So within 7m to an hour, all 
>> older-records should be discarded from caches. )
>>
>>
>> Thanks in advance for helpful responses.
>>
>> Erik.
>>
>> Erik T Ashfolk.
>>
> 



More information about the bind-users mailing list