Multi Master/Primary Authoritative DNSSEC DNS Nameserver With Synced/Replicated COMMON Dir/Vol For BIND
Terik Erik Ashfolk
aterik at outlook.com
Sat Sep 28 01:50:58 UTC 2024
Does the BIND have command/parameter for configuring+running BIND
in Multi-Signer MODEL-2 mode as specified in RFC 8901 ?
https://www.rfc-editor.org/rfc/rfc8901.html
in another words, Can BIND itself handle multiple-provider's (aka:
multiple-nameserver's) KSKs, ZSKs, DNSKEYs, etc RRsets and
create/update RRSIGs accordingly with Multi-Signer MODEL-2 mode ?
If it can what commands/parameters enable such mode ?
What "update-policy" it needs ?
Erik.
Erik T Ashfolk.
On 9/27/24 2:53 PM, Terik Erik Ashfolk wrote:
> According to the page
> https://blog.apnic.net/2021/08/25/multi-signer-dnssec-models/
> in MODEL 2.
> I added an improved image as attachment.
> <img alt="ZSK-signing" src="cid:ImportZSK-PublishDSofKSK.jpg" />
> MULTI-ZSK-SIGNING IS ONE OF THE SOLUTION, and appears to be
> suitable for my case.
>
> So, multi-signing with ZSKs from multiple nameservers would have
> worked,
> when nameservers were using separate "zones" & "keys" folder,
>
> I needed to sign n1's zone file with n2's ZSK & with n3's ZSK.
> I needed to sign n2's zone file with n1's ZSK & with n3's ZSK.
> I needed to sign n3's zone file with n1's ZSK & with n2's ZSK.
>
> Because 3 nameservers are using SYNCED/REPLICATED shared
> directories & files,
> so each ZSK & KSK are available to other nameservers.
>
> for "key-directory"
> n1 using "/mnt/vol/v1/etc/bind/n1/keys"
> n2 using "/mnt/vol/v1/etc/bind/n2/keys"
> n3 using "/mnt/vol/v1/etc/bind/n3/keys"
>
> and shared common directory for BIND keys is
> "/mnt/vol/v1/etc/bind/keys"
>
> and shared directory is
> "/mnt/vol/v1"
>
> is there an option in BIND, that can monitor+enable additional ZSK
> signing from new ZSK key from other namerservers for same domain ?
> if not, please add this as new feature in BIND.
>
> if BIND itself cannot do the monitoring + multi-ZSK-signing now,
> then, HOW can i monitor the ".../bind/n1/keys" (or ".../bind/n2/
> keys" or ".../bind//n3/keys" or ".../bind/keys" ) sub-dirs under
> shared-directory and find that BIND has began to use a new ZSK key ?
>
> or HOW can i get a signal from BIND in each nameserver ? that, BIND
> has began to use a new ZSK key ?
>
> so-that, i can trigger/run another script in each nameserver (which
> added new ZSK key) to begin signing my domain's zone file in other
> 2 nameservers with the new ZSK.
>
> example : if n1 added a new ZSK for "example.com" domain, then a
> "new-zsk-key-monitoring-script.sh" script will create 2 files
> "signal-n2-ExampleCom-MZS-zskNUMBER.txt"
> "signal-n3-ExampleCom-MZS-zskNUMBER.txt"
> in the shared-bind-directory : "/mnt/vol/v1/etc/bind/keys".
> Then "monitor-for-signal-file.sh" script running in n2 & n3, will
> get that signal, & run "multi-ZSK-sign-script.sh" to mulit ZSK
> signing.
>
>
> Thanks in advance.
>
> Erik.
>
> Erik T Ashfolk.
>
>
>
>
> On 9/26/24 7:26 PM, TErik Ashfolk wrote:
>> Hello BIND Community.
>>
>> Looking forward to your suggestions, advises on setup DNSSEC
>> enabled zones on multiple master/primary authoritative DNS server
>> (Nameserver) with synced/replicated common shared directories/
>> volume.
>>
>>
>> Please skip the section(s) that you dont need to read/scan,
>>
>> & goto the QUESTIONS , the last section.
>>
>>
>> OBJECTIVES (END-RESULT):
>>
>> Trying to achieve HA (High-Availability <https://
>> en.wikipedia.org/ wiki/High_availability>), so-that, as long as 1
>> master/primary is up/running, then my domains are still available
>> to world, and allowing users to obtain DNSSEC verified domain-
>> name to IP-address resolving, etc from BIND DNS server services.
>>
>>
>>
>> RESOURCES:
>>
>> • Servers : rented 3 servers on 3 locations from different server
>> providers.
>>
>> • Domain : I have multiple domains from domain providers
>> (registrar) . Here i will use "example.com"
>>
>> • Each server has 1 IPv4-address, 1 IPv6-address.
>>
>> • Domain provider's "Use your own Nameserver" is pointed to 3
>> hostnames in 3 nameservers : n1.example.com ( 192.10.2.11 ,
>> 2001:db8:1::1 ) , n2.example.com ( 198.51.100.12 ,
>> 2001:db8:2::2 ) , n3.example.com ( 203.0.113.13 , 2001:db8:3::3 )
>> IP-addresses.
>>
>> • Each IP-adrs has it's RDNS setup done, to correspond & match
>> with nameserver's hostname.
>>
>> • Using Debian GNU/Linux 12 (bookworm) OS in each server.
>> ( Server operator can use any other OS, its their choice/
>> preference. ) ( By the way, Debian GNU/Linux is base of Ubuntu
>> Linux, kind of similar to: RedHat Enterprise GNU/Linux is base of
>> Fedora Linux. )
>>
>> • Using ISC BIND9 (9.18.0 , specifically now : 9.18.28) DNS
>> server software, in each server. ( Server operator can use any
>> other DNS server, its their choice/preference. )
>>
>>
>> ABOUT FILE/DIRECTORY REPLICATION:
>>
>> • For directories & files replication/sync purpose, using Gluster
>> software (1 <https://en.wikipedia.org/wiki/Gluster>,2 <https://
>> docs.gluster.org/en/latest/>,3 <https://serverfault.com/
>> a/1165339/217110>,4 <https://www.howtoforge.com/how-to-install-
>> glusterfs-on-debian-12/>). ( There are many other choices for
>> server operators:Multi-Master Replicaiton <https://
>> en.wikipedia.org/wiki/Multi-master_replication>,List <https://
>> en.wikipedia.org/wiki/List_of_cluster_management_software>), its
>> their own choice what suits best/works for their need/purpose.
>>
>> • When any file/directory changes ( i.e: in "n1" server ) , then
>> the replication/sync software that is installed/monitoring , will
>> nearly immediately or within few seconds, begin to make same
>> changes to same file/dir in server-operator's other servers
>> ( n2 , n3 ), that are member of replication/sync volume/
>> directory. These replication software uses time-server to have
>> accurate time. Whichever edit/creation/deletion/modification is
>> done last, that takes priority & duplicated/replicated/synced.
>>
>>
>>
>> SHARED/COMMON STORAGE/VOLUME/DIRECTORY:
>>
>> • I created a large file ("data-s1.img"), ~ 300 MB in size,
>> inside root-partition , at "/storage/s1/data-s1.img" . Formatted
>> with XFS filesystem creation/make tools . Attached large-file
>> into a loop block device . Mounted it in "/data/s1" directory .
>> Created a systemd service "mount-storage.service" in Debian to do
>> previous steps one after another, so-that it can succeed in
>> mounting during boot , (as "/etc/fstab" was not suitable for this
>> purpose) . Others can create/use a 2nd partition in same storage
>> drive (i.e: "/dev/ sda2") or add another storage drive (i.e: "/
>> dev/sdb") in server . Others can use a script (or "/etc/fstab")
>> during boot to mount, etc.
>>
>> • after above steps, replication software (Gluster) was used to
>> create replication volume "v1" inside the storage-mount-point ("/
>> data/s1") , so it became "/data/s1/v1" . i configured gluster to
>> enable SSL/TLS based secure connection for replication process.
>> Gluster also needs user to mount the volume as "glusterfs" type
>> mount-point to monitor data r/w & replicate, & its done in : "/
>> mnt/ vol/v1" mount-point of volume "v1" . Followed stepshere
>> <https:// serverfault.com/a/1165339/217110>(& changed file/dir
>> names).
>>
>> • the files+dirs under "/mnt/vol/v1/" is replicated/synced in
>> each server, available/accessible in each server, in same
>> location, has exact same contents.
>>
>> • Created "/mnt/vol/v1/etc/bind" directory for BIND aka named aka
>> DNS server aka nameserver software usage. Applied : chgrp bind /
>> mnt/vol/v1/etc/bind
>>
>> • Moved the "zones" dir+files from "/etc/bind", from "n1" server
>> into the "/mnt/vol/v1/etc/bind/n1/" directory, & done similar for
>> "n2" & "n3" servers . Moved the "keys" dir+files from "/etc/
>> bind", from "n1" into the "/mnt/vol/v1/etc/bind/n1" directory, &
>> done similar for "n2" & "n3".
>>
>> • so, "/mnt/vol/v1/etc/bind/keys" & "/mnt/vol/v1/etc/bind/zones"
>> folders/directories are COMMON for all servers: "n1", "n2", "n3".
>>
>> • "n1" using "/mnt/vol/v1/etc/bind/n1/keys" dir & “/mnt/vol/v1/
>> etc/ bind/n1/zones” dir, so i created symlink inside to
>> point+goto the replicated/synced mount-point, command : ln -s "/
>> mnt/vol/v1/etc/ bind/n1/keys" "/etc/bind/keys" ; ln -s "/mnt/vol/
>> v1/etc/bind/n1/ zones" "/etc/bind/zones" ;
>>
>> • "n2" using "/mnt/vol/v1/etc/bind/n2/keys" dir & “/mnt/vol/v1/
>> etc/ bind/n2/zones” dir . & created symlinks as shown above.
>>
>> • "n3" using "/mnt/vol/v1/etc/bind/n3/keys" dir & "/mnt/vol/v1/
>> etc/ bind/n3/zones" dir. & created symlinks as shown above.
>>
>> • Added permissions in AppArmor "/etc/apparmor.d/local/
>> usr.sbin.named" file, for BIND/named, so that BIND/named can use
>> "v1" replicated-volume "/mnt/vol/v1" BIND directories : /mnt/vol/
>> v1/etc/bind , /mnt/vol/v1/etc/bind/zones , /mnt/vol/v1/etc/bind/
>> keys , /mnt/vol/v1/etc/bind/n1/zones , /mnt/vol/v1/etc/bind/n1/
>> keys in n1 server ( and i have done similar for n2 & n3 ) . Then
>> applied changes with command : apparmor_parser -r /etc/
>> apparmor.d/ usr.sbin.named
>>
>> • Also applied or re-checked if the ownership-&-permission (O&P)
>> convention used+recommended by BIND/named for directories &
>> files, are applied/done on the dirs+files inside the "/mnt/vol/
>> v1/etc/ bind, etc.
>>
>>
>>
>> DNSSEC & DNS:
>>
>> • Each nameserver has BIND DNS server named daemon software .
>> Each BIND need to be Authoritative for my domains
>> ("example.com" , "example2.com", etc) & response back to any DNS
>> servers/clients query for my domains & for my subnet's reverse-
>> zone . And each BIND DNS server also need to serve/perform as a
>> recursive DNS resolver for any queries made into
>> "localhost" ( 127.0.0.1 , ::1 ).
>>
>> • Followed various related steps as-much-possible from "DNSSEC
>> Howto for BIND 9.9+ <https://wiki.debian.org/
>> DNSSEC%20Howto%20for%20BIND%209%2E9%2B>” , ISCBIND docs for
>> 9.18.28 <https://downloads.isc.org/isc/bind9/9.18.28/doc/arm/
>> html/> ( that i'm using now while writing this msg ) , etc .
>> Debian OS will update BIND in distro’s repo, & then my/op's
>> servers will be updated to that version . For next/latest
>> version, goto ISC BIND download pagehere <https://www.isc.org/
>> download/>, search for "PDF" word, select/click on the HTML / PDF
>> doc version that you want to read/follow.
>>
>> • As each nameserver has different IP-addresses, so i've kept the
>> "named.conf", "named.conf.local", "named.conf.options" files in
>> the /etc/bind of server itself, for faster loading .
>>
>> • The "named.conf" file has BIND ACLs, and include directives .
>> This file has same content in each server . Has “ acl LocalHostR
>> { 127.0.0.1; ::1; } ; LocalHostRv4 { 127.0.0.1; } ; LocalHostRv6
>> { ::1; } ; acl BlockedNets { 0.0.0.0/8 ; 192.0.2.0/24 ;
>> 224.0.0.0/3 ; 10.0.0.0/8 ; 172.16.0.0/12 ; 192.168.0.0/16 ; } ;
>> acl N1-IPv4 { 192.10.2.11; } ; acl N1-IPv6 {2001:db8:1::11; };
>> ” , etc, (remove quote symbols) . ( i added more IPv4 & IPv6 in
>> BlockedNetslater ).
>>
>> • The "named.conf.local" file has forward zones & reverse zones
>> declarations : each zone has "type primary;" directive/option
>> set , each zone has "file" directive with file located in
>> replicated volume location . Each local zones & each local
>> reverse-zone for IP-address) have "allow-query
>> { LocalHostR; };" . My each domain's zone (i.e: "zone
>> "example.com" { ... };") declarations, & reverse- zone for my own
>> subnet, has "allow-query { any; };" .
>>
>> •My domain “example.com”zone declaration in “named.local.conf”
>> file : “ zone "n1.example.com" { type master ; file "/mnt/vol/v1/
>> etc/bind/zones/db.example.com" ; allow-query { any; } ; serial-
>> update-method unixtime ; key-directory "/mnt/vol/v1/etc/bind/n1/
>> keys" ; dnssec-policy opPolicy ; inline-signing yes ; notify
>> no ; }; ” (remove quote symbols) . We allowed query from anyone .
>> By the way, i also have a sub-domain zone declared in
>> “named.local.conf” file as zone : “ zone "ns.example.com" { … };
>> ” , nearly same as “example.com”.
>>
>> • The "named.conf.options" file has “dnssec-policy
>> "opPolicy" { ... };” , "options { ... };" , "logging { ... };"
>> sections/declarations . Logging uses the server's "/var/log/
>> named" dir ( into "Update_Debug.log" , "Security.log" ,
>> "BIND.log" files ).
>>
>> • The “options { … };” in “named.conf.options” file : “ options
>> { recursion yes ; allow-recursion { LocalHostR; } ; allow-query-
>> cache { LocalHostR; } ;allow-query-cache-on { LocalHostR; } ;
>> allow-query { LocalHostR; } ; allow-recursion-on
>> { LocalHostR; } ; empty-zones-enable yes ; blackhole
>> { BlockedNets; } ; allow- transfer { none; } ; auth-nxdomain no ;
>> listen-on { N1-IPv4; LocalHostRv4; } ; listen-on-v6 { N1-IPv6;
>> LocalHostRv6; }; rate- limit { ... }; }; ” (remove quote
>> symbols). We restricted recursion by allowing only LocalHostR,
>> not external, not BlockedNets.
>>
>> • DNS server, for non-dnssec part of DNS related queries &
>> responses for domain(s), IPv4-adrs, IPv6-adrs, etc (forward
>> lookup/ resolve , subnet IP-adrs reverse resolve/lookup ) WORKING
>> FINE , from n1 & n2 & n3 . Authoritative mode is working for my
>> domains . And "localhost" inside server can also provide website-
>> name/domain- name To IP-address resolve response, to the the
>> local software/ daemons/clients that are running inside server.
>>
>> • To ENABLE DNSSEC : i add "dnssec-validation auto;" inside
>> "options" inside "named.conf.options" file , i add "key-directory
>> "/mnt/vol/v1/etc/bind/n1/keys" ; inline-signing yes;" in "zone
>> "example.com" { ... };" in "named.conf.local" file, etc ,
>> ( changed the "n1" into "n2" for "n2" server, & similarly in n3. )
>>
>> • For "dnssec-policy" directive about KSK & ZSK cert+key
>> creation, usage period, signing, validity, verification, etc ,
>> i'm using shorter TTL period, etc , so-that dnssec/dns config
>> lines can be changed+applied quickly during DNSSEC setup phase :
>> dnssec-policy "opPolicy" { ksk lifetime P88D algorithm
>> RSASHA256 ; zsk lifetime 22D algorithm RSASHA256 ; dnskey-ttl
>> PT10M ; publish-safety P2D ; retire-safety P3D ; purge-keys
>> P3D ; signatures-refresh P5D ; signatures-validity
>> P10D ; signatures-validity-dnskey P11D ; max-zone-ttl
>> PT30M ; zone-propagation-delay PT1H ; parent- ds-ttl
>> PT1H ; parent-propagation-delay PT1H ; nsec3param iterations 0
>> optout yes salt-length 0 ; };
>>
>>
>> Now finally into the
>>
>> QUESTIONS:
>>
>> • How can i create 1 KSK key ( in "n1" server first ), for a
>> (single) domain ("example.com") and get the DS code from KSK key
>> and add that 1 DS in domain-provider ( to send to the TLD ), &
>> configure other 2 nameservers ( n2 , n3 ) to use that 1 DS record
>> from TLD & use that same/common 1 KSK file from the synced/
>> replicated directory, while "type master;" is set for my domain/
>> zone in each nameserver ?
>>
>> ( Using 3 KSK & their 3 DS in domain-provider did not work,
>> created error indicators in DNSViz & in "DNSSEC-
>> Annalyzer.VerisignLabs” test sites, when each nameserver used
>> separate directories, files, etc.
>>
>> • if i specify same/COMMON (replicated) dir "/mnt/vol/v1/etc/
>> bind/ keys" & "/mnt/vol/v1/etc/bind/zones/zonename" inside 3
>> nameserver's “named.conf.local” file domains/zones , Can BIND DNS
>> server add their own RRSIG response/lines for DNS records (into
>> same zone file) without removing earlier or other nameserver's
>> RRSIG lines (unless related ZSK key/period expired) ?
>>
>> • How do i disable/clean/move/backup earlier DNSSEC keys/usages,
>> & setup DNSSEC completely as anew . ( Our zone TTLs are short 7m
>> to 1h , (during setup/test phase) , So within 7m to an hour, all
>> older-records should be discarded from caches. )
>>
>>
>> Thanks in advance for helpful responses.
>>
>> Erik.
>>
>> Erik T Ashfolk.
>>
>
More information about the bind-users
mailing list