Multi Master/Primary Authoritative DNSSEC DNS Nameserver With Synced/Replicated COMMON Dir/Vol For BIND

Mon Sep 30 06:36:45 UTC 2024

Hi Erik,

There is no configuration option for enabling multi-signer in BIND.

BIND 9.20 is able to deal with multi-signer setups, but as Mark 
mentioned earlier, all the coordination needs to be done outside the 
name server.

You may consider MUSIC for this: 
https://github.com/DNSSEC-Provisioning/music

Best regards,

Matthijs

On 9/28/24 03:50, Terik Erik Ashfolk wrote:
> Does the BIND have command/parameter for configuring+running BIND in 
> Multi-Signer MODEL-2 mode as specified in RFC 8901 ?
> https://www.rfc-editor.org/rfc/rfc8901.html
> 
> in another words, Can BIND itself handle multiple-provider's (aka: 
> multiple-nameserver's) KSKs, ZSKs, DNSKEYs, etc RRsets and create/update 
> RRSIGs accordingly with Multi-Signer MODEL-2 mode ?
> 
> If it can what commands/parameters enable such mode ?
> What "update-policy" it needs ?
> 
> Erik.
> 
> Erik T Ashfolk.
> 
> 
> On 9/27/24 2:53 PM, Terik Erik Ashfolk wrote:
>> According to the page
>> https://blog.apnic.net/2021/08/25/multi-signer-dnssec-models/
>> in MODEL 2.
>> I added an improved image as attachment.
>> <img alt="ZSK-signing" src="cid:ImportZSK-PublishDSofKSK.jpg" />
>> MULTI-ZSK-SIGNING IS ONE OF THE SOLUTION, and appears to be suitable 
>> for my case.
>>
>> So, multi-signing with ZSKs from multiple nameservers would have worked,
>> when nameservers were using separate "zones" & "keys" folder,
>>
>> I needed to sign n1's zone file with n2's ZSK & with n3's ZSK.
>> I needed to sign n2's zone file with n1's ZSK & with n3's ZSK.
>> I needed to sign n3's zone file with n1's ZSK & with n2's ZSK.
>>
>> Because 3 nameservers are using SYNCED/REPLICATED shared directories & 
>> files,
>> so each ZSK & KSK are available to other nameservers.
>>
>> for "key-directory"
>> n1 using "/mnt/vol/v1/etc/bind/n1/keys"
>> n2 using "/mnt/vol/v1/etc/bind/n2/keys"
>> n3 using "/mnt/vol/v1/etc/bind/n3/keys"
>>
>> and shared common directory for BIND keys is
>> "/mnt/vol/v1/etc/bind/keys"
>>
>> and shared directory is
>> "/mnt/vol/v1"
>>
>> is there an option in BIND, that can monitor+enable additional ZSK 
>> signing from new ZSK key from other namerservers for same domain ?
>> if not, please add this as new feature in BIND.
>>
>> if BIND itself cannot do the monitoring + multi-ZSK-signing now, then, 
>> HOW can i monitor the ".../bind/n1/keys" (or ".../bind/n2/ keys" or 
>> ".../bind//n3/keys" or ".../bind/keys" ) sub-dirs under 
>> shared-directory and find that BIND has began to use a new ZSK key ?
>>
>> or HOW can i get a signal from BIND in each nameserver ? that, BIND 
>> has began to use a new ZSK key ?
>>
>> so-that, i can trigger/run another script in each nameserver (which 
>> added new ZSK key) to begin signing my domain's zone file in other 2 
>> nameservers with the new ZSK.
>>
>> example : if n1 added a new ZSK for "example.com" domain, then a 
>> "new-zsk-key-monitoring-script.sh" script will create 2 files
>> "signal-n2-ExampleCom-MZS-zskNUMBER.txt"
>> "signal-n3-ExampleCom-MZS-zskNUMBER.txt"
>> in the shared-bind-directory : "/mnt/vol/v1/etc/bind/keys".
>> Then "monitor-for-signal-file.sh" script running in n2 & n3, will get 
>> that signal, & run "multi-ZSK-sign-script.sh" to mulit ZSK signing.
>>
>>
>> Thanks in advance.
>>
>> Erik.
>>
>> Erik T Ashfolk.
>>
>>
>>
>>
>> On 9/26/24 7:26 PM, TErik Ashfolk wrote:
>>> Hello BIND Community.
>>>
>>> Looking forward to your suggestions, advises on setup DNSSEC enabled 
>>> zones on multiple master/primary authoritative DNS server 
>>> (Nameserver) with synced/replicated common shared directories/ volume.
>>>
>>>
>>> Please skip the section(s) that you dont need to read/scan,
>>>
>>> & goto the QUESTIONS , the last section.
>>>
>>>
>>> OBJECTIVES (END-RESULT):
>>>
>>> Trying to achieve HA (High-Availability <https:// en.wikipedia.org/ 
>>> wiki/High_availability>), so-that, as long as 1 master/primary is 
>>> up/running, then my domains are still available to world, and 
>>> allowing users to obtain DNSSEC verified domain- name to IP-address 
>>> resolving, etc from BIND DNS server services.
>>>
>>>
>>>
>>> RESOURCES:
>>>
>>> • Servers : rented 3 servers on 3 locations from different server 
>>> providers.
>>>
>>> • Domain : I have multiple domains from domain providers (registrar) 
>>> . Here i will use "example.com"
>>>
>>> • Each server has 1 IPv4-address, 1 IPv6-address.
>>>
>>> • Domain provider's "Use your own Nameserver" is pointed to 3 
>>> hostnames in 3 nameservers : n1.example.com ( 192.10.2.11 , 
>>> 2001:db8:1::1 ) , n2.example.com ( 198.51.100.12 , 2001:db8:2::2 ) , 
>>> n3.example.com ( 203.0.113.13 , 2001:db8:3::3 ) IP-addresses.
>>>
>>> • Each IP-adrs has it's RDNS setup done, to correspond & match with 
>>> nameserver's hostname.
>>>
>>> • Using Debian GNU/Linux 12 (bookworm) OS in each server. ( Server 
>>> operator can use any other OS, its their choice/ preference. ) ( By 
>>> the way, Debian GNU/Linux is base of Ubuntu Linux, kind of similar 
>>> to: RedHat Enterprise GNU/Linux is base of Fedora Linux. )
>>>
>>> • Using ISC BIND9 (9.18.0 , specifically now : 9.18.28) DNS server 
>>> software, in each server. ( Server operator can use any other DNS 
>>> server, its their choice/preference. )
>>>
>>>
>>> ABOUT FILE/DIRECTORY REPLICATION:
>>>
>>> • For directories & files replication/sync purpose, using Gluster 
>>> software (1 <https://en.wikipedia.org/wiki/Gluster>,2 <https:// 
>>> docs.gluster.org/en/latest/>,3 <https://serverfault.com/ 
>>> a/1165339/217110>,4 <https://www.howtoforge.com/how-to-install- 
>>> glusterfs-on-debian-12/>). ( There are many other choices for server 
>>> operators:Multi-Master Replicaiton <https:// 
>>> en.wikipedia.org/wiki/Multi-master_replication>,List <https:// 
>>> en.wikipedia.org/wiki/List_of_cluster_management_software>), its 
>>> their own choice what suits best/works for their need/purpose.
>>>
>>> • When any file/directory changes ( i.e: in "n1" server ) , then the 
>>> replication/sync software that is installed/monitoring , will nearly 
>>> immediately or within few seconds, begin to make same changes to same 
>>> file/dir in server-operator's other servers ( n2 , n3 ), that are 
>>> member of replication/sync volume/ directory. These replication 
>>> software uses time-server to have accurate time. Whichever 
>>> edit/creation/deletion/modification is done last, that takes priority 
>>> & duplicated/replicated/synced.
>>>
>>>
>>>
>>> SHARED/COMMON STORAGE/VOLUME/DIRECTORY:
>>>
>>> • I created a large file ("data-s1.img"), ~ 300 MB in size, inside 
>>> root-partition , at "/storage/s1/data-s1.img" . Formatted with XFS 
>>> filesystem creation/make tools . Attached large-file into a loop 
>>> block device . Mounted it in "/data/s1" directory . Created a systemd 
>>> service "mount-storage.service" in Debian to do previous steps one 
>>> after another, so-that it can succeed in mounting during boot , (as 
>>> "/etc/fstab" was not suitable for this purpose) . Others can 
>>> create/use a 2nd partition in same storage drive (i.e: "/dev/ sda2") 
>>> or add another storage drive (i.e: "/ dev/sdb") in server . Others 
>>> can use a script (or "/etc/fstab") during boot to mount, etc.
>>>
>>> • after above steps, replication software (Gluster) was used to 
>>> create replication volume "v1" inside the storage-mount-point ("/ 
>>> data/s1") , so it became "/data/s1/v1" . i configured gluster to 
>>> enable SSL/TLS based secure connection for replication process. 
>>> Gluster also needs user to mount the volume as "glusterfs" type 
>>> mount-point to monitor data r/w & replicate, & its done in : "/ mnt/ 
>>> vol/v1" mount-point of volume "v1" . Followed stepshere <https:// 
>>> serverfault.com/a/1165339/217110>(& changed file/dir names).
>>>
>>> • the files+dirs under "/mnt/vol/v1/" is replicated/synced in each 
>>> server, available/accessible in each server, in same location, has 
>>> exact same contents.
>>>
>>> • Created "/mnt/vol/v1/etc/bind" directory for BIND aka named aka DNS 
>>> server aka nameserver software usage. Applied : chgrp bind / 
>>> mnt/vol/v1/etc/bind
>>>
>>> • Moved the "zones" dir+files from "/etc/bind", from "n1" server into 
>>> the "/mnt/vol/v1/etc/bind/n1/" directory, & done similar for "n2" & 
>>> "n3" servers . Moved the "keys" dir+files from "/etc/ bind", from 
>>> "n1" into the "/mnt/vol/v1/etc/bind/n1" directory, & done similar for 
>>> "n2" & "n3".
>>>
>>> • so, "/mnt/vol/v1/etc/bind/keys" & "/mnt/vol/v1/etc/bind/zones" 
>>> folders/directories are COMMON for all servers: "n1", "n2", "n3".
>>>
>>> • "n1" using "/mnt/vol/v1/etc/bind/n1/keys" dir & “/mnt/vol/v1/ etc/ 
>>> bind/n1/zones” dir, so i created symlink inside to point+goto the 
>>> replicated/synced mount-point, command : ln -s "/ mnt/vol/v1/etc/ 
>>> bind/n1/keys" "/etc/bind/keys" ; ln -s "/mnt/vol/ v1/etc/bind/n1/ 
>>> zones" "/etc/bind/zones" ;
>>>
>>> • "n2" using "/mnt/vol/v1/etc/bind/n2/keys" dir & “/mnt/vol/v1/ etc/ 
>>> bind/n2/zones” dir . & created symlinks as shown above.
>>>
>>> • "n3" using "/mnt/vol/v1/etc/bind/n3/keys" dir & "/mnt/vol/v1/ etc/ 
>>> bind/n3/zones" dir. & created symlinks as shown above.
>>>
>>> • Added permissions in AppArmor "/etc/apparmor.d/local/ 
>>> usr.sbin.named" file, for BIND/named, so that BIND/named can use "v1" 
>>> replicated-volume "/mnt/vol/v1" BIND directories : /mnt/vol/ 
>>> v1/etc/bind  , /mnt/vol/v1/etc/bind/zones , /mnt/vol/v1/etc/bind/ 
>>> keys , /mnt/vol/v1/etc/bind/n1/zones , /mnt/vol/v1/etc/bind/n1/ 
>>> keys in n1 server ( and i have done similar for n2 & n3 )  . Then 
>>> applied changes with command : apparmor_parser -r /etc/ apparmor.d/ 
>>> usr.sbin.named
>>>
>>> • Also applied or re-checked if the ownership-&-permission (O&P) 
>>> convention used+recommended by BIND/named for directories & files, 
>>> are applied/done on the dirs+files inside the "/mnt/vol/ v1/etc/ 
>>> bind, etc.
>>>
>>>
>>>
>>> DNSSEC & DNS:
>>>
>>> • Each nameserver has BIND DNS server named daemon software . Each 
>>> BIND need to be Authoritative for my domains ("example.com" , 
>>> "example2.com", etc) & response back to any DNS servers/clients query 
>>> for my domains & for my subnet's reverse- zone . And each BIND DNS 
>>> server also need to serve/perform as a recursive DNS resolver for any 
>>> queries made into "localhost" ( 127.0.0.1 , ::1 ).
>>>
>>> • Followed various related steps as-much-possible from "DNSSEC Howto 
>>> for BIND 9.9+ <https://wiki.debian.org/ 
>>> DNSSEC%20Howto%20for%20BIND%209%2E9%2B>” , ISCBIND docs for 9.18.28 
>>> <https://downloads.isc.org/isc/bind9/9.18.28/doc/arm/ html/> ( that 
>>> i'm using now while writing this msg ) , etc . Debian OS will update 
>>> BIND in distro’s repo, & then my/op's servers will be updated to that 
>>> version . For next/latest version, goto ISC BIND download pagehere 
>>> <https://www.isc.org/ download/>, search for "PDF" word, select/click 
>>> on the HTML / PDF doc version that you want to read/follow.
>>>
>>> • As each nameserver has different IP-addresses, so i've kept the 
>>> "named.conf", "named.conf.local", "named.conf.options" files in the 
>>> /etc/bind of server itself, for faster loading .
>>>
>>> • The "named.conf" file has BIND ACLs, and include directives . This 
>>> file has same content in each server . Has “ acl LocalHostR { 
>>> 127.0.0.1; ::1; } ; LocalHostRv4 { 127.0.0.1; } ; LocalHostRv6 { ::1; 
>>> } ; acl BlockedNets { 0.0.0.0/8 ; 192.0.2.0/24 ; 224.0.0.0/3 ; 
>>> 10.0.0.0/8 ; 172.16.0.0/12 ; 192.168.0.0/16 ; } ; acl N1-IPv4 { 
>>> 192.10.2.11; } ; acl N1-IPv6 {2001:db8:1::11; }; ” , etc, (remove 
>>> quote symbols) . ( i added more IPv4 & IPv6 in BlockedNetslater ).
>>>
>>> • The "named.conf.local" file has forward zones & reverse zones 
>>> declarations : each zone has "type primary;" directive/option set , 
>>> each zone has "file" directive with file located in replicated volume 
>>> location . Each local zones & each local reverse-zone for IP-address) 
>>> have "allow-query { LocalHostR; };" . My each domain's zone (i.e: 
>>> "zone "example.com" { ... };") declarations, & reverse- zone for my 
>>> own subnet, has "allow-query { any; };" .
>>>
>>> •My domain “example.com”zone declaration in “named.local.conf” file : 
>>> “ zone "n1.example.com" { type master ; file "/mnt/vol/v1/ 
>>> etc/bind/zones/db.example.com" ; allow-query { any; } ; serial- 
>>> update-method unixtime ; key-directory "/mnt/vol/v1/etc/bind/n1/ 
>>> keys" ; dnssec-policy opPolicy ; inline-signing yes ; notify no ; }; 
>>> ” (remove quote symbols) . We allowed query from anyone . By the way, 
>>> i also have a sub-domain zone declared in “named.local.conf” file as 
>>> zone : “ zone "ns.example.com" { … }; ” , nearly same as “example.com”.
>>>
>>> • The "named.conf.options" file has “dnssec-policy "opPolicy" { ... 
>>> };”  , "options { ... };" , "logging { ... };" sections/declarations 
>>> . Logging uses the server's "/var/log/ named" dir ( into 
>>> "Update_Debug.log" , "Security.log" , "BIND.log" files ).
>>>
>>> • The “options { … };” in “named.conf.options” file :  “ options { 
>>> recursion yes ; allow-recursion { LocalHostR; } ; allow-query- cache 
>>> { LocalHostR; } ;allow-query-cache-on { LocalHostR; } ; allow-query { 
>>> LocalHostR; } ; allow-recursion-on { LocalHostR; } ; 
>>> empty-zones-enable yes ; blackhole { BlockedNets; } ; allow- transfer 
>>> { none; } ; auth-nxdomain no ; listen-on { N1-IPv4; LocalHostRv4; } ; 
>>> listen-on-v6 { N1-IPv6; LocalHostRv6; }; rate- limit { ... }; }; ” 
>>> (remove quote symbols). We restricted recursion by allowing only 
>>> LocalHostR, not external, not BlockedNets.
>>>
>>> • DNS server, for non-dnssec part of DNS related queries & responses 
>>> for domain(s), IPv4-adrs, IPv6-adrs, etc (forward lookup/ resolve , 
>>> subnet IP-adrs reverse resolve/lookup ) WORKING FINE , from n1 & n2 & 
>>> n3 . Authoritative mode is working for my domains . And "localhost" 
>>> inside server can also provide website- name/domain- name To 
>>> IP-address resolve response, to the the local software/ 
>>> daemons/clients that are running inside server.
>>>
>>> • To ENABLE DNSSEC : i add "dnssec-validation auto;" inside "options" 
>>> inside "named.conf.options" file , i add "key-directory 
>>> "/mnt/vol/v1/etc/bind/n1/keys" ; inline-signing yes;" in "zone 
>>> "example.com" { ... };" in "named.conf.local" file, etc , ( changed 
>>> the "n1" into "n2" for "n2" server, & similarly in n3. )
>>>
>>> • For "dnssec-policy" directive about KSK & ZSK cert+key creation, 
>>> usage period, signing, validity, verification, etc , i'm using 
>>> shorter TTL period, etc , so-that dnssec/dns config lines can be 
>>> changed+applied quickly during DNSSEC setup phase : dnssec-policy 
>>> "opPolicy" {  ksk lifetime P88D algorithm RSASHA256 ;  zsk lifetime 
>>> 22D algorithm RSASHA256 ; dnskey-ttl PT10M ;  publish-safety P2D 
>>> ;  retire-safety P3D ;  purge-keys P3D ; signatures-refresh P5D 
>>> ;  signatures-validity P10D ;  signatures-validity-dnskey P11D 
>>> ; max-zone-ttl PT30M ;  zone-propagation-delay PT1H ;  parent- ds-ttl 
>>> PT1H ;  parent-propagation-delay PT1H ; nsec3param iterations 0 
>>> optout yes salt-length 0 ;  };
>>>
>>>
>>> Now finally into the
>>>
>>> QUESTIONS:
>>>
>>> • How can i create 1 KSK key ( in "n1" server first ), for a (single) 
>>> domain ("example.com") and get the DS code from KSK key and add that 
>>> 1 DS in domain-provider ( to send to the TLD ), & configure other 2 
>>> nameservers ( n2 , n3 ) to use that 1 DS record from TLD & use that 
>>> same/common 1 KSK file from the synced/ replicated directory, while 
>>> "type master;" is set for my domain/ zone in each nameserver ?
>>>
>>> ( Using 3 KSK & their 3 DS in domain-provider did not work, created 
>>> error indicators in DNSViz & in "DNSSEC- Annalyzer.VerisignLabs” test 
>>> sites, when each nameserver used separate directories, files, etc.
>>>
>>> • if i specify same/COMMON (replicated) dir "/mnt/vol/v1/etc/ bind/ 
>>> keys" & "/mnt/vol/v1/etc/bind/zones/zonename" inside 3 nameserver's 
>>> “named.conf.local” file domains/zones , Can BIND DNS server add their 
>>> own RRSIG response/lines for DNS records (into same zone file) 
>>> without removing earlier or other nameserver's RRSIG lines (unless 
>>> related ZSK key/period expired) ?
>>>
>>> • How do i disable/clean/move/backup earlier DNSSEC keys/usages, & 
>>> setup DNSSEC completely as anew . ( Our zone TTLs are short 7m to 1h 
>>> , (during setup/test phase) , So within 7m to an hour, all 
>>> older-records should be discarded from caches. )
>>>
>>>
>>> Thanks in advance for helpful responses.
>>>
>>> Erik.
>>>
>>> Erik T Ashfolk.
>>>
>>
> 