[Pdns-users] Setting up intentionally invalid DNSSEC record in auto-secure environment

Nick Williams nicholas at nicholaswilliams.net
Sat Jan 9 22:55:23 UTC 2016


> On Jan 9, 2016, at 3:28 PM, Pieter Lexis <pieter.lexis at powerdns.com> wrote:
> 
> Hi Nick,
> 
> On Sat, 9 Jan 2016 14:48:12 -0600
> Nicholas Williams <nicholas at nicholaswilliams.net> wrote:
> 
>> But the documentation says the opposite. It says NOT to create
>> NSEC(3) records (in fact, zone2sql intentionally ignores them, even
>> for presigned zones), because (again, it says) PowerDNS generates
>> them automatically, even for presigned zones. It also says that
>> manually inserting NSEC3 records could cause errors. So the
>> documentation makes clear that, on presigned zones, it is still the
>> authority. Indeed, PowerDNS IS generating the NSEC3 records (as I
>> showed), just not signing them.
> 
> This is indeed the way this works. As the NXDOMAIN generation code
> works as it should, the design choice was made to 'just' generate NSECs
> on the fly. The signatures still have to be provided in the presigned
> zone.
> 
>> How could I possibly presign records that PowerDNS generates? I
>> can't. So why does PowerDNS prohibit me creating NSEC3 records,
>> generate them for me, but not sign them?
> 
> This is because pre-signed zones (from e.g. opendnssec, ldns-signzone
> or slaved from a master) contain the RRSIGs to the negative answers.
> 
>> That is, at best, poor design. But I'm confident it's a bug or I've
>> configured something incorrectly. 
> 
> I agree this is an 'interesting' design choice made back in the day.
> In normal operation (using other tools to generate DNSSEC records or
> slaving the zone) this will never come up.
> 
> I agree that the docs are not very verbose on how presigned zones work,
> we'll fix this in the coming weeks.

So I need to create signatures for the NSEC3 records, and insert those signatures, but not the NSEC3 records? Fascinating. Let me try this out…

I started from scratch to ensure I didn’t mess something else up…

I copied ALL of the RRSIGs this time, including the ones for the NSEC3 records, but I did not copy the NSEC3 records…

And it works! Everything passes the verification checks and I can resolve both A records through my verifying recursors.

$ host good.e7d8ca.test.my-zone.com
good.e7d8ca.test.dnscrawler.com has address x.x.x.x

$ host bad.e7d8ca.test.my-zone.com
bad.e7d8ca.test.dnscrawler.com has address x.x.x.x

Now, to munge the signature for bad.e7d8ca.test.my-zone.com…

And it works! From my verifying recursors:

$ host good.e7d8ca.test.my-zone.com
good.e7d8ca.test.dnscrawler.com has address x.x.x.x

$ host bad.e7d8ca.test.my-zone.com
Host bad.e7d8ca.test.dnscrawler.com not found: 3(NXDOMAIN)

From non-verifying recursors:

$ host good.e7d8ca.test.my-zone.com 4.2.2.2
Using domain server:
Name: 4.2.2.2
Address: 4.2.2.2#53
Aliases: 
good.e7d8ca.test.my-zone.com has address x.x.x.x

$ host bad.e7d8ca.test.my-zone.com 4.2.2.2
Using domain server:
Name: 4.2.2.2
Address: 4.2.2.2#53
Aliases: 
bad.e7d8ca.test.my-zone.com has address x.x.x.x

Thanks for all your help. I still maintain that requiring presigners to provide RRSIG NSEC3 records but NOT provide the NSEC3 records is a bad idea. At the very least, as you said, the documentation needs significant enhancement. But I did get it to work, finally.

Thanks again,

Nick
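The import rule Nick settled on above (keep every RRSIG, including the ones covering NSEC3, but leave the NSEC3 records out so the server regenerates them) and the "munge one signature" step are easy to get wrong by hand. The script below is an added example, not code from the thread or from PowerDNS: it filters a signer's presentation-format zone file that way, reports any NSEC3 owner name whose RRSIG NSEC3 is missing (the case that leaves the server with unsigned negative answers), and deliberately corrupts one RRSIG so the covered RRset fails validation on a validating resolver. The zone data, names and signature strings are constructed placeholders; the parser assumes one RR per line with optional TTL and class, which is what common signers emit.

```python
"""Added example (not PowerDNS code): prepare a presigned zone file for an
authoritative server that regenerates NSEC3 on the fly but expects the NSEC3
signatures in the zone, then corrupt one RRSIG to create a deliberately bogus
record for testing validating resolvers.

Assumed input format (typical signer output): one RR per line,
'owner [TTL] [class] TYPE rdata...'; RRSIG rdata starts with the covered type
and ends with the base64 signature.
"""
from typing import List, Tuple

# Constructed sample, not a real signed zone; signatures are fake placeholders.
SAMPLE_ZONE = """\
; comment lines and blank lines are skipped
e7d8ca.test.example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2016010901 7200 3600 1209600 3600
e7d8ca.test.example.com. 3600 IN RRSIG SOA 8 4 3600 20160209000000 20160109000000 12345 e7d8ca.test.example.com. FAKESIG==
good.e7d8ca.test.example.com. 3600 IN A 192.0.2.1
good.e7d8ca.test.example.com. 3600 IN RRSIG A 8 5 3600 20160209000000 20160109000000 12345 e7d8ca.test.example.com. FAKESIG==
bad.e7d8ca.test.example.com. 3600 IN A 192.0.2.2
bad.e7d8ca.test.example.com. 3600 IN RRSIG A 8 5 3600 20160209000000 20160109000000 12345 e7d8ca.test.example.com. FAKESIG==
abc123.e7d8ca.test.example.com. 3600 IN NSEC3 1 0 1 ab DEF456 A RRSIG
abc123.e7d8ca.test.example.com. 3600 IN RRSIG NSEC3 8 5 3600 20160209000000 20160109000000 12345 e7d8ca.test.example.com. FAKESIG==
def456.e7d8ca.test.example.com. 3600 IN NSEC3 1 0 1 ab ABC123 A RRSIG
"""


def parse_rr(line: str) -> Tuple[str, str, List[str]]:
    """Split one presentation-format RR into (owner, type, rdata fields).
    TTL and class are optional, so the type is the first field after the
    owner that is neither a number (TTL) nor a class name."""
    fields = line.split()
    i = 1
    while i < len(fields) and (fields[i].isdigit() or fields[i].upper() in ("IN", "CH", "HS")):
        i += 1
    return fields[0].lower(), fields[i].upper(), fields[i + 1:]


def prepare_presigned_zone(zone_text: str) -> Tuple[List[str], List[str]]:
    """Return (lines to import, NSEC3 owners that have no RRSIG NSEC3).

    NSEC3 records are dropped because the server regenerates them; their
    RRSIGs are kept because the server does not sign what it regenerates."""
    kept: List[str] = []
    nsec3_owners, signed_nsec3_owners = set(), set()
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        owner, rtype, rdata = parse_rr(line)
        if rtype == "NSEC3":
            nsec3_owners.add(owner)
            continue
        if rtype == "RRSIG" and rdata and rdata[0].upper() == "NSEC3":
            signed_nsec3_owners.add(owner)
        kept.append(line)
    return kept, sorted(nsec3_owners - signed_nsec3_owners)


def corrupt_rrsig(lines: List[str], owner: str, covered: str) -> List[str]:
    """Return a copy of lines in which the RRSIG of one RRset has its
    signature altered, so a validating resolver treats that RRset as bogus
    while a non-validating one still returns the data."""
    out, hits = [], 0
    for line in lines:
        o, rtype, rdata = parse_rr(line)
        if o == owner.lower() and rtype == "RRSIG" and rdata[0].upper() == covered.upper():
            sig = rdata[-1]
            # Replace the first base64 symbol with a different one: the field
            # still decodes, but the signature no longer verifies.
            new_first = "B" if sig[0] != "B" else "C"
            line = line[: line.rfind(sig)] + new_first + sig[1:]
            hits += 1
        out.append(line)
    if hits != 1:
        raise ValueError(f"expected exactly one RRSIG {covered} for {owner}, found {hits}")
    return out


if __name__ == "__main__":
    kept, missing = prepare_presigned_zone(SAMPLE_ZONE)
    print(f"{len(kept)} records to import")
    for owner in missing:
        print(f"WARNING: NSEC3 owner {owner} has no RRSIG NSEC3; its negative answers will be unsigned")
    for line in corrupt_rrsig(kept, "bad.e7d8ca.test.example.com.", "A"):
        print(line)
```

Run it on a signer's output instead of `SAMPLE_ZONE` and feed the printed lines to the importer; the warning is the check worth keeping, since the thread shows that NSEC3 records are rebuilt by the server but their signatures are only ever what you supplied.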