# DNSSEC Notes

## unbound server

2020-08-05

Unbound is installed on the 2 resolver servers.

```
gc-prod-resolver-govcloud-2
gc-prod-resolver-govcloud
```

If DNS resolution stops working, restart the unbound service.

`systemctl status unbound`

### Troubleshooting

```
Mar 06 03:25:01 oscontext-unbound.msoc.defpoint.local unbound[372]: /etc/unbound/conf.d/xdr.conf:1: error: cannot open include file '/etc/unbound/conf.... denied
Mar 06 03:25:01 oscontext-unbound.msoc.defpoint.local unbound[372]: read /etc/unbound/unbound.conf failed: 1 errors in configuration file
Mar 06 03:25:01 oscontext-unbound.msoc.defpoint.local systemd[1]: unbound.service: main process exited, code=exited, status=1/FAILURE
Mar 06 03:25:01 oscontext-unbound.msoc.defpoint.local systemd[1]: Unit unbound.service entered failed state.
Mar 06 03:25:01 oscontext-unbound.msoc.defpoint.local systemd[1]: unbound.service failed.
```

Fixed by...

```
452 03/06/21 03:50:22 +0000 chown root:unbound /etc/unbound/conf.d/oscontext.conf
453 03/06/21 03:50:36 +0000 chmod 640 /etc/unbound/conf.d/oscontext.conf
454 03/06/21 03:50:38 +0000 ls -l /etc/unbound/conf.d
455 03/06/21 03:50:43 +0000 systemctl restart unbound
```

### Setup

AWS resolvers can't play any part whatsoever in DNSSEC. They just break it. So unbound servers need external DNS.

`/etc/unbound/conf.d/xdr.conf`

```
server:
    private-domain: "pvt.xdr.accenturefederalcyber.com."
    domain-insecure: "pvt.xdr.accenturefederalcyber.com."
    private-domain: "pvt.xdrtest.accenturefederalcyber.com."
    domain-insecure: "pvt.xdrtest.accenturefederalcyber.com."
    private-domain: "10.in-addr.arpa."
    domain-insecure: "10.in-addr.arpa."
    private-address: 10.0.0.0/8
    local-zone: "10.in-addr.arpa." transparent

forward-zone:
    name: "amazonaws.com."
    forward-addr: 169.254.169.253

forward-zone:
    name: "pvt.xdr.accenturefederalcyber.com."
    forward-addr: 10.40.0.198
    forward-addr: 10.40.0.64

forward-zone:
    name: "pvt.xdrtest.accenturefederalcyber.com."
    forward-addr: 10.20.0.119
    forward-addr: 10.20.0.211

forward-zone:
    name: "10.in-addr.arpa."
    # Salt should update this to use commercial or test, not both
    forward-addr: 10.40.0.198
    forward-addr: 10.20.0.119

# If you want to forward everything else to a DNSSEC-capable server:
forward-zone:
    name: "."
    # Salt should update this to use commercial or test, not both
    forward-addr: 8.8.8.8
    forward-addr: 8.8.4.4
```

## Testing

2020-08-05

unbound-host can check the config:

```
[root@test_instance unbound]# unbound-host -C /etc/unbound/unbound.conf -v sigok.verteiltesysteme.net
Aug 05 19:32:10 libunbound[16444:0] notice: init module 0: ipsecmod
Aug 05 19:32:10 libunbound[16444:0] notice: init module 1: validator
Aug 05 19:32:10 libunbound[16444:0] notice: init module 2: iterator
sigok.verteiltesysteme.net has address 134.91.78.139 (secure)
sigok.verteiltesysteme.net has IPv6 address 2001:638:501:8efc::139 (secure)
sigok.verteiltesysteme.net has no mail handler record (secure)
[root@test_instance unbound]# unbound-host -C /etc/unbound/unbound.conf -v sigfail.verteiltesysteme.net
Aug 05 19:32:17 libunbound[16445:0] notice: init module 0: ipsecmod
Aug 05 19:32:17 libunbound[16445:0] notice: init module 1: validator
Aug 05 19:32:17 libunbound[16445:0] notice: init module 2: iterator
sigfail.verteiltesysteme.net has address 134.91.78.139 (BOGUS (security failure))
validation failure : misc failure
sigfail.verteiltesysteme.net has IPv6 address 2001:638:501:8efc::139 (BOGUS (security failure))
validation failure : misc failure
sigfail.verteiltesysteme.net has no mail handler record (secure)
```

Other testing:

* `dig +dnssec` - Show RRSIGs. Look for `ad` in flags.
* `dig +dnssec +cd` - Do the lookup, send it through EVEN IF IT FAILS (checking disabled).
* `drill` ?

## Architecture

2020-08-12

Architecture review, just in case:

* All servers have unbound installed.
* Unbound forwards requests for `10.in-addr.arpa` (reverse) and `pvt.xdr*.accenturefederalcyber.com` to the resolver endpoints.
* Unbound forwards requests for `*.amazonaws.com` to the local DNS endpoint (169.254.169.253).
* Non-`resolver-*` instances forward all other requests to the resolvers.
* `resolver-*` instances do DNS lookups directly via an EIP.

Good tests:

* `host sigok.verteiltesysteme.net` should return a result.
* `host sigfail.verteiltesysteme.net` should return no result.
* Tests against msoc.defpoint.local should work on legacy systems, but not on new systems (still questioning whether we should pay $180/mo to fix this).
* Other tests possible. See DNSSEC Notes.md in brad's repo.
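A small health-check script covering two things the notes above record by hand: the `conf.d` permission failure from the Troubleshooting section (an include file the `unbound` account could not read) and the sigok/sigfail validation pair from the Testing and Architecture sections. This is an added example, not a script from the notes or from the resolver hosts; it assumes GNU `stat -c`, that the unbound service account belongs to a group named `unbound`, and that `unbound-host` is on the PATH when run with `--live`. The transcript lines used for checking the verdict logic are constructed from the output quoted above.

```shell
#!/bin/sh
# Added example: unbound resolver health check (not part of the original notes).
#   conf_perms_ok DIR GROUP   every *.conf in DIR must be readable by the unbound
#                             service account: world-readable, or owned by GROUP
#                             and group-readable. Anything else reproduces the
#                             "cannot open include file ... Permission denied" failure.
#   dnssec_verdict FILE       reads unbound-host -v output for the sigok/sigfail
#                             pair and prints "validating", "not-validating" or
#                             "broken".
# Assumptions: GNU stat (-c); group name "unbound" on real hosts.

conf_perms_ok() {
    dir=$1
    group=$2
    rc=0
    for f in "$dir"/*.conf; do
        [ -e "$f" ] || continue
        # octal mode without leading zero (e.g. 640) and owning group name
        set -- $(stat -c '%a %G' "$f")
        mode=$1
        fgroup=$2
        # second-to-last digit is the group triplet, last digit is "other";
        # bit 4 is read. Digits are 0-7 so decimal arithmetic on them is safe.
        grp_r=$(( (mode / 10) % 10 & 4 ))
        oth_r=$(( mode % 10 & 4 ))
        if [ "$oth_r" -eq 4 ]; then
            continue
        fi
        if [ "$fgroup" = "$group" ] && [ "$grp_r" -eq 4 ]; then
            continue
        fi
        echo "unreadable by group $group: $f (mode $mode, group $fgroup)" >&2
        rc=1
    done
    return $rc
}

dnssec_verdict() {
    file=$1
    [ -r "$file" ] || { echo broken; return 1; }
    # grep -c exits 1 on zero matches; "|| true" keeps the count usable under set -e
    ok_secure=$(grep -c 'sigok.*has address.*(secure)' "$file" || true)
    fail_bogus=$(grep -c 'sigfail.*has address.*BOGUS' "$file" || true)
    fail_secure=$(grep -c 'sigfail.*has address.*(secure)' "$file" || true)
    if [ "$ok_secure" -ge 1 ] && [ "$fail_bogus" -ge 1 ]; then
        echo validating          # validator module is on and rejecting bad signatures
        return 0
    elif [ "$ok_secure" -ge 1 ] && [ "$fail_secure" -ge 1 ]; then
        echo not-validating      # answers arrive but nothing is checked (e.g. AWS resolver in the path)
        return 1
    fi
    echo broken                  # no usable answers at all
    return 1
}

# Live use on a resolver host (skipped when sourced or run without --live):
#   sh unbound_check.sh --live
if [ "${1:-}" = "--live" ]; then
    conf_perms_ok /etc/unbound/conf.d unbound
    tmp=$(mktemp)
    unbound-host -C /etc/unbound/unbound.conf -v sigok.verteiltesysteme.net >"$tmp" 2>&1 || true
    unbound-host -C /etc/unbound/unbound.conf -v sigfail.verteiltesysteme.net >>"$tmp" 2>&1 || true
    dnssec_verdict "$tmp"
    rm -f "$tmp"
fi
```

The "not-validating" branch is the one to watch for after any change to the `forward-zone: name: "."` entry: if the upstream for `.` is swapped to a resolver that strips DNSSEC data, sigfail starts answering `(secure)` and the resolver silently stops protecting clients, which is exactly the AWS-resolver problem the Setup section describes.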