
DNSSEC Notes

unbound server

2020-08-05

Unbound is installed on the two resolver servers:

gc-prod-resolver-govcloud-2
gc-prod-resolver-govcloud

If DNS resolution stops working, check the service state (the status output includes the last log lines, which is where the config errors below show up) and then restart it:

systemctl status unbound
systemctl restart unbound

Troubleshooting

Mar 06 03:25:01 oscontext-unbound.msoc.defpoint.local unbound[372]: /etc/unbound/conf.d/xdr.conf:1: error: cannot open include file '/etc/unbound/conf.... denied
Mar 06 03:25:01 oscontext-unbound.msoc.defpoint.local unbound[372]: read /etc/unbound/unbound.conf failed: 1 errors in configuration file
Mar 06 03:25:01 oscontext-unbound.msoc.defpoint.local systemd[1]: unbound.service: main process exited, code=exited, status=1/FAILURE
Mar 06 03:25:01 oscontext-unbound.msoc.defpoint.local systemd[1]: Unit unbound.service entered failed state.
Mar 06 03:25:01 oscontext-unbound.msoc.defpoint.local systemd[1]: unbound.service failed.

The include file unbound could not open was a permission problem on /etc/unbound/conf.d/oscontext.conf. Fixed (03/06/21) by giving it the same owner, group and mode as the other files in conf.d, then restarting:

chown root:unbound /etc/unbound/conf.d/oscontext.conf
chmod 640 /etc/unbound/conf.d/oscontext.conf
ls -l /etc/unbound/conf.d
systemctl restart unbound

Setup

The AWS VPC resolver (169.254.169.253) does not validate DNSSEC and cannot be used as the upstream of a validating resolver: putting it in the path just breaks validation.

So the unbound resolver servers have to reach external DNS themselves, either by recursing from the root or, as below, by forwarding "." to a DNSSEC-aware public resolver. Validation also needs a trust anchor in unbound.conf (the distro packages normally ship one as auto-trust-anchor-file). The private zones and the 10.in-addr.arpa reverse tree are unsigned, so they are marked domain-insecure; without that a signed parent zone would let the validator reject answers from the internal resolver endpoints. private-address/private-domain are the DNS-rebinding protection: 10/8 answers are only accepted for the domains listed as private-domain.

/etc/unbound/conf.d/xdr.conf

server:
      private-domain: "pvt.xdr.accenturefederalcyber.com."
      domain-insecure: "pvt.xdr.accenturefederalcyber.com."
      private-domain: "pvt.xdrtest.accenturefederalcyber.com."
      domain-insecure: "pvt.xdrtest.accenturefederalcyber.com."
      private-domain: "10.in-addr.arpa."
      domain-insecure: "10.in-addr.arpa."
      private-address: 10.0.0.0/8
      local-zone: "10.in-addr.arpa." transparent
forward-zone:
      name: "amazonaws.com."
      forward-addr: 169.254.169.253
forward-zone:
      name: "pvt.xdr.accenturefederalcyber.com."
      forward-addr: 10.40.0.198
      forward-addr: 10.40.0.64
forward-zone:
      name: "pvt.xdrtest.accenturefederalcyber.com."
      forward-addr: 10.20.0.119
      forward-addr: 10.20.0.211
forward-zone:
      name: "10.in-addr.arpa."
      # Salt should update this to use commercial or test, not both
      forward-addr: 10.40.0.198
      forward-addr: 10.20.0.119
# If you want to forward everything else to a DNSSEC-capable server:
forward-zone:
      name: "."
      # Salt should update this to use commercial or test, not both
      forward-addr: 8.8.8.8
      forward-addr: 8.8.4.4

Testing

2020-08-05

unbound-host -C <conf> resolves using the given config and runs the validator, so it tests the config end to end (unbound-checkconf only checks the syntax):

[root@test_instance unbound]# unbound-host -C /etc/unbound/unbound.conf -v sigok.verteiltesysteme.net
Aug 05 19:32:10 libunbound[16444:0] notice: init module 0: ipsecmod
Aug 05 19:32:10 libunbound[16444:0] notice: init module 1: validator
Aug 05 19:32:10 libunbound[16444:0] notice: init module 2: iterator
sigok.verteiltesysteme.net has address 134.91.78.139 (secure)
sigok.verteiltesysteme.net has IPv6 address 2001:638:501:8efc::139 (secure)
sigok.verteiltesysteme.net has no mail handler record (secure)

[root@test_instance unbound]# unbound-host -C /etc/unbound/unbound.conf -v sigfail.verteiltesysteme.net
Aug 05 19:32:17 libunbound[16445:0] notice: init module 0: ipsecmod
Aug 05 19:32:17 libunbound[16445:0] notice: init module 1: validator
Aug 05 19:32:17 libunbound[16445:0] notice: init module 2: iterator
sigfail.verteiltesysteme.net has address 134.91.78.139 (BOGUS (security failure))
validation failure <sigfail.verteiltesysteme.net. A IN>: misc failure
sigfail.verteiltesysteme.net has IPv6 address 2001:638:501:8efc::139 (BOGUS (security failure))
validation failure <sigfail.verteiltesysteme.net. AAAA IN>: misc failure
sigfail.verteiltesysteme.net has no mail handler record (secure)

other testing:

  • dig +dnssec - Shows the RRSIGs. Look for ad (authenticated data) in the flags; a validating resolver answers SERVFAIL for a name that fails validation.
  • dig +dnssec +cd - Checking disabled: the resolver returns the answer even if validation failed. If +cd gets an answer where the plain query got SERVFAIL, the problem is DNSSEC, not an outage.
  • drill (ldns) - alternative to dig; drill -S name chases the signatures up to the trust anchor.
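As an added example (not part of these notes), a small POSIX sh helper that applies the dig checks above: it classifies a name from the status and flags in dig's header, and on SERVFAIL re-queries with +cd to tell a validation failure from a plain outage. The resolver address and the sample dig headers are assumptions/constructed for the offline functions, not captures from the resolver servers.

```shell
#!/bin/sh
# Added example, not part of the original notes: classify a name's DNSSEC
# status from `dig +dnssec` output against a validating resolver.
#   NOERROR + "ad" in flags  -> secure   (resolver validated the answer)
#   NOERROR, no "ad"         -> insecure (unsigned zone, or the resolver is
#                                         not validating at all)
#   SERVFAIL                 -> bogus    (confirm with +cd: if the answer
#                                         comes back with checking disabled,
#                                         validation is what failed)
# Assumptions: dig from bind-utils; resolver reachable at $RESOLVER
# (defaults to 127.0.0.1, i.e. the local unbound).

# Pull "status: X" out of dig's ";; ->>HEADER<<-" line.
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Pull the flags out of ";; flags: qr rd ra ad; QUERY: ..." (empty if none).
dig_flags() {
    printf '%s\n' "$1" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1
}

# $1: captured dig output. Prints secure | insecure | bogus | unknown(<status>).
classify_dig() {
    status=$(dig_status "$1")
    flags=$(dig_flags "$1")
    case "$status" in
        NOERROR)
            case " $flags " in
                *" ad "*) echo secure ;;
                *)        echo insecure ;;
            esac ;;
        SERVFAIL) echo bogus ;;
        *)        echo "unknown($status)" ;;
    esac
}

# Live check: $1 name, $2 resolver (optional). Uses the network.
dnssec_check() {
    r="${2:-${RESOLVER:-127.0.0.1}}"
    verdict=$(classify_dig "$(dig @"$r" +dnssec "$1" A)")
    if [ "$verdict" = bogus ]; then
        # +cd = checking disabled: the resolver hands back whatever it got even
        # though validation failed. NOERROR here means DNSSEC failure, not outage.
        if [ "$(dig_status "$(dig @"$r" +dnssec +cd "$1" A)")" = NOERROR ]; then
            verdict="bogus (answers with +cd: validation failure)"
        else
            verdict="servfail (fails with +cd too: not a DNSSEC problem)"
        fi
    fi
    echo "$1: $verdict"
}

# Constructed sample dig headers (trimmed) for offline use; not real captures.
SAMPLE_SECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1002
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1003
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Usage: sh dnssec_check.sh sigok.verteiltesysteme.net [resolver]
if [ $# -gt 0 ]; then
    dnssec_check "$1" "$2"
fi
```

Run it against the local unbound with sigok.verteiltesysteme.net (expect secure) and sigfail.verteiltesysteme.net (expect the bogus/+cd verdict); an "insecure" result for sigok means the resolver you hit is not validating at all, which is what happens when the VPC resolver is in the path.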

Architecture

2020-08-12

Architecture review, just in case:

  • All servers have unbound installed.
  • Unbound forwards requests for 10.in-addr.arpa (reverse), pvt.xdr*.accenturefederalcyber.com to the resolver endpoints.
  • Unbound forwards requests to *.amazonaws.com to the local DNS endpoint (169.254.169.253).
  • Non-resolver-* instances forward all other requests to the resolvers.
  • resolver-* instances do DNS lookups directly via an EIP.

Good tests:

  • host sigok.verteiltesysteme.net should return addresses (validation succeeds).
  • host sigfail.verteiltesysteme.net should return no result: the validating resolver answers SERVFAIL for a name whose signatures fail.
  • Tests against msoc.defpoint.local should work on legacy systems, but not on new systems (still questioning whether we should pay $180/mo to fix this)
  • Other tests possible. See DNSSEC Notes.md in brad's repo.