2020-08-05
Unbound is installed on the 2 resolver servers:
gc-prod-resolver-govcloud-2
gc-prod-resolver-govcloud
If DNS resolution stops working, restart the unbound service. Check its state with:
systemctl status unbound
AWS resolvers can't play any part whatsoever in DNSSEC. They just break it.
So unbound servers need external DNS.
/etc/unbound/conf.d/xdr.conf
server:
    private-domain: "pvt.xdr.accenturefederalcyber.com."
    domain-insecure: "pvt.xdr.accenturefederalcyber.com."
    private-domain: "pvt.xdrtest.accenturefederalcyber.com."
    domain-insecure: "pvt.xdrtest.accenturefederalcyber.com."
    private-domain: "10.in-addr.arpa."
    domain-insecure: "10.in-addr.arpa."
    private-address: 10.0.0.0/8
    local-zone: "10.in-addr.arpa." transparent
forward-zone:
    name: "amazonaws.com."
    forward-addr: 169.254.169.253
forward-zone:
    name: "pvt.xdr.accenturefederalcyber.com."
    forward-addr: 10.40.0.198
    forward-addr: 10.40.0.64
forward-zone:
    name: "pvt.xdrtest.accenturefederalcyber.com."
    forward-addr: 10.20.0.119
    forward-addr: 10.20.0.211
forward-zone:
    name: "10.in-addr.arpa."
    # Salt should update this to use commercial or test, not both
    forward-addr: 10.40.0.198
    forward-addr: 10.20.0.119
# If you want to forward everything else to a DNSSEC-capable server:
forward-zone:
    name: "."
    # Salt should update this to use commercial or test, not both
    forward-addr: 8.8.8.8
    forward-addr: 8.8.4.4
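A small lint for a config of this shape, added here as an example (it is not part of these notes and not an unbound tool). It parses the server: and forward-zone: sections, then reports three things the config above depends on: a private-domain that is missing its domain-insecure line (the validator would mark answers from a non-DNSSEC forwarder BOGUS), a forward zone other than "." that is not domain-insecure and so still goes through the validator, and a zone whose forwarders belong to more than one private zone, which is the "commercial or test, not both" mix the Salt comment describes. The embedded config is a copy of xdr.conf; the function names parse_unbound and lint are assumptions.

```python
"""Lint an unbound forwarder config (added example, not from the page)."""
import ipaddress
import re

# Constructed copy of /etc/unbound/conf.d/xdr.conf from the notes above.
SAMPLE_CONF = """\
server:
    private-domain: "pvt.xdr.accenturefederalcyber.com."
    domain-insecure: "pvt.xdr.accenturefederalcyber.com."
    private-domain: "pvt.xdrtest.accenturefederalcyber.com."
    domain-insecure: "pvt.xdrtest.accenturefederalcyber.com."
    private-domain: "10.in-addr.arpa."
    domain-insecure: "10.in-addr.arpa."
    private-address: 10.0.0.0/8
    local-zone: "10.in-addr.arpa." transparent
forward-zone:
    name: "amazonaws.com."
    forward-addr: 169.254.169.253
forward-zone:
    name: "pvt.xdr.accenturefederalcyber.com."
    forward-addr: 10.40.0.198
    forward-addr: 10.40.0.64
forward-zone:
    name: "pvt.xdrtest.accenturefederalcyber.com."
    forward-addr: 10.20.0.119
    forward-addr: 10.20.0.211
forward-zone:
    name: "10.in-addr.arpa."
    # Salt should update this to use commercial or test, not both
    forward-addr: 10.40.0.198
    forward-addr: 10.20.0.119
forward-zone:
    name: "."
    forward-addr: 8.8.8.8
    forward-addr: 8.8.4.4
"""

SECTION_RE = re.compile(r"^(server|forward-zone|stub-zone|remote-control):\s*$")
ATTR_RE = re.compile(r"^([a-z-]+):\s*(.*?)\s*$")


def parse_unbound(text):
    """Return (server_attrs, forward_zones).

    server_attrs maps attribute -> list of values (unbound attributes repeat);
    forward_zones is one such dict per forward-zone: block, in file order.
    Quotes are stripped, comments and blank lines skipped.
    """
    server, zones, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            if m.group(1) == "server":
                current = server
            elif m.group(1) == "forward-zone":
                current = {}
                zones.append(current)
            else:
                current = {}  # sections this lint does not inspect
            continue
        m = ATTR_RE.match(line)
        if not m or current is None:
            raise ValueError(f"unparseable line: {raw!r}")
        value = " ".join(tok.strip('"') for tok in m.group(2).split())
        current.setdefault(m.group(1), []).append(value)
    return server, zones


def lint(text):
    """Return a list of findings (strings) for the config in text."""
    server, zones = parse_unbound(text)
    findings = []
    private = set(server.get("private-domain", []))
    insecure = set(server.get("domain-insecure", []))

    # 1. A private zone served by forwarders that cannot do DNSSEC needs
    #    domain-insecure, or the validator rejects its answers as BOGUS.
    for dom in sorted(private - insecure):
        findings.append(f"MISSING domain-insecure for private-domain {dom}")

    # Which named zones each forwarder address is used for.
    addr_zones = {}
    for z in zones:
        for addr in z.get("forward-addr", []):
            addr_zones.setdefault(addr.split("@")[0], set()).add(z["name"][0])

    for z in zones:
        name = z.get("name", ["?"])[0]
        addrs = [a.split("@")[0] for a in z.get("forward-addr", [])]
        if not addrs:
            findings.append(f"EMPTY forward-zone {name} has no forward-addr")
            continue
        for a in addrs:
            try:
                ipaddress.ip_address(a)
            except ValueError:
                findings.append(f"INVALID forward-addr {a!r} in zone {name}")
        # 2. Not domain-insecure: answers still pass through the validator,
        #    so the upstream must be able to serve the signed chain.
        if name != "." and name not in insecure:
            findings.append(f"REVIEW forward-zone {name} is not domain-insecure; "
                            "its answers will be DNSSEC-validated")
        # 3. Forwarders drawn from more than one other private zone.
        owners = set()
        for a in addrs:
            owners |= {o for o in addr_zones.get(a, set())
                       if o != name and o in private}
        if len(owners) > 1:
            findings.append(f"MIXED forward-zone {name} forwards to resolvers of "
                            + " and ".join(sorted(owners)))
    return findings


if __name__ == "__main__":
    for f in lint(SAMPLE_CONF):
        print(f)
```

Run against the config above it prints a REVIEW line for amazonaws.com. and a MIXED line for 10.in-addr.arpa., which is exactly the pair of things the comments in the file already warn about.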
2020-08-05
unbound-host can check the config (-C) and shows whether each answer validated (secure / BOGUS):
[root@test_instance unbound]# unbound-host -C /etc/unbound/unbound.conf -v sigok.verteiltesysteme.net
Aug 05 19:32:10 libunbound[16444:0] notice: init module 0: ipsecmod
Aug 05 19:32:10 libunbound[16444:0] notice: init module 1: validator
Aug 05 19:32:10 libunbound[16444:0] notice: init module 2: iterator
sigok.verteiltesysteme.net has address 134.91.78.139 (secure)
sigok.verteiltesysteme.net has IPv6 address 2001:638:501:8efc::139 (secure)
sigok.verteiltesysteme.net has no mail handler record (secure)
[root@test_instance unbound]# unbound-host -C /etc/unbound/unbound.conf -v sigfail.verteiltesysteme.net
Aug 05 19:32:17 libunbound[16445:0] notice: init module 0: ipsecmod
Aug 05 19:32:17 libunbound[16445:0] notice: init module 1: validator
Aug 05 19:32:17 libunbound[16445:0] notice: init module 2: iterator
sigfail.verteiltesysteme.net has address 134.91.78.139 (BOGUS (security failure))
validation failure <sigfail.verteiltesysteme.net. A IN>: misc failure
sigfail.verteiltesysteme.net has IPv6 address 2001:638:501:8efc::139 (BOGUS (security failure))
validation failure <sigfail.verteiltesysteme.net. AAAA IN>: misc failure
sigfail.verteiltesysteme.net has no mail handler record (secure)
other testing:
dig +dnssec - shows RRSIGs. Look for ad in flags.
dig +dnssec +cd - Do the lookup, send through EVEN IF IT FAILS
drill
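The dig checks above as a decision procedure, added as an example (not from these notes): given the output of dig +dnssec NAME and dig +dnssec +cd NAME against the same resolver, it classifies the name as secure (NOERROR with the ad flag), insecure (NOERROR without ad, which is what the domain-insecure private zones return), bogus (SERVFAIL that turns into NOERROR once +cd bypasses the validator, the sigfail case) or unresolved (fails even with +cd, so the problem is upstream reachability, not DNSSEC). The sample outputs are constructed; run_dig calls the real dig binary and is the only part that needs a network. The function names are assumptions.

```python
"""Classify DNSSEC state from dig output (added example, not from the page)."""
import re
import subprocess

STATUS_RE = re.compile(r"status: ([A-Z]+)")
FLAGS_RE = re.compile(r";; flags: ([^;]*);")

# Constructed dig output fragments; only the two header lines are parsed.
SAMPLE_SECURE = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""
SAMPLE_INSECURE = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1002
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""
SAMPLE_SERVFAIL = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1003
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
SAMPLE_CD_OK = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1004
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""


def parse_dig(output):
    """Return (status, flags) from dig's text output.

    status is NOERROR/SERVFAIL/NXDOMAIN/..., or NOANSWER when dig printed no
    header at all (timeout, no server). flags is a set like {"qr","rd","ra","ad"}.
    """
    s = STATUS_RE.search(output)
    f = FLAGS_RE.search(output)
    status = s.group(1) if s else "NOANSWER"
    flags = set(f.group(1).split()) if f else set()
    return status, flags


def classify(plain_output, cd_output):
    """Decide the DNSSEC state of a name from two dig runs.

    plain_output: dig +dnssec NAME      (validator on)
    cd_output:    dig +dnssec +cd NAME  (validator bypassed, same resolver)
    """
    status, flags = parse_dig(plain_output)
    cd_status, _ = parse_dig(cd_output)
    if status == "NOERROR" and "ad" in flags:
        return "secure"        # resolver validated the chain of trust
    if status == "NOERROR":
        return "insecure"      # answered, but unsigned or domain-insecure
    if status == "SERVFAIL" and cd_status == "NOERROR":
        return "bogus"         # data exists upstream; the validator rejected it
    return "unresolved"        # fails even with +cd: not a DNSSEC problem


def run_dig(name, server=None, cd=False, rrtype="A"):
    """Run the real dig binary and return its stdout (needs the network)."""
    cmd = ["dig", "+dnssec"]
    if cd:
        cmd.append("+cd")
    if server:
        cmd.append("@" + server)
    cmd += [name, rrtype]
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


def check(name, server=None):
    """Query a resolver with and without +cd and classify the result."""
    return classify(run_dig(name, server), run_dig(name, server, cd=True))


if __name__ == "__main__":
    # Against a validating unbound, sigok should come back "secure" and
    # sigfail "bogus"; "unresolved" for both means the upstream is unreachable.
    for probe in ("sigok.verteiltesysteme.net", "sigfail.verteiltesysteme.net"):
        print(probe, check(probe, "127.0.0.1"))
```

The +cd run is what separates a validation failure from an outage: if the resolver cannot reach its upstream at all, sigok and sigfail both SERVFAIL with and without +cd, and restarting unbound is the wrong fix.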
2020-08-12
Architecture review, just in case:
- 10.in-addr.arpa (reverse), pvt.xdr*.accenturefederalcyber.com to the resolver endpoints.
- *.amazonaws.com to the local DNS endpoint (169.254.169.253).
- resolver-* instances forward all other requests to the resolvers.
- resolver-* instances do DNS lookups directly via an EIP.
Good tests: