DNSSEC Notes.md

DNSSEC Notes

unbound server

2020-08-05

Unbound is installed on the two resolver servers: gc-prod-resolver-govcloud and gc-prod-resolver-govcloud-2.

If DNS resolution stops working, check the service with systemctl status unbound and restart it (systemctl restart unbound).

The VPC-provided resolver (169.254.169.253) does no DNSSEC validation and can't be the upstream of a validating resolver: forwarding signed zones through it breaks validation. So the unbound resolver servers need their own path to external DNS (a DNSSEC-capable forwarder, or direct recursion), and the VPC resolver is used only for amazonaws.com.

What the directives in xdr.conf below are for: domain-insecure turns validation off for the internal zones, which are unsigned and answered by internal servers that can't supply DS/NSEC proofs (unbound would otherwise try to validate them against the public parent and can mark them bogus); private-address: 10.0.0.0/8 strips 10/8 answers out of public zones (DNS rebinding protection) and private-domain whitelists the internal zones that legitimately return them; the transparent local-zone for 10.in-addr.arpa overrides unbound's built-in static zone for RFC 1918 reverse space so those queries reach the forwarders. Validation itself also needs the root trust anchor (auto-trust-anchor-file in the main unbound.conf, not shown here).

/etc/unbound/conf.d/xdr.conf

server:
      private-domain: "pvt.xdr.accenturefederalcyber.com."
      domain-insecure: "pvt.xdr.accenturefederalcyber.com."
      private-domain: "pvt.xdrtest.accenturefederalcyber.com."
      domain-insecure: "pvt.xdrtest.accenturefederalcyber.com."
      private-domain: "10.in-addr.arpa."
      domain-insecure: "10.in-addr.arpa."
      private-address: 10.0.0.0/8
      local-zone: "10.in-addr.arpa." transparent
forward-zone:
      name: "amazonaws.com."
      forward-addr: 169.254.169.253
forward-zone:
      name: "pvt.xdr.accenturefederalcyber.com."
      forward-addr: 10.40.0.198
      forward-addr: 10.40.0.64
forward-zone:
      name: "pvt.xdrtest.accenturefederalcyber.com."
      forward-addr: 10.20.0.119
      forward-addr: 10.20.0.211
forward-zone:
      name: "10.in-addr.arpa."
      # Salt should update this to use commercial or test, not both
      forward-addr: 10.40.0.198
      forward-addr: 10.20.0.119
# If you want to forward everything else to a DNSSEC-capable server:
forward-zone:
      name: "."
      # Salt should update this to use commercial or test, not both
      forward-addr: 8.8.8.8
      forward-addr: 8.8.4.4
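As an added check, not part of the original notes or of the Salt state that renders xdr.conf: an offline lint (POSIX sh plus awk) for a rendered xdr.conf that flags the three mistakes this section warns about: a zone forwarded to internal servers without a matching domain-insecure, a zone forwarding to both the commercial and test resolvers (the "not both" comment), and the "." forward pointing at the VPC resolver. It assumes prod resolvers live in 10.40.0.0/16 and test resolvers in 10.20.0.0/16 (inferred from the forward-addr values above); the embedded config is a constructed, trimmed copy of xdr.conf in which 10.in-addr.arpa still points at both environments, as the template comment says Salt should fix.

```shell
#!/bin/sh
# Added example, not from the original notes or the Salt state that renders
# xdr.conf: lint a rendered unbound forward config for the mistakes the notes
# warn about. Assumptions: prod resolvers are in 10.40.0.0/16, test resolvers
# in 10.20.0.0/16 (inferred from xdr.conf); the sample config is CONSTRUCTED.

# check_xdr_conf: reads an unbound config on stdin, prints findings,
# exits 0 when clean and 1 when any check fails.
#   1. zone forwarded to 10/8 servers needs a domain-insecure for that zone
#      (internal zones are unsigned; without it unbound may mark them bogus)
#   2. a zone must not forward to both prod (10.40) and test (10.20)
#   3. the "." forward must not use the VPC resolver (no DNSSEC validation)
check_xdr_conf() {
    awk '
        /^[ \t]*#/                { next }
        /^[ \t]*server:/          { zone = ""; next }
        /^[ \t]*forward-zone:/    { zone = "?"; next }
        /^[ \t]*domain-insecure:/ { gsub(/"/, "", $2); insecure[$2] = 1; next }
        /^[ \t]*name:/ {
            if (zone != "") { gsub(/"/, "", $2); zone = $2 }
            next
        }
        /^[ \t]*forward-addr:/ {
            if (zone != "" && zone != "?") addrs[zone] = addrs[zone] " " $2
            next
        }
        END {
            bad = 0
            for (z in addrs) {
                n = split(addrs[z], a, " ")
                priv = prod = test = vpc = 0
                for (i = 1; i <= n; i++) {
                    if (a[i] ~ /^10\./)     priv = 1
                    if (a[i] ~ /^10\.40\./) prod = 1
                    if (a[i] ~ /^10\.20\./) test = 1
                    if (a[i] == "169.254.169.253") vpc = 1
                }
                if (priv && !(z in insecure)) { print "ERROR: " z " forwards to internal servers but has no domain-insecure"; bad++ }
                if (prod && test)             { print "ERROR: " z " forwards to both prod (10.40) and test (10.20) resolvers"; bad++ }
                if (z == "." && vpc)          { print "ERROR: \".\" forwards to the VPC resolver, which does not validate DNSSEC"; bad++ }
            }
            if (bad == 0) print "OK: no findings"
            exit (bad > 0)
        }
    '
}

# Constructed sample: trimmed xdr.conf (commercial only) with the reverse
# zone still pointing at both environments, as the unrendered template does.
XDR_CONF='server:
    private-domain: "pvt.xdr.accenturefederalcyber.com."
    domain-insecure: "pvt.xdr.accenturefederalcyber.com."
    private-domain: "10.in-addr.arpa."
    domain-insecure: "10.in-addr.arpa."
    private-address: 10.0.0.0/8
    local-zone: "10.in-addr.arpa." transparent
forward-zone:
    name: "amazonaws.com."
    forward-addr: 169.254.169.253
forward-zone:
    name: "pvt.xdr.accenturefederalcyber.com."
    forward-addr: 10.40.0.198
    forward-addr: 10.40.0.64
forward-zone:
    name: "10.in-addr.arpa."
    forward-addr: 10.40.0.198
    forward-addr: 10.20.0.119
forward-zone:
    name: "."
    forward-addr: 8.8.8.8
    forward-addr: 8.8.4.4'

# Variants: what Salt should render (test address removed), and two broken
# ones to exercise checks 3 and 1.
XDR_CONF_FIXED=$(printf '%s\n' "$XDR_CONF" | grep -v '10\.20\.0\.119')
XDR_CONF_VPC=$(printf '%s\n' "$XDR_CONF_FIXED" | sed 's/8\.8\.8\.8/169.254.169.253/')
XDR_CONF_NO_INSECURE=$(printf '%s\n' "$XDR_CONF_FIXED" | grep -v 'domain-insecure: "10.in-addr.arpa."')

# Stand-alone run. Against a real host: check_xdr_conf < /etc/unbound/conf.d/xdr.conf
echo "== template (both envs)"; printf '%s\n' "$XDR_CONF" | check_xdr_conf || true
echo "== fixed";               printf '%s\n' "$XDR_CONF_FIXED" | check_xdr_conf || true
echo "== root via VPC";        printf '%s\n' "$XDR_CONF_VPC" | check_xdr_conf || true
echo "== missing insecure";    printf '%s\n' "$XDR_CONF_NO_INSECURE" | check_xdr_conf || true
```

Run it as a post-render check in the Salt state (or in CI) so a box never comes up forwarding reverse lookups to both environments or sending validated queries through the VPC resolver.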

Testing

2020-08-05

unbound-host -C /etc/unbound/unbound.conf <name> resolves the name with that config loaded, validator included, so it doubles as a config check (unbound-checkconf only checks syntax; this actually exercises validation). Each answer is tagged (secure), (insecure) or (BOGUS ...):

[root@test_instance unbound]# unbound-host -C /etc/unbound/unbound.conf -v sigok.verteiltesysteme.net
Aug 05 19:32:10 libunbound[16444:0] notice: init module 0: ipsecmod
Aug 05 19:32:10 libunbound[16444:0] notice: init module 1: validator
Aug 05 19:32:10 libunbound[16444:0] notice: init module 2: iterator
sigok.verteiltesysteme.net has address 134.91.78.139 (secure)
sigok.verteiltesysteme.net has IPv6 address 2001:638:501:8efc::139 (secure)
sigok.verteiltesysteme.net has no mail handler record (secure)

[root@test_instance unbound]# unbound-host -C /etc/unbound/unbound.conf -v sigfail.verteiltesysteme.net
Aug 05 19:32:17 libunbound[16445:0] notice: init module 0: ipsecmod
Aug 05 19:32:17 libunbound[16445:0] notice: init module 1: validator
Aug 05 19:32:17 libunbound[16445:0] notice: init module 2: iterator
sigfail.verteiltesysteme.net has address 134.91.78.139 (BOGUS (security failure))
validation failure <sigfail.verteiltesysteme.net. A IN>: misc failure
sigfail.verteiltesysteme.net has IPv6 address 2001:638:501:8efc::139 (BOGUS (security failure))
validation failure <sigfail.verteiltesysteme.net. AAAA IN>: misc failure
sigfail.verteiltesysteme.net has no mail handler record (secure)

other testing:

  • dig +dnssec <name> - sets the DO bit so RRSIGs come back. Look for ad in the flags; a validating resolver answers SERVFAIL (no ad, no data) for a bogus name.
  • dig +dnssec +cd <name> - CD (checking disabled) tells the resolver to skip validation and hand the data back EVEN IF validation would fail; useful for seeing what a bogus answer actually contains.
  • drill -D <name> does the same as dig +dnssec; drill -S -k <trust-anchor-file> <name> chases the signature chain up to the trust anchor.

Architecture

2020-08-12

Architecture review, just in case:

  • All servers have unbound installed.
  • Unbound forwards requests for 10.in-addr.arpa (reverse), pvt.xdr*.accenturefederalcyber.com to the resolver endpoints.
  • Unbound forwards requests to *.amazonaws.com to the local DNS endpoint (169.254.169.253).
  • Non-resolver-* instances forward all other requests ("." in unbound terms) to the resolver-* instances.
  • resolver-* instances handle everything else themselves, with egress via an EIP (per xdr.conf above, "." is forwarded to 8.8.8.8 / 8.8.4.4, which return RRSIGs so unbound can validate).

Good tests:

  • host sigok.verteiltesysteme.net should return addresses.
  • host sigfail.verteiltesysteme.net should return nothing (SERVFAIL); if it resolves, validation is off.
  • Tests against msoc.defpoint.local should work on legacy systems, but not on new systems (still questioning whether we should pay $180/mo to fix this).
  • Other tests possible. See DNSSEC Notes.md in brad's repo.
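The flag and status checks from the Testing section, and the sigok/sigfail pair in the good tests above, as an added shell example that is not from the original notes: it classifies a dig +dnssec answer from its header (secure / insecure / bogus / unvalidated with +cd), counts the RRSIGs in the answer, and turns the sigok/sigfail pair into one "is this resolver validating?" verdict. The dig outputs are constructed samples in dig's output format (addresses as on this page; RRSIG fields are placeholders), not captures from the resolver instances.

```shell
#!/bin/sh
# Added example, not from the original notes: classify a "dig +dnssec"
# answer by its header status and flags, and combine the sigok/sigfail
# results into a validation verdict. The dig outputs below are CONSTRUCTED
# samples in dig's format, not captures; RRSIG fields are placeholders.

# classify_dig_output: reads dig output on stdin and prints one word:
#   secure       NOERROR with the ad flag: the resolver validated the answer
#   insecure     NOERROR without ad: unsigned zone, or a non-validating resolver
#   unvalidated  query carried cd (dig +cd): the resolver skipped validation
#   bogus        SERVFAIL without cd: validation failed (or the upstream is
#                down; re-run with +cd, and if data comes back it was bogus)
#   failed       SERVFAIL even with cd: the upstream really is broken
#   other        any other status (NXDOMAIN, REFUSED, ...)
classify_dig_output() {
    dig_out=$(cat)
    dig_status=$(printf '%s\n' "$dig_out" |
        sed -n 's/^;; ->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*/\1/p')
    dig_flags=$(printf '%s\n' "$dig_out" |
        sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p')
    has_cd=no; has_ad=no
    case " $dig_flags " in *" cd "*) has_cd=yes ;; esac
    case " $dig_flags " in *" ad "*) has_ad=yes ;; esac
    case "$dig_status" in
        NOERROR)
            if [ "$has_cd" = yes ]; then echo unvalidated
            elif [ "$has_ad" = yes ]; then echo secure
            else echo insecure; fi ;;
        SERVFAIL)
            if [ "$has_cd" = yes ]; then echo failed; else echo bogus; fi ;;
        *) echo other ;;
    esac
}

# rrsig_count: number of RRSIG records in the ANSWER SECTION of dig output
# on stdin (0 when dig ran without +dnssec, or the zone is unsigned).
rrsig_count() {
    printf '%s\n' "$(cat)" |
        sed -n '/^;; ANSWER SECTION:/,/^$/p' |
        grep -c 'IN[[:space:]]*RRSIG' || true
}

# resolver_validates OK_CLASS FAIL_CLASS: succeeds only when sigok validated
# AND sigfail was refused; sigfail resolving means validation is off.
resolver_validates() {
    [ "$1" = secure ] && [ "$2" = bogus ]
}

# Constructed sample: sigok through a validating resolver.
SIGOK_OUTPUT='; <<>> DiG 9.11.4 <<>> +dnssec sigok.verteiltesysteme.net
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
sigok.verteiltesysteme.net. 60 IN A 134.91.78.139
sigok.verteiltesysteme.net. 60 IN RRSIG A 8 3 60 20200901000000 20200801000000 4242 verteiltesysteme.net. (signature elided)'

# Constructed sample: sigfail through a validating resolver.
SIGFAIL_OUTPUT='; <<>> DiG 9.11.4 <<>> +dnssec sigfail.verteiltesysteme.net
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Constructed sample: sigfail with +cd, so the bogus data is handed back.
SIGFAIL_CD_OUTPUT='; <<>> DiG 9.11.4 <<>> +dnssec +cd sigfail.verteiltesysteme.net
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
sigfail.verteiltesysteme.net. 60 IN A 134.91.78.139
sigfail.verteiltesysteme.net. 60 IN RRSIG A 8 3 60 20200901000000 20200801000000 4243 verteiltesysteme.net. (signature elided)'

# Stand-alone run over the samples. Against a live resolver, pipe dig in:
#   dig +dnssec @127.0.0.1 sigok.verteiltesysteme.net | classify_dig_output
ok=$(printf '%s\n' "$SIGOK_OUTPUT" | classify_dig_output)
fail=$(printf '%s\n' "$SIGFAIL_OUTPUT" | classify_dig_output)
echo "sigok: $ok ($(printf '%s\n' "$SIGOK_OUTPUT" | rrsig_count) RRSIG)  sigfail: $fail"
if resolver_validates "$ok" "$fail"; then echo "resolver validates"; else echo "resolver NOT validating"; fi
```

The bogus/failed split is the practical caveat: a bare SERVFAIL on sigfail is what you want, but SERVFAIL on everything just means the upstream is unreachable, so check a +cd query (or sigok) before blaming validation.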