DNSSEC what an interesting and not easy journey

5 posts / 0 new
Last post
#1 Thu, 05/14/2015 - 10:25
Diabolico
Diabolico's picture

DNSSEC what an interesting and not easy journey

Everything started with errors in named logs
... no valid signature found
... Unable to fetch DNSKEY set 'dlv.isc.org': SERVFAIL

and this few lines in named.conf:
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;

what is the result of default setting from Vmin.

So i decided to check what actually is dnssec and what i can get from that. First search results based on logs didnt bring too much informations aside of how to disable dnssec in named.conf. How i was not happy with option "turn it off and move on" i went to read what is actually dnssec and found many interesting things. But one what caught my attention was "man-in-the-middle attack", DNS cache poisoning, spoofing, redirection and information harvesting. So reading more about this subject there is really valid point - your domain (and website) because of how DNS works is not secure at all, well at least not how i would like. Some of us spend a lot of time in hardening our servers but whatever we do our DNS will still be left open for such attacks.

To help people understand how this attacks works you can watch this video, simple explanation what everyone can understand: https://youtu.be/p4cehmHRUmw

Not happy with what i found i decided to take this journey and actually learn from zero what is dnssec and how i could implement on my domains. I was able to successfully sign all my domains but it was not easy. Only few (really just few of them) domain registrars offer this option inside user control panel, sadly Namecheap still didnt apply this feature to the user cp. But to be fair after i opened a ticket they did this manually for me and show me one more time why i have all my domains with them.

To not make this topic only my bragging how i mange to sort dnssec here is step by step instructions how you can do the same. Tested on Centos 7 with .com domains (keep in mind not all tld can accept dnssec at this moment):

------

Before we start i need to warn you this is huge time consuming process and i would like to suggest to prepare for that, coffee, movies or some other activity will come handy if you want to keep your sanity intact. :)

------

Check your named.conf for this lines if they are there if not c/p inside options { ... };
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;

------

Use Putty (or any other SSH client), navigate to your named folder cd /var/named/ and there should be your zone files, yourdomain1.com.hosts, yourdomain2.com.hosts ... For this example i will just explain how to do with one domain but you can use same info to create dnssec for all your domains.

------

Now is time to make our first key - Zone Signing Key (ZSK), and dont forget to stay in /var/named/ folder:

dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE yourdomain1.com

For this key probably one or two cigarettes will be enough and you should see on your screen:
Generating key pair......................++ ..................
Once done you will be presented with two new files:
Kyourdomain1.com.+007+XXXXX.key
Kyourdomain1.com.+007+XXXXX.private

where XXXXX will be a generated number and same for both files.

------

Next step is to create another key - Key Signing Key (KSK), we are still in same folder /var/named/:

dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE yourdomain1.com

Here is when everything start to move really slow and to make this key it could take from 15-30 min up to 3-4 hours. I found some advice that if you install Haveged it could speed up a lot this process but in my case didnt help.

The process will start same as one before but it will go for really long time and my suggestion is to turn on a movie or just spend somehow your time:

Generating key pair......................++ ..................

When done you will have another two new files:
Kyourdomain1.com.+007+XXXXX.key
Kyourdomain1.com.+007+XXXXX.private

where XXXXX will be a generated number and same for both files but not same as two before. How you can tell the difference between this two: ZSK keys are much smaller in size than KSK or open both .key files and you will see at the top what key is what.

------

! ! ! Please before next step make local copy of your yourdomain1.com.hosts file because one little mistake in next code could wipe out your zone file ! ! !
Time to add our keys to zone file, e.g. yourdomain1.com.hosts (press "enter" after each line):

for key in `ls Kyourdomain1.com*.key`
do
echo "\$INCLUDE $key">> yourdomain1.com.hosts
done

This will copy both keys in your zone file. They will not be visible when you go to Vmin and open DNS but if you click on "Manually Edit Records" or open your zone file you can see them at the bottom.

------

Go to dlv.isc.org and create new account. Once done go to Manage Zone - Add a zone - put your domain. After that you will be asked to "Add Record", that means you will need to copy/paste your content from Kyourdomain1.com.+007+XXXXX.key files. Doesnt matter what key you will pick up first as we will go to insert both of them.
Open first Kyourdomain1.com.+007+XXXXX.key file and copy everything from yourdomain1.com.IN DNSKEY....... to the end of the long code. Once done you will get error that the key is not validated and at the bottom of the page you will see a TXT record to add to your DNS. Just make a local copy of that TXT record and proceed with second key. Next to "DNSKEY Records" you will see "(add)", click on that and insert second key. Again you will be offered with new TXT record and now is time to insert both of them in your current DNS over Vmin or manually in your yourdomain1.com.hosts file. If you do manually both TXT records must be before the keys we already copied in our zone file.

------

Sign the zone with:

dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o yourdomain1.com -t yourdomain1.com.hosts

This will create another two new files yourdomain1.com.hosts.signed and dsset-yourdomain1.com..

------

Open your /etc/named.conf file and under zone "yourdomain1.com" { ... change file "/var/named/yourdomain1.com.hosts"; to file "/var/named/yourdomain1.com.hosts.signed";.

Restart DNS with systemctl restart named

------

Now back to dlv.isc.org and you will see two entries under "DNSKEY Records". Click "(details) and on new page "(request re-check)". Do that for both keys. If you did everything good you should have both keys with good status.

------

I didnt notice anything bad if you keep both TXT records we insert before in your DNS but better to remove them (even dlv.isc.org recomend same thing).

You can do that in two ways, one is to manually edit yourdomain1.com.hosts and another way is to change your /etc/named.conf back to file "/var/named/yourdomain1.com.hosts"; make a change with Vmin and then revert back to file "/var/named/yourdomain1.com.hosts.signed";.

Whatever solution you take is ok and if you feel more safe to make a change over Vmin do it in this way.

Once you deleted both TXT records run again:

dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o yourdomain1.com -t yourdomain1.com.hosts

Remember every time when you want to change your DNS you MUST do this in your yourdomain1.com.hosts and NOT yourdomain1.com.hosts.signed. To make it clear - every change in your DNS you must sign your zone again. Lucky this will take only 1-2 min to finish the job.

------

Believe or not we are almost done. Time to check if everything is ok. Got to http://dnssec-debugger.verisignlabs.com/ and check your domain. If you did everything properly only red cross should be next to No DS records found for yourdomain1.com in the com zone and that part must be done by your domain registrar.

------

Check if your domain registrar have this option in your domain control panel if not you will need to ask him to manually make the change. For that you will need to send him data from your dsset-yourdomain1.com. file and is asked what algorithm - RSASHA1-NSEC3-SHA1 (7).

------

PLEASE TO AVOID ANY STRESSFUL SITUATION TEST THIS ON NON-PRODUCTION SERVER AND KEEP IN MIND THAT MY TEST WAS DONE ON CENTOS 7. THERE IS NO GUARANTEE THAT ON OTHER DISTRO WILL WORK AND YOUR DOMAIN REGISTRAR COULD REJECT TO DO THIS MANUALLY. IF YOU GOT YOUR DOMAIN FROM HOSTING COMPANY THE CHANCE THEY WILL DO THIS IS ALMOST ZERO AS THEY ARE JUST RESELLERS.

Wed, 01/04/2017 - 12:06
Miker1029

Hey,

As I'm still in the Learning stages of Linux (CentOs 7 Server on a VPS), When I went to do the "dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE yourdomain1.com" It pretty much looked like it Locked up....I let it sit for a couple hours and not even a "-" was printed while it was "generating"

I had to install RGN-TOOLS and Increase My Entropy from 46 to 4096, and the step completed in a matter of 1 Second....

Here's a Link to what I did.

https://redhatlinux.guru/index.php/2016/04/03/increase-system-entropy-on...

If this is incorrect or anything my apologies, it fixed my problem, also I had to reboot the server for it to take effect, Not mentioned on the Linked page.

Mike

Wed, 01/04/2017 - 12:12
Miker1029

Also I installed "HAVEGED" before I did the RND-TOOLS, as you said....

Mike

Sun, 01/08/2017 - 00:50
Diabolico
Diabolico's picture

This tutorial is still usable but little outdated, plus in mean time i added cron job to refresh the zone every X days. Some things changed from my post so people should not blindly follow my instructions. I was thinking to update my original post but i need to find time for that.

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.

Sun, 01/08/2017 - 09:32
Miker1029

Ya a couple changes here and there it worked fine, Except Verisign Site said the Second Key wasn't matching the RSIS or some such, I had to restore a backup copy of the server as I'm working on another project on the server, so I'll post back if you want on what I do when I get what I'm working on now done, or give-up, whichever comes first..

Mike

Topic locked