Dnssec on Miek Gieben

DNSSEC Too Complex

Sat, 04 Nov 2023 15:18:59 +0100

Deploying DNSSEC.

Even though I co-authored RFC 4641, laying out how you should run DNSSEC - I think in retrospect that BCP is way too complex, ah the sin of youth.

You should (if you want to run DNSSEC) run with a single key (called common-signing-key; CSK) and never roll your keys. This is what CoreDNS’ sign plugin implements and what I use.

Also see this Mastodon post.

A Working Sign Plugin in CoreDNS

Sat, 03 Aug 2019 08:10:10 +0000

This sign plugin is working! I’m running it live for miek.nl on my servers to test it out. (See this branch or this one after it is merged into master.)

To use the sign plugin, I only need a few extra lines in my Corefile:

miek.nl {
    file /var/lib/coredns/db.miek.nl.signed
    sign /etc/coredns/zones/miek.nl {
        key file /etc/coredns/zones/keys/Kmiek.nl.+008+33694
        directory /var/lib/coredns
    }
}

This resigns the miek.nl zone ever so often. Logging will tell you what’s happening with your zonefile. In this case this it skips signing:

Signing in CoreDNS

Mon, 01 Jul 2019 17:27:12 +0000

I’m pondering adding a new plugin to CoreDNS that automatically signs DNS zones.

This new plugin will be called sign. I tried to prototype the README.md in that PR, as I like to start with the documentation when designing something new. It will do the bare minimum to give you “good DNSSEC” and will not implement key rollovers, nor the KSK/ZSK split. It will, however, add CDS records to your zone for easier interaction with your parent zone. Sign with a CSK, and use a proper new algorithm like ECDSA.

Starting with CoreDNS

Wed, 27 Apr 2016 07:30:39 +0100

This post talks you through getting and setting up CoreDNS with a small zone file that it will serve. CoreDNS is a nameserver that is very flexible because it can chain different kinds of middleware. From the README:

CoreDNS aims to be a fast and flexible DNS server. The keyword here is flexible, with CoreDNS you are able to do what you want with your DNS data. And if not: write a middleware!

Almost ready to dogfood CoreDNS

Mon, 28 Mar 2016 21:47:02 +0100

CoreDNS is gaining more and more features, and bug #15, allowing CoreDNS to replace BIND9 in my home setup, is almost attainable. With a pre-signed DNSSEC zone (I just use CRON, don’t do key rollovers) and the following Corefile, CoreDNS is acting standards compliant already:

.:1053 {
    errors stdout
    log stdout
    file miek.nl.signed miek.nl {
        transfer out
    }

Start it, query it:

% dig @localhost -p 1053 SOA miek.nl +short
linode.atoom.net. miek.miek.nl. 1459138381 14400 3600 604800 14400

And! DNSSEC:

SkyDNS running live

Sat, 28 Jun 2014 09:02:00 +0000

SkyDNS is able to do DNSSEC. It generates signatures and NSEC3 records on the fly. For authenticated denial of existence SkyDNS uses NSEC3 white lies, of course implementing (and testing!) this isn’t completely trivial.

To aid in debugging I’ve setup a live version of SkyDNS on voordeur.atoom.net, under the name the zone http://dnssex.nl:

% dig +mul +noall +answer @voordeur.atoom.net soa skydns.dnssex.nl
skydns.dnssex.nl.    3600 IN SOA ns1.dns.skydns.dnssex.nl. hostmaster.skydns.local. (
                            1403942400 ; serial
                            28800      ; refresh (8 hours)
                            7200       ; retry (2 hours)
                            604800     ; expire (1 week)
                            60         ; minimum (1 minute)
                            )

To help getting DNSSEC support 100% working this zone has been delegated and has an DS record in the parent zone. With unbound-host you can see the validation status of this zone: