[thirdparty/pdns.git] / docs / dnssec / modes-of-operation.rst

DNSSEC Modes of Operation
=========================

Traditionally, DNSSEC signatures have been added to unsigned zones, and
then this signed zone could be served by any DNSSEC capable
authoritative server. PowerDNS supports this mode fully.

In addition, PowerDNS supports taking care of the signing itself, in
which case PowerDNS operates differently from most tutorials and
handbooks. This mode is easier however.

For relevant tradeoffs, please see :doc:`../security` and
:doc:`../performance`.

.. _dnssec-online-signing:

Online Signing
--------------

In the simplest situation, there is a single "SQL" database that
contains, in separate tables, all domain data, keying material and other
DNSSEC related settings.

This database is then replicated to all PowerDNS instances, which all
serve identical records, keys and signatures.

In this mode of operation, care should be taken that the database
replication occurs over a secure network, or over an encrypted
connection. This is because keying material, if intercepted, could be
used to counterfeit DNSSEC data using the original keys.

Such a single replicated database requires no further attention beyond
monitoring already required during non-DNSSEC operations.

Records, Keys, signatures, hashes within PowerDNS in online signing mode
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Within PowerDNS live signing, keys are stored separately from the zone
records. Zone data are only combined with signatures and keys when
requests come in over the internet.

Each zone can have a number of keys associated with it, with varying key
lengths. Typically 1 or at most 2 of these keys are employed as actual
Zone Signing Keys (ZSKs). During normal operations, this means that only
1 ZSK is 'active', and the other is inactive.

Should it be desired to 'roll over' to a new key, both keys can
temporarily be active (and used for signing), and after a while the old
key can be inactivated. Subsequently it can be removed.

As elucidated above, there are several ways in which DNSSEC can deny the
existence of a record, and this setting too is stored away from zone
records, and lives with the DNSSEC keying material.

(Hashed) Denial of Existence
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

PowerDNS supports unhashed secure denial of existence using NSEC
records. These are generated with the help of the (database) backend,
which needs to be able to supply the 'previous' and 'next' records in
canonical ordering.

The Generic SQL Backends have fields that allow them to supply these
relative record names.

In addition, hashed secure denial of existence is supported using NSEC3
records, in two modes, one with help from the database, the other with
the help of some additional calculations.

NSEC3 in 'broad' or 'inclusive' mode works with the aid of the backend,
where the backend should be able to supply the previous and next domain
names in hashed order.

NSEC3 in 'narrow' mode uses additional hashing calculations to provide
hashed secure denial of existence 'on the fly', without further
involving the database.

.. _dnssec-signatures:

Signatures
~~~~~~~~~~

In PowerDNS live signing mode, signatures, as served through RRSIG
records, are calculated on the fly, and heavily cached. All CPU cores
are used for the calculation.

RRSIGs have a validity period, in PowerDNS by default this period starts
at most a week in the past, and continues at least a week into the
future.

Precisely speaking, the time period used is always from the start of the
previous Thursday until the Thursday two weeks later. This two-week
interval jumps with one-week increments every Thursday.

.. note::
  Why Thursday? POSIX-based operating systems count the time
  since GMT midnight January 1st of 1970, which was a Thursday. PowerDNS
  inception/expiration times are generated based on an integral number of
  weeks having passed since the start of the 'epoch'.

PowerDNS also serves the DNSKEY records in live-signing mode. Their TTL
is derived from the SOA records *minimum* field. When using NSEC3, the
TTL of the NSEC3PARAM record is also derived from that field.

Pre-signed records
------------------

In this mode, PowerDNS serves zones that already contain DNSSEC records.
Such zones can either be slaved from a remote master, or can be signed
using tools like OpenDNSSEC, ldns-signzone or dnssec-signzone.

Even in this mode, PowerDNS will synthesize NSEC(3) records itself
because of its architecture. RRSIGs of these NSEC(3) will still need to
be imported. See the :ref:`Presigned migration guide <dnssec-migration-presigned>`.

Front-signing
-------------

As a special feature, PowerDNS can operate as a signing server which
operates as a slave to an unsigned master.

In this way, if keying material is available for an unsigned zone that
is retrieved from a master server, this keying material will be used
when serving data from this zone.

As part of the zone retrieval, the equivalent of
``pdnsutil rectify-zone`` is run to make sure that all DNSSEC-related
fields are set correctly in the backend.

Signed AXFR
-----------

An outgoing zone transfer from a signing master contains all information
required for the receiving party to rectify the zone without knowing the
keys, such as signed NSEC3 records for empty non-terminals. The zone is
not required to be rectified on the master.

Signatures and Hashing is similar as described in :ref:`dnssec-online-signing`.

BIND-mode operation
-------------------

The :doc:`bindbackend <../backends/bind>` can manage keys in an
SQLite3 database without launching a separate gsqlite3 backend.

To use this mode, add
``bind-dnssec-db=/var/db/bind-dnssec-db.sqlite3`` to pdns.conf, and run
``pdnsutil create-bind-db /var/db/bind-dnssec-db.sqlite3``. Then,
restart PowerDNS.

After this, you can use ``pdnsutil secure-zone`` and all other pdnsutil
commands on your BIND zones without trouble.

.. _dnssec-modes-hybrid-bind:

Hybrid BIND-mode operation
--------------------------

PowerDNS can also operate based on 'BIND'-style zone & configuration
files. This 'bindbackend' has full knowledge of DNSSEC, but has no
native way of storing keying material.

However, since PowerDNS supports operation with multiple simultaneous
backends, this is not a problem.

In hybrid mode, keying material and zone records are stored in different
backends. This allows for 'bindbackend' operation in full DNSSEC mode.

To benefit from this mode, include at least one database-based backend
in the 'launch' statement. The :doc:`SQLite 3 backend <../backends/generic-sqlite3>` probably complements BIND mode
best, since it does not require a database server process.

.. warning::
  For now, it is necessary to execute a manual SQL 'insert'
  into the domains table of the backend hosting the keying material. This
  is needed to generate a zone-id for the relevant domain. Sample SQL
  statement::

      insert into domains (name, type) values ('powerdnssec.org', 'NATIVE');
Commit	Line	Data
0e2063c3 PL	1	DNSSEC Modes of Operation
	2	=========================
	3
	4	Traditionally, DNSSEC signatures have been added to unsigned zones, and
	5	then this signed zone could be served by any DNSSEC capable
	6	authoritative server. PowerDNS supports this mode fully.
	7
	8	In addition, PowerDNS supports taking care of the signing itself, in
	9	which case PowerDNS operates differently from most tutorials and
	10	handbooks. This mode is easier however.
	11
	12	For relevant tradeoffs, please see :doc:`../security` and
	13	:doc:`../performance`.
	14
	15	.. _dnssec-online-signing:
	16
	17	Online Signing
	18	--------------
	19
	20	In the simplest situation, there is a single "SQL" database that
	21	contains, in separate tables, all domain data, keying material and other
	22	DNSSEC related settings.
	23
	24	This database is then replicated to all PowerDNS instances, which all
	25	serve identical records, keys and signatures.
	26
	27	In this mode of operation, care should be taken that the database
	28	replication occurs over a secure network, or over an encrypted
	29	connection. This is because keying material, if intercepted, could be
	30	used to counterfeit DNSSEC data using the original keys.
	31
	32	Such a single replicated database requires no further attention beyond
	33	monitoring already required during non-DNSSEC operations.
	34
	35	Records, Keys, signatures, hashes within PowerDNS in online signing mode
	36	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	37
	38	Within PowerDNS live signing, keys are stored separately from the zone
	39	records. Zone data are only combined with signatures and keys when
	40	requests come in over the internet.
	41
	42	Each zone can have a number of keys associated with it, with varying key
	43	lengths. Typically 1 or at most 2 of these keys are employed as actual
	44	Zone Signing Keys (ZSKs). During normal operations, this means that only
	45	1 ZSK is 'active', and the other is inactive.
	46
	47	Should it be desired to 'roll over' to a new key, both keys can
	48	temporarily be active (and used for signing), and after a while the old
	49	key can be inactivated. Subsequently it can be removed.
	50
	51	As elucidated above, there are several ways in which DNSSEC can deny the
	52	existence of a record, and this setting too is stored away from zone
	53	records, and lives with the DNSSEC keying material.
	54
	55	(Hashed) Denial of Existence
	56	~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	57
	58	PowerDNS supports unhashed secure denial of existence using NSEC
	59	records. These are generated with the help of the (database) backend,
	60	which needs to be able to supply the 'previous' and 'next' records in
	61	canonical ordering.
	62
	63	The Generic SQL Backends have fields that allow them to supply these
	64	relative record names.
65
66	In addition, hashed secure denial of existence is supported using NSEC3
67	records, in two modes, one with help from the database, the other with
68	the help of some additional calculations.
69
70	NSEC3 in 'broad' or 'inclusive' mode works with the aid of the backend,
71	where the backend should be able to supply the previous and next domain
72	names in hashed order.
73
74	NSEC3 in 'narrow' mode uses additional hashing calculations to provide
75	hashed secure denial of existence 'on the fly', without further
76	involving the database.
77
78	.. _dnssec-signatures:
79
80	Signatures
81	~~~~~~~~~~
82
83	In PowerDNS live signing mode, signatures, as served through RRSIG
84	records, are calculated on the fly, and heavily cached. All CPU cores
85	are used for the calculation.
86
87	RRSIGs have a validity period, in PowerDNS by default this period starts
88	at most a week in the past, and continues at least a week into the
89	future.
90
91	Precisely speaking, the time period used is always from the start of the
92	previous Thursday until the Thursday two weeks later. This two-week
93	interval jumps with one-week increments every Thursday.
94
95	.. note::
96	Why Thursday? POSIX-based operating systems count the time
97	since GMT midnight January 1st of 1970, which was a Thursday. PowerDNS
98	inception/expiration times are generated based on an integral number of
99	weeks having passed since the start of the 'epoch'.
100
101	PowerDNS also serves the DNSKEY records in live-signing mode. Their TTL
102	is derived from the SOA records minimum field. When using NSEC3, the
103	TTL of the NSEC3PARAM record is also derived from that field.
104
105	Pre-signed records
106	------------------
107
108	In this mode, PowerDNS serves zones that already contain DNSSEC records.
109	Such zones can either be slaved from a remote master, or can be signed
110	using tools like OpenDNSSEC, ldns-signzone or dnssec-signzone.
111
112	Even in this mode, PowerDNS will synthesize NSEC(3) records itself
113	because of its architecture. RRSIGs of these NSEC(3) will still need to
114	be imported. See the :ref:`Presigned migration guide <dnssec-migration-presigned>`.
115
116	Front-signing
117	-------------
118
119	As a special feature, PowerDNS can operate as a signing server which
120	operates as a slave to an unsigned master.
121
122	In this way, if keying material is available for an unsigned zone that
123	is retrieved from a master server, this keying material will be used
124	when serving data from this zone.
125
126	As part of the zone retrieval, the equivalent of
127	``pdnsutil rectify-zone`` is run to make sure that all DNSSEC-related
128	fields are set correctly in the backend.
129
130	Signed AXFR
131	-----------
132
133	An outgoing zone transfer from a signing master contains all information
134	required for the receiving party to rectify the zone without knowing the
135	keys, such as signed NSEC3 records for empty non-terminals. The zone is
136	not required to be rectified on the master.
137
138	Signatures and Hashing is similar as described in :ref:`dnssec-online-signing`.
139
140	BIND-mode operation
141	-------------------
142
143	The :doc:`bindbackend <../backends/bind>` can manage keys in an
144	SQLite3 database without launching a separate gsqlite3 backend.
145
146	To use this mode, add
147	``bind-dnssec-db=/var/db/bind-dnssec-db.sqlite3`` to pdns.conf, and run
148	``pdnsutil create-bind-db /var/db/bind-dnssec-db.sqlite3``. Then,
149	restart PowerDNS.
150
151	After this, you can use ``pdnsutil secure-zone`` and all other pdnsutil
152	commands on your BIND zones without trouble.
153
154	.. _dnssec-modes-hybrid-bind:
155
156	Hybrid BIND-mode operation
157	--------------------------
158
159	PowerDNS can also operate based on 'BIND'-style zone & configuration
160	files. This 'bindbackend' has full knowledge of DNSSEC, but has no
161	native way of storing keying material.
162
163	However, since PowerDNS supports operation with multiple simultaneous
164	backends, this is not a problem.
165
166	In hybrid mode, keying material and zone records are stored in different
167	backends. This allows for 'bindbackend' operation in full DNSSEC mode.
168
169	To benefit from this mode, include at least one database-based backend
170	in the 'launch' statement. The :doc:`SQLite 3 backend <../backends/generic-sqlite3>` probably complements BIND mode
171	best, since it does not require a database server process.
172
173	.. warning::
174	For now, it is necessary to execute a manual SQL 'insert'
175	into the domains table of the backend hosting the keying material. This
176	is needed to generate a zone-id for the relevant domain. Sample SQL
177	statement::
178
179	insert into domains (name, type) values ('powerdnssec.org', 'NATIVE');