]>
Commit | Line | Data |
---|---|---|
0e2063c3 PL |
1 | DNSSEC Modes of Operation |
2 | ========================= | |
3 | ||
4 | Traditionally, DNSSEC signatures have been added to unsigned zones, and | |
5 | then this signed zone could be served by any DNSSEC capable | |
6 | authoritative server. PowerDNS supports this mode fully. | |
7 | ||
8 | In addition, PowerDNS supports taking care of the signing itself, in | |
9 | which case PowerDNS operates differently from most tutorials and | |
10 | handbooks. This mode is easier however. | |
11 | ||
12 | For relevant tradeoffs, please see :doc:`../security` and | |
13 | :doc:`../performance`. | |
14 | ||
15 | .. _dnssec-online-signing: | |
16 | ||
17 | Online Signing | |
18 | -------------- | |
19 | ||
20 | In the simplest situation, there is a single "SQL" database that | |
21 | contains, in separate tables, all domain data, keying material and other | |
22 | DNSSEC related settings. | |
23 | ||
24 | This database is then replicated to all PowerDNS instances, which all | |
25 | serve identical records, keys and signatures. | |
26 | ||
27 | In this mode of operation, care should be taken that the database | |
28 | replication occurs over a secure network, or over an encrypted | |
29 | connection. This is because keying material, if intercepted, could be | |
30 | used to counterfeit DNSSEC data using the original keys. | |
31 | ||
32 | Such a single replicated database requires no further attention beyond | |
33 | monitoring already required during non-DNSSEC operations. | |
34 | ||
35 | Records, Keys, signatures, hashes within PowerDNS in online signing mode | |
36 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
37 | ||
38 | Within PowerDNS live signing, keys are stored separately from the zone | |
39 | records. Zone data are only combined with signatures and keys when | |
40 | requests come in over the internet. | |
41 | ||
42 | Each zone can have a number of keys associated with it, with varying key | |
43 | lengths. Typically 1 or at most 2 of these keys are employed as actual | |
44 | Zone Signing Keys (ZSKs). During normal operations, this means that only | |
45 | 1 ZSK is 'active', and the other is inactive. | |
46 | ||
47 | Should it be desired to 'roll over' to a new key, both keys can | |
48 | temporarily be active (and used for signing), and after a while the old | |
49 | key can be inactivated. Subsequently it can be removed. | |
50 | ||
51 | As elucidated above, there are several ways in which DNSSEC can deny the | |
52 | existence of a record, and this setting too is stored away from zone | |
53 | records, and lives with the DNSSEC keying material. | |
54 | ||
55 | (Hashed) Denial of Existence | |
56 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
57 | ||
58 | PowerDNS supports unhashed secure denial of existence using NSEC | |
59 | records. These are generated with the help of the (database) backend, | |
60 | which needs to be able to supply the 'previous' and 'next' records in | |
61 | canonical ordering. | |
62 | ||
63 | The Generic SQL Backends have fields that allow them to supply these | |
64 | relative record names. | |
65 | ||
66 | In addition, hashed secure denial of existence is supported using NSEC3 | |
67 | records, in two modes, one with help from the database, the other with | |
68 | the help of some additional calculations. | |
69 | ||
70 | NSEC3 in 'broad' or 'inclusive' mode works with the aid of the backend, | |
71 | where the backend should be able to supply the previous and next domain | |
72 | names in hashed order. | |
73 | ||
74 | NSEC3 in 'narrow' mode uses additional hashing calculations to provide | |
75 | hashed secure denial of existence 'on the fly', without further | |
76 | involving the database. | |
77 | ||
78 | .. _dnssec-signatures: | |
79 | ||
80 | Signatures | |
81 | ~~~~~~~~~~ | |
82 | ||
83 | In PowerDNS live signing mode, signatures, as served through RRSIG | |
84 | records, are calculated on the fly, and heavily cached. All CPU cores | |
85 | are used for the calculation. | |
86 | ||
87 | RRSIGs have a validity period, in PowerDNS by default this period starts | |
88 | at most a week in the past, and continues at least a week into the | |
89 | future. | |
90 | ||
91 | Precisely speaking, the time period used is always from the start of the | |
92 | previous Thursday until the Thursday two weeks later. This two-week | |
93 | interval jumps with one-week increments every Thursday. | |
94 | ||
95 | .. note:: | |
96 | Why Thursday? POSIX-based operating systems count the time | |
97 | since GMT midnight January 1st of 1970, which was a Thursday. PowerDNS | |
98 | inception/expiration times are generated based on an integral number of | |
99 | weeks having passed since the start of the 'epoch'. | |
100 | ||
101 | PowerDNS also serves the DNSKEY records in live-signing mode. Their TTL | |
102 | is derived from the SOA records *minimum* field. When using NSEC3, the | |
103 | TTL of the NSEC3PARAM record is also derived from that field. | |
104 | ||
105 | Pre-signed records | |
106 | ------------------ | |
107 | ||
108 | In this mode, PowerDNS serves zones that already contain DNSSEC records. | |
109 | Such zones can either be slaved from a remote master, or can be signed | |
110 | using tools like OpenDNSSEC, ldns-signzone or dnssec-signzone. | |
111 | ||
112 | Even in this mode, PowerDNS will synthesize NSEC(3) records itself | |
113 | because of its architecture. RRSIGs of these NSEC(3) will still need to | |
114 | be imported. See the :ref:`Presigned migration guide <dnssec-migration-presigned>`. | |
115 | ||
116 | Front-signing | |
117 | ------------- | |
118 | ||
119 | As a special feature, PowerDNS can operate as a signing server which | |
120 | operates as a slave to an unsigned master. | |
121 | ||
122 | In this way, if keying material is available for an unsigned zone that | |
123 | is retrieved from a master server, this keying material will be used | |
124 | when serving data from this zone. | |
125 | ||
126 | As part of the zone retrieval, the equivalent of | |
127 | ``pdnsutil rectify-zone`` is run to make sure that all DNSSEC-related | |
128 | fields are set correctly in the backend. | |
129 | ||
130 | Signed AXFR | |
131 | ----------- | |
132 | ||
133 | An outgoing zone transfer from a signing master contains all information | |
134 | required for the receiving party to rectify the zone without knowing the | |
135 | keys, such as signed NSEC3 records for empty non-terminals. The zone is | |
136 | not required to be rectified on the master. | |
137 | ||
138 | Signatures and Hashing is similar as described in :ref:`dnssec-online-signing`. | |
139 | ||
140 | BIND-mode operation | |
141 | ------------------- | |
142 | ||
143 | The :doc:`bindbackend <../backends/bind>` can manage keys in an | |
144 | SQLite3 database without launching a separate gsqlite3 backend. | |
145 | ||
146 | To use this mode, add | |
147 | ``bind-dnssec-db=/var/db/bind-dnssec-db.sqlite3`` to pdns.conf, and run | |
148 | ``pdnsutil create-bind-db /var/db/bind-dnssec-db.sqlite3``. Then, | |
149 | restart PowerDNS. | |
150 | ||
151 | After this, you can use ``pdnsutil secure-zone`` and all other pdnsutil | |
152 | commands on your BIND zones without trouble. | |
153 | ||
154 | .. _dnssec-modes-hybrid-bind: | |
155 | ||
156 | Hybrid BIND-mode operation | |
157 | -------------------------- | |
158 | ||
159 | PowerDNS can also operate based on 'BIND'-style zone & configuration | |
160 | files. This 'bindbackend' has full knowledge of DNSSEC, but has no | |
161 | native way of storing keying material. | |
162 | ||
163 | However, since PowerDNS supports operation with multiple simultaneous | |
164 | backends, this is not a problem. | |
165 | ||
166 | In hybrid mode, keying material and zone records are stored in different | |
167 | backends. This allows for 'bindbackend' operation in full DNSSEC mode. | |
168 | ||
169 | To benefit from this mode, include at least one database-based backend | |
170 | in the 'launch' statement. The :doc:`SQLite 3 backend <../backends/generic-sqlite3>` probably complements BIND mode | |
171 | best, since it does not require a database server process. | |
172 | ||
173 | .. warning:: | |
174 | For now, it is necessary to execute a manual SQL 'insert' | |
175 | into the domains table of the backend hosting the keying material. This | |
176 | is needed to generate a zone-id for the relevant domain. Sample SQL | |
177 | statement:: | |
178 | ||
179 | insert into domains (name, type) values ('powerdnssec.org', 'NATIVE'); |