]>
Commit | Line | Data |
---|---|---|
223bb49e PL |
1 | DNSSEC in the PowerDNS Recursor |
2 | =============================== | |
3 | As of 4.0.0, the PowerDNS Recursor has support for DNSSEC processing and experimental support for DNSSEC validation. | |
4 | ||
879ab4fa PL |
5 | .. warning:: |
6 | The DNSSEC implementation in the PowerDNS Recursor 4.0.x is known to have deficiencies due to its original design. | |
7 | When doing DNSSEC validation, ensure you are running 4.1.0 or later which has a fully reworked (and correct) DNSSEC implementation. | |
8 | ||
223bb49e PL |
9 | DNSSEC settings |
10 | --------------- | |
11 | The PowerDNS Recursor has 5 different levels of DNSSEC processing, which can be set with the :ref:`setting-dnssec` setting in the ``recursor.conf``. | |
12 | In order from least to most processing, these are: | |
13 | ||
14 | ``off`` | |
15 | ^^^^^^^ | |
16 | In this mode, **no** DNSSEC processing takes place. | |
17 | The PowerDNS Recursor will not set the DNSSEC OK (DO) bit in the outgoing queries and will ignore the DO and AD bits in queries. | |
18 | In this mode, the behaviour is equal to the PowerDNS Recursor 3.X. | |
19 | ||
20 | ``process-no-validate`` | |
21 | ^^^^^^^^^^^^^^^^^^^^^^^ | |
22 | The default mode. | |
23 | ||
24 | In this mode the Recursor acts as a "security aware, non-validating" nameserver, meaning it will set the DO-bit on outgoing queries and will provide DNSSEC related RRsets (NSEC, RRSIG) to clients that ask for them (by means of a DO-bit in the query), except for zones provided through the ``auth-zones`` setting. | |
25 | It will not do any validation in this mode, not even when requested by the client. | |
26 | ||
27 | ``process`` | |
28 | ^^^^^^^^^^^ | |
29 | When :ref:`setting-dnssec` is set to ``process`` the behaviour is similar to `process-no-validate`_. | |
30 | However, the recursor will try to validate the data if at least one of the DO or AD bits is set in the query; | |
31 | in that case, it will set the AD-bit in the response when the data is validated successfully, or send SERVFAIL when the validation comes up bogus. | |
32 | ||
33 | ``log-fail`` | |
34 | ^^^^^^^^^^^^ | |
35 | In this mode, the recursor will attempt to validate all data it retrieves from authoritative servers, regardless of the client's DNSSEC desires, and will log the validation result. | |
36 | This mode can be used to determine the extra load and amount of possibly bogus answers before turning on full-blown validation. | |
37 | Responses to client queries are the same as with `process`_. | |
38 | ||
39 | ``validate`` | |
40 | ^^^^^^^^^^^^ | |
41 | The highest mode of DNSSEC processing. | |
42 | In this mode, all queries will be be validated and will be answered with a SERVFAIL in case of bogus data, regardless of the client's request. | |
43 | ||
44 | What, when? | |
45 | ^^^^^^^^^^^ | |
46 | The descriptions above are a bit terse, here's a table describing different scenarios with regards to the ``dnssec`` mode. | |
47 | ||
6cfa341d CH |
48 | +--------------+---------+-------------------------+---------------+---------------+---------------+ |
49 | | | ``off`` | ``process-no-validate`` | ``process`` | ``log-fail`` | ``validate`` | | |
50 | +==============+=========+=========================+===============+===============+===============+ | |
51 | | Perform | No | No | Only on +AD | Always (logs | Always | | |
52 | | validation | | | or +DO from | result) | | | |
53 | | | | | client | | | | |
54 | +--------------+---------+-------------------------+---------------+---------------+---------------+ | |
55 | | SERVFAIL on | No | No | Only on +AD | Only on +AD | Always | | |
56 | | bogus | | | or +DO from | or +DO from | | | |
57 | | | | | client | client | | | |
58 | +--------------+---------+-------------------------+---------------+---------------+---------------+ | |
59 | | AD in | Never | Never | Only on +AD | Only on +AD | Only on +AD | | |
60 | | response on | | | or +DO from | or +DO from | or +DO from | | |
61 | | authenticate | | | client | client | client | | |
62 | | d | | | | | | | |
63 | | data | | | | | | | |
64 | +--------------+---------+-------------------------+---------------+---------------+---------------+ | |
65 | | RRSIGs/NSECs | No | Yes | Yes | Yes | Yes | | |
66 | | in answer on | | | | | | | |
67 | | +DO from | | | | | | | |
68 | | client | | | | | | | |
69 | +--------------+---------+-------------------------+---------------+---------------+---------------+ | |
223bb49e PL |
70 | |
71 | **Note**: the ``dig`` tool sets the AD-bit in the query. | |
72 | This might lead to unexpected query results when testing. | |
73 | Set ``+noad`` on the ``dig`` commandline when this is the case. | |
74 | ||
e8e5667b CH |
75 | **Note**: the CD-bit is honored correctly for ``process`` and |
76 | ``validate``. For ``log-fail``, failures will be logged too. | |
77 | ||
223bb49e PL |
78 | Trust Anchor Management |
79 | ----------------------- | |
80 | In the PowerDNS Recursor, both positive and negative trust anchors can be configured during startup (from a persistent configuration file) and at runtime (which is volatile). | |
81 | However, all trust anchors are configurable. | |
82 | ||
c1d92d73 PL |
83 | Current trust anchors can be queried from the recursor by sending a query for "trustanchor.server CH TXT". |
84 | This query will (if :ref:`setting-allow-trust-anchor-query` is enabled) return a TXT record per trust-anchor in the format ``"DOMAIN KEYTAG [KEYTAG]..."``. | |
85 | ||
223bb49e PL |
86 | Trust Anchors |
87 | ^^^^^^^^^^^^^ | |
88 | The PowerDNS Recursor ships with the DNSSEC Root key built-in. | |
89 | ||
90 | **Note**: it has no support for :rfc:`5011` key rollover and does not persist a changed root trust anchor to disk. | |
91 | ||
190e0d9a | 92 | Configuring DNSSEC key material must be done in the :ref:`setting-lua-config-file`, using :func:`addTA`. |
223bb49e PL |
93 | This function takes 2 arguments: the node in the DNS-tree and the data of the corresponding DS record. |
94 | ||
95 | To e.g. add a trust anchor for the root and powerdns.com, use the following config in the Lua file: | |
96 | ||
97 | .. code:: Lua | |
98 | ||
190e0d9a | 99 | addTA('.', "63149 13 1 a59da3f5c1b97fcd5fa2b3b2b0ac91d38a60d33a") -- This is not an ICANN root |
3148bdb4 | 100 | addTA('example.com', "44030 8 2 D4C3D5552B8679FAEEBC317E5F048B614B2E5F607DC57F1553182D49 AB2179F7") |
190e0d9a PL |
101 | |
102 | For PowerDNS Recursor 4.1.x and below, use the :func:`addDS` function instead. | |
223bb49e PL |
103 | |
104 | Now (re)start the recursor to load these trust anchors. | |
105 | ||
8f29eeaa PL |
106 | Reading trust anchors from files |
107 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
108 | ||
9893699f PL |
109 | .. versionadded:: 4.2.0 |
110 | ||
111 | It is also possible to read the Trust Anchors from a BIND-style zonefile using the :func:`readTrustAnchorsFromFile` in the :ref:`setting-lua-config-file`. | |
8f29eeaa | 112 | Only the DS and DNSKEY records from this file are read. |
e4ae55e5 | 113 | This file is (by default) re-read every 24 hours for updates. |
8f29eeaa PL |
114 | Debian and its derivatives ship the ``dns-root-data`` package that contains the DNSSEC root trust anchors in ``/usr/share/dns/root.key``. |
115 | ||
116 | To only use the distribution-provided Trust Anchors, add the following to the :ref:`setting-lua-config-file`: | |
117 | ||
118 | .. sourcecode:: lua | |
119 | ||
120 | clearTA() -- Remove built-in trust-anchors | |
121 | readTrustAnchorsFromFile("/usr/share/dns/root.key") -- Use these keys | |
122 | ||
9893699f PL |
123 | .. note:: |
124 | When using :func:`readTrustAnchorsFromFile`, any runtime changes to Trust Anchors (see below) will be overwritten when the file is refreshed. | |
125 | To prevent this, set the ``interval`` parameter to ``0``. | |
126 | This will **disable** automatic reloading of the file. | |
127 | ||
223bb49e PL |
128 | Runtime Configuration of Trust Anchors |
129 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
f52b0223 | 130 | To change or add trust anchors at runtime, use the :doc:`manpages/rec_control.1` tool. |
223bb49e PL |
131 | These runtime settings are not saved to disk. |
132 | To make them permanent, they should be added to the :ref:`setting-lua-config-file` as described above. | |
133 | ||
134 | Adding a trust anchor is done with the ``add-ta`` command: | |
135 | ||
136 | :: | |
137 | ||
138 | $ rec_control add-ta domain.example 63149 13 1 a59da3f5c1b97fcd5fa2b3b2b0ac91d38a60d33a | |
139 | Added Trust Anchor for domain.example. with data 63149 13 1 a59da3f5c1b97fcd5fa2b3b2b0ac91d38a60d33a | |
140 | ||
141 | To view the currently configured trust anchors, run ``get-tas``: | |
142 | ||
143 | :: | |
144 | ||
145 | $ rec_control get-tas | |
146 | Configured Trust Anchors: | |
147 | . 63149 13 1 a59da3f5c1b97fcd5fa2b3b2b0ac91d38a60d33a | |
148 | net. 2574 13 1 a5c5acb889a7ba9b5aa5bef2b0ac9fe1565ddaab | |
149 | ||
150 | To remove a trust anchor, run ``clear-ta``: | |
151 | ||
152 | :: | |
153 | ||
154 | $ rec_control clear-ta domain.example | |
155 | Removed Trust Anchor for subdomain.example | |
156 | ||
157 | **Note**: The root trust anchor cannot be removed in this manner. | |
158 | ||
159 | .. _ntas: | |
160 | ||
161 | Negative Trust Anchors | |
162 | ^^^^^^^^^^^^^^^^^^^^^^ | |
163 | Negative trust anchors (defined in :rfc:`7646`) can be used to temporarily disable DNSSEC validation for a part of the DNS-tree. | |
164 | This can be done when e.g. a TLD or high-traffic zone goes bogus. | |
165 | Note that it is good practice to verify that this is indeed the case and not because of malicious actions. | |
166 | ||
f19a673b | 167 | Current negative trust anchors can be queried from the recursor by sending a query for "negativetrustanchor.server CH TXT". |
0b7de4d7 PL |
168 | This query will (if :ref:`setting-allow-trust-anchor-query` is enabled) return a TXT record per negative trust-anchor in the format ``"DOMAIN [REASON]"``. |
169 | ||
223bb49e PL |
170 | To configure a negative trust anchor, use the ``addNTA()`` function in the :ref:`setting-lua-config-file` and restart the recursor. |
171 | This function requires the name of the zone and an optional reason: | |
172 | ||
173 | .. code-block:: Lua | |
174 | ||
175 | addNTA('example.', "Someone messed up the delegation") | |
176 | addNTA('powerdns.com') -- No reason given | |
177 | ||
178 | Runtime Configuration of Negative Trust Anchors | |
179 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
180 | ||
f52b0223 | 181 | The :doc:`manpages/rec_control.1` command can be used to manage the negative trust anchors of a running instance. |
223bb49e PL |
182 | These runtime settings are lost when restarting the recursor, more permanent NTAs should be added to the :ref:`setting-lua-config-file` with ``addNTA()``. |
183 | ||
184 | Adding a negative trust anchor is done with the ``add-nta`` command (that optionally accepts a reason): | |
185 | ||
186 | :: | |
187 | ||
188 | $ rec_control add-nta domain.example botched keyroll | |
189 | Added Negative Trust Anchor for domain.example. with reason 'botched keyroll' | |
190 | ||
191 | To view the currently configured negative trust anchors, run ``get-ntas``: | |
192 | ||
193 | :: | |
194 | ||
195 | $ rec_control get-ntas | |
196 | Configured Negative Trust Anchors: | |
197 | subdomain.example. Operator failed key-roll | |
198 | otherdomain.example. DS in parent, no DNSKEY in zone | |
199 | ||
200 | To remove negative trust anchor(s), run ``clear-nta``: | |
201 | ||
202 | :: | |
203 | ||
204 | $ rec_control clear-nta subdomain.example | |
205 | Removed Negative Trust Anchors for subdomain.example | |
206 | ||
207 | ``clear-nta`` accepts multiple domain-names and accepts '\*' (beware the shell quoting) to remove all negative trust anchors. |