projects / thirdparty / pdns.git / blame
| Commit | Line | Data |
|---|---|---|
| 223bb49e PL |
1 | DNSSEC in the PowerDNS Recursor |
| 2 | =============================== | |
| 3 | As of 4.0.0, the PowerDNS Recursor has support for DNSSEC processing and experimental support for DNSSEC validation. | |
| 4 | ||
| 879ab4fa PL |
5 | .. warning:: |
| 6 | The DNSSEC implementation in the PowerDNS Recursor 4.0.x is known to have deficiencies due to its original design. | |
| 7 | When doing DNSSEC validation, ensure you are running 4.1.0 or later which has a fully reworked (and correct) DNSSEC implementation. | |
| 8 | ||
| 223bb49e PL |
9 | DNSSEC settings |
| 10 | --------------- | |
| 11 | The PowerDNS Recursor has 5 different levels of DNSSEC processing, which can be set with the :ref:`setting-dnssec` setting in the ``recursor.conf``. | |
| 12 | In order from least to most processing, these are: | |
| 13 | ||
| 14 | ``off`` | |
| 15 | ^^^^^^^ | |
| 16 | In this mode, **no** DNSSEC processing takes place. | |
| 17 | The PowerDNS Recursor will not set the DNSSEC OK (DO) bit in the outgoing queries and will ignore the DO and AD bits in queries. | |
| 18 | In this mode, the behaviour is equal to the PowerDNS Recursor 3.X. | |
| 19 | ||
| 20 | ``process-no-validate`` | |
| 21 | ^^^^^^^^^^^^^^^^^^^^^^^ | |
| 22 | The default mode. | |
| 23 | ||
| 24 | In this mode the Recursor acts as a "security aware, non-validating" nameserver, meaning it will set the DO-bit on outgoing queries and will provide DNSSEC related RRsets (NSEC, RRSIG) to clients that ask for them (by means of a DO-bit in the query), except for zones provided through the ``auth-zones`` setting. | |
| 25 | It will not do any validation in this mode, not even when requested by the client. | |
| 26 | ||
| 27 | ``process`` | |
| 28 | ^^^^^^^^^^^ | |
| 29 | When :ref:`setting-dnssec` is set to ``process`` the behaviour is similar to `process-no-validate`_. | |
| 30 | However, the recursor will try to validate the data if at least one of the DO or AD bits is set in the query; | |
| 31 | in that case, it will set the AD-bit in the response when the data is validated successfully, or send SERVFAIL when the validation comes up bogus. | |
| 32 | ||
| 33 | ``log-fail`` | |
| 34 | ^^^^^^^^^^^^ | |
| 35 | In this mode, the recursor will attempt to validate all data it retrieves from authoritative servers, regardless of the client's DNSSEC desires, and will log the validation result. | |
| 36 | This mode can be used to determine the extra load and amount of possibly bogus answers before turning on full-blown validation. | |
| 37 | Responses to client queries are the same as with `process`_. | |
| 38 | ||
| 39 | ``validate`` | |
| 40 | ^^^^^^^^^^^^ | |
| 41 | The highest mode of DNSSEC processing. | |
| 42 | In this mode, all queries will be be validated and will be answered with a SERVFAIL in case of bogus data, regardless of the client's request. | |
| 43 | ||
| 44 | What, when? | |
| 45 | ^^^^^^^^^^^ | |
| 46 | The descriptions above are a bit terse, here's a table describing different scenarios with regards to the ``dnssec`` mode. | |
| 47 | ||
| 6cfa341d CH |
48 | +--------------+---------+-------------------------+---------------+---------------+---------------+ |
| 49 | | | ``off`` | ``process-no-validate`` | ``process`` | ``log-fail`` | ``validate`` | | |
| 50 | +==============+=========+=========================+===============+===============+===============+ | |
| 51 | | Perform | No | No | Only on +AD | Always (logs | Always | | |
| 52 | | validation | | | or +DO from | result) | | | |
| 53 | | | | | client | | | | |
| 54 | +--------------+---------+-------------------------+---------------+---------------+---------------+ | |
| 55 | | SERVFAIL on | No | No | Only on +AD | Only on +AD | Always | | |
| 56 | | bogus | | | or +DO from | or +DO from | | | |
| 57 | | | | | client | client | | | |
| 58 | +--------------+---------+-------------------------+---------------+---------------+---------------+ | |
| 59 | | AD in | Never | Never | Only on +AD | Only on +AD | Only on +AD | | |
| 60 | | response on | | | or +DO from | or +DO from | or +DO from | | |
| 61 | | authenticate | | | client | client | client | | |
| 62 | | d | | | | | | | |
| 63 | | data | | | | | | | |
| 64 | +--------------+---------+-------------------------+---------------+---------------+---------------+ | |
| 65 | | RRSIGs/NSECs | No | Yes | Yes | Yes | Yes | | |
| 66 | | in answer on | | | | | | | |
| 67 | | +DO from | | | | | | | |
| 68 | | client | | | | | | | |
| 69 | +--------------+---------+-------------------------+---------------+---------------+---------------+ | |
| 223bb49e PL |
70 | |
| 71 | **Note**: the ``dig`` tool sets the AD-bit in the query. | |
| 72 | This might lead to unexpected query results when testing. | |
| 73 | Set ``+noad`` on the ``dig`` commandline when this is the case. | |
| 74 | ||
| e8e5667b CH |
75 | **Note**: the CD-bit is honored correctly for ``process`` and |
| 76 | ``validate``. For ``log-fail``, failures will be logged too. | |
| 77 | ||
| 223bb49e PL |
78 | Trust Anchor Management |
| 79 | ----------------------- | |
| 80 | In the PowerDNS Recursor, both positive and negative trust anchors can be configured during startup (from a persistent configuration file) and at runtime (which is volatile). | |
| 81 | However, all trust anchors are configurable. | |
| 82 | ||
| c1d92d73 PL |
83 | Current trust anchors can be queried from the recursor by sending a query for "trustanchor.server CH TXT". |
| 84 | This query will (if :ref:`setting-allow-trust-anchor-query` is enabled) return a TXT record per trust-anchor in the format ``"DOMAIN KEYTAG [KEYTAG]..."``. | |
| 85 | ||
| 223bb49e PL |
86 | Trust Anchors |
| 87 | ^^^^^^^^^^^^^ | |
| 88 | The PowerDNS Recursor ships with the DNSSEC Root key built-in. | |
| 89 | ||
| 90 | **Note**: it has no support for :rfc:`5011` key rollover and does not persist a changed root trust anchor to disk. | |
| 91 | ||
| 190e0d9a | 92 | Configuring DNSSEC key material must be done in the :ref:`setting-lua-config-file`, using :func:`addTA`. |
| 223bb49e PL |
93 | This function takes 2 arguments: the node in the DNS-tree and the data of the corresponding DS record. |
| 94 | ||
| 95 | To e.g. add a trust anchor for the root and powerdns.com, use the following config in the Lua file: | |
| 96 | ||
| 97 | .. code:: Lua | |
| 98 | ||
| 190e0d9a | 99 | addTA('.', "63149 13 1 a59da3f5c1b97fcd5fa2b3b2b0ac91d38a60d33a") -- This is not an ICANN root |
| 3148bdb4 | 100 | addTA('example.com', "44030 8 2 D4C3D5552B8679FAEEBC317E5F048B614B2E5F607DC57F1553182D49 AB2179F7") |
| 190e0d9a PL |
101 | |
| 102 | For PowerDNS Recursor 4.1.x and below, use the :func:`addDS` function instead. | |
| 223bb49e PL |
103 | |
| 104 | Now (re)start the recursor to load these trust anchors. | |
| 105 | ||
| 8f29eeaa PL |
106 | Reading trust anchors from files |
| 107 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
| 108 | ||
| 9893699f PL |
109 | .. versionadded:: 4.2.0 |
| 110 | ||
| 111 | It is also possible to read the Trust Anchors from a BIND-style zonefile using the :func:`readTrustAnchorsFromFile` in the :ref:`setting-lua-config-file`. | |
| 8f29eeaa | 112 | Only the DS and DNSKEY records from this file are read. |
| e4ae55e5 | 113 | This file is (by default) re-read every 24 hours for updates. |
| 8f29eeaa PL |
114 | Debian and its derivatives ship the ``dns-root-data`` package that contains the DNSSEC root trust anchors in ``/usr/share/dns/root.key``. |
| 115 | ||
| 116 | To only use the distribution-provided Trust Anchors, add the following to the :ref:`setting-lua-config-file`: | |
| 117 | ||
| 118 | .. sourcecode:: lua | |
| 119 | ||
| 120 | clearTA() -- Remove built-in trust-anchors | |
| 121 | readTrustAnchorsFromFile("/usr/share/dns/root.key") -- Use these keys | |
| 122 | ||
| 9893699f PL |
123 | .. note:: |
| 124 | When using :func:`readTrustAnchorsFromFile`, any runtime changes to Trust Anchors (see below) will be overwritten when the file is refreshed. | |
| 125 | To prevent this, set the ``interval`` parameter to ``0``. | |
| 126 | This will **disable** automatic reloading of the file. | |
| 127 | ||
| 223bb49e PL |
128 | Runtime Configuration of Trust Anchors |
| 129 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
| f52b0223 | 130 | To change or add trust anchors at runtime, use the :doc:`manpages/rec_control.1` tool. |
| 223bb49e PL |
131 | These runtime settings are not saved to disk. |
| 132 | To make them permanent, they should be added to the :ref:`setting-lua-config-file` as described above. | |
| 133 | ||
| 134 | Adding a trust anchor is done with the ``add-ta`` command: | |
| 135 | ||
| 136 | :: | |
| 137 | ||
| 138 | $ rec_control add-ta domain.example 63149 13 1 a59da3f5c1b97fcd5fa2b3b2b0ac91d38a60d33a | |
| 139 | Added Trust Anchor for domain.example. with data 63149 13 1 a59da3f5c1b97fcd5fa2b3b2b0ac91d38a60d33a | |
| 140 | ||
| 141 | To view the currently configured trust anchors, run ``get-tas``: | |
| 142 | ||
| 143 | :: | |
| 144 | ||
| 145 | $ rec_control get-tas | |
| 146 | Configured Trust Anchors: | |
| 147 | . 63149 13 1 a59da3f5c1b97fcd5fa2b3b2b0ac91d38a60d33a | |
| 148 | net. 2574 13 1 a5c5acb889a7ba9b5aa5bef2b0ac9fe1565ddaab | |
| 149 | ||
| 150 | To remove a trust anchor, run ``clear-ta``: | |
| 151 | ||
| 152 | :: | |
| 153 | ||
| 154 | $ rec_control clear-ta domain.example | |
| 155 | Removed Trust Anchor for subdomain.example | |
| 156 | ||
| 157 | **Note**: The root trust anchor cannot be removed in this manner. | |
| 158 | ||
| 159 | .. _ntas: | |
| 160 | ||
| 161 | Negative Trust Anchors | |
| 162 | ^^^^^^^^^^^^^^^^^^^^^^ | |
| 163 | Negative trust anchors (defined in :rfc:`7646`) can be used to temporarily disable DNSSEC validation for a part of the DNS-tree. | |
| 164 | This can be done when e.g. a TLD or high-traffic zone goes bogus. | |
| 165 | Note that it is good practice to verify that this is indeed the case and not because of malicious actions. | |
| 166 | ||
| f19a673b | 167 | Current negative trust anchors can be queried from the recursor by sending a query for "negativetrustanchor.server CH TXT". |
| 0b7de4d7 PL |
168 | This query will (if :ref:`setting-allow-trust-anchor-query` is enabled) return a TXT record per negative trust-anchor in the format ``"DOMAIN [REASON]"``. |
| 169 | ||
| 223bb49e PL |
170 | To configure a negative trust anchor, use the ``addNTA()`` function in the :ref:`setting-lua-config-file` and restart the recursor. |
| 171 | This function requires the name of the zone and an optional reason: | |
| 172 | ||
| 173 | .. code-block:: Lua | |
| 174 | ||
| 175 | addNTA('example.', "Someone messed up the delegation") | |
| 176 | addNTA('powerdns.com') -- No reason given | |
| 177 | ||
| 178 | Runtime Configuration of Negative Trust Anchors | |
| 179 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
| 180 | ||
| f52b0223 | 181 | The :doc:`manpages/rec_control.1` command can be used to manage the negative trust anchors of a running instance. |
| 223bb49e PL |
182 | These runtime settings are lost when restarting the recursor, more permanent NTAs should be added to the :ref:`setting-lua-config-file` with ``addNTA()``. |
| 183 | ||
| 184 | Adding a negative trust anchor is done with the ``add-nta`` command (that optionally accepts a reason): | |
| 185 | ||
| 186 | :: | |
| 187 | ||
| 188 | $ rec_control add-nta domain.example botched keyroll | |
| 189 | Added Negative Trust Anchor for domain.example. with reason 'botched keyroll' | |
| 190 | ||
| 191 | To view the currently configured negative trust anchors, run ``get-ntas``: | |
| 192 | ||
| 193 | :: | |
| 194 | ||
| 195 | $ rec_control get-ntas | |
| 196 | Configured Negative Trust Anchors: | |
| 197 | subdomain.example. Operator failed key-roll | |
| 198 | otherdomain.example. DS in parent, no DNSKEY in zone | |
| 199 | ||
| 200 | To remove negative trust anchor(s), run ``clear-nta``: | |
| 201 | ||
| 202 | :: | |
| 203 | ||
| 204 | $ rec_control clear-nta subdomain.example | |
| 205 | Removed Negative Trust Anchors for subdomain.example | |
| 206 | ||
| 207 | ``clear-nta`` accepts multiple domain-names and accepts '\*' (beware the shell quoting) to remove all negative trust anchors. |