Deploy DNSSEC at Authoritative DNS Servers

This document will guide us in deploy DNSSEC at authoritative DNS servers.

Summary of steps:

1. Install or update tools(openssl and bind)
2. DNSSEC enable each zone
3. Periodic zone maintenance

Install or update tools

For install the last stable version of openssl without shared libraries follow the steps:

#wget http://www.openssl.org/source/openssl-0.9.8l.tar.gz
#tar -zxvf openssl-0.9.8l.tar.gz
#./config --prefix=/usr/local no-shared
#make
#make test
#make install

For install the last stable version of Bind with openssl support follow the steps:

#wget ftp://ftp.isc.org/isc/bind9/9.6.1-P2/bind-9.6.1-P2.tar.gz
#tar -zxvf bind-9.6.1-P2.tar.gz
#./configure --with-openssl=/usr/local --prefix=/usr/local --sysconfdir=/etc/bind --localstatedir=/var
#make
#make test
#make install

After install Bind determine whether the configuration is correct and that the installed version is that it is as default.

#named -V

BIND 9.6.1-P2 built with '--with-openssl=/usr/local' '--prefix=/usr/local/' '--sysconfdir=/etc/bind' '--localstatedir=/var/'

DNSSEC enable each zone

Edit your file "named.conf" and add the DNSSEC option:

...
options{
dnssec-enable yes;
}
...

After this restart your named process.

Now we generate the keys for each zone.
For example we use the zone with the name foo and parent zone is .net
For generate the Zone Signing Key(ZSK) for each zone follow the steps:

#dnssec-keygen -a NSEC3RSASHA1 -b 1024 -n ZONE foo.net

the option NSEC3RSASHA1 only available for version BIND 9.6+, for more informations

#man dnssec-keygen

The result of ZSK generation it's some thing like this:

Kfoo.net.+007+45698

For generate the Key Signing Key(KSK) for each zone follow the steps:

#dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 2048 -n ZONE foo.net

the option NSEC3RSASHA1 only available for version BIND 9.6+, for more informations

#man dnssec-keygen

The result of KSK generation it's some thing like this:

Kfoo.net.+007+54789

Note: if the generation of this keys it's too slow use the option -r /dev/urandom.

After we generate the keys have to include them in files of zone:

#echo -e "\$include Kfoo.net.+007+45698.key\n\$include Kfoo.net.+007+54789.key" >> db.foo.net

Sign the zone with the keys ZSK e KSK without extensions:

#dnssec-signzone -k Kfoo.net.+007+54789 -o foo.net -t -3 - -A db.foo.net Kfoo.net.+007+45698

For more informations:

#man dnssec-signzone

Example of result of signature:

foo.net.signed
Signatures generated: 4
Signatures retained: 0
Signatures dropped: 0
Signatures successfully verified: 0
Signatures unsuccessfully verified: 0
Runtime in seconds: 0.011
Signatures per second: 574.122

Upon signature of zone is created a fine name db.foo.net.signed

To verify that zone was properly signed:

#named-checkzone foo.net db.foo.net.signed

Example of result:

zone foo.net/IN: loaded serial 2009051202 (signed)

Now edit your "named.conf" at zone section and change the name of the zone:

zone "foo.net"{
type master;
file "db.foo.net.signed"
};

Upon restart the named process.

The last step it's send to parent the DS record. This record can be found in file dsset-foo.net.

Periodic zone maintenance

Any time you modify a zone or at least every 30 days after last signature you must re-run dnssec-signzone. If you don't the zone will be stale.


Some resources

www.isc.org - information about bind and dnssec
www.openssl - information about openssl

Practical Migration Strategy for IPv6 Web Services

If we have web servers that only support IPv4, a simple solution is to configure a web server with IPv6 support and use a Reverse Proxy. One IPv6 friendly solution for that is to use Apache HTTP Server with modules for proxying.

Configure it

Setting up a reverse proxy for an entire website is fairly straightforward. As an example I present the case study from my institution where we have some web servers that do not support IPv4 and for this we set up a server with IPv6 support and the reverse proxy with Apache. The configuration that I show is only for a site, but for others is the same. In my IPv6 Web Server I use Debian, Apache2.2 with modules for proxying.

<VirtualHost [IPv6_address_of_server]:80>
ServerName www.foo.institution.org
ServerAlias foo.institution.org

ProxyPass / http://www.ipv4foo.institution.org/
ProxyPassReverse / http://www.ipv4foo.institution.org/
ProxyPreserveHost On

LogLevel warn
ErrorLog /var/log/apache2/foo-error.log
CustomLog /var/log/apache2/foo-access.log combined

</VirtualHost>

At mod_proxy configuration:

ProxyRequests Off

<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>

The parties are key:

• Enable reverse proxying:

ProxyRequests Off

• Ensure that the downstream server will receive the correct "Host:" header. This option is off by default.
  

ProxyPreserveHost On

• Indicating how the proxy URI will convert converted as it passes through the Apache proxy server:

ProxyPass / http://www.ipv4foo.institution.org/
ProxyPassReverse / http://www.ipv4foo.institution.org/

• I configured these options for all, but can be configured for each VirtualHost.

<Proxy *>
Order deny,allow
Allow from all
</Proxy>

Finish it

This is not an "open proxy", because we restrict the reverse proxy to a single virtual host. The server serves files to the public, but only for the web sites listed. The configuration presented here facilitates the hosting of a large number of web sites, without having to actually store and synchronize the web site with a central server. The natural flow of proxy->core web server automatically keeps data synchronized. I advise to use of Apache HTTP Server high speed threaded model because of the load and number of connections.

Some resources

Apache2.2 information about mod_proxy. Show at http://httpd.apache.org/docs/2.2/

Cisco DHCP server with secure ARP

Example of how to configure Cisco DHCP server with secure ARP table for DHCP leases. To set you must follow the following steps:

1. Securing ARP table entries to DHCP leases
2. Configuring DHCP authorized ARP
3. Verifying DHCP ARP(optional)
   

Securing ARP table entries to DHCP leases

• Enables privileged EXEC mode.

Router> enable

• Enters global configuration mode.

Router# configure terminal

• Configures a DHCP address pool and enters DHCP pool configuration mode.

Router(config)# ip dhcp pool foo-pool

• Specifies the subnet network number and mask or prefix-length of the DHCP address pool.

Router(dhcp-config)# network 172.29.10.0 /23

• Secures insecure ARP table entries to the corresponding DHCP leases.

Router(dhcp-config)# update arp


Configuring DHCP authorized ARP

• Enables privileged EXEC mode.

Router> enable

• Enters global configuration mode.

Router# configure terminal

• Configures an interface type and enters interface configuration mode

Router(config)# interface FastEthernet0/1

• Sets a IP address for an interface.

Router(config-if)# ip-address 172.29.10.1 255.255.254.0

• Disables dynamic ARP learning on an interface. This mean that the IP address to MAC address mapping can only be installed by the authorized subsystem.

Router(config-if)# arp authorized

• Configures how long an entry remains in the ARP cache. The ARP time out period should not be set to less than 30 seconds.

Router(config-if)# arp timeout 60


Verifying DHCP ARP example:


Router#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 172.29.10.155 136 000e.84d7.62e8 ARPA FastEthernet0/1
Internet 172.29.10.154 136 000e.84d7.62ee ARPA FastEthernet0/1
Internet 172.29.10.158 137 000e.84d7.6378 ARPA FastEthernet0/1