Sunday, 6 December 2009

Deploy DNSSEC at Authoritative DNS Servers

This document will guide us in deploy DNSSEC at authoritative DNS servers.

Summary of steps:
  1. Install or update tools(openssl and bind)
  2. DNSSEC enable each zone
  3. Periodic zone maintenance
Install or update tools

For install the last stable version of openssl without shared libraries follow the steps:

#wget http://www.openssl.org/source/openssl-0.9.8l.tar.gz
#tar -zxvf openssl-0.9.8l.tar.gz
#./config --prefix=/usr/local no-shared
#make
#make test
#make install


For install the last stable version of Bind with openssl support follow the steps:

#wget ftp://ftp.isc.org/isc/bind9/9.6.1-P2/bind-9.6.1-P2.tar.gz
#tar -zxvf bind-9.6.1-P2.tar.gz
#./configure --with-openssl=/usr/local --prefix=/usr/local --sysconfdir=/etc/bind --localstatedir=/var
#make
#make test
#make install


After install Bind determine whether the configuration is correct and that the installed version is that it is as default.

#named -V

BIND 9.6.1-P2 built with '--with-openssl=/usr/local' '--prefix=/usr/local/' '--sysconfdir=/etc/bind' '--localstatedir=/var/'


DNSSEC enable each zone

Edit your file "named.conf" and add the DNSSEC option:

...
options{
dnssec-enable yes;
}
...


After this restart your named process.

Now we generate the keys for each zone.
For example we use the zone with the name foo and parent zone is .net
For generate the Zone Signing Key(ZSK) for each zone follow the steps:

#dnssec-keygen -a NSEC3RSASHA1 -b 1024 -n ZONE foo.net

the option NSEC3RSASHA1 only available for version BIND 9.6+, for more informations

#man dnssec-keygen

The result of ZSK generation it's some thing like this:

Kfoo.net.+007+45698

For generate the Key Signing Key(KSK) for each zone follow the steps:

#dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 2048 -n ZONE foo.net

the option NSEC3RSASHA1 only available for version BIND 9.6+, for more informations

#man dnssec-keygen

The result of KSK generation it's some thing like this:

Kfoo.net.+007+54789

Note: if the generation of this keys it's too slow use the option -r /dev/urandom.

After we generate the keys have to include them in files of zone:

#echo -e "\$include Kfoo.net.+007+45698.key\n\$include Kfoo.net.+007+54789.key" >> db.foo.net

Sign the zone with the keys ZSK e KSK without extensions:

#dnssec-signzone -k Kfoo.net.+007+54789 -o foo.net -t -3 - -A db.foo.net Kfoo.net.+007+45698

For more informations:

#man dnssec-signzone

Example of result of signature:

foo.net.signed
Signatures generated: 4
Signatures retained: 0
Signatures dropped: 0
Signatures successfully verified: 0
Signatures unsuccessfully verified: 0
Runtime in seconds: 0.011
Signatures per second: 574.122


Upon signature of zone is created a fine name db.foo.net.signed

To verify that zone was properly signed:

#named-checkzone foo.net db.foo.net.signed

Example of result:

zone foo.net/IN: loaded serial 2009051202 (signed)

Now edit your "named.conf" at zone section and change the name of the zone:

zone "foo.net"{
type master;
file "db.foo.net.signed"
};


Upon restart the named process.

The last step it's send to parent the DS record. This record can be found in file dsset-foo.net.

Periodic zone maintenance

Any time you modify a zone or at least every 30 days after last signature you must re-run dnssec-signzone. If you don't the zone will be stale.


Some resources

www.isc.org - information about bind and dnssec
www.openssl - information about openssl

Tuesday, 10 February 2009

Practical Migration Strategy for IPv6 Web Services

If we have web servers that only support IPv4, a simple solution is to configure a web server with IPv6 support and use a Reverse Proxy. One IPv6 friendly solution for that is to use Apache HTTP Server with modules for proxying.

Configure it

Setting up a reverse proxy for an entire website is fairly straightforward. As an example I present the case study from my institution where we have some web servers that do not support IPv4 and for this we set up a server with IPv6 support and the reverse proxy with Apache. The configuration that I show is only for a site, but for others is the same. In my IPv6 Web Server I use Debian, Apache2.2 with modules for proxying.

<VirtualHost [IPv6_address_of_server]:80>
ServerName www.foo.institution.org
ServerAlias foo.institution.org

ProxyPass / http://www.ipv4foo.institution.org/
ProxyPassReverse / http://www.ipv4foo.institution.org/
ProxyPreserveHost On

LogLevel warn
ErrorLog /var/log/apache2/foo-error.log
CustomLog /var/log/apache2/foo-access.log combined

</VirtualHost>
At mod_proxy configuration:

ProxyRequests Off

<Proxy *>
Order deny,allow
Allow from all
</Proxy>
The parties are key:
  • Enable reverse proxying:

ProxyRequests Off

  • Ensure that the downstream server will receive the correct "Host:" header. This option is off by default.

ProxyPreserveHost On

  • Indicating how the proxy URI will convert converted as it passes through the Apache proxy server:

ProxyPass / http://www.ipv4foo.institution.org/
ProxyPassReverse / http://www.ipv4foo.institution.org/

  • I configured these options for all, but can be configured for each VirtualHost.

<Proxy *>
Order deny,allow
Allow from all
</Proxy>


Finish it

This is not an "open proxy", because we restrict the reverse proxy to a single virtual host. The server serves files to the public, but only for the web sites listed. The configuration presented here facilitates the hosting of a large number of web sites, without having to actually store and synchronize the web site with a central server. The natural flow of proxy->core web server automatically keeps data synchronized. I advise to use of Apache HTTP Server high speed threaded model because of the load and number of connections.

Some resources

Apache2.2 information about mod_proxy. Show at http://httpd.apache.org/docs/2.2/