Using DNSSEC with (Free) IPA

Posted on by Luc de Louw

DNSSEC LogoThe DNS infrastructure contains a growing number of critical information such as services records pointing to authentication services, TLSA records, SSH fingerprints and the like. DNSSEC signs this information, the client can trust the information DNS sends. It protects against forged information through cache poisoning. This article shows how to achieve a DNSSEC protected DNS environment with the help of FreeIPA

This article was taking some time to write as I wanted to see how it behaves in the long term. The initial setup was done in early January 2018. The lab setup is made with RHEL7.4 using stock IPA 4.5.0. and later upgraded subsequently to RHEL 7.9 with IPA 4.6.8. So my test setup was running for a long time before I decided to publish this article.

Since then, a few DNS key rollovers happen, all automated without any manual intervention.

About DNSSEC

DNSSEC was standardized in 1999 in RFC 2535 and superseded in 2005 by RFC 4033, RFC 4034 and RFC 4035.

DNSSEC signs zone data and ensures that nobody had tampered with the DNS data in transit, its an important measure against MITM (Man-In-The-Middle) Attacks and cache poisoning.

Important to know: DNSSEC is not about privacy, the DNS queries and answers are still in plain text. There is an ongoing effort to introduce DNS over QUIC in the future which adds privacy to the Domain Name System. The same applies to DoT (DNS over TLS) as defined in RFC7858.

Using (Free)IPA as a DNS infrastructure

I wrote several articles why IPA is a cool enterprise-grade authentication and authorization tool which comes with an integrated DNS server (BIND with LDAP as storage backend) and why the integrated DNS server functionality should be used to make your job way easier.

Support

For enterprises using IPA in production and having RHEL subscriptions, it is important to know that there is no formal support (yet) for DNSSEC with IPA. It is in the technical Preview state, which means that users are encouraged to test it and giving feedback.

Please have a look to the open issues here: https://pagure.io/freeipa/issue/6988

Feel free to create support cases at https://access.redhat.com/support/cases/ and demand for formal support in the future…

What happens if something goes belly-up?

Well, if DNSSEC is not working correctly, i.e. zone is not signed anymore or not correctly signed, resolvers would return an error which means your DNS infrastructure is not usable anymore until you delete the DS-Entry from upstream DNS servers. Propagation can take up to 24h.

Prerequisites

  • A registered domain name (in this case, ldelouw.ch was just registered as a “Lab-Domain”
  • A least one IPA server with DNS functionality enabled, usually domain registrars are asking for two different DNS servers.

Setup

The DNSSEC feature can be enabled after the initial setup has been completed.

[root@ipa1 ~]# ipa-dns-install --dnssec-master

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup DNS for the IPA Server.

This includes:
  * Configure DNS (bind)
  * Configure SoftHSM (required by DNSSEC)
  * Configure ipa-dnskeysyncd (required by DNSSEC)
  * Configure ipa-ods-exporter (required by DNSSEC key master)
  * Configure OpenDNSSEC (required by DNSSEC key master)
  * Generate DNSSEC master key (required by DNSSEC key master)

NOTE: DNSSEC zone signing is not enabled by default

Plan carefully, replacing DNSSEC key master is not recommended


To accept the default shown in brackets, press the Enter key.

Do you want to set up this IPA server as DNSSEC key master? [no]: yes
Do you want to configure DNS forwarders? [yes]: 
Following DNS servers are configured in /etc/resolv.conf: 2001:470:6d:5e1::1
Do you want to configure these servers as DNS forwarders? [yes]: 
All DNS servers from /etc/resolv.conf were added. You can enter additional addresses now:
Enter an IP address for a DNS forwarder, or press Enter to skip: 
Checking DNS forwarders, please wait ...
Do you want to search for missing reverse zones? [yes]: 

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring DNS (named)
  [1/8]: generating rndc key file
  [2/8]: setting up our own record
  [3/8]: adding NS record to the zones
  [4/8]: setting up kerberos principal
  [5/8]: setting up named.conf
  [6/8]: setting up server configuration
  [7/8]: configuring named to start on boot
  [8/8]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Restarting the web server to pick up resolv.conf changes
Configuring DNS key synchronization service (ipa-dnskeysyncd)
  [1/7]: checking status
  [2/7]: setting up bind-dyndb-ldap working directory
  [3/7]: setting up kerberos principal
  [4/7]: setting up SoftHSM
  [5/7]: adding DNSSEC containers
  [6/7]: creating replica keys
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Configuring IPA OpenDNSSEC exporter daemon (ipa-ods-exporter)
  [1/6]: checking status
  [2/6]: setting up DNS Key Exporter
  [3/6]: setting up kerberos principal
  [4/6]: disabling default signer daemon
  [5/6]: starting DNS Key Exporter
  [6/6]: configuring DNS Key Exporter to start on boot
Done configuring IPA OpenDNSSEC exporter daemon (ipa-ods-exporter).
Configuring OpenDNSSEC enforcer daemon (ods-enforcerd)
  [1/8]: checking status
  [2/8]: setting up configuration files
  [3/8]: setting up ownership and file mode bits
  [4/8]: generating master key
  [5/8]: setting up OpenDNSSEC
  [6/8]: setting up ipa-dnskeysyncd
  [7/8]: starting OpenDNSSEC enforcer
  [8/8]: configuring OpenDNSSEC enforcer to start on boot
Done configuring OpenDNSSEC enforcer daemon (ods-enforcerd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
==============================================================================
Setup complete

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files


        You must make sure these network ports are open:
                TCP Ports:
                  * 53: bind
                UDP Ports:
                  * 53: bind
[root@ipa1 ~]#

Adding a zone with DNSSEC support

[root@ipa1 ~]# ipa dnszone-mod ldelouw.ch. --dnssec=true
  Zone name: ldelouw.ch.
  Active zone: TRUE
  Authoritative nameserver: ipa1.ldelouw.ch.
  Administrator e-mail address: hostmaster.ldelouw.ch.
  SOA serial: 1516123471
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Allow query: any;
  Allow transfer: none;
  Allow in-line DNSSEC signing: TRUE
[root@ipa1 ~]#

Checking the result

The keys are automatically attached to your zone created above. You can check the KSK (Key Signing Key) and ZSK (Zone Signing Key) with dig.

[root@ipa1 ~]# dig @localhost ldelouw.ch DNSKEY +short
257 3 8 AwEAAcYIzDVhGAFYlzQWueyOZVQaMMNbWPoclEioLhuu6z0LApv8C2H4 GF0Sn7w0YLq0n0Oq2tMBmXhFtUnM/AhE88vJsc0G6nQ9AdlE2t19mrnE DlC3YM0Lno9hY9SOV74oLNEoSkCoj/5nGxfNvxTmDjyQMJ7+UC9DJGRl sdWuXHVIDKCFYHzIYPKfi4FtIsBrH2sK0ia1Id199RhDDVtkA4KWebR3 2X5ozfr8xFmr2QH7aK3gjxgrIl0umDmemBbzbRhTh7mzF1DHPBIl1/K1 degZG8mTQlsLjP4ZHy3hyiS4jB7rcYfIaDURtAHRtT2Y12wR0mMV05/7 4UmGwD3wXYVqZ58mJHG3zvBmDdJSZhQ8AUaMsocFEm8xJ6paVkLpgMj5 5w1N/mStbxcruIv/u+hJQcVFahlA+OxGuaWOAnY3r+ORDYw4JZ4ya+ZH z/GVEgndIjWqi3hfxTxPoYtxhCqxaXQkGmeMD8RfDCLJvnGa/6EUjCKu Z6cW1yS37wO6hw==
256 3 8 AwEAAbyX74qFY8f3hdpiNdvDMZKKWgsLdJdUTm1m75IvwiWmvPR9n3eU O0up3b0VkbL5PBf2+LaS0PvkZqCuCV8oFkk6kqsMnW5416LoIFJlxM45 3wbfuPN4CdVtW///cDDPTcEUiqpL9C7ncMK/EpDaKL0EiICrEJl6bRXR olLsqFjSSvmQyIt9kYZ55OpJvyT2MBN3NfwrkGwhqppvPfKpNWl5NcY1 d4Rqe63AsTy8VZnGQT9+XkTKPWtA5mA7taQeE2ogUW7hfRU+QhtFzPSf 3qMDWqeGHmE/pkl26vf/aAkD8i51Cl2jdKg38fdhN5UPkcXnAmWlH2xm YmFWLUf97LM=
[root@ipa1 ~]#

There are two types of keys generated:

  • Key Signing Key 257 (KSK) which is used to sign the ZSK (Zone Signing Key). This keys are valid for a long time and usually only rolled over when compromised as this needs interaction with the upstream DNS servers and in case of internal networks the resolvers must be reconfigured as well. The hash of the public key of the KSK is used for the DS records that needs to be delivered to the upstream DNS zone.
  • Zone Signing Key 256 (ZSK) is used to sign a particular DNS zone. It is rolled over automatically

Create the DS (Delegation Signer) Resource Record

[root@ipa1 ~]# dig @localhost ldelouw.ch DNSKEY > dnskey.txt
[root@ipa1 ~]# dnssec-dsfromkey -f dnskey.txt -2 ldelouw.ch
ldelouw.ch. IN DS 29161 8 2 1D87C67A4BA2AA8A4A646CCC133428CA8E27D9C5367958FFC52987BCF63C775E 
[root@ipa1 ~]#

The red marked part is what you need to provide to your upstream DNS zone, in my case this was the the DNS registry for the .ch domain. Note: It will take some time until its propagated.

In enterprise networks, this can also be an internal upstream DNS zone. In this case, make sure your internal resolvers know about the key.

Testing your setup

After your DS record is propagated, which can take up to 24h, you can test your setup using different public services.

  • www.internet.nl is a website operated by the Dutch government and not only checks for correct implementation of DNSSEC but also a bunch of other security-related configurations on your public available infrastructure
  • https://zonemaster.iis.se/en/ is a website operated by the Swedish Internet Foundation and does not only check for correct DNSSEC implementation but also generic DNS tests and warns about the common mistakes that can happen with a DNS server.

Conclusion

DNSSEC is in place for a long time. Most TLDs zones and the root zone are using it. It’s time to do the same with your DNS infrastructure as well. With (Free)IPA it is surprisingly easy to achieve.

Leave a Reply

Your email address will not be published. Required fields are marked *