USAGE_SEC                                                    September 1996

                          Secure DNS (TIS/DNSSEC)

This is the usage documentation for TIS' Secure DNS (TIS/DNSSEC) version
BETA-1.3.

This looks like a standard named distribution, with the following
exceptions:

    - this version is coded against BIND-4.9.4-P1
    - there are three new directories in this distribution:

          dnssec_lib
          signer
          rsaref

rsaref/      is a placeholder directory for the RSAREF distribution. You
             must obtain RSAREF on your own.

signer/      contains the two applications needed by DNSSEC:

                 signer:   tool to sign zones
                 key_gen:  tool to generate keys

dnssec_lib/  contains the common library routines used by named, key_gen
             and signer. This is where most of the DNSSEC work is done.

Before compiling you need to do the standard configuration for named, plus
the edits explained in INSTALL_SEC.

This version has been tested on SUNOS4.1.3. It includes the portability
fixes from previous beta releases for Linux, Solaris-2.4, HPUX-9 and
FreeBSD.

CHANGES TO BIND

res/         There are minor changes to the files in the res directory.
             Most of them have to do with displaying NXT records. There
             are also some changes related to translating domain names
             into uncompressed lower-case names upon request.

tools/       Minor changes to recognize NXT records and display them.

named/       Added code to read and write the new record types.
             Added code to do signature validation on read.
             Added code to return the appropriate SIG records.
             Added security flags to the databuf and zoneinfo structures.
             A name can now have a CNAME record together with the
             security RRs (SIG, NXT), which the normal CNAME-only rule
             would otherwise forbid.
             Records are stored and transmitted in DNSSEC sort order.

conf/        Turned off the ROUND_ROBIN option and installed the new
             sorting required for signature verification.

signer/      NXT record generation.
             Key generation.
             Signing of zones.
             Converting data records to the format required for
             signatures.

dnssec_lib/  Interfacing with the crypto library.
             Verifying signatures, preparing data for signing and
             verification.

THE ROLE OF .PARENT FILES

The DNSSEC specification changes who is authoritative for certain resource
records. To support the certification hierarchy, each zone's KEY RR must be
signed by the parent zone. The parent-signed KEY RR must nevertheless be
distributed by the zone itself, since the zone is the most authoritative
source for its own records.

To facilitate this, the TIS/DNSSEC signer program creates a .PARENT file for
every name in a zone that has an NS record. The file contains the KEY
records stored under that name, an NXT record, and the corresponding SIG
records. If no KEY record is found for a name with an NS record, a NULL-KEY
record is generated to indicate that the child is INSECURE.

Each .PARENT file must be sent via an out-of-band mechanism to the primary
for the child zone, for inclusion there. The signer program adds an
$INCLUDE .PARENT command at the end of each zone file; if the file does not
exist, a warning message is printed.

Potential PROBLEM: the parent and child are likely to be on different
signing schedules. When a new .PARENT file is put on the primary, the zone
data has changed but the SOA serial has not, so it may take a long time for
the new records to propagate to the secondaries. This only matters if the
zone has added or deleted a KEY, or if the signatures will expire in the
near future. To overcome this, re-sign your zone whenever either condition
is true. DNS NOTIFY and/or DNS DYNUPDATE may fix this problem in the future.

TIS/DNSSEC SOA SERIAL NUMBERS

To facilitate prompt distribution of zone data to secondaries, signer takes
over the management of SOA serial numbers. Each time signer signs a zone it
sets the serial number to a value reflecting the time the zone was signed,
in standard Unix time: seconds since 1970/1/1 0:0:0 GMT.

Caveat: serial-number arithmetic (RFC 1982) only lets a serial move forward
by at most 2^31-1 at a time. A zone whose serial was previously larger than
the current Unix time, for example one using the YYYYMMDDnn convention,
will see its serial go backwards the first time signer takes it over, and
secondaries will keep serving their old copy. Advance such a serial by
hand, in steps of at most 2^31-1, past the Unix-time value before handing
the zone to signer.

HOW TO CONFIGURE A SECURE ZONE

  1. Create a directory to contain your zone files.
  2. Create an output directory for the signer output.
  3. Put in a boot file that includes the files from that zone.
  4. Create a KEY for the zone by running key_gen. Name the key .
  5. Run signer on your zone, writing to the output directory .

Signer rewrites the boot file to include a new "pubkey" directive naming
the key used to sign the zone. Any pubkey declarations in the input boot
file are deleted.

Signer generates output files corresponding to the load files specified in
the boot file. If a load file $INCLUDEs another load file, signer merges
them into a single output file. You will notice that the output files are
significantly larger, and that they are in a different order from the
input files: all records are sorted into DNSSEC sort order, and NXT and
SIG records have been added.

If any name other than the zone name of an input file has NS records, you
will see messages that NULL-KEY records have been created. If that is not
the correct behaviour, add the correct KEY RRs for the child.

For each domain name that has an NS record but is not the zone name of a
load file you will see a file named .PARENT. It contains the KEY record for
that name, an NXT record and two SIG records. This file needs to be sent
to the nameserver that is primary for that zone. There are two reasons for
this:

  1. To support the certification hierarchy, each zone key is signed by
     the parent zone key.
  2. A zone is the most trustworthy source for itself; unless these
     records are loaded into the primary server for the zone, they may
     not get propagated.

HOW TO RUN SEC_NAMED

Included in the distribution there is a small test setup:

    # run signer
    ./signer boot-f simple_test/test.boot [out-dir /tmp]
    # or
    make test
    # This takes a few minutes to run, depending on your machine and the
    # size of the key selected.
    # All output files are stored in /tmp unless out-dir is specified.
    #
    # Now we are ready to run named
    cd ../named
    ./named -p 12345 -b /tmp/test.boot.save [-d x]
    #
    # You can now check for data in the database using the new dig.
    cd ../tools
    ./dig @yourhost snore.foo.bar. any in -p 12345

Output from the new dig will be something like this:

; <<>> DiG 2.1 <<>> @dnssrv snore.foo.bar. any in -p
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10
;; flags: qr rd ra; Ques: 1, Ans: 11, Auth: 0, Addit: 1
;; QUESTIONS:
;;      snore.foo.bar, type = ANY, class = IN

;; ANSWERS:
snore.foo.bar.  259200  A       10.17.3.20
snore.foo.bar.  259200  SIG     A ( 1 3        ; alg labels
        259200                                  ; TTL
        19950506200636                          ; Signature expiration
        19950406200659                          ; time signed
        47437                                   ; Key foot print
        foo.bar.                                ; Signers name
        FsqeW3hstM8Q6v8PMCGPsVMfO6dEpHjFgKm2dJRaofFtCQ/CT9O6Vo7J5zgkV+5ciWQwuZwvzW071jnZ1i27Ip/8vqdKGHC63tjWkCHSZV0= ) ; END Signature
snore.foo.bar.  259200  MX      96 who.foo.bar.
snore.foo.bar.  259200  MX      100 foo.bar.
snore.foo.bar.  259200  MX      120 xxx.foo.bar.
snore.foo.bar.  259200  MX      130 maGellan.foo.bar.
snore.foo.bar.  259200  MX      140 bozo.foo.bar.
snore.foo.bar.  259200  SIG     MX ( 1 3       ; alg labels
        259200                                  ; TTL
        19950506200636                          ; Signature expiration
        19950406200659                          ; time signed
        47437                                   ; Key foot print
        foo.bar.                                ; Signers name
        EV0cJqF3pUOgktggTrFf55YGwQFbUqPJAMTnAkHK3+Z/Ya6GgwwNOGRzq/FYm5P4E+yIj6WUYFh9Ex5eX5TwiIsjM/hy173lSa3qm/ljDk8= ) ; END Signature
snore.foo.bar.  259200  NXT     xxx.foo.bar.
snore.foo.bar.  259200  SIG     NXT ( 1 3      ; alg labels
        259200                                  ; TTL
        19950506200636                          ; Signature expiration
        19950406200659                          ; time signed
        47437                                   ; Key foot print
        foo.bar.                                ; Signers name
        eJUHVm5Q5qYQYFVOW0L5Of67HQvQ9+7T7sQqHv7ayTT2sMnXudxviYv43vALMMwBcJFXFEhLhwYwN7pUDssD/w5si/6JJQTi1o30S8si3zE= ) ; END Signature

;; Total query time: 195 msec
;; FROM: dnssrv to SERVER: dnssrv 10.17.3.1
;; WHEN: Thu Apr 6 16:20:32 1995
;; MSG SIZE  sent: 31  rcvd: 662
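As an added example (not code from the TIS/DNSSEC distribution or from BIND), the following Python parses SIG records in the multi-line form the modified dig prints above and applies the checks a verifier makes before it touches any cryptography: is the current time inside the inception/expiration window, does the labels field agree with the owner name (a smaller count means the answer was synthesised from a wildcard), and can the signer's name speak for the owner at all. The sample input is the three SIG records from the dig output above, re-typed as a constructed string; the check time 1995-04-07 00:00 GMT is an assumption chosen to fall inside the window, and the algorithm table only lists algorithm 1 (RSA/MD5), the one the output uses. No public key is available on the page, so the signature bytes are decoded but not verified.

```python
"""
Added example (not part of TIS/DNSSEC or BIND): parse SIG RRs as the
modified dig prints them and run the pre-crypto sanity checks.
"""
import base64
from datetime import datetime, timezone

# Constructed sample: the three SIG RRs from the dig output above, with the
# A, MX and NXT lines they cover, in dig's presentation format
# (parenthesised continuation lines, ';' comments).
SAMPLE = """\
snore.foo.bar.  259200  A       10.17.3.20
snore.foo.bar.  259200  SIG     A ( 1 3        ; alg labels
        259200                                  ; TTL
        19950506200636                          ; Signature expiration
        19950406200659                          ; time signed
        47437                                   ; Key foot print
        foo.bar.                                ; Signers name
        FsqeW3hstM8Q6v8PMCGPsVMfO6dEpHjFgKm2dJRaofFtCQ/CT9O6Vo7J5zgkV+5ciWQwuZwvzW071jnZ1i27Ip/8vqdKGHC63tjWkCHSZV0= ) ; END Signature
snore.foo.bar.  259200  MX      96 who.foo.bar.
snore.foo.bar.  259200  SIG     MX ( 1 3       ; alg labels
        259200                                  ; TTL
        19950506200636                          ; Signature expiration
        19950406200659                          ; time signed
        47437                                   ; Key foot print
        foo.bar.                                ; Signers name
        EV0cJqF3pUOgktggTrFf55YGwQFbUqPJAMTnAkHK3+Z/Ya6GgwwNOGRzq/FYm5P4E+yIj6WUYFh9Ex5eX5TwiIsjM/hy173lSa3qm/ljDk8= ) ; END Signature
snore.foo.bar.  259200  NXT     xxx.foo.bar.
snore.foo.bar.  259200  SIG     NXT ( 1 3      ; alg labels
        259200                                  ; TTL
        19950506200636                          ; Signature expiration
        19950406200659                          ; time signed
        47437                                   ; Key foot print
        foo.bar.                                ; Signers name
        eJUHVm5Q5qYQYFVOW0L5Of67HQvQ9+7T7sQqHv7ayTT2sMnXudxviYv43vALMMwBcJFXFEhLhwYwN7pUDssD/w5si/6JJQTi1o30S8si3zE= ) ; END Signature
"""

ALGORITHMS = {1: "RSA/MD5"}   # only the algorithm number the output above uses


def parse_time(s):
    """YYYYMMDDHHMMSS as printed by dig, taken as GMT."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def _labels(name):
    return tuple(l.lower() for l in name.rstrip(".").split("."))


def _parse_one(text):
    # Flatten "( ... )" and split into the twelve fields of a SIG RR.
    t = text.replace("(", " ").replace(")", " ").split()
    owner, ttl, _, covered, alg, labels, orig_ttl, exp, inc, tag, signer, sig = t
    return {
        "owner": owner, "ttl": int(ttl), "type_covered": covered,
        "algorithm": int(alg), "labels": int(labels),
        "original_ttl": int(orig_ttl), "expiration": parse_time(exp),
        "inception": parse_time(inc), "key_tag": int(tag), "signer": signer,
        "signature": base64.b64decode(sig, validate=True),
    }


def parse_sigs(text):
    """One dict per SIG RR; non-SIG lines and ';' comments are skipped."""
    sigs, buf = [], None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()     # drop the comment, keep data
        if not line:
            continue
        if buf is None:
            toks = line.split()
            if len(toks) < 3 or toks[2] != "SIG":
                continue                          # A, MX, NXT ...: not ours
            buf = line
        else:
            buf = buf + " " + line               # continuation inside ( )
        if ")" in buf:
            sigs.append(_parse_one(buf))
            buf = None
    return sigs


def signer_covers_owner(signer, owner):
    """Necessary (not sufficient) condition: the signer's name is the owner
    or one of its ancestors, compared label by label, case-insensitively."""
    s, o = _labels(signer), _labels(owner)
    return len(s) <= len(o) and o[len(o) - len(s):] == s


def is_wildcard_expansion(sig):
    """Fewer labels in the SIG than in the owner means a wildcard matched."""
    return sig["labels"] < len(_labels(sig["owner"]))


def check_sig(sig, now):
    """Reasons to reject the SIG before verifying it; empty means it passes."""
    problems = []
    if sig["algorithm"] not in ALGORITHMS:
        problems.append("unknown algorithm %d" % sig["algorithm"])
    if now < sig["inception"]:
        problems.append("not yet valid")
    if now > sig["expiration"]:
        problems.append("expired")
    if sig["labels"] > len(_labels(sig["owner"])):
        problems.append("labels field larger than owner name")
    if not signer_covers_owner(sig["signer"], sig["owner"]):
        problems.append("signer %s cannot speak for %s" % (sig["signer"], sig["owner"]))
    return problems


if __name__ == "__main__":
    now = parse_time("19950407000000")   # assumed check time, inside the window
    for sig in parse_sigs(SAMPLE):
        verdict = check_sig(sig, now) or ["ok"]
        print(sig["owner"], "SIG", sig["type_covered"],
              ALGORITHMS.get(sig["algorithm"]), "tag", sig["key_tag"],
              "by", sig["signer"], ":", ", ".join(verdict))
```

Running the same records against a check time in September 1996 reports every one of them as expired, which is the situation the "Potential PROBLEM" paragraph warns about: the data is unchanged, the serial is unchanged, and yet the zone has silently stopped validating.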
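The "How to configure a secure zone" section says signer sorts every record into DNSSEC sort order, adds an NXT per name, and writes a .PARENT file (with a NULL-KEY where no KEY exists) for each delegation. As an added example (not the signer program's code, which is not on this page), the Python below does that bookkeeping on a small constructed zone whose names are borrowed from the dig output above, with two delegations (child.foo.bar. and kid.foo.bar.) added as assumptions; the RDATA strings are placeholders, since only owner names and types matter here. The NULL-KEY itself is only reported, not encoded.

```python
"""
Added example (not TIS/DNSSEC code): canonical sort order, NXT chain and
.PARENT candidates for a zone, as the text describes signer doing.
"""
from collections import defaultdict

ZONE = "foo.bar."

# Constructed sample zone (not the distribution's simple_test data).
# The mixed case in maGellan is deliberate; child.foo.bar. is a delegation
# without a KEY, kid.foo.bar. one with a KEY. RDATA is only sketched.
RECORDS = [
    ("foo.bar.",          "SOA", "xxx.foo.bar. hostmaster.foo.bar. (...)"),
    ("foo.bar.",          "NS",  "xxx.foo.bar."),
    ("foo.bar.",          "KEY", "<zone key>"),
    ("bozo.foo.bar.",     "A",   "10.17.3.6"),
    ("child.foo.bar.",    "NS",  "ns.child.example."),
    ("kid.foo.bar.",      "NS",  "ns.kid.example."),
    ("kid.foo.bar.",      "KEY", "<child zone key>"),
    ("maGellan.foo.bar.", "A",   "10.17.3.5"),
    ("snore.foo.bar.",    "A",   "10.17.3.20"),
    ("snore.foo.bar.",    "MX",  "96 xxx.foo.bar."),
    ("xxx.foo.bar.",      "A",   "10.17.3.7"),
]


def canonical_key(name):
    """Sort key for DNSSEC canonical order: labels are compared starting at
    the root, byte-wise with ASCII upper case folded to lower case, and a
    name sorts before every name beneath it. This is not plain string order."""
    labels = name.rstrip(".").split(".")
    return tuple(l.encode("latin-1").lower() for l in reversed(labels))


def canonical_order(names):
    return sorted(set(names), key=canonical_key)


def nxt_chain(records):
    """(owner, next owner, type list) for each owner name in canonical
    order; the last name points back to the first, i.e. the zone apex.
    NXT and SIG are listed because signer adds them at every name."""
    types = defaultdict(set)
    for owner, rtype, _ in records:
        types[owner].add(rtype)
    names = canonical_order(types)
    chain = []
    for i, owner in enumerate(names):
        nxt = names[(i + 1) % len(names)]
        chain.append((owner, nxt, sorted(types[owner] | {"NXT", "SIG"})))
    return chain


def format_nxt(owner, nxt, types, ttl=259200):
    """Presentation form: next name followed by the type list."""
    return "%s\t%d\tNXT\t%s %s" % (owner, ttl, nxt, " ".join(types))


def delegations(records, zone):
    """Names below the apex that carry NS records, mapped to whether a KEY
    is present. A missing KEY is the case where signer writes a NULL-KEY
    into the .PARENT file and the child is treated as INSECURE."""
    types = defaultdict(set)
    for owner, rtype, _ in records:
        types[owner].add(rtype)
    apex = canonical_key(zone)
    return {o: "KEY" in t for o, t in types.items()
            if "NS" in t and canonical_key(o) != apex}


if __name__ == "__main__":
    for owner, nxt, types in nxt_chain(RECORDS):
        print(format_nxt(owner, nxt, types))
    for name, has_key in delegations(RECORDS, ZONE).items():
        print("%s.PARENT: %s" % (name, "KEY present" if has_key else "NULL-KEY, child INSECURE"))
```

The chain puts snore.foo.bar. immediately before xxx.foo.bar., matching the NXT in the dig output, and a plain `sorted()` would have put bozo.foo.bar. ahead of the apex, which is why the signer cannot reuse the ordinary string order.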
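The "TIS/DNSSEC SOA serial numbers" section says signer replaces the serial with the Unix time of signing. As an added example (not code from TIS/DNSSEC), the Python below implements the serial-number arithmetic of RFC 1982 that secondaries use to decide whether a zone is newer, computes the serial signer would write for a given signing time, and plans the intermediate serials needed when a zone is moved from a larger scheme such as YYYYMMDDnn; the 1996-09-01 signing time and the 1996090100 old serial are assumptions for illustration.

```python
"""
Added example (not TIS/DNSSEC code): RFC 1982 serial-number arithmetic
applied to the Unix-time serials signer writes into the SOA.
"""
import calendar

MASK = 0xFFFFFFFF
HALF = 1 << 31


def serial_gt(a, b):
    """True when serial a is newer than serial b in RFC 1982 arithmetic,
    the comparison a secondary makes before transferring a zone."""
    a, b = a & MASK, b & MASK
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def signing_serial(year, month, day, hour=0, minute=0, second=0):
    """The serial signer sets: seconds since 1970-01-01 00:00:00 GMT at
    the moment of signing."""
    return calendar.timegm((year, month, day, hour, minute, second, 0, 0, 0))


def serial_plan(old, new):
    """Serials to publish, in order, so that secondaries transfer at every
    step and end up at `new`. Empty when nothing changes; one element when
    `new` already counts as newer; otherwise each intermediate step is the
    largest forward jump RFC 1982 allows (2^31 - 1)."""
    old, new = old & MASK, new & MASK
    if old == new:
        return []
    steps, cur = [], old
    while cur != new and not serial_gt(new, cur):
        cur = (cur + HALF - 1) & MASK
        steps.append(cur)
    if cur != new:
        steps.append(new)
    return steps


if __name__ == "__main__":
    signed = signing_serial(1996, 9, 1)          # assumed signing time
    for old in (841535000, 1996090100):          # Unix-style vs YYYYMMDDnn
        print("old serial %d -> signer serial %d: transfers=%s, plan=%s"
              % (old, signed, serial_gt(signed, old), serial_plan(old, signed)))
```

With a previous Unix-style serial the new one is accepted directly; with a YYYYMMDDnn serial the plan is two steps, because 1996090100 minus 841536000 is less than 2^31, so the signer's value would otherwise look older to every secondary.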