Rob Gallagher
Networking
First steps towards DNSSEC
Apr 3rd
I recently began deploying DNSSEC within HEAnet. Things are at an early stage, but I’m hoping to have some signed zones up and running in the next few months.
For testing, I wanted to find a practical application of DNSSEC, rather than simply stating “now our zones are secure against attack A, B and C”.
RFC4255 provides exactly this, with automatic verification and trusting of SSH host keys through a combination of the SSHFP record type and DNSSEC validation. This removes the need to maintain a known_hosts file on each client, key fingerprints can simply be distributed through DNS.
I started by generating our zone signing key (ZSK) and key signing key (KSK) for the secure zone, login.heanet.ie. These are 1024bit RSASHA1 keypairs.
mkdir /etc/bind/keys cd !$ dnssec-keygen -r /dev/random -a RSASHA1 \ -b 1024 -n ZONE login.heanet.ie dnssec-keygen -r /dev/random -f KSK \ -a RSASHA1 -b 1024 -n ZONE login.heanet.ie
Then, I imported the trust anchor (KSK public part) for the zone into the DNS resolver. We are using Unbound but BIND etc. configuration is somewhat similar.
cp Klogin.heanet.ie.+005+61342.key /etc/unbound/anchors/login.heanet.ie.anchor ... vi /etc/unbound/unbound.conf ... # # login.heanet.ie test signed zone - robertg@heanet.ie 20090309 # trust-anchor-file: "/etc/unbound/anchors/login.heanet.ie.anchor" ...
To prepare the zone for signing, I published the ZSK and KSK public keys at the apex of the zone, ie: after NS records but before any other records are defined.
@ IN NS ns.heanet.ie. ; DNSSEC public keys $INCLUDE /etc/bind/keys/Klogin.heanet.ie.+005+01530.key ;ZSK $INCLUDE /etc/bind/keys/Klogin.heanet.ie.+005+61342.key ;KSK ; hosts charlene IN A 193.1.219.75 charlene IN AAAA 2001:770:18:2::193.1.219.75 charlene IN SSHFP 1 1 d343493a92fdd26281dddc26e90440e5504c3b1a charlene IN SSHFP 2 1 4fad90afa04a6b62371091662f88685822b07ebb
Now, to actually sign the zone! I signed the RRsets in the zone with dnssec-signzone and the ZSK and KSK keypairs we generated earlier. This produces a signed version of the zonefile, of the form zonefile.signed. The KSK (61342) is used to sign the keys we entered at the apex of the zone earlier, and the ZSK (01530) is used to sign all the other records in the zone.
dnssec-signzone -r /dev/random -o login.heanet.ie \ -k /etc/bind/keys/Klogin.heanet.ie.+005+61342.key \ login.heanet.ie /etc/bind/keys/Klogin.heanet.ie.+005+01530.key
Then, I loaded the .signed file into the authoritative nameserver.
zone "login.heanet.ie" {
type master;
file "pz/forward/login.heanet.ie.signed";
};
After doing this, it’s a good idea to check for any errors in name server log.
As a first test, I made a DNSSEC query to the resolvers. It should follow the chain of trust and securely resolve the query. The “ad” – authenticated data – flag in the flags: section of the dig output confirms that the zone data is signed and has been verified as authentic. The +dnssec option sets the DO (DNSSEC OK) bit on the query and the +multiline option is simply used for readability purposes.
dig @resolver0.heanet.ie charlene.login.heanet.ie +dnssec +multiline ; <<>> DiG 9.5.0-P2 <<>> @resolver0.heanet.ie charlene.login.heanet.ie +dnssec +multiline ; (2 servers found) ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42200 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;charlene.login.heanet.ie. IN A ;; ANSWER SECTION: charlene.login.heanet.ie. 3600 IN A 193.1.219.75 charlene.login.heanet.ie. 3600 IN RRSIG A 5 4 3600 20090429144034 ( 20090330144034 1530 login.heanet.ie. dw8qCGcHEBA8kSfv3CTr7sTM7FEJvoGyY8tz9bEgIsNK adSgG3eUfHIQ5nMFVYvg7/MEXLfhUyXmByNjPuuMhfi0 mvX4GV0z+MqIRfVBb6bH8kPBlAjdXisny4e8rhrheRwu P8FyONy88cyy5OqTattjzz8bBtMevZo4wN/KfQs= ) ;; AUTHORITY SECTION: login.heanet.ie. 3600 IN NS ns.heanet.ie. login.heanet.ie. 3600 IN RRSIG NS 5 3 3600 20090429144034 ( 20090330144034 1530 login.heanet.ie. C7C54YAIMVqp9UJfrrM56dRd2U8OB+zkxHV2G2YN0QsR 7XFZHVcBEjw/9l8r1E6yiRIyAx2P3XGWT/tAvYvssAG8 p143UAn29Gqnibf5mGzhRQFGN/huCdmFSIL7yK2jinhA rw/ZgOrVkBnWiGYNRe4BWtIhkHbcVYZ6roWXlo8= ) ;; Query time: 2 msec ;; SERVER: 2001:770:f8::c101:ba02#53(2001:770:f8::c101:ba02) ;; WHEN: Wed Apr 1 17:07:12 2009 ;; MSG SIZE rcvd: 436
Now to test the signed SSHFP records. On the client, I added the following to resolv.conf.
options edns0
Also, I edited ~/.ssh/config and added this line in the Host section
VerifyHostKeyDNS yes
When ssh'ing to a the machine with signed SSHFP records, the user should not be prompted to accept the host key, even if it is "unknown".
ssh -v heanet@charlene.login.heanet.ie OpenSSH_5.1, OpenSSL 0.9.7j 04 May 2006 ... debug1: found 2 secure fingerprints in DNS debug1: matching host key fingerprint found in DNS debug1: ssh_rsa_verify: signature correct ...
Presto! No known_hosts file. Profit! etc.. No need to maintain host keys across multiple clients, simply distribute your SSH fingerprints through DNS.
$ ls -al /home/rob/.ssh/ total 16 drwx------ 2 rob users 512 Mar 31 14:35 . drwxr-xr-x 3 rob users 512 Mar 31 14:15 .. -rw------- 1 rob users 613 Mar 31 17:23 authorized_keys -rw-r--r-- 1 rob users 120 Mar 31 14:35 config
Of course there are a number of issues. I haven't gone through the required key rollover and resigning processes, however these are reasonably straightforward and can be automated with freely available tools.
Refreshing ftp.heanet.ie
Dec 16th
Here’s a presentation I gave at the ILUG AGM on the new architecture powering ftp.heanet.ie; our well-known mirror server and consumer of copious amounts of bandwidth.
Wireless Death Star
May 29th
OK this thing is a bit mad. If it’s real that is..
Mmm…spiky.
It’s called the Slurpr and it’s capable of combining up to six wireless networks into a single channel, effectively giving you one phat connection that hoses any open wireless in the vicinity. Of course these have to be unsecured networks – but the Slupr’s 266mhz processor and onboard memory opens up the possibility of cracking encryption such as WEP on the fly. Badass.
Followup to ng_fec saga
May 18th
So everything seems to have remained stable over the past few days – and theres now a commit to the ng_fec code:
Deadly! 
IPv6 and ng_fec
May 15th
We managed to finally (hopefully) fix an annoying problem with one of our FreeBSD boxes and IPv6.
For some background; we used the ng_fec (4) device on FreeBSD 6.2-RELEASE to make a logical network interface out of two physical interfaces. This is referred to as bonding on Linux, IP Multipathing on Solaris and I think Cisco call it Ether Channel. Whatever way you go about it, the end result is that you get a network interface that is reachable via a multiple different paths. If each physical interface is plugged into a different switch, you get a nice amount of resiliency.
This works great in FreeBSD with ng_fec, however if you try to use an IPv6 address on the logical interface thats where things start to get interesting. Without getting into too much detail – the problems relate to how IPv6 maps IP addresses to MAC addresses, this is done by way of “neighbour advertisement” messages sent via multicast. However the ng_fec driver was not telling the physical network interfaces to join the correct multicast groups so these neighbour advertisement messages could not be processed correctly, which led to very flaky and mostly unavailable IPv6 connectivity. From what I can gather, you can use other drivers in -CURRENT that don’t exhibit this problem.
But with some diagnoses and a patch to ng_fec.c from Dave Malone we managed to correct the issue. This may make it up into the FreeBSD source tree at some point.
Hopefully things will stay stable from now on
Edit: Ah, there is a bug report raised for this already.
