Version 1 (modified by ahu, 3 years ago)


Everything you need to know about PowerDNSSEC

The very latest and greatest can be found on http://svn.powerdns.com/dnssec-wild-testing/

PowerDNSSEC is currently in a very wild state, and is completely unsuitable for production use. Even compiling it is surprisingly hard.

Compiling

Get the latest source, either as a snapshot tarball from the 'dnssec-wild-testing' URL above (and untar it) or via Subversion, then build it:

$ svn co svn://svn.powerdns.com/pdns/trunk/ pdns
$ cd pdns
$ ./bootstrap
$ ./configure --with-modules=""
$ make -j2

(If you have MySQL installed, you can leave out --with-modules="".) Then wait for the build to finish.

You will probably get an error about missing 'boost' libraries at this point. Install packages such as 'boost-filesystem-dev' and 'boost-program-options-dev' and re-run make. If those packages installed fine but 'make' still does not complete successfully, edit pdns/Makefile.am and pdns/modules/bind/Makefile.am and replace -lboost_*-mt with -lboost_*.

Help with compiling or installing

The pdns-dev mailing list is a good place to discuss PowerDNSSEC compilation problems. Our IRC channel #powerdns on irc.oftc.net can also be helpful.

Configuring

To isolate your experiments from your production (Power)DNS, everything is run from a local directory.

For now, use only the BIND backend. Below you can read how to use the Generic MySQL backend. A suggested named-dnssec.conf for PowerDNS consists of:

zone "powerdnssec.org" {
        type master;
        file "powerdnssec.org";
};

Change to the 'pdns' subdirectory of the PowerDNS tree you just compiled (this is where the 'pdns_server' program lives) and put the above configuration there in a file called 'named-dnssec.conf'.

The 'reference' powerdnssec.org zone can be found in the regression tests here (click 'download original format'). Place this file in the same 'pdns' directory as 'named-dnssec.conf'.

Now create your key-repository:

$ mkdir keys

Next, add keys for the powerdnssec.org zone:

$ ./pdnssec secure-zone powerdnssec.org
Created KSK with tag 13837
There are now 2 ZSKs
Tag = 46582	Active: 1
Tag = 2461	Active: 0

(may take some time)

Now launch PowerDNS from the command line:

$ ./pdns_server --no-config --local-port=5300 --daemon=no --socket-dir=./ --launch=bind --bind-config=./named-dnssec.conf
Apr 21 15:15:20 Reading random entropy from '/dev/urandom'
Apr 21 15:15:20 This is a standalone pdns
Apr 21 15:15:20 Listening on controlsocket in './pdns.controlsocket'
Apr 21 15:15:20 It is advised to bind to explicit addresses with the --local-address option
Apr 21 15:15:20 UDP server bound to 0.0.0.0:5300
Apr 21 15:15:20 TCP server bound to 0.0.0.0:5300
Apr 21 15:15:20 PowerDNS 3.0-pre (C) 2001-2010 PowerDNS.COM BV (Apr 21 2010, 14:56:25, gcc 4.4.1) starting up
Apr 21 15:15:20 Creating backend connection for TCP
Apr 21 15:15:20 [bindbackend] Parsing 1 domain(s), will report when done
Start loadconfig sort of 17 records
Done loadconfig sorting
Apr 21 15:15:20 [bindbackend] Done parsing domains, 0 rejected, 1 new, 0 removed
Apr 21 15:15:20 About to create 3 backend threads for UDP
Apr 21 15:15:20 Done launching threads, ready to distribute questions

(and leave this running)

You are now in business! To verify, ask your new PowerDNSSEC a question from another terminal:

$ dig +dnssec -t A powerdnssec.org @127.0.0.1 -p 5300
;; ANSWER SECTION:
powerdnssec.org.	3600	IN	A	212.123.148.70
powerdnssec.org.	3600	IN	RRSIG	A 5 2 3600 20100429000000 20100415000000 46582 powerdnssec.org. P4d1fdry3oeaXz7VfZVVIdhjNT8Lg ... pWk=

To verify that DNSSEC is working correctly, we check whether 'dig' can validate our signed answers. First we extract our Key Signing Key using 'pdnssec':

$ ./pdnssec show-zone powerdnssec.org
KSK present:
Tag = 13837
KSK DNSKEY = powerdnssec.org IN DNSKEY 257 3 5 AwEAAae8HOmM48I0JyvH/6PfJmyQI6cjxuim303imTlHx ... 6mE=
DS = powerdnssec.org IN DS 13837 5 1 df1170736092c3e499d4284ac234a558f18ca78a

ZSKs for zone 'powerdnssec.org':
Tag = 46582	Active: 1, Thu Apr 15 02:00:00 2010 - Thu Apr 29 02:00:00 2010
Tag = 2461	Active: 0, Thu Apr 29 02:00:00 2010 - Thu May 13 02:00:00 2010

Now copy the part of the 'KSK DNSKEY' line (the third output line) to the right of the equals sign into a file called 'trusted-keys'. That text starts with 'powerdnssec.org IN DNSKEY ...'.

Then we can run 'dig' in 'signature chase mode':

$ dig +dnssec +sigchase +trusted-key=./trusted-keys -t A powerdnssec.org @127.0.0.1 -p 5300
...
;; WE HAVE MATERIAL, WE NOW DO VALIDATION
;; VERIFYING A RRset for powerdnssec.org. with DNSKEY:46582: success
;; OK We found DNSKEY (or more) to validate the RRset
;; Ok, find a Trusted Key in the DNSKEY RRset: 13837
;; VERIFYING DNSKEY RRset for powerdnssec.org. with DNSKEY:13837: success

;; Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS

Success!
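Before handing the DS from 'show-zone' to a parent zone, it is worth checking that it really corresponds to the DNSKEY you just put in 'trusted-keys'. The following is an added example (not code from the PowerDNS project) that derives the key tag and the DS digest from a DNSKEY line the way RFC 4034 specifies; the DNSKEY used here is a constructed stand-in, since the page's real key is truncated.

```python
import base64
import hashlib
import struct

# Constructed DNSKEY for illustration (key bytes 01 02 03 04). The page's real KSK is
# truncated ("..."), so paste the full line from 'pdnssec show-zone' when checking a real zone.
SAMPLE_DNSKEY = "powerdnssec.org IN DNSKEY 257 3 5 AQIDBA=="


def wire_name(name):
    """Owner name in DNS wire format, lower-cased (RFC 4034 section 5.1.4)."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, proto, alg, key_b64):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw public key."""
    return struct.pack("!HBB", flags, proto, alg) + base64.b64decode(key_b64)


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (valid for all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type=1):
    """DS digest = hash(owner wire name || DNSKEY RDATA); type 1 is SHA-1, type 2 SHA-256."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return h(wire_name(owner) + rdata).hexdigest()


def ds_from_dnskey_line(line, digest_type=1):
    """Turn 'owner IN DNSKEY flags proto alg key...' into the matching 'owner IN DS ...' line."""
    parts = line.split()
    owner, _cls, _type, flags, proto, alg = parts[:6]
    key_b64 = "".join(parts[6:])  # tolerate a key printed in several chunks
    rdata = dnskey_rdata(int(flags), int(proto), int(alg), key_b64)
    return "%s IN DS %d %d %d %s" % (owner, key_tag(rdata), int(alg), digest_type,
                                     ds_digest(owner, rdata, digest_type))


if __name__ == "__main__":
    print(ds_from_dnskey_line(SAMPLE_DNSKEY))
```

Compare the printed line with the 'DS =' line from 'pdnssec show-zone'; the key tag must also match the 'Tag =' value under 'KSK present'.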

Generic MySQL backend

Other backends will soon follow. To start serving DNSSEC from an existing PowerDNS installation that uses the gmysql backend, issue the following at the MySQL prompt for your database:

alter table records add ordername      VARCHAR(255);
alter table records add auth bool;
create index orderindex on records(ordername);

This adds the columns needed to get the DNSSEC ordering straight. The ordername column needs to be filled out as described in the link, but the 'pdnssec' tool can do this for you, like this:

$ pdnssec order-zone powerdnssec.org

This will set the ordering fields correctly (and in the near future, the auth fields too).
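To see what 'order-zone' puts into that column and why it matters, here is an added example (not PowerDNS code) that computes NSEC ordernames for a constructed set of names and the NSEC chain the ordering yields. It assumes PowerDNS's NSEC convention: the name relative to the zone apex, lower-cased, with its labels reversed and joined by spaces, so that a plain string sort of the column gives RFC 4034 canonical order.

```python
# Constructed sample zone contents; any names inside powerdnssec.org will do.
SAMPLE_NAMES = [
    "powerdnssec.org",
    "www.powerdnssec.org",
    "mail.powerdnssec.org",
    "b.powerdnssec.org",
    "a.b.powerdnssec.org",
]


def nsec_ordername(qname, zone):
    """Assumed PowerDNS NSEC ordername: relative labels, lower-cased, reversed, space-joined.

    The space separator (0x20) sorts before every letter, so 'b' < 'b a' < 'ba',
    which reproduces the canonical ordering of b, a.b, ba from RFC 4034 section 6.1.
    """
    qname, zone = qname.rstrip(".").lower(), zone.rstrip(".").lower()
    if qname == zone:
        return ""  # the apex sorts first
    if not qname.endswith("." + zone):
        raise ValueError("%s is not inside zone %s" % (qname, zone))
    relative = qname[: -len(zone) - 1]
    return " ".join(reversed(relative.split(".")))


def nsec_chain(names, zone):
    """Sort names as the ordername index does and pair each with its NSEC 'next' owner."""
    ordered = sorted(set(names), key=lambda n: nsec_ordername(n, zone))
    return [(n, ordered[(i + 1) % len(ordered)]) for i, n in enumerate(ordered)]


def ordername_updates(names, zone):
    """Parameterised UPDATEs for the 'ordername' column added above, one per name."""
    sql = "UPDATE records SET ordername=%s WHERE name=%s"
    ordered = sorted(set(names), key=lambda n: nsec_ordername(n, zone))
    return [(sql, (nsec_ordername(n, zone), n)) for n in ordered]


if __name__ == "__main__":
    for owner, nxt in nsec_chain(SAMPLE_NAMES, "powerdnssec.org"):
        print("%-25s ordername=%-6r next=%s" % (owner, nsec_ordername(owner, "powerdnssec.org"), nxt))
```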

Development

Developers can find more information here.

Details

Details about philosophy, key schedules can be found here.

Things to be aware of

Do NOT run the above in production! Problems right now are:

  • Your install will crash in two weeks unless you've run 'pdnssec update-keys' in the meantime
  • Your install may crash anyhow if it feels like it
  • Only privacy-violating NSEC is supported right now, not yet NSEC3
  • Over 75% of the PowerDNS Regression tests run correctly on PowerDNSSEC
  • You'll need to 'rsync' your key repository to your slaves
  • For large zones, you may not be able (initially) to serve thousands of queries/second
  • Only BIND and Generic MySQL (gmysql) backend right now
  • You MUST run with 'cache-ttl=0' which can put a damper on database performance
  • There is a bug on 64 bit platforms that breaks RRSIG generation

Next

The completely live & auto-signing nature of PowerDNSSEC is not what everyone wants. Other DNSSEC modes will be added soon.