Version 13 (modified by ahu, 3 years ago)
Everything you need to know about PowerDNSSEC
The very latest and greatest can be found on http://svn.powerdns.com/dnssec-wild-testing/
PowerDNS is currently in a very wild state, and is completely unsuitable for production use. Even compiling it is surprisingly hard.
Compiling
Get the latest source snapshot from the 'dnssec-wild-testing' URL above, and untar:
$ tar xzf pdns-3.0-pre.tar.gz
$ cd pdns-3.0-pre
$ ./configure --with-modules=""      (if you have MySQL, leave out --with-modules="")
$ make -j2
(wait)
You will probably get an error about missing 'boost' libraries right now. If you are lucky, you can simply install packages like 'boost-filesystem-dev' and 'boost-program-options-dev', and re-run make. If installing these packages worked, but 'make' still does not complete successfully, try editing pdns/Makefile.am and pdns/modules/bind/Makefile.am and replace -lboost_*-mt by -lboost_*.
Packages
Check the 'dnssec-wild-testing' URL again in a while; packages might have appeared.
Configuring
To isolate your experiments from your production (Power)DNS, everything is run from a local directory.
For now, use only the BIND backend. A suggested named-dnssec.conf for PowerDNS consists of:
zone "powerdnssec.org" {
        type master;
        file "powerdnssec.org";
};
Change to the 'pdns' subdirectory of the PowerDNS you just compiled (this is where the 'pdns_server' program lives), and put the above configuration there in a file called 'named-dnssec.conf'.
The 'reference' powerdnssec.org zone can be found in the regression tests here (click 'download original format'). Place this file in the same 'pdns' directory where you also put 'named-dnssec.conf'.
Now create your key-repository:
$ mkdir keys
Next, add keys for the powerdnssec.org zone:
$ ./pdnssec sign-zone powerdnssec.org
Created KSK with tag 13837
There are now 2 ZSKs
Tag = 46582 Active: 1
Tag = 2461 Active: 0
(may take some time)
Now launch PowerDNS from the command line:
$ ./pdns_server --no-config --local-port=5300 --daemon=no --socket-dir=./ --launch=bind --bind-config=./named-dnssec.conf --cache-ttl=0
Apr 21 15:15:20 Reading random entropy from '/dev/urandom'
Apr 21 15:15:20 This is a standalone pdns
Apr 21 15:15:20 Listening on controlsocket in './pdns.controlsocket'
Apr 21 15:15:20 It is advised to bind to explicit addresses with the --local-address option
Apr 21 15:15:20 UDP server bound to 0.0.0.0:5300
Apr 21 15:15:20 TCP server bound to 0.0.0.0:5300
Apr 21 15:15:20 PowerDNS 3.0-pre (C) 2001-2010 PowerDNS.COM BV (Apr 21 2010, 14:56:25, gcc 4.4.1) starting up
Apr 21 15:15:20 Creating backend connection for TCP
Apr 21 15:15:20 [bindbackend] Parsing 1 domain(s), will report when done
Start loadconfig sort of 17 records
Done loadconfig sorting
Apr 21 15:15:20 [bindbackend] Done parsing domains, 0 rejected, 1 new, 0 removed
Apr 21 15:15:20 About to create 3 backend threads for UDP
Apr 21 15:15:20 Done launching threads, ready to distribute questions
(and leave this running)
You are now in business! To verify, ask your new PowerDNSSEC a question from another terminal:
$ dig +dnssec -t A powerdnssec.org @127.0.0.1 -p 5300
;; ANSWER SECTION:
powerdnssec.org. 3600 IN A 212.123.148.70
powerdnssec.org. 3600 IN RRSIG A 5 2 3600 20100429000000 20100415000000 46582 powerdnssec.org. P4d1fdry3oeaXz7VfZVVIdhjNT8Lg ... pWk=
To verify that DNSSEC is working correctly, we can check if 'dig' will validate our DNSSEC output. First we extract our Key Signing Key using 'pdnssec':
$ ./pdnssec show-zone powerdnssec.org
KSK present:
Tag = 13837
KSK DNSKEY = powerdnssec.org IN DNSKEY 257 3 5 AwEAAae8HOmM48I0JyvH/6PfJmyQI6cjxuim303imTlHx ... 6mE=
DS = powerdnssec.org IN DS 13837 5 1 df1170736092c3e499d4284ac234a558f18ca78a
ZSKs for zone 'powerdnssec.org':
Tag = 46582 Active: 1, Thu Apr 15 02:00:00 2010 - Thu Apr 29 02:00:00 2010
Tag = 2461 Active: 0, Thu Apr 29 02:00:00 2010 - Thu May 13 02:00:00 2010
Now we copy/paste the part of the third output line ('KSK DNSKEY = ...') to the right of the 'equals' sign into a file called 'trusted-keys'. So this file starts with 'powerdnssec.org IN DNSKEY ...'.
Then we can run 'dig' in 'signature chase mode':
$ dig +dnssec +sigchase +trusted-key=./trusted-keys -t A powerdnssec.org @127.0.0.1 -p 5300
...
;; WE HAVE MATERIAL, WE NOW DO VALIDATION
;; VERIFYING A RRset for powerdnssec.org. with DNSKEY:46582: success
;; OK We found DNSKEY (or more) to validate the RRset
;; Ok, find a Trusted Key in the DNSKEY RRset: 13837
;; VERIFYING DNSKEY RRset for powerdnssec.org. with DNSKEY:13837: success
;; Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS
Success!
Things to be aware of
Do NOT run the above in production! Problems right now are:
- Your install will crash in two weeks unless you've run 'pdnssec update-keys' in the meantime
- Your install may crash anyhow if it feels like it
- Only privacy-violating NSEC is supported right now, not yet NSEC3
- Over 75% of the PowerDNS Regression tests run correctly on PowerDNSSEC!
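The 'trusted-keys' copy/paste step above and the two-week key expiry warning both come down to reading 'pdnssec show-zone' output. The helper below is an added example (not part of this page or of PowerDNS) that parses that output exactly as printed above: it extracts the KSK DNSKEY line for the trusted-keys file and reports whether any pre-generated ZSK window still covers a given moment, so you can see when 'pdnssec update-keys' is due. It assumes the 'Tag = ... Active: ..., <start> - <end>' line format shown on this page.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, abbreviated from the 'pdnssec show-zone' output on this page.
SHOW_ZONE_OUTPUT = """\
KSK present:
Tag = 13837
KSK DNSKEY = powerdnssec.org IN DNSKEY 257 3 5 AwEAAae8HOmM48I0JyvH/6PfJmyQI6cjxuim303imTlHx ... 6mE=
DS = powerdnssec.org IN DS 13837 5 1 df1170736092c3e499d4284ac234a558f18ca78a
ZSKs for zone 'powerdnssec.org':
Tag = 46582 Active: 1, Thu Apr 15 02:00:00 2010 - Thu Apr 29 02:00:00 2010
Tag = 2461 Active: 0, Thu Apr 29 02:00:00 2010 - Thu May 13 02:00:00 2010
"""

ZSK_RE = re.compile(r"Tag = (\d+) Active: ([01]), (.+?) - (.+)$")  # one ZSK line (assumed format)
TIME_FMT = "%a %b %d %H:%M:%S %Y"  # e.g. 'Thu Apr 15 02:00:00 2010'

def trust_anchor(output):
    """Text right of 'KSK DNSKEY =': the line that goes into the trusted-keys file."""
    for line in output.splitlines():
        if line.startswith("KSK DNSKEY ="):
            return line.split("=", 1)[1].strip()
    raise ValueError("no KSK DNSKEY line in show-zone output")

def zsk_windows(output):
    """Return [(tag, active, start, end)] for every ZSK line; the KSK 'Tag =' line has no window and is skipped."""
    windows = []
    for line in output.splitlines():
        m = ZSK_RE.match(line.strip())
        if m:
            tag, active, start, end = m.groups()
            windows.append((int(tag), active == "1",
                            datetime.strptime(start, TIME_FMT),
                            datetime.strptime(end, TIME_FMT)))
    return windows

def active_zsk(output, now_iso):
    """Tag of the ZSK whose window covers the ISO-8601 time now_iso, or None if no key covers it."""
    now = datetime.fromisoformat(now_iso)
    for tag, _, start, end in zsk_windows(output):
        if start <= now < end:
            return tag
    return None

def days_of_zsk_left(output, now_iso):
    """Days until the last pre-generated ZSK window ends; near zero means 'pdnssec update-keys' is overdue."""
    now = datetime.fromisoformat(now_iso)
    last_end = max(end for _, _, _, end in zsk_windows(output))
    return (last_end - now) / timedelta(days=1)
```

Feeding the real output in (`./pdnssec show-zone powerdnssec.org | python3 -c ...`) and writing `trust_anchor(...)` to 'trusted-keys' replaces the manual copy/paste; the window check is what a cron job would alert on.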
Next
The completely live & auto-signing nature of PowerDNSSEC is not what everyone wants. Other DNSSEC modes will be added soon.