Version 48 (modified by ahu, 2 years ago)
Everything you need to know about PowerDNSSEC
The very latest and greatest can be found on http://powerdnssec.org/downloads/
Documentation can be found on http://doc.powerdns.com/powerdnssec-auth.html
PowerDNSSEC is currently settling down, and is not quite suitable for unattended production use.
Compiling
Get the latest DEB/RPM/32-bit/64-bit linux packages from here.
Alternatively, get the tar.gz and compile:
$ tar xzf pdns-3.0-pre.tar.gz
$ cd pdns-3.0-pre
$ ./configure --with-modules="gsqlite3 gmysql"
$ make -j2
At least one of these two modules has to be configured in, even if you only intend to use the BIND backend. 'make' takes a while.
You will probably get an error about missing 'boost' libraries right now. You should install packages like 'boost-filesystem-dev' and 'boost-program-options-dev', and re-run make.
The following works on most Debian and Ubuntu systems:
# apt-get install g++ libboost-program-options-dev libboost-serialization-dev libpq-dev libmysqlclient-dev libsqlite3-dev
Note that you need to compile in at least one of gsqlite3, gpgsql or gmysql: the built-in BIND backend can't store DNSSEC keying material natively!
Help with compiling or installing
The pdns-dev mailing list is a good place to discuss PowerDNSSEC compilation problems. Our IRC channel #powerdns on irc.oftc.net can also be helpful. Development news is also tweeted via @PowerDNS_Bert.
Packages
An experimental static package is available for Debian, Ubuntu and RPM based 32 & 64 bit platforms. See http://powerdnssec.org/downloads
Configuring
To isolate your experiments from your production (Power)DNS, everything is run from a local directory.
For now, use the sqlite3 or Generic MySQL backend. Generic PostgreSQL probably works, but is not as well tested.
Change to the 'pdns' subdirectory of the freshly compiled PowerDNS tree (this is where the 'pdns_server' program lives) and put the configuration below in 'named-dnssec.conf':
zone "powerdnssec.org" {
type master;
file "powerdnssec.org";
};
The 'reference' powerdnssec.org zone can be found in the regression tests here (click 'download original format'). Place this file in the same 'pdns' directory where you also put 'named-dnssec.conf'.
If you don't already have a working PowerDNS MySQL or SQLite3 database, please head here or here respectively. Make sure PowerDNS can connect to your database.
Now update the database with the DNSSEC schema update, which can be found here (gmysql) and here (sqlite3).
$ mysql -u root powerdns < dnssec.schema.mysql.sql
or
$ sqlite3 powerdns.sqlite3 < dnssec.schema.sqlite3.sql
And tell PowerDNS to use the DNSSEC schema by specifying the 'gmysql-dnssec' or 'gpgsql-dnssec' or 'gsqlite3-dnssec' setting in your pdns.conf. A sample pdns.conf:
launch=gsqlite3
gsqlite3-database=/home/you/pdns-3.0-pre/powerdns.sqlite3
gsqlite3-dnssec
Then run:
$ ./backends/bind/zone2sql --gmysql --dnssec --named-conf=./named-dnssec.conf > zonedata.sql
And feed 'zonedata.sql' into your database. Note: --gmysql works for SQLite3 as well as for MySQL!
Once your database is set up, add keys for the powerdnssec.org zone:
$ ./pdnssec secure-zone powerdnssec.org
configname: '/usr/local/etc/pdns.conf'
Created KSK with tag 30367
There are now 2 ZSKs
id = 2, tag = 40051, algo = 5, bits = 1024	Active: 1
id = 3, tag = 42163, algo = 5, bits = 1024	Active: 0
(may take some time)
Now launch PowerDNS from the command line:
$ ./pdns_server --local-port=5300 --daemon=no --socket-dir=./
Apr 21 15:15:20 PowerDNS 3.0-pre (C) 2001-2011 PowerDNS.COM BV (Apr 21 2010, 14:56:25, gcc 4.4.1) starting up
(...)
Apr 21 15:15:20 Done launching threads, ready to distribute questions
(and leave this running)
You are now in business! To verify, ask your new PowerDNSSEC a question from another terminal:
$ dig +dnssec -t A powerdnssec.org @127.0.0.1 -p 5300
;; ANSWER SECTION:
powerdnssec.org.	3600	IN	A	212.123.148.70
powerdnssec.org.	3600	IN	RRSIG	A 5 2 3600 20100429000000 20100415000000 46582 powerdnssec.org. P4d1fdry3oeaXz7VfZVVIdhjNT8Lg ... pWk=
To verify that DNSSEC is working correctly, we can check whether 'dig' validates our DNSSEC output. To do so, first export our so-called 'Key Signing Key':
$ ./pdnssec export-zone-dnskey powerdnssec.org 1 | grep DNSKEY > trusted-keys
Then we can run 'dig' in 'signature chase mode':
$ dig +dnssec +sigchase +trusted-key=./trusted-keys -t A powerdnssec.org @127.0.0.1 -p 5300
...
;; WE HAVE MATERIAL, WE NOW DO VALIDATION
;; VERIFYING A RRset for powerdnssec.org. with DNSKEY:46582: success
;; OK We found DNSKEY (or more) to validate the RRset
;; Ok, find a Trusted Key in the DNSKEY RRset: 13837
;; VERIFYING DNSKEY RRset for powerdnssec.org. with DNSKEY:13837: success
;; Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS
Success!
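Beyond 'sigchase', two things are worth checking by hand in the 'dig +dnssec' output above: that every RRSIG was made by a key that is actually in the zone's DNSKEY RRset (the key tag in the RRSIG must match the RFC 4034 key tag computed over the DNSKEY), and how far away the RRSIG expiration date is (the sample above shows a two-week window, which is exactly why 'pdnssec update-keys' matters). The following Python is an added example written for this page; it is not part of the wiki page or of the PowerDNS code base. The records in SAMPLE_DIG_OUTPUT are constructed: the DNSKEY public keys are 4-byte dummies chosen so their key tags (2059 and 4116) can be verified by hand, and the signature fields are placeholders; real dig output has the same layout with real key material.

```python
"""Sanity checks on `dig +dnssec` output: RRSIG validity windows and DNSKEY key tags.

Added example for this wiki page; not part of the page or of PowerDNS itself.
SAMPLE_DIG_OUTPUT is constructed (dummy 4-byte keys, placeholder signatures).
"""
import base64
from datetime import datetime, timezone

# Constructed sample modelled on the page's answer section: a ZSK (flags 256, tag 2059)
# signs the A RRset, a KSK (flags 257, tag 4116) signs the DNSKEY RRset, and an MX
# RRSIG claims a key tag (46582) that is not present in the DNSKEY RRset at all.
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
powerdnssec.org. 3600 IN A      212.123.148.70
powerdnssec.org. 3600 IN RRSIG  A 5 2 3600 20100429000000 20100415000000 2059 powerdnssec.org. AAAA
powerdnssec.org. 3600 IN DNSKEY 256 3 5 AQIDBA==
powerdnssec.org. 3600 IN DNSKEY 257 3 5 BQYHCA==
powerdnssec.org. 3600 IN RRSIG  DNSKEY 5 2 3600 20100429000000 20100415000000 4116 powerdnssec.org. AAAA
powerdnssec.org. 3600 IN RRSIG  MX 5 2 3600 20100429000000 20100415000000 46582 powerdnssec.org. AAAA
"""


def key_tag(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> int:
    """RFC 4034 Appendix B: 16-bit sum over the DNSKEY RDATA, even-offset bytes weighted by 256."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def _ts(s: str) -> datetime:
    """RRSIG timestamps are YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_records(text: str):
    """Return ({key_tag: flags}, [rrsig dicts]) from dig's presentation-format output."""
    dnskeys, rrsigs = {}, []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or f[0].startswith(";"):
            continue
        if f[3] == "DNSKEY":
            flags, proto, algo = int(f[4]), int(f[5]), int(f[6])
            dnskeys[key_tag(flags, proto, algo, "".join(f[7:]))] = flags
        elif f[3] == "RRSIG":
            rrsigs.append({
                "owner": f[0], "type_covered": f[4], "algorithm": int(f[5]),
                "expiration": _ts(f[8]), "inception": _ts(f[9]),
                "key_tag": int(f[10]), "signer": f[11],
            })
    return dnskeys, rrsigs


def check_rrsigs(text: str, now: str, warn_days: int = 3):
    """List (owner, type, problem) findings for every RRSIG in `text`, judged at time `now`
    (given in RRSIG timestamp format). An empty list means every signature is current, not
    about to expire, and made by a key that is present in the DNSKEY RRset."""
    dnskeys, rrsigs = parse_records(text)
    ref = _ts(now)
    findings = []
    for sig in rrsigs:
        where = (sig["owner"], sig["type_covered"])
        if sig["key_tag"] not in dnskeys:
            findings.append(where + (f"signed by key tag {sig['key_tag']}, not in the DNSKEY RRset",))
        if not sig["inception"] <= ref <= sig["expiration"]:
            findings.append(where + ("signature outside its validity window",))
        else:
            left = sig["expiration"] - ref
            if left.days < warn_days:
                findings.append(where + (f"signature expires in {left.days} day(s)",))
    return findings


if __name__ == "__main__":
    # Judged on 2010-04-20 only the MX signature is reported (unknown key tag).
    for finding in check_rrsigs(SAMPLE_DIG_OUTPUT, now="20100420000000"):
        print(*finding)
```

Run it against real output by piping 'dig +dnssec' into a file and passing its contents as `text`; the `now` argument makes the expiry check reproducible, which is handy when feeding the script from a monitoring job that should alert a few days before the RRSIGs run out.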
BIND backend
The BIND backend can also serve DNSSEC information, but being file based, it can't easily store keying material. So if you want to run with DNSSEC, make sure to also configure a database. SQLite3 comes highly recommended, since it does not need an actual database server.
To make this happen, set: 'launch=gsqlite3,bind' in your pdns.conf. Assuming your domain is already in BIND, next execute:
$ echo "insert into domains (name, type) values ('powerdnssec.org', 'NATIVE');" | sqlite3 ./powerdns.sqlite3
Now you can configure your new domain with 'pdnssec' as usual. Note: the 'insert' step will be automated soon, but is needed for now. Note 2: instead of sqlite, you can also use gmysql.
NSEC3
To turn on NSEC3, run:
$ ./pdnssec set-nsec3 powerdnssec.org
$ ./pdnssec rectify-zone powerdnssec.org
Do be aware that this changes your KSK and hence your DS, which will cause downtime for the world! Optionally, specify the NSEC3 details:
$ ./pdnssec set-nsec3 powerdnssec.org '1 0 1 -' narrow
$ ./pdnssec rectify-zone powerdnssec.org
This configures so-called 'narrow' NSEC3 records, which do not need an ordered zone.
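The four NSEC3 parameters ('1 0 1 -' above: hash algorithm 1 = SHA-1, flags 0, 1 iteration, empty salt) determine the hashed owner names, and the reason a non-narrow zone must be 'rectified' is that denial-of-existence answers are found by walking those hashes in sorted order. The Python below is an added example written for this page, not code from the wiki page or from PowerDNS. It uses the zone names and parameters of RFC 5155 Appendix A (SHA-1, 12 iterations, salt aabbccdd) so that the apex hash can be checked against the RFC, builds the sorted chain, and picks the record covering a nonexistent name. The 'narrow' function shows the hash-1 / hash+1 synthesis that lets a server answer without any stored ordering; that is this example's assumed reading of the page's word 'narrow', not PowerDNS's own code.

```python
"""NSEC3 hashed owner names (RFC 5155) and why non-narrow NSEC3 needs an ordered zone.

Added example for this wiki page; not part of the page or of PowerDNS. Names and
parameters are the RFC 5155 Appendix A test zone; the page's '1 0 1 -' would be
iterations=1 and salt '-' (empty).
"""
import base64
import hashlib

# NSEC3 uses base32 with the "extended hex" alphabet (RFC 4648 section 7), lowercase,
# chosen so that hashed names sort in the same order as the raw digests.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def b32hex(raw: bytes) -> str:
    return base64.b32encode(raw).decode("ascii").translate(_B32_TO_B32HEX).lower().rstrip("=")


def wire_name(name: str) -> bytes:
    """Canonical wire form: lowercase labels, each length-prefixed, root label last."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_digest(name: str, iterations: int, salt_hex: str) -> bytes:
    """RFC 5155 section 5: H(name||salt), then H(previous||salt) `iterations` more times."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return digest


def nsec3_hash(name: str, iterations: int, salt_hex: str) -> str:
    return b32hex(nsec3_digest(name, iterations, salt_hex))


def nsec3_chain(names, iterations: int, salt_hex: str):
    """The sorted (hash, name) list a non-narrow server must keep. This hash order, not the
    name order, is what 'rectify-zone' has to establish before NSEC3 answers can be built."""
    return sorted((nsec3_hash(n, iterations, salt_hex), n) for n in names)


def _covers(owner: str, nxt: str, h: str) -> bool:
    """True if h lies strictly inside the interval owner..next (wrapping after the last hash)."""
    return owner < h < nxt or (owner >= nxt and (h > owner or h < nxt))


def covering_record(chain, qname: str, iterations: int, salt_hex: str):
    """(owner_hash, next_hash) of the NSEC3 record proving qname does not exist."""
    h = nsec3_hash(qname, iterations, salt_hex)
    hashes = [x[0] for x in chain]
    if h in hashes:
        raise ValueError(f"{qname} exists in the zone; no denial proof needed")
    for owner, nxt in zip(hashes, hashes[1:] + hashes[:1]):
        if _covers(owner, nxt, h):
            return owner, nxt
    raise RuntimeError("empty chain")


def narrow_cover(qname: str, iterations: int, salt_hex: str):
    """Assumed 'narrow' behaviour: instead of consulting an ordered chain, synthesize a record
    with owner H(qname)-1 and next H(qname)+1. Nothing needs to be sorted, but the answer
    proves only that this one name is absent."""
    h = int.from_bytes(nsec3_digest(qname, iterations, salt_hex), "big")
    lo = ((h - 1) % (1 << 160)).to_bytes(20, "big")
    hi = ((h + 1) % (1 << 160)).to_bytes(20, "big")
    return b32hex(lo), b32hex(hi)


# Owner names of the RFC 5155 Appendix A example zone.
RFC5155_NAMES = ["example", "a.example", "ai.example", "ns1.example", "ns2.example",
                 "w.example", "*.w.example", "x.w.example", "y.w.example",
                 "x.y.w.example", "xx.example"]

if __name__ == "__main__":
    chain = nsec3_chain(RFC5155_NAMES, 12, "aabbccdd")
    for hashed, name in chain:
        print(hashed, name)
    print(covering_record(chain, "nonexistent.example", 12, "aabbccdd"))
    print(narrow_cover("nonexistent.example", 1, "-"))
```

The printed chain is the order the database has to hold for a non-narrow zone; with the page's own parameters ('1 0 1 -') substitute `1, "-"` for `12, "aabbccdd"` and the zone's real names.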
Development
Developers can find more information here.
Details
Details about the design philosophy and key schedules can be found here.
Things to be aware of
Problems right now are:
- Your install will crash in two weeks unless you've run 'pdnssec update-keys' in the meantime
- Your install may crash anyhow if it feels like it
- Best keep *all* your TTLs at 3600, all bets are off otherwise for now
- AXFR adds NSEC records to NSEC3-enabled zones (oops)
- Only privacy-violating NSEC is supported right now, not yet NSEC3
- Over 75% of the PowerDNS Regression tests run correctly on PowerDNSSEC
- You'll need to 'rsync' your key repository to your slaves
- For large zones, you may not be able (initially) to serve thousands of queries/second
- Only BIND, Generic sqlite3, Generic MySQL (gmysql) and Generic PostgreSQL backends right now
- You MUST run with 'cache-ttl=0', which can put a damper on database performance
- There is a bug on 64 bit platforms that breaks RRSIG generation
Next
The completely live & online signing nature of PowerDNSSEC is not what everyone wants. Other DNSSEC modes will be added soon.