Version 5 (modified by ahu, 3 years ago)
Everything you need to know about PowerDNSSEC
The very latest and greatest can be found on http://svn.powerdns.com/dnssec-wild-testing/. PowerDNS is currently in a very wild state, and is completely unsuitable for production use. Even compiling it is surprisingly hard.
Compiling
Get the latest source snapshot from the 'dnssec-wild-testing' URL above, and untar:
$ tar xzf pdns-3.0-pre.tar.gz
$ cd pdns-3.0-pre
$ ./configure --with-modules=""    (if you have MySQL, leave out --with-modules="")
$ make -j2
(wait)
You will probably get an error about missing 'boost' libraries right now. If you are lucky, you can simply install packages like 'boost-filesystem-dev' and 'boost-program-options-dev', and re-run make. If installing these packages worked, but 'make' still does not complete successfully, try editing pdns/Makefile.am and pdns/modules/bind/Makefile.am and replace -lboost_*-mt by -lboost_*.
Packages
Check the 'dnssec-wild-testing' URL again in a while; packages might have appeared by then.
Configuring
For now, use only the BIND backend. A suggested named-dnssec.conf consists of:
zone "powerdnssec.org" {
type master;
file "powerdnssec.org";
};
The 'reference' powerdnssec.org zone can be found in the regression tests here (click 'download original format').
Place this file in the directory where you put the 'named-dnssec.conf'.
Next change to the 'pdns' subdirectory, and create your key-repository:
$ mkdir keys
Now add keys for the powerdnssec.org zone:
$ ./pdnssec sign-zone powerdnssec.org
Created KSK with tag 13837
There are now 2 ZSKs
Tag = 46582 Active: 1
Tag = 2461 Active: 0
(may take some time)
Now launch PowerDNS from the command line:
$ ./pdns_server --no-config --local-port=5300 --daemon=no --socket-dir=./ --launch=bind --bind-config=./named-dnssec.conf --cache-ttl=0
Apr 21 15:15:20 Reading random entropy from '/dev/urandom'
Apr 21 15:15:20 This is a standalone pdns
Apr 21 15:15:20 Listening on controlsocket in './pdns.controlsocket'
Apr 21 15:15:20 It is advised to bind to explicit addresses with the --local-address option
Apr 21 15:15:20 UDP server bound to 0.0.0.0:5300
Apr 21 15:15:20 TCP server bound to 0.0.0.0:5300
Apr 21 15:15:20 PowerDNS 3.0-pre (C) 2001-2010 PowerDNS.COM BV (Apr 21 2010, 14:56:25, gcc 4.4.1) starting up
Apr 21 15:15:20 PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2.
Apr 21 15:15:20 Creating backend connection for TCP
Apr 21 15:15:20 [bindbackend] Parsing 1 domain(s), will report when done
Start loadconfig sort of 17 records
Done loadconfig sorting
Apr 21 15:15:20 [bindbackend] Done parsing domains, 0 rejected, 1 new, 0 removed
Apr 21 15:15:20 About to create 3 backend threads for UDP
Apr 21 15:15:20 Done launching threads, ready to distribute questions
(and leave this running)
And now you are in business! To verify, ask your new PowerDNSSEC a question from another terminal:
$ dig -t A powerdnssec.org @127.0.0.1 -p 5300
;; ANSWER SECTION:
powerdnssec.org.    3600    IN    A    212.123.148.70
powerdnssec.org.    3600    IN    RRSIG    A 5 2 3600 20100429000000 20100415000000 46582 powerdnssec.org. P4d1fdry3oeaXz7VfZVVIdhjNT8LgUd00SjBqSIPryumTB1h12natGyl UML7vaQbhojbfkyyiSpqhSVhPmoPKjvE45jH2HhAkP13DrSP7gfye46/ 3z3ptYcRWDssqQvGhJKHkHoYMTMFn4gU/hjt/8FesMNgps7sighXF2Bg pWk=
To verify that DNSSEC is working correctly, we can check if 'dig' will validate our DNSSEC output. First we extract our Key Signing Key using 'pdnssec':
$ pdnssec show-zone powerdnssec.org
KSK present:
Tag = 13837
KSK DNSKEY = powerdnssec.org IN DNSKEY 257 3 5 AwEAAae8HOmM48I0JyvH/6PfJmyQI6cjxuim303imTlHxK0uTwos9uuP3Jq6vpsPXopOpvZHS7Mfp3ltU54QCOq9ZZwT5bAIJmu+tpXHorw7BJppwPsSRdCeqji0DKG2ZMmOCjK6HYTBzUgDADZDO6Q22Xv5zDDo5wiUs0tMIS8F+4r8P49RgAroi/ME8s/6+Npro1Ysfdxuvj9YmHL7Mca5XF721JENj9WI5R6Y3PCXKDDjN34F1XGqYiizEQ4ru2ElMHQ2QUUKQVL6AICaNhMBz7FWWVIUlwKgcEajwUePxfEtfnPQWEu6Wb9mpo86I5tQ3Vp+msnpsgHXLL7hdxtr6mE=
DS = powerdnssec.org IN DS 13837 5 1 df1170736092c3e499d4284ac234a558f18ca78a
ZSKs for zone 'powerdnssec.org':
Tag = 46582 Active: 1, Thu Apr 15 02:00:00 2010 - Thu Apr 29 02:00:00 2010
Tag = 2461 Active: 0, Thu Apr 29 02:00:00 2010 - Thu May 13 02:00:00 2010
Now we copy/paste the third line, from the right-hand side of the 'equals' sign onward, into a file called trusted-key. So this starts with 'powerdnssec.org IN DNSKEY ...'.
Then we can run 'dig' in 'signature chase mode':
$ dig +dnssec +sigchase +trusted-key=./trusted-key -t A powerdnssec.org @127.0.0.1 -p 5300
...
;; WE HAVE MATERIAL, WE NOW DO VALIDATION
;; VERIFYING A RRset for powerdnssec.org. with DNSKEY:46582: success
;; OK We found DNSKEY (or more) to validate the RRset
;; Ok, find a Trusted Key in the DNSKEY RRset: 13837
;; VERIFYING DNSKEY RRset for powerdnssec.org. with DNSKEY:13837: success
;; Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS
Success!
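The 'show-zone' output above prints a key tag and a DS record next to the KSK. Before handing that DS to the parent zone it is worth checking that it really is derived from the DNSKEY you are publishing. The script below is an added example, not part of PowerDNS or of this page's original text: it recomputes the RFC 4034 key tag and the digest-type-1 (SHA-1) DS digest from a DNSKEY in presentation format and compares them with a DS line. The function names are mine; the DNSKEY and DS values in the main block are the ones printed by pdnssec above.

```python
import base64
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire format: lower-case labels, length-prefixed, root terminator."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def parse_dnskey(presentation: str):
    """Turn 'owner [IN] DNSKEY flags proto alg base64...' into (owner, DNSKEY rdata bytes)."""
    fields = presentation.split()
    idx = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))  # base64 may be split over fields
    # flags bit 0x0001 is SEP: set on the KSK (257), clear on a ZSK (256)
    return fields[0], struct.pack("!HBB", flags, proto, alg) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1/RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest type 1: SHA-1 over (owner name in wire format || DNSKEY rdata), hex encoded."""
    return hashlib.sha1(name_to_wire(owner) + rdata).hexdigest()


def check_ds(dnskey_line: str, ds_line: str) -> bool:
    """True only if the DS line's key tag, algorithm, digest type and digest all match the DNSKEY."""
    owner, rdata = parse_dnskey(dnskey_line)
    f = ds_line.split()
    i = f.index("DS")
    tag, alg, dtype, digest = int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), f[i + 4].lower()
    return tag == key_tag(rdata) and alg == rdata[3] and dtype == 1 and digest == ds_digest(owner, rdata)


if __name__ == "__main__":
    # KSK DNSKEY and DS exactly as printed by 'pdnssec show-zone powerdnssec.org' on this page
    ksk = ("powerdnssec.org IN DNSKEY 257 3 5 AwEAAae8HOmM48I0JyvH/6PfJmyQI6cjxuim303imTlHxK0uTwos9uuP3Jq6vpsPXopOpvZHS7Mfp3ltU54QCOq9ZZwT5bAIJmu+tpXHorw7BJppwPsSRdCeqji0DKG2ZMmOCjK6HYTBzUgDADZDO6Q22Xv5zDDo5wiUs0tMIS8F+4r8P49RgAroi/ME8s/6+Npro1Ysfdxuvj9YmHL7Mca5XF721JENj9WI5R6Y3PCXKDDjN34F1XGqYiizEQ4ru2ElMHQ2QUUKQVL6AICaNhMBz7FWWVIUlwKgcEajwUePxfEtfnPQWEu6Wb9mpo86I5tQ3Vp+msnpsgHXLL7hdxtr6mE=")
    ds = "powerdnssec.org IN DS 13837 5 1 df1170736092c3e499d4284ac234a558f18ca78a"
    owner, rdata = parse_dnskey(ksk)
    print("computed key tag:", key_tag(rdata), " computed DS digest:", ds_digest(owner, rdata))
    print("DS matches DNSKEY:", check_ds(ksk, ds))
```

Run it against your own 'show-zone' output: a MATCH result means the DS you publish at the parent points at the key the zone actually serves, which is exactly what dig's signature chase relies on.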