Re: DNSSEC Readiness

[Mark Andrews <marka () isc org>]

In message <4B7A502F.8000204 () knownelement com>, Charles N Wyble writes:
> > Repeat for IPv6.
> >
> > dig -6 ns . +norec @l.root-servers.net
> > dig -6 ns . +dnssec +cd +norec @l.root-servers.net
> > dig -6 any . +dnssec +cd +norec @l.root-servers.net
> > dig -6 any . +dnssec +cd +norec @l.root-servers.net +vc
> >  
> > Mark
>
> Thank you. That's a nice quick/dirty test.
>
> All 4 commands worked.
>
> If folks are curious, my setup is Ubuntu 9.10 client, Ubuntu 9.10 server
> running bind and a cisco 1841 running 12.4(18). I don't have a Windows
> box handy to test on. How would one test with nslookup anyway? Or does
> it only matter if the local DNS server can do the lookup and clients
> will just work? Though one would still need to test from Windows if you
> have AD for DNS I suppose. *shrugs*
>
> Ok.... that's the client side.

That's a path test.  Next are system tests.  You should get answers
to all of below and you should have "ad" set in the "se" query.

named.test.conf:

trusted-keys {
        dlv.isc.org. 257 3 5 
"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URkY62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboMQKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VStTDN0YUuWrBNh";
};

options {
        listen-on port 4444 { 127.0.0.1; };
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside . trust-anchor dlv.isc.org;
};

dig -p 4444 @127.0.0.1 +dnssec se soa
dig -p 4444 @127.0.0.1 +dnssec .
dig -p 4444 @127.0.0.1 +dnssec www.microsoft.com

Once you are confident you can add these to you normal named.conf.
See https://www.isc.org/solutions/dlv for more details and subscribe
to dlv-announce () isc org so you will get reminders about when to
update the trusted-keys statement.

When the root is signed you will want to add a trusted-keys clause
for it as well.  I wouldn't suggest tracking more trusted keys than
that for the moment.

> How about the server side?
>
> I'm currently using my registrars DNS servers. I haven't seen anything
> in their control panel about DNSSEC. One item on my TODO list is to move
> DNS to my BIND servers.
>
> Quick search turns up
> http://www.howtoforge.com/debian_bind9_master_slave_system which
> mentions a few commands and couple stanzas. Is that all it takes?
> How do you verify that you are .... compliant? complete? I mean SSL
> based PKI is pretty straightforward and I understand it and can verify
> that I'm compliant/complete (run my own ca, issue certs, delegate trust
> etc). Guess I need to do more reading on DNSSEC and how to integrate
> into the global DNSSEC infrastructure (such as it is and will emerge to
> be). I have a test domain that I use for things like this. I would like
> to setup DNSSEC and then positively/negatively test it. Just not sure
> how. Presumably one should attempt to MITM the request and make sure the
> resolver complains yes?
>
> This is at my home network and as such I have a great degree of
> latitude.  For folks who have managers to report to, what are the
> justifications for deploying DNSSEC?
>
> I think one would do it in stages
>
> 1)Make sure their infrastructure can at least handle the DNS protocol
> changes that DNSSEC brings about (ie the 4 test commands above pass)
>
> 2)Implement a parallel environment with and without DNSSEC (is this
> possible/desirable?)
>
> 3)Sign their records.
>
> Anyway just some thoughts.
>
> Thanks to folks who have responded so far.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iEYEARECAAYFAkt6UCoACgkQJmrRtQ6zKE/bAACgtNtqptEN0X1deA+gbr+HilOx
> OJ0AoKyLc6soMTi4aKQI4u6HUTWxr7tt
> =r7yW
> -----END PGP SIGNATURE-----
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org