Sep 12 2015

Well, I just had a “fun” afternoon.  For the past few weeks, the free DNS provider I was using, yi.org, has been unresponsive.  I had sent numerous emails to the administrator of the site, but heard nothing.  Fearing the worst, I decided it was time to move.  I looked around, and found I could get an id.au domain cheaply, so here I am.

I’d like to thank Tyler MacDonald for providing the yi.org service for the last 10 years.  It helped a great deal, and until recently, was a real great service.  I’d still recommend it to people if the site was up.

So, I put the order in on a Saturday, and the domain was brought online on Monday evening.  I slowly moved my Internet estates across to it, and so I had my old URLs redirecting to new ones, the old email address became an alias of the new one, moving mailing list subscriptions over, etc.  Most of the migration would take place this weekend, when I’d set things up proper.

One of the things I thought I’d tackle was DNSSEC.  There are a number of guides, and I followed this one.

Preparations

Before doing anything, I installed dnssec-tools as well as the dependencies, bind-utils and bind. I had to edit some things in /etc/dnssec-tools/dnssec-tools.conf to adjust some paths on Gentoo, and to set preferred signature options (I opted for RSASHA512 signatures, 4096-bit key-signing keys and 2048-bit zone-signing keys).

Getting the zone file

I constructed a zone file using what I could extract using dig:

The following is a dump of more or less what I got. Obviously the nameservers were for my domain registrar initially and not the ones listed here.

$ dig any @192.168.xxx.xxx longlandclan.id.au 
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.10.2-P2 <<>> any @192.168.xxx.xxx longlandclan.id.au
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60996
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 22, AUTHORITY: 0, ADDITIONAL: 10

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;longlandclan.id.au.            IN      ANY

;; ANSWER SECTION:
longlandclan.id.au.     86400   IN      SOA     ns.longlandclan.id.au. stuartl.longlandclan.id.au. 2015091231 10800 3600 604800 3600
longlandclan.id.au.     86400   IN      NS      h.ns.buddyns.com.
longlandclan.id.au.     86400   IN      NS      atomos.longlandclan.yi.org.
longlandclan.id.au.     86400   IN      NS      b.ns.buddyns.com.
longlandclan.id.au.     86400   IN      NS      ns.longlandclan.id.au.
longlandclan.id.au.     3600    IN      A       150.101.176.226
longlandclan.id.au.     3600    IN      MX      10 mail.longlandclan.id.au.
longlandclan.id.au.     3600    IN      TXT     "v=spf1 a a:atomos.longlandclan.id.au ip6:2001:44b8:21ac:7000::/56 ip4:150.101.176.226 a:mail.internode.on.net ~all"
longlandclan.id.au.     3600    IN      AAAA    2001:44b8:21ac:7000::1

;; ADDITIONAL SECTION:
b.ns.buddyns.com.       8439    IN      A       173.244.206.25
h.ns.buddyns.com.       8439    IN      A       119.252.20.56
h.ns.buddyns.com.       170395  IN      AAAA    2401:1400:1:1201:0:1:7853:1a5
ns.longlandclan.id.au.  3600    IN      A       150.101.176.226
ns.longlandclan.id.au.  3600    IN      AAAA    2001:44b8:21ac:7000::1
atomos.longlandclan.yi.org. 86400 IN    A       192.168.5.1
atomos.longlandclan.yi.org. 86400 IN    AAAA    2001:44b8:21ac:7000::1
mail.longlandclan.id.au. 3600   IN      A       150.101.176.226
mail.longlandclan.id.au. 3600   IN      AAAA    2001:44b8:21ac:7000::1

;; Query time: 3 msec
;; SERVER: 192.168.xxx.xxx#53(192.168.xxx.xxx)
;; WHEN: Sat Sep 12 16:40:38 EST 2015
;; MSG SIZE  rcvd: 4715

I needed to translate this into a zone file. If there’s any secret sauce missing, now’s the time to add it. I wound up with a zone file (called longlandclan.id.au) that looked like this:

$TTL 3600
$ORIGIN longlandclan.id.au.
@	86400	IN	SOA	ns.longlandclan.id.au. stuartl.longlandclan.id.au. (2015091231 10800 3600 604800 3600 )
@	86400   IN      NS      ns.longlandclan.id.au.
@	86400   IN      NS      atomos.longlandclan.yi.org.
@	86400   IN      NS      h.ns.buddyns.com.
@	86400   IN      NS      b.ns.buddyns.com.
@	3600	IN	MX	10 mail.longlandclan.id.au.
@	3600	IN	TXT	"v=spf1 a a:atomos.longlandclan.id.au ip6:2001:44b8:21ac:7000::/56 ip4:150.101.176.226 a:mail.internode.on.net ~all"
@	3600	IN	A	150.101.176.226
@	3600	IN	AAAA	2001:44b8:21ac:7000::1
atomos	3600	IN	A	150.101.176.226
atomos	3600	IN	AAAA	2001:44b8:21ac:7000::1
mail	3600	IN	A	150.101.176.226
mail	3600	IN	AAAA	2001:44b8:21ac:7000::1
ns	3600	IN	A	150.101.176.226
ns	3600	IN	AAAA	2001:44b8:21ac:7000::1
*	3600	IN	A	150.101.176.226
*	3600	IN	AAAA	2001:44b8:21ac:7000::1

Signing the zone

The next step is to create the keys for the zone and sign it.

$ zonesigner -genkeys longlandclan.id.au

This generates a heap of files. Apart from the keys themselves, two are important as far as your DNS server is concerned: dsset-longlandclan.id.au. and longlandclan.id.au.signed. The former contains the DS records that you’ll need to give to your registrar; the latter is what your DNS server needs to serve up.

Updating DNS

I figured the safest bet was to add the domain records first, then come back and do the DS keys since there’s a warning that messing with those can break the domain. At this time I had Zuver (my registrar) hosting my DNS, so over I trundle to add a record to the zone, except I discover that there aren’t any options there to add the needed records.

“Okay, maybe they’ll appear when I add the DS keys”, I think. Their DS key form looks like this:

Zuver's DS Key Data form

dsset-longlandclan.id.au. for me looked like this:

longlandclan.id.au.     IN DS 12345 10 1 7AB4...
longlandclan.id.au.     IN DS 12345 10 2 DE02...

Turns out, the 12345 goes by a number of names, such as key ID and in the Zuver interface, key tag.  So in they went.  The record literally is in the form:

${DOMAIN} IN DS ${KEY_ID} ${ALGO} ${DIGEST_TYPE} ${DIGEST}

The digest, if it has spaces, is to be entered without spaces.
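As an added example (not code from the original post or from dnssec-tools), the following derives the DS fields from a DNSKEY and checks them against a dsset line in the ${DOMAIN} IN DS ${KEY_ID} ${ALGO} ${DIGEST_TYPE} ${DIGEST} form, so what you paste into the registrar’s form can be verified against the key you actually published. The DNSKEY used here is constructed (a 4-byte dummy public key with the RSASHA512 algorithm number 10), not a real KSK.

```python
# Added example (not from the original post): derive DS record fields from a
# DNSKEY (RFC 4034 section 5.1.4 / Appendix B) and compare them with a dsset
# line. The key material below is constructed, not a real key-signing key.
import base64
import hashlib

# Digest type numbers used in DS records: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGEST_ALGS = {1: "sha1", 2: "sha256", 4: "sha384"}

# Constructed DNSKEY: flags 257 (KSK), protocol 3, algorithm 10 (RSASHA512)
CONSTRUCTED_OWNER = "longlandclan.id.au."
CONSTRUCTED_KEY = (257, 3, 10, "AQIDBA==")   # base64 of bytes 01 02 03 04 (dummy)

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: the 'key ID' / 'key tag' the registrar asks for."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type):
    """Return (key_tag, algorithm, digest_type, DIGEST_HEX) for the given DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64))
    digest = hashlib.new(DIGEST_ALGS[digest_type], name_to_wire(owner) + rdata)
    return key_tag(rdata), algorithm, digest_type, digest.hexdigest().upper()

def parse_dsset_line(line: str):
    """Parse 'owner [TTL] [IN] DS tag alg dtype digest'; digest may contain spaces."""
    f = line.split()
    i = f.index("DS")
    tag, alg, dtype = int(f[i + 1]), int(f[i + 2]), int(f[i + 3])
    digest = "".join(f[i + 4:]).upper()   # the registrar form wants no spaces
    return f[0], (tag, alg, dtype, digest)

def ds_matches_dnskey(dsset_line, flags, protocol, algorithm, pubkey_b64) -> bool:
    """True if the dsset line was derived from this DNSKEY (tag, alg, type and digest all agree)."""
    owner, expected = parse_dsset_line(dsset_line)
    return ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, expected[2]) == expected

if __name__ == "__main__":
    for dtype in (1, 2):
        tag, alg, dt, digest = ds_from_dnskey(CONSTRUCTED_OWNER, *CONSTRUCTED_KEY, dtype)
        print(f"{CONSTRUCTED_OWNER} IN DS {tag} {alg} {dt} {digest}")
```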

Oops, I broke it!

So having added these keys, I noted (as I thought might happen) that the domain stopped working. I found I still couldn’t add the records, so I now had to move (quickly) my DNS over to another DNS server, one that permitted these kinds of records. I figured I’d do it myself, and get someone to act as a secondary.

First step was to take that longlandclan.id.au.signed file and throw it into the bind server’s data directory and point named.conf at it. To make sure you can hook a slave to it, create an ACL that matches the IP addresses of your possible slaves, and add that to the allow-transfer option for the zone:

acl buddyns {
        173.244.206.26;
        88.198.106.11;
        2607:f0d0:1005:72::100;
        2a01:4f8:d12:d01::10:100;
};
acl stuartslan { ... };

zone "longlandclan.id.au" IN {
        type master;
        file "pri/longlandclan.id.au.signed";
        allow-transfer { buddyns; localhost; stuartslan; };
        allow-query { any; };
        allow-update { localhost; stuartslan; };
        notify no;
};

Make sure that from another machine in your network, you can run dig +tcp axfr @${DNS_IP} ${DOMAIN} and get a full listing of your domain’s contents.

I really needed a slave DNS server and so went looking around, found one in BuddyNS. I then spent the next few hours arguing with bind as to whether it was authoritative for the domain or not. Long story short, make sure when you re-start bind, that you re-start ALL instances of it. In my case I found there was a rogue instance running with the old configuration.

BuddyNS was fairly simple to set up (once BIND worked). You basically sign up, pick out two of their DNS servers and submit those to your registrar as the authoritative servers for your domain. I ended up picking two DNS servers, one in the US and one in Adelaide. I also added in an alias to my host using my old yi.org domain.

Adding nameservers

Working again

After doing that, my domain worked again, and DNSSEC seemed to be working. There are a few tools you can use to test it.

Updating the zone later

If for whatever reason you wish to update the zone, you need to sign it again. In fact, you’ll need to sign it periodically as the signatures expire. To do this:

$ zonesigner longlandclan.id.au

Note the lack of -genkeys.
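Since the signatures expire, it helps to know when re-signing is due before resolvers start failing validation. As an added example (not from the original post or from dnssec-tools), this scans a signed zone file for RRSIG records and lists those expiring within a window; the zone text below is constructed, with dummy signature blobs, in the multi-line layout signed zones commonly use.

```python
# Added example, not from the original post: find RRSIG records in a signed
# zone that expire within a window, so you know when to re-run zonesigner.
# The zone text below is constructed; signature blobs ("AAAA=") are dummies.
from datetime import datetime, timedelta

SAMPLE_SIGNED_ZONE = """\
longlandclan.id.au.	3600	IN	A	150.101.176.226
longlandclan.id.au.	3600	IN	RRSIG	A 10 3 3600 (
					20151012163000 20150912163000 12345 longlandclan.id.au.
					AAAA= )   ; constructed
mail.longlandclan.id.au.	3600	IN	RRSIG	AAAA 10 4 3600 20151101000000 20151002000000 12345 longlandclan.id.au. AAAA=
longlandclan.id.au.	86400	IN	RRSIG	DNSKEY 10 3 86400 20151005000000 20150905000000 54321 longlandclan.id.au. AAAA=
"""

def logical_records(zone_text):
    """Yield one record per string, joining '(' ... ')' continuation lines.
    Assumes ';' never appears inside quoted strings (true for this zone)."""
    buf, depth = [], 0
    for raw in zone_text.splitlines():
        line = raw.split(";")[0]                  # strip comments
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth <= 0:
            yield " ".join(buf)
            buf, depth = [], 0

def parse_rrsig_expiry(record):
    """Return (owner, type covered, key tag, expiration) for an RRSIG record, else None.
    RRSIG RDATA order (RFC 4034): type alg labels origTTL expiration inception tag signer sig."""
    f = record.split()
    if "RRSIG" not in f:
        return None
    i = f.index("RRSIG")
    expiry = datetime.strptime(f[i + 5], "%Y%m%d%H%M%S")   # RRSIG times are UTC
    return f[0], f[i + 1], int(f[i + 7]), expiry

def expiring_rrsigs(zone_text, now_utc, within_days=14):
    """RRSIGs whose expiration is on or before now_utc + within_days (now as YYYYMMDDHHMMSS UTC)."""
    deadline = datetime.strptime(now_utc, "%Y%m%d%H%M%S") + timedelta(days=within_days)
    found = []
    for record in logical_records(zone_text):
        rec = parse_rrsig_expiry(record)
        if rec and rec[3] <= deadline:
            found.append(rec)
    return found

if __name__ == "__main__":
    for owner, covered, tag, expiry in expiring_rrsigs(SAMPLE_SIGNED_ZONE, "20150930000000"):
        print(f"{owner} RRSIG({covered}) key {tag} expires {expiry:%Y-%m-%d}: re-sign soon")
```

Run it from cron against the real longlandclan.id.au.signed (and today's date) and it flags the records whose signatures are close to lapsing.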

My advice to people trying DNSSEC

Before proceeding, make sure you know how to set up a DNS server so you can pull yourself out of the crap if it comes your way. Setting this up with some registrars is a one-way street: once you’ve added keys, there’s no removing them or going back, you’re committed.

Once domain signing keys are submitted, the only way to make that domain work will be to publish the signed record sets (RRSIG records) in your domain data, and that will need a DNS server that can host them.