[gentoo-dev] DNSSEC (w/ DLV) live on *.dev.gentoo.org

[gentoo-dev] DNSSEC (w/ DLV) live on *.dev.gentoo.org

[Robin H. Johnson]

Just a heads up,

DNSSEC is now live on *.dev.gentoo.org hosts.

There is a DLV anchor registered at dlv.isc.org, so all public DNSSEC
lookups within the domain should work fine.

Here's visualisation on my two test cases:
http://dnsviz.net/d/dev.gentoo.org/dnssec/
http://dnsviz.net/d/mv78100.arm.dev.gentoo.org/dnssec/

If there are no problems reported in a week or two, I'm going to enable
this for the rest of our DNS zones, as well as registering the DS
records with the TLD. Thereafter, I'd also like to deploy DANE and SSH
fingerprints in DNS, and remove our reliance any elements of the CA
chain.

I haven't implemented NSEC3 by way of a conscious choice. I don't see
the need for any private information in our DNS records - simply
obscuring them isn't really security.

-- 
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail     : robbat2@gentoo.org
GnuPG FP   : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85

Re: [gentoo-dev] DNSSEC (w/ DLV) live on *.dev.gentoo.org

[Doug Goldstein]

On Sun, Jan 6, 2013 at 7:31 PM, Robin H. Johnson <robbat2@gentoo.org> wrote:
> Just a heads up,
>
> DNSSEC is now live on *.dev.gentoo.org hosts.

So for those that had to look up some or all of what Robin mentioned,
I'll summarize below.

>
> There is a DLV anchor registered at dlv.isc.org, so all public DNSSEC
> lookups within the domain should work fine.

DLV allows you to break out of the traditional each parent needs to be
signed and has an aside database that can confirm a specific node.
Very useful when the TLD didn't support signing or if a DNS provider
you use doesn't support DNSSEC. Stands for DNSSEC Lookaside
Validation.

>
> Here's visualisation on my two test cases:
> http://dnsviz.net/d/dev.gentoo.org/dnssec/
> http://dnsviz.net/d/mv78100.arm.dev.gentoo.org/dnssec/
>
> If there are no problems reported in a week or two, I'm going to enable
> this for the rest of our DNS zones, as well as registering the DS
> records with the TLD.

Basically getting rid of the need for the DLV and having the whole
chain signed from the root down to each domain.


> Thereafter, I'd also like to deploy DANE and SSH
> fingerprints in DNS, and remove our reliance any elements of the CA
> chain.

SSH supports a specific record called SSHFP which stores the hosts key
for validation. To against it when it enabled you should be able to do
something like:

$ ssh dev.gentoo.org -o VerifyHostKeyDNS=yes

DANE is DNS-based Authentication of Named Entities. Looks like its a
working group to add more public keys into DNS and get applications or
protocols to support it.

>
> I haven't implemented NSEC3 by way of a conscious choice. I don't see
> the need for any private information in our DNS records - simply
> obscuring them isn't really security.

NSEC3 is related to exposing the entities in your whole DNS record.
With DNSSEC you end up getting the whole zone to verify that its
signed. This has the side effect if you had www.mycompany.com but you
also had secret.mycompany.com, with DNSSEC your hostname secret would
be reveled as existing. NSEC3 attempts to mitigate this.

For more info on everything see:
http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions
>
> --
> Robin Hugh Johnson
> Gentoo Linux: Developer, Trustee & Infrastructure Lead
> E-Mail     : robbat2@gentoo.org
> GnuPG FP   : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
>

Excellent job getting us DNSSEC support btw!

-- 
Doug Goldstein

Re: [gentoo-dev] DNSSEC (w/ DLV) live on *.dev.gentoo.org

[Sven Vermeulen]

On Sun, Jan 06, 2013 at 10:01:00PM -0600, Doug Goldstein wrote:
> On Sun, Jan 6, 2013 at 7:31 PM, Robin H. Johnson <robbat2@gentoo.org> wrote:
> > Just a heads up,
> >
> > DNSSEC is now live on *.dev.gentoo.org hosts.
> 
> So for those that had to look up some or all of what Robin mentioned,
> I'll summarize below.

Feels like I'm on reddit now...

Upvote for you for the explanation, and an upvote to Robin for implementing it for
us!

Wkr,
	Sven Vermeulen

Re: [gentoo-dev] DNSSEC (w/ DLV) live on *.dev.gentoo.org

["Paweł Hajdan, Jr."]

[-- Attachment #1: Type: text/plain, Size: 268 bytes --]

On 1/6/13 5:31 PM, Robin H. Johnson wrote:
> Just a heads up,
> 
> DNSSEC is now live on *.dev.gentoo.org hosts.

Wow, that sounds pretty cool to me!

This could be a nice news: "Gentoo one of the first to deploy DNSSEC" -
what do you think? :)

Paweł



[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 203 bytes --]

Re: [gentoo-dev] DNSSEC (w/ DLV) live on *.dev.gentoo.org

[Maxim Kammerer]

On Mon, Jan 7, 2013 at 3:31 AM, Robin H. Johnson <robbat2@gentoo.org> wrote:
> Thereafter, I'd also like to deploy DANE and SSH
> fingerprints in DNS, and remove our reliance any elements of the CA
> chain.

Isn't DANE highly experimental and only supported by a couple of
browser plugins? Also, how widespread is client DNSSEC support? E.g.,
I enabled DNSSEC for my domain, but not sure yet whether DNS
resolution anywhere will fail in case DNS responses are spoofed.

-- 
Maxim Kammerer
Liberté Linux: http://dee.su/liberte

Re: [gentoo-dev] DNSSEC (w/ DLV) live on *.dev.gentoo.org

[Peter Stuge]

Maxim Kammerer wrote:
> Also, how widespread is client DNSSEC support? E.g., I enabled
> DNSSEC for my domain, but not sure yet whether DNS resolution
> anywhere will fail in case DNS responses are spoofed.

There is a gap between applications asking resolvers to do lookups
and resolvers which can do authenticated lookups, which still needs
to be bridged.

That gap bubbles up into a user interface problem, which is a domain
that all DNSSEC efforts have completely overlooked.

It will take some more time before applications settle on some UI
for communicating DNSSEC things to users, and on top of that the
users will need to understand what is actually going on.


//Peter

Re: [gentoo-dev] DNSSEC (w/ DLV) live on *.dev.gentoo.org

[Robin H. Johnson]

On Mon, Jan 07, 2013 at 04:34:09PM +0200, Maxim Kammerer wrote:
> On Mon, Jan 7, 2013 at 3:31 AM, Robin H. Johnson <robbat2@gentoo.org> wrote:
> > Thereafter, I'd also like to deploy DANE and SSH
> > fingerprints in DNS, and remove our reliance any elements of the CA
> > chain.
> Isn't DANE highly experimental and only supported by a couple of
> browser plugins? 
RFCs so far:
http://tools.ietf.org/html/rfc6698
http://tools.ietf.org/html/rfc6394

Firefox: 
Plugin needed:
https://os3sec.org/

Chrome: 
Already included in stock, see
http://www.imperialviolet.org/2011/06/16/dnssecchrome.html

> Also, how widespread is client DNSSEC support? E.g.,
> I enabled DNSSEC for my domain, but not sure yet whether DNS
> resolution anywhere will fail in case DNS responses are spoofed.
Most resolvers support it, but many have validation turned off :-(.

-- 
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail     : robbat2@gentoo.org
GnuPG FP   : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85

Re: [gentoo-dev] DNSSEC (w/ DLV) live on *.dev.gentoo.org

[Maxim Kammerer]

On Mon, Jan 7, 2013 at 10:59 PM, Robin H. Johnson <robbat2@gentoo.org> wrote:
> Firefox:
> Plugin needed:
> https://os3sec.org/

Doesn't work for me (no effect), stalls browser for long periods of time.

> Chrome:
> Already included in stock, see
> http://www.imperialviolet.org/2011/06/16/dnssecchrome.html

What seems to be included now is support for TYPE257 records, not DANE.
So https://dnssec.imperialviolet.org/ works, but I don't have success
with sites listed at
http://www.internetsociety.org/deploy360/resources/dane-test-sites/.

At least DANE can be enabled for CA-based certificates, providing a
migration path.

-- 
Maxim Kammerer
Liberté Linux: http://dee.su/liberte

Re: [gentoo-dev] DNSSEC (w/ DLV) live on *.dev.gentoo.org

[Benjamin Lee]

[-- Attachment #1: Type: text/plain, Size: 804 bytes --]

On 01/07/2013 06:34 AM, Maxim Kammerer wrote:
> browser plugins? Also, how widespread is client DNSSEC support? E.g.,
> I enabled DNSSEC for my domain, but not sure yet whether DNS
> resolution anywhere will fail in case DNS responses are spoofed.

Comcast runs dnssec-failed.org, which is convenient for testing out some
DNSSEC validation failure cases.  Using a validating resolver, my client
sees SERVFAIL:

$ host dnssec-failed.org.
Host dnssec-failed.org not found: 2(SERVFAIL)

and here are some example logs from the resolver (running BIND):

named[80369]: validating @0x804ee5500: dnssec-failed.org DNSKEY: no valid signature found (DS)
named[80369]: error (no valid RRSIG) resolving 'dnssec-failed.org/DNSKEY/IN': 68.87.76.228#53


-- 
Benjamin Lee
http://www.b1c1l1.com/


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 899 bytes --]

Re: [gentoo-dev] DNSSEC (w/ DLV) live on *.dev.gentoo.org

[Michael Weber]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 01/08/2013 12:39 AM, Benjamin Lee wrote:
> On 01/07/2013 06:34 AM, Maxim Kammerer wrote:
>> browser plugins? Also, how widespread is client DNSSEC support?
>> E.g., I enabled DNSSEC for my domain, but not sure yet whether
>> DNS resolution anywhere will fail in case DNS responses are
>> spoofed.
> 
> Comcast runs dnssec-failed.org, which is convenient for testing out
> some DNSSEC validation failure cases.  Using a validating resolver,
> my client sees SERVFAIL:
> 
> $ host dnssec-failed.org. Host dnssec-failed.org not found:
> 2(SERVFAIL)

The AD flag is missing on the answer (see bottom).
Programs don't really use that lack of coping with that information.

Openssh works,
Firefox has an plugin http://www.dnssec-validator.cz/

I don't think SERVFAIL or NXDOMAIN is the right way to communicate an
validation order.

Michael

p.s. there's dnssec-system-tray to have an eye on the unbound log. I
can provide you with a setup description iff you like.

michael@x ~ % dig dnssec-failed.org

; <<>> DiG 9.9.2 <<>> dnssec-failed.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62274
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dnssec-failed.org.		IN	A

;; AUTHORITY SECTION:
dnssec-failed.org.	7200	IN	SOA	dns101.comcast.org.
dnsadmin.comcast.net. 2010101559 900 180 604800 7200

;; Query time: 1852 msec
;; SERVER: ::1#53(::1)
;; WHEN: Fri Jan 18 00:38:07 2013
;; MSG SIZE  rcvd: 117

michael@x ~ % dig xmw.de

; <<>> DiG 9.9.2 <<>> xmw.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30196
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;xmw.de.				IN	A

;; ANSWER SECTION:
xmw.de.			42	IN	A	176.9.87.236

;; Query time: 1 msec
;; SERVER: ::1#53(::1)
;; WHEN: Fri Jan 18 00:39:53 2013
;; MSG SIZE  rcvd: 51


- -- 
Michael Weber
Gentoo Developer
web: https://xmw.de/
mailto: Michael Weber <xmw@gentoo.org>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iF4EAREIAAYFAlD4jLMACgkQknrdDGLu8JAAEAD8CYwlaeOcfZGIqwDurx4Bnhf8
H9+T1yirfVh/V9njmQUA/jCXhbi0MuLcQJeopyGT/xwR1EUlS1llH4pF8uAh29F8
=Mr9O
-----END PGP SIGNATURE-----

Re: [gentoo-dev] DNSSEC (w/ DLV) live on *.dev.gentoo.org

[Robin H. Johnson]

On Mon, Jan 07, 2013 at 01:31:39AM +0000, Robin H. Johnson wrote:
> If there are no problems reported in a week or two, I'm going to enable
> this for the rest of our DNS zones, as well as registering the DS
> records with the TLD. Thereafter, I'd also like to deploy DANE and SSH
> fingerprints in DNS, and remove our reliance any elements of the CA
> chain.
I haven't heard any problems at all, so I have implemented it on another
domain we own (it probably won't be renewed when it comes up, per
trustees decisions):
gentoo.be

In addition, I have the DS/DNSKEY with the .be domain registrar (the
full-trust variant, instead of relying on the DLV lookaside trust
repository).

I also added in a DNAME entry of:
dev.gentoo.be. DNAME dev.gentoo.org.

So that I could create the following trust chain for testing purposes:
http://dnsviz.net/d/mv78100.arm.dev.gentoo.be/dnssec/

If there are no problems reported by Jan 17th, I'm going to complete the
DNSSEC configuration on gentoo.org and remaining delegated sub-domains.

-- 
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail     : robbat2@gentoo.org
GnuPG FP   : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85

Re: [gentoo-dev] DNSSEC (w/ DLV) live on *.dev.gentoo.org

[Robin H. Johnson]

On Sat, Jan 12, 2013 at 10:36:31PM +0000, Robin H. Johnson wrote:
> If there are no problems reported by Jan 17th, I'm going to complete the
> DNSSEC configuration on gentoo.org and remaining delegated sub-domains.
Everything is in place except the final trust binding from the org. zone
to gentoo.org, that will take a couple of hours, but I'm holding off to
detect more breakage.

-- 
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail     : robbat2@gentoo.org
GnuPG FP   : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85

Re: [gentoo-dev] DNSSEC (w/ DLV) live on *.dev.gentoo.org

[Michael Weber]

On 01/17/2013 11:36 PM, Robin H. Johnson wrote:
> On Sat, Jan 12, 2013 at 10:36:31PM +0000, Robin H. Johnson wrote:
>> If there are no problems reported by Jan 17th, I'm going to complete the
>> DNSSEC configuration on gentoo.org and remaining delegated sub-domains.
> Everything is in place except the final trust binding from the org. zone
> to gentoo.org, that will take a couple of hours, but I'm holding off to
> detect more breakage.
> 
++ for DNSSEC,

Regarding ssh support, can you take a look at [1], please.

And I can't see SSHFP record on dev.g.o.

Thanks

-- 
Michael Weber
Gentoo Developer
web: https://xmw.de/
mailto: Michael Weber <xmw@gentoo.org>

Re: [gentoo-dev] DNSSEC (w/ DLV) live on *.dev.gentoo.org

[Michael Weber]

https://bugs.gentoo.org/show_bug.cgi?id=435372

-- 
Michael Weber
Gentoo Developer
web: https://xmw.de/
mailto: Michael Weber <xmw@gentoo.org>

[gentoo-dev] DNSSEC errors on *.bugs.gentoo.org

[Michael Weber]

Hello Robin,

looks like we have an little issue using DNSSEC for bugs.gentoo.org, but
not signing 339761.bugs.gentoo.org

`dig does-not-exist.bugs.gentoo.org @8.8.8.8`
  returns A record with AD flag.
`dig 339761.bugs.gentoo.org @8.8.8.8`
  returns A record w/o AD flag

Both work with local unbound resolver with forwarders removed.
It looks like stale, unsigned entries.

Did you change anything in the last n days?
Or is the cache of 141.1.1.1 and 8.8.8.8 really compromised?

How do you sign these wildcards anyway? Would be interested.

   Michael


[1] http://domainincite.com/2361-dnssec-to-kill-the-isp-wildcard

-- 
Michael Weber
Gentoo Developer
web: https://xmw.de/
mailto: Michael Weber <xmw@gentoo.org>

Re: [gentoo-dev] DNSSEC errors on *.bugs.gentoo.org

[Michael Weber]

On 01/24/2013 09:02 AM, Michael Weber wrote:
> Did you change anything in the last n days?
> Or is the cache of 141.1.1.1 and 8.8.8.8 really compromised?

Me culpa. Looks like these do not support AD now (or never did)
And my unbound always used the first resolver, which has AD.

As antarus pointed out, [1] and [2] report positive validation.

Michael

[1] http://dnssec-debugger.verisignlabs.com/339761.bugs.gentoo.org
[2] http://dnsviz.net/d/339761.bugs.gentoo.org/dnssec/

-- 
Michael Weber
Gentoo Developer
web: https://xmw.de/
mailto: Michael Weber <xmw@gentoo.org>