So we've generated some keys, run some commands, and uploaded some data to our parent zone. How do we know our zone is signed correctly? Here are a few ways to check.
One of the ways to see if your zone is signed, is to check for the presence of DNSKEY record types. In our example, we created two keys, and we expect to see both keys returned when we query for them.
$ dig @192.168.1.13 example.com. DNSKEY +multiline +noall +answer
; <<>> DiG 9.10.1 <<>> @192.168.1.13 example.com. DNSKEY +multiline +noall +answer
; (1 server found)
;; global options: +cmd
example.com. 300 IN DNSKEY 256 3 8 (
AwEAAclob7q+ccvDwaTVuMM2ddGIynWyMwaZlhFrU6cC
0qknWoPpkq0gIwTrYf3DJY+eIKPVHxrM+o2AoRIVhubG
jfv1bT5wTYrawZstS84ejCQ+ehA+8DxKyeWUEzW0ZMBe
OhyeG0cuQVK/p6Z1E096JLu0DjgbabLspequkw4M+HT7
) ; ZSK; alg = RSASHA256; key id = 17694
example.com. 300 IN DNSKEY 257 3 8 (
AwEAAdQ2ctHx8VmryndiOgpchXPdj3NwxMeUvAre6uYI
5KELlFJUghTHrz+/CzEc8CXG8wwQ4ZvAey0FGV2nJAFC
ENMxoRiCz0oSiQQxryNhACd3RnE2/D7G+ShwlOM6w53E
wUJ/lsgu5UevSxFC+eA3fKeL3TWR44PH4iJQp9QmfW5v
7qG8Sic/HQvBGBdOGfFtHAl0a4jDPBi57imS4YsHcUYD
9bsWmhYWSHJKZ66+JnTiMS0nQM69YwBF43QfDKurs5R6
qPUDiBlaMCzSxmlaBU6fsI1Mu/yIU8w1ewy26a42rUTU
rPBC3Oa/zf9VQ8kpUrMZgJ7LEAA4xmR+qwWDh6U=
) ; KSK; alg = RSASHA256; key id = 06817
Another way to see if your zone data is signed is to check for the presence of signature. With DNSSEC, every record[3]now comes with at least one corresponding signature known as RRSIG.
$ dig @192.168.1.13 example.com. SOA +dnssec +multiline
; <<>> DiG 9.10.1 <<>> @192.168.1.13 example.com. SOA +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31466
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;example.com. IN SOA
;; ANSWER SECTION:
example.com. 300 IN SOA ns1.example.com. dnsadmin.example.com. (
2014102111 ; serial
10800 ; refresh (3 hours)
1080 ; retry (18 minutes)
2419200 ; expire (4 weeks)
900 ; minimum (15 minutes)
)
example.com. 300 IN RRSIG SOA 8 2 300 (
20141121122105 20141022112105 17694 example.com.
NqPGNLkUs40Lg/qq7Fv+bgyCwVB4s9PsHQOK6p9ZWWk3
36z2Qz2WjM+Q19SlVBAPux9jijvcRcjGb6KREuxER9uX
wdVeiGx9a4X+PaO3qTqdkiXuGS2XkK1kBm1CgwhVHTYV
/nxVPrckU4/mpeUoFVjMnT49JkVJmgck63esPEU= )
The serial number was automatically incremented from the old, unsigned version. Named keeps track of the serial number of the signed version of the zone independently of the unsigned version. If the unsigned zone is updated with a new serial number that's higher than the one in the signed copy, then the signed copy will be increased to match it, but otherwise the two are kept separate.
Our original zone file example.com.db remains
untouched, named has generated 3 additional files automatically for us (shown
below). The signed DNS data is stored in
example.com.db.signed and in the associated journal
file.
#cd /etc/bind/db#lsexample.com.db example.com.db.jbk example.com.db.signed example.com.db.signed.jnl
A quick description of each of the files:
.jbk: transient file used by named
.signed: signed version of the zone in raw
format.signed.jnl: journal file for the signed
version of the zone
These files are stored in raw (binary) format for faster loading. You
could reveal the human-readable version by using named-compilezone
as shown below. In the example below, we are running the command
on the raw format zone example.com.db.signed to produce
a text version of the zone example.com.text:
# named-compilezone -f raw -F text -o example.com.text example.com example.com.db.signed
zone example.com/IN: loaded serial 2014112008 (DNSSEC signed)
dump zone to example.com.text...done
OKAlthough this is not strictly related to whether or not the zone is signed, a critical part of DNSSEC is the trust relationship between the parent and child. Just because we, the child, have all the correctly signed records in our zone doesn't mean it can be fully validated by a validating resolver, unless our parent's data agrees with us. To check if our upload to the parent is successful, ask the parent name server for the DS record of our zone, and we should get back the DS record(s) containing the information we uploaded in the section called “Upload to Parent Zone”:
$ dig example.com. DS
; <<>> DiG 9.10.1 <<>> example.com. DS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49949
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;example.com. IN DS
;; ANSWER SECTION:
example.com. 61179 IN DS 06817 8 1 66D47CE4B4F551BE5EDA43AC5F3109E8C98E2FAE
example.com. 61179 IN DS 06817 8 2 71D9335416B7132519190A95685E18CBF478DCF4CA98867062777938F8FEAB89
The easiest ways to see if your domain name is fully secured is to use one of these excellent online tools.
URL: http://dnssec-debugger.verisignlabs.com/
This tool shows a nice summary of checks performed on your domain name, and you can expand to view more details for each of the items checked to get a detailed report.
URL: http://dnsviz.net/
DNSViz provides a visual analysis of the DNSSEC authentication chain for a domain name and its resolution path in the DNS namespace.
[3] Well, almost every record. NS records and glue records for delegations do not have RRSIG records like everyone else. If you do not have any delegations, then yes, every record in your zone will be signed and comes with its own RRSIG.
Gab
Twitter