28 Feb 2014

Delve deep into DNSSEC

BIND 9.10 is the new version of the BIND 9 DNS server from ISC http://isc.org (not to confuse with BIND 10, which is a different DNS server product). I will report in a series of articles about the new features in BIND 9.10. The first beta version of BIND 9.10 has been released this week and can be found at ftp://ftp.isc.org/isc/bind9/9.10.0b1/.

BIND 9.10 contains a new command-line tool to test DNSSEC installations. The tool is called delve and it works very much like the already know dig. It is like dig with special DNSSEC validation powers.

delve checks the DNSSEC validation chain using the same code that is used by the BIND 9 DNS server itself. Compared with the DNSSEC testing function in dig +sigchase, delve is much closer to what really happen inside a DNS server.

1.1 A simple lookup

shell> delve dnsworkshop.org
; fully validated
dnsworkshop.org.        3600    IN      A       91.190.147.212
dnsworkshop.org.        3600    IN      RRSIG   A 8 2 3600 20140318181408 20140216173922 63654 dnsworkshop.org. qS9/slk/jvcMc7+HSTMFD1D7GfuW5LIgBj0J1vCCCP5X+g9puhDdRSMM dURzelY6wsPVaUgtx44azEoJYHmNwFJlSsALPnekC6DWjKYMhzYilpUl OKAIZQh5lZxs3oimZHe6GEpEfkZ3ZV0IDTLLe4pIKRXoxDQ2eRJ543GD iTk=

Without extra arguments, delve will query the local DNS server (taken from /etc/resolv.conf) for an IPv4-Address record at the given domain name. It tries to validate the answer received, prints the result of the validation, the requested data and the RRSIG Record (DNSSEC signature) used to verify the data.

1.2 pretty-printing

As with dig, resource record types and network classes can be given in almost any order on the commandline. The switch +multi (for multiline) enables pretty printing; human readable output that is nearly formatted for a 78 column screen.

shell> delve dnsworkshop.org soa +multi
; fully validated
dnsworkshop.org.        3600 IN SOA ns1.myinfrastructure.org. hostmaster.strotmann.de. (
                                86         ; serial
                                86400      ; refresh (1 day)
                                7200       ; retry (2 hours)
                                3542400    ; expire (5 weeks 6 days)
                                3600       ; minimum (1 hour)
                                )
dnsworkshop.org.        3600 IN RRSIG SOA 8 2 3600 (
                                20140321030247 20140219020247 63654 dnsworkshop.org.
                                O8mmiuNdXIWG6huaLiQrvKabDY3qivQ3R5qRUZ1IG3wp
                                bd0UBnvpazpG01ntk8uZ7wEStScmiY7oYtvRGIHG37mG
                                8GFI60CUx3pdXJIpmodfoUBk8cfGsJXFQODIZCTUQiyk
                                Pv9I6+wjyseDJJTYlrsBCvAEabPExFKZc7v+L+k= )

and IPv6

shell> delve dnsworkshop.org AAAA +multi
; fully validated
dnsworkshop.org.        7200 IN AAAA 2001:470:1f08:f1d::2
dnsworkshop.org.        7200 IN RRSIG AAAA 8 2 7200 (
                                20140321025727 20140219020247 63654 dnsworkshop.org.
                                gqkc1Xq/UveKrhcXpqOwDsN5HFSqMsPkxXOyCqu9bMyx
                                dtnkh0J0Iqukv+uHL/dDQLnPcxjdFqs3N5Jf3BFHdgkG
                                tf0UPhNKsuhlsRdo2H5O+TqmLvA1zCsYhH/72vVvxslR
                                MiiuZ1ILGpLA2EOyiZu70/ZIU3Ypc3nb8+ydgx4= )

1.3 tracing DNSSEC validation

delve comes with a set of trace switches that can help troubleshoot DNSSEC validation issues. The first switch, +rtrace, prints the extra DNS lookups delve performs to validate the answer:

delve dnsworkshop.org mx +multi +rtrace
;; fetch: dnsworkshop.org/MX
;; fetch: dnsworkshop.org/DNSKEY
;; fetch: dnsworkshop.org/DS
;; fetch: org/DNSKEY
;; fetch: org/DS
;; fetch: ./DNSKEY
; fully validated
dnsworkshop.org.        3600 IN MX 100 mail.strotmann.de.
dnsworkshop.org.        3600 IN RRSIG MX 8 2 3600 (
                                20140308193355 20140206183355 63654 dnsworkshop.org.
                                hCOcPJrDCXpcVS82FgGEdUhaUmW3XkxXEuEa4AFvzkzi
                                mDcokYNjrW/Hay4NclSWV0jrBwrXABXik5dh7w7KsPkD
                                WKhw/qVvkuiFCm+T5lb9OVkGQAuPhBOplbVgdbZce9L7
                                N2IVTQTLMECKfzCTfKeOtwupJAMPXCt/Xskd5o4= )

In this example, in addition to the MX-Record (Mail-Exchanger) Record, the DNSKEY record (DNSSEC public key) and the DS record (Delegation signer) for dnsworkshop.org, as well as the DNSKEY and DS records for ORG and the DNSKEY for the root-zone "." have been requested. The trust-anchor for the Internet Root-Zone is compiled into delve and acts as the starting trust anchor for the validation.

The switch +mtrace prints the content of any additional DNS records that have been fetched for validation.

+vtrace prints out the DNSSEC chain of validation:

shell> delve _443._tcp.dnsworkshop.org TLSA  +multi +vtrace
;; fetch: _443._tcp.dnsworkshop.org/TLSA
;; validating _443._tcp.dnsworkshop.org/TLSA: starting
;; validating _443._tcp.dnsworkshop.org/TLSA: attempting positive response validation
;; fetch: dnsworkshop.org/DNSKEY
;; validating dnsworkshop.org/DNSKEY: starting
;; validating dnsworkshop.org/DNSKEY: attempting positive response validation
;; fetch: dnsworkshop.org/DS
;; validating dnsworkshop.org/DS: starting
;; validating dnsworkshop.org/DS: attempting positive response validation
;; fetch: org/DNSKEY
;; validating org/DNSKEY: starting
;; validating org/DNSKEY: attempting positive response validation
;; fetch: org/DS
;; validating org/DS: starting
;; validating org/DS: attempting positive response validation
;; fetch: ./DNSKEY
;; validating ./DNSKEY: starting
;; validating ./DNSKEY: attempting positive response validation
;; validating ./DNSKEY: verify rdataset (keyid=19036): success
;; validating ./DNSKEY: signed by trusted key; marking as secure
;; validating org/DS: in fetch_callback_validator
;; validating org/DS: keyset with trust secure
;; validating org/DS: resuming validate
;; validating org/DS: verify rdataset (keyid=33655): success
;; validating org/DS: marking as secure, noqname proof not needed
;; validating org/DNSKEY: in dsfetched
;; validating org/DNSKEY: dsset with trust secure
;; validating org/DNSKEY: verify rdataset (keyid=21366): success
;; validating org/DNSKEY: marking as secure (DS)
;; validating dnsworkshop.org/DS: in fetch_callback_validator
;; validating dnsworkshop.org/DS: keyset with trust secure
;; validating dnsworkshop.org/DS: resuming validate
;; validating dnsworkshop.org/DS: verify rdataset (keyid=24209): success
;; validating dnsworkshop.org/DS: marking as secure, noqname proof not needed
;; validating dnsworkshop.org/DNSKEY: in dsfetched
;; validating dnsworkshop.org/DNSKEY: dsset with trust secure
;; validating dnsworkshop.org/DNSKEY: verify rdataset (keyid=2611): success
;; validating dnsworkshop.org/DNSKEY: marking as secure (DS)
;; validating _443._tcp.dnsworkshop.org/TLSA: in fetch_callback_validator
;; validating _443._tcp.dnsworkshop.org/TLSA: keyset with trust secure
;; validating _443._tcp.dnsworkshop.org/TLSA: resuming validate
;; validating _443._tcp.dnsworkshop.org/TLSA: verify rdataset (keyid=63654): success
;; validating _443._tcp.dnsworkshop.org/TLSA: marking as secure, noqname proof not needed
; fully validated
_443._tcp.dnsworkshop.org. 3544 IN TLSA 3 0 1 (
                                3E5E70BBA957CA0DAFCB799F15F6236133C0F6C73FA7
                                3762BFFBCA4AF92389CA )
_443._tcp.dnsworkshop.org. 3544 IN RRSIG TLSA 8 4 3600 (
                                20140309145739 20140207135739 63654 dnsworkshop.org.
                                JYkLiFqvrjqiIlm/bA4CaffJ3Iikos31bfEVb2njjIR+
                                /7dudq9pAj898OVZrtqIjmfD7knyCT2nt6Gp/yFYif4k
                                Tt7W2XMhnWecwRnFexhVYp1zg2dkZSw4XcBRMz/F2NkM
                                0xziG9dNFg/6AAs/0ehMurLvRj1ula/UIO/wU5w= )

delve is a very useful tool, not only for BIND 9 admins, but for everyone who needs to troubleshoot and fix DNS- and DNSSEC related issues.