Development issues regarding the cerowrt test router project
 help / color / mirror / Atom feed
From: Chuck Anderson <cra@WPI.EDU>
To: cerowrt-devel@lists.bufferbloat.net
Subject: Re: [Cerowrt-devel] Full blown DNSSEC by default?
Date: Sun, 20 Apr 2014 11:41:02 -0400	[thread overview]
Message-ID: <20140420154101.GA16334@angus.ind.WPI.EDU> (raw)
In-Reply-To: <157885.1398007005@turing-police.cc.vt.edu>

On Sun, Apr 20, 2014 at 11:16:45AM -0400, Valdis.Kletnieks@vt.edu wrote:
> On Sun, 20 Apr 2014 10:01:45 -0400, Chuck Anderson said:
> 
> > The first effect of using a client-side DNSSEC validator is that
> > gw.home.lan doesn't work:
> > 
> > Apr 20 00:12:32 a unbound[1885]: [1885:1] info: validation failure <gw.home.lan. A IN>: no NSEC3 records from 172.30.42.65 for DS lan. while building chain of trust
> > 
> > To make this work, you have to tell unbound that home.lan is an
> > insecure domain:
> > 
> > unbound-control insecure_add home.lan.
> 
> Ouch.
> 
> This wouldn't be so bad, if there was some way to tell it to believe
> *your* instance of home.lan, but not trust the babbling of any other
> instance you might come across.  What we *really* want to do with unbound
> is this stuff in the unbound.conf file:
> 
>        trust-anchor-file: <filename>
>               File  with  trusted  keys  for  validation.  Both  DS and DNSKEY
>               entries can appear in the file. The format of the  file  is  the
>               standard  DNS  Zone  file  format.   Default  is "", or no trust
>               anchor file.
> 
>        auto-trust-anchor-file: <filename>
>               File with trust anchor for  one  zone,  which  is  tracked  with
>               RFC5011  probes.   The  probes are several times per month, thus
>               the machine must be online frequently.  The initial file can  be
>               one  with  contents as described in trust-anchor-file.  The file
>               is written to when the anchor is updated, so  the  unbound  user
>               must have write permission.
> 
>        trust-anchor: <"Resource Record">
>               A  DS  or  DNSKEY  RR  for a key to use for validation. Multiple
>               entries can be given to specify multiple trusted keys, in  addi‐
>               tion  to the trust-anchor-files.  The resource record is entered
>               in the same format as 'dig' or 'drill'  prints  them,  the  same
>               format  as in the zone file. Has to be on a single line, with ""
>               around it. A TTL can be specified for ease of cut and paste, but
>               is ignored.  A class can be specified, but class IN is default.
> 
>        trusted-keys-file: <filename>
>               File  with  trusted  keys  for validation. Specify more than one
>               file  with  several  entries,   one   file   per   entry.   Like
>               trust-anchor-file  but  has  a  different file format. Format is
>               BIND-9 style format, the trusted-keys {  name  flag  proto  algo
>               "key";  };  clauses  are  read.  It is possible to use wildcards
>               with this statement, the wildcard is expanded on  start  and  on
>               reload.
> 
> Having said that, I admit not having in hand an easy way to feed unbound
> the needed info.  Not sure if 'dig home.lan ds > trust-anchor-here' will do
> it, as the unbound on my laptop isn't configured to talk to DNS learned via
> DHCP, so home.lan doesn't resolve at all for me...

Well, home.lan isn't DNSSEC signed on CeroWrt is it?  I don't know how
one would manage the private trust anchors needed to make such a setup
work, and even then it would have to override the root's NSEC proof of
non-existence of "lan."  Maybe in the DNSSEC world, such private DNS
zones will need to go away and be replaced by real, publically
registered DNS zones?

I'm using dnssec-triggerd which installs the DHCP nameserver as a
forwarder for unbound after checking to make sure it works with
DNSSEC:

# dnssec-trigger-control status
at 2014-04-20 09:26:13
http fedoraproject.org (209.132.181.16): OK 
cache 172.30.42.65: OK 
state: cache secure

# unbound-control forward
172.30.42.65
# unbound-control list_forwards
. IN forward: 172.30.42.65

  reply	other threads:[~2014-04-20 15:41 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-04-13  4:26 Dave Taht
2014-04-13  7:51 ` Török Edwin
2014-04-13 15:04   ` Dave Taht
2014-04-13 10:05 ` Toke Høiland-Jørgensen
2014-04-13 14:57   ` Dave Taht
2014-04-13 17:59   ` Chuck Anderson
2014-04-13 23:24     ` Dave Taht
2014-04-14  9:29       ` Aaron Wood
2014-04-17 21:01       ` Simon Kelley
2014-04-17 21:19         ` Dave Taht
2014-04-20 14:01     ` Chuck Anderson
2014-04-20 15:16       ` Valdis.Kletnieks
2014-04-20 15:41         ` Chuck Anderson [this message]
2014-04-13 16:16 ` dpreed
2014-04-13 16:40   ` Dave Taht
2014-04-13 17:57     ` Toke Høiland-Jørgensen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://lists.bufferbloat.net/postorius/lists/cerowrt-devel.lists.bufferbloat.net/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20140420154101.GA16334@angus.ind.WPI.EDU \
    --to=cra@wpi.edu \
    --cc=cerowrt-devel@lists.bufferbloat.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox