Not sure if and why DNSSEC is not working

Using unbound v_1.4.22 on a different LAN IP (my resolv.conf points to
192.168.2.xx as DNS resolver, a VM on the LAN). The syslog from unbound
startup shows the key & hints files being read. But neither "drill -TD
-k /var/unbound/root.key" nor web-based checks show active DNSSEC (for
example http://dnssec.vs.uni-due.de/ gives "No, your DNS resolver does NOT
validate DNSSEC signatures"). unbound.conf has no forward-zones.

The VM syslog shows:
chdir to /var/unbound
d unbound: [4730:0] debug: drop user privileges, run as unbound
d unbound: [4730:0] debug: module config: "validator iterator"
d unbound: [4730:0] debug: reading autotrust anchor file /var/unbound/root.key
d unbound: [4730:0] debug: validator nsec3cfg keysz 1024 mxiter 150
d unbound: [4730:0] debug: validator nsec3cfg keysz 2048 mxiter 500
d unbound: [4730:0] debug: validator nsec3cfg keysz 4096 mxiter 2500
d unbound: [4730:0] debug: event mini-event-1.4.22 uses not_obtainable method.
d unbound: [4730:0] debug: Reading root hints from /var/unbound/root.hints

Drill was run both on the workstation and from the DNS resolver VM.
drill for google.com gives:
;; Domain: com.
[T] com. 86400 IN DNSKEY 256 3 8 ;{id = 56657 (zsk), size = 1024b}
com. 86400 IN DNSKEY 257 3 8 ;{id = 30909 (ksk), size = 2048b}
[T] Existence denied: google.com. DS
;; No ds record for delegation
;; Domain: google.com.
;; No DNSKEY record found for google.com.

While drill for ip4afrika.nl gives the correct result:
[T] ip4afrika.nl. 7200 IN DS 42364 8 2 af88bf947340253dcf01bcd2406ea0f6d756bd53124ee74446f04129f5db6be7
;; Domain: ip4afrika.nl.
[T] ip4afrika.nl. 3600 IN DNSKEY 257 3 8 ;{id = 42364 (ksk), size = 2048b}
ip4afrika.nl. 3600 IN DNSKEY 256 3 8 ;{id = 33895 (zsk), size = 1024b}
ip4afrika.nl. 3600 IN DNSKEY 256 3 8 ;{id = 19819 (zsk), size = 1024b}
[T] Existence denied: ip4afrika.nl. A
;;[S] self sig OK; [B] bogus; [T] trusted

What am I missing here?
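Editor's note, an added example that is not part of the thread: the two drill traces above are easy to misread, because drill's "[T] Existence denied: google.com. DS" is a trusted proof that com. delegates google.com without a DS, i.e. an unsigned (insecure) delegation, not a validation failure, whereas "[T] Existence denied: ip4afrika.nl. A" is a validated denial under a signed zone. The script below turns a `drill -TD` trace into one verdict per owner name using only the markers drill prints ([S] self sig OK, [B] bogus, [T] trusted). The google.com and ip4afrika.nl traces are copied from the post above; the example.test trace is constructed to show what a broken chain looks like. The verdict names (secure, insecure, bogus, unchained, unknown) are this example's own, not drill's.

```python
import re
import sys

# Markers drill prints in front of each chased record; its legend line reads
# ";;[S] self sig OK; [B] bogus; [T] trusted".
MARKER = re.compile(r"^\[([STB])\]\s+(.*)$")
DOMAIN_HDR = re.compile(r"^;; Domain:\s+(\S+)")
DENIED = re.compile(r"^Existence denied:\s+(\S+)\s+(\S+)")
RECORD = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)")

# Verdicts, ranked so a stronger verdict is never overwritten by a weaker one
# (a single [B] for a name stays bogus whatever drill prints afterwards).
RANK = {"unknown": 0, "unchained": 1, "secure": 2, "insecure": 2, "bogus": 3}


def parse_chase(text):
    """Reduce a `drill -TD` trace to a verdict per owner name.

    secure    : data, or a denial of the queried name/type, chained to the anchor
    insecure  : the parent proved with a trusted denial that no DS exists, so the
                child is legitimately unsigned; nothing below it can be validated
    bogus     : drill marked a record or denial for this name [B]
    unchained : only [S] self-signatures were seen, no link to the trust anchor
    unknown   : a ';; Domain:' header with no marked records under it
    """
    verdict = {}

    def settle(name, status):
        if RANK[status] >= RANK[verdict.get(name, "unknown")]:
            verdict[name] = status

    for raw in text.splitlines():
        line = raw.strip()
        hdr = DOMAIN_HDR.match(line)
        if hdr:
            settle(hdr.group(1), "unknown")
            continue
        m = MARKER.match(line)
        if not m:
            continue  # unmarked continuation records, ';;' comments, the legend
        mark, rest = m.groups()
        denial = DENIED.match(rest)
        record = RECORD.match(rest)
        if denial:
            name, rtype = denial.groups()
        elif record:
            name, rtype = record.groups()
        else:
            continue
        if mark == "B":
            settle(name, "bogus")
        elif mark == "S":
            settle(name, "unchained")
        elif denial and rtype == "DS":
            # A trusted "no DS" is the normal end of the chain at an unsigned
            # delegation, not a validation failure.
            settle(name, "insecure")
        else:
            settle(name, "secure")
    return verdict


# Copied from the drill output posted in the thread.
GOOGLE_CHASE = """\
;; Domain: com.
[T] com. 86400 IN DNSKEY 256 3 8 ;{id = 56657 (zsk), size = 1024b}
com. 86400 IN DNSKEY 257 3 8 ;{id = 30909 (ksk), size = 2048b}
[T] Existence denied: google.com. DS
;; No ds record for delegation
;; Domain: google.com.
;; No DNSKEY record found for google.com.
"""

IP4AFRIKA_CHASE = """\
[T] ip4afrika.nl. 7200 IN DS 42364 8 2 af88bf947340253dcf01bcd2406ea0f6d756bd53124ee74446f04129f5db6be7
;; Domain: ip4afrika.nl.
[T] ip4afrika.nl. 3600 IN DNSKEY 257 3 8 ;{id = 42364 (ksk), size = 2048b}
ip4afrika.nl. 3600 IN DNSKEY 256 3 8 ;{id = 33895 (zsk), size = 1024b}
ip4afrika.nl. 3600 IN DNSKEY 256 3 8 ;{id = 19819 (zsk), size = 1024b}
[T] Existence denied: ip4afrika.nl. A
;;[S] self sig OK; [B] bogus; [T] trusted
"""

# Constructed, not captured: a trusted DS whose DNSKEY does not verify.
BOGUS_CHASE = """\
;; Domain: example.test.
[T] example.test. 3600 IN DS 12345 8 2 0000000000000000000000000000000000000000000000000000000000000000
[B] example.test. 3600 IN DNSKEY 257 3 8 ;{id = 54321 (ksk), size = 2048b}
"""

if __name__ == "__main__":
    # usage: drill -TD -k /var/unbound/root.key example.org | python chase.py
    for name, status in sorted(parse_chase(sys.stdin.read()).items()):
        print(f"{name:30} {status}")
```

Read this way, both traces in the post are what a working validator produces: com. is secure, google.com. is provably insecure (unsigned at the time of the trace), and ip4afrika.nl. is secure. A chase that ends in "insecure" at a delegation says nothing about whether the resolver in resolv.conf validates, which is a separate question from what drill, chasing from the root with its own key file, can tell you.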

    Using unbound v_1.4.22 on a different LAN IP (my resolv.conf points to
    192.168.2.xx as DNS resolver, a VM on the LAN). The syslog from unbound
    startup shows the key & hints files being read. But neither "drill -TD
    -k /var/unbound/root.key" nor web-based checks show active DNSSEC (for
    example http://dnssec.vs.uni-due.de/ gives "No, your DNS resolver does NOT
    validate DNSSEC signatures"). unbound.conf has no forward-zones.

Shouldn't that be /etc/unbound/root.key? That is what man drill tells
me.

  jaap

    Shouldn't that be /etc/unbound/root.key? That is what man drill tells me.

Hello jaap,

In FreeBSD, /etc/unbound is a symlink to /var/unbound, where the actual
files reside.

In drill, "-k" points to whatever path you want it to be (as you know).

I'm stuck on how to debug this.
Are there any other tests I can run so as to find what's happening on
my end?

My unbound.conf is below and may have some unusual settings with
regard to 127.0.0.1. That's because normally dnscrypt-proxy is
running inside the same FreeBSD jail (VM) and unbound should forward
queries to it as a forward zone.

unbound.conf:
server:
    verbosity: 3
    chroot: ""

    interface: 127.0.0.1
    port: 53
    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes

    root-hints: "/var/unbound/root.hints"
    auto-trust-anchor-file: "/var/unbound/root.key"
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    harden-short-bufsize: yes
    harden-large-queries: yes
    unwanted-reply-threshold: 10000
    val-clean-additional: yes
    use-caps-for-id: yes
    cache-min-ttl: 43200
    cache-max-ttl: 172800
    prefetch: yes
    prefetch-key: yes

    num-threads: 1
    msg-cache-slabs: 4
    rrset-cache-slabs: 4
    infra-cache-slabs: 4
    key-cache-slabs: 4
    rrset-cache-size: 32m
    msg-cache-size: 16m

    private-address: 192.168.1.0/24
    private-address: 192.168.2.0/24

    # private-address: 127.0.1.0/28 - breaks dnscrypt-proxy
    do-not-query-localhost: no

# Disabled for DNSSEC debugging
# forward-zone:
#     name: "."
#     forward-addr: 192.168.2.xx@9040  # setting 127.0.0.1@9040 does not work for some odd reason.
/EOF
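Editor's note, an added example that is not part of the thread: the question above asks for other tests to run. What the web-based checks effectively do is send a query with the EDNS0 DO bit set and look at the AD flag in the reply, so the same check can be done directly against the resolver the workstation actually uses. The script below builds such a query for the root SOA (the root zone is signed, so a validating resolver answers it with AD set; one that does not validate answers NOERROR without AD; a validator that rejects the data answers SERVFAIL) and classifies the reply from its header. The three sample replies are constructed header-only messages, not captured traffic; the server address is taken from the command line because the thread only gives 192.168.2.xx.

```python
import os
import socket
import struct
import sys

# DNS header flag bits (RFC 1035; AD and CD are defined in RFC 4035, 3.2.2/3.2.3).
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020
RCODE_MASK = 0x000F
RCODE_SERVFAIL = 2
# The DO ("DNSSEC OK") bit is the top bit of the OPT RR's 32-bit TTL field (RFC 3225).
EDNS_DO = 0x80000000
TYPE_SOA = 6
TYPE_OPT = 41


def encode_name(name):
    """Wire-format a dotted name; "." (the root) is a single empty label."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=TYPE_SOA, txid=0x1234, do=True):
    """Recursive query plus an EDNS0 OPT record. DO tells the resolver that the
    client understands DNSSEC; without it many resolvers strip the RRSIGs and
    the AD flag is not a useful signal."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)   # qdcount=1, arcount=1 (OPT)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, "class" = UDP payload size, "TTL" = ext-rcode/version/flags.
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO if do else 0, 0)
    return header + question + opt


def classify(raw, txid=0x1234):
    """Classify a reply the way a 'does my resolver validate' test page does."""
    if len(raw) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, *_ = struct.unpack("!HHHHHH", raw[:12])
    if rid != txid or not flags & FLAG_QR:
        raise ValueError("not a response to our query")
    if flags & RCODE_MASK == RCODE_SERVFAIL:
        return "servfail"     # validator rejected the data (bogus) or the lookup failed
    if flags & FLAG_AD:
        return "validated"    # resolver asserts the answer chained to its trust anchor
    return "unvalidated"      # no validation, or the queried zone is legitimately unsigned


def _response(flags, txid=0x1234):
    # Constructed header-only reply (no question or answer section), for offline use.
    return struct.pack("!HHHHHH", txid, flags, 0, 0, 0, 0)


SAMPLE_VALIDATED = _response(FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD)
SAMPLE_UNVALIDATED = _response(FLAG_QR | FLAG_RD | FLAG_RA)
SAMPLE_SERVFAIL = _response(FLAG_QR | FLAG_RD | FLAG_RA | RCODE_SERVFAIL)


def probe(server, name=".", qtype=TYPE_SOA, timeout=3.0):
    """Send one DO-flagged query over UDP and classify the reply."""
    txid = int.from_bytes(os.urandom(2), "big")  # random id, as any real stub does
    query = build_query(name, qtype, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        raw, _ = s.recvfrom(4096)
    return classify(raw, txid)


if __name__ == "__main__":
    # usage: python adprobe.py 192.168.2.x   (whatever resolv.conf points at)
    print(probe(sys.argv[1]))
```

Run it against the address in resolv.conf and, separately, against 127.0.0.1 on the VM itself; the verdict describes whichever process answered on that address. "unvalidated" for the root SOA means the answering resolver did not validate, because the root is signed. The AD bit is only an assertion by the resolver, so it is a diagnostic of that resolver's behaviour, not something a client on an untrusted network should rely on by itself.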

Hi Beelbebrox,

I think the necessary steps are:

1) unbound-anchor -a /var/unbound/root.key
2) fetch ftp://ftp.internic.net/domain/named.cache and save the file as root.hints
3) fetch http://ftp.isc.org/www/dlv/dlv.isc.org.key and set up the configuration in your unbound.conf
        dlv-anchor-file: "/var/unbound/dlv.isc.org.key"

Now restart unbound.

That should make it work. I had the same problem.

DLV is necessary as many top domains are not signed yet, so users have to use DLV as an alternative signatory.

Regards,

Michael

Hi Michael,

    1) unbound-anchor -a /var/unbound/root.key
    2) fetch ftp://ftp.internic.net/domain/named.cache and save the file as root.hints
    3) fetch http://ftp.isc.org/www/dlv/dlv.isc.org.key and set up the configuration in your unbound.conf
       dlv-anchor-file: "/var/unbound/dlv.isc.org.key"

I had steps 1 & 2 already done, but not #3. I also have root.hints
fetched periodically by a cron job, and I added the dlv key file to that
script. No need to do that for the anchor file since
"auto-trust-anchor-file" (rather than trust-anchor-file) instructs
unbound to run "unbound-anchor" each time.

dnscrypt-proxy is definitely NOT working with DNSSEC though. It works if
DNSSEC is not enabled in unbound.

Thanks for the help & regards.

Hi All,

Is there anything in unbound that I can configure to minimise the effects of such attacks?

Regards,

Michael

As an IAP, I have experimented with the following with some success...

access-control: <IP address>/24 deny # test to block DDOS
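Editor's note, an added configuration example that is not part of the thread: the single deny line above is one half of an access policy. The fragment below shows the setting that turns unbound into an open resolver next to the default-deny form a resolver serving one LAN should carry; the 192.168.2.0/24 prefix is taken from the thread, the rest is an assumption about the deployment. In unbound.conf(5), `refuse` answers with RCODE REFUSED and `deny` drops the query silently, so `deny` gives an abusive sender nothing to amplify, while `refuse` leaves a trace for the sender's own troubleshooting.

```conf
server:
    # Weak: anyone who can reach the listening interface may recurse through
    # this resolver, which makes it usable for reflection/amplification.
    # access-control: 0.0.0.0/0 allow

    # Corrected: deny everything, then allow only the networks this resolver
    # is meant to serve. The most specific matching prefix wins, so the order
    # of the lines does not matter.
    access-control: 0.0.0.0/0 deny
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.2.0/24 allow
```

Note that access-control only matters once unbound listens on a reachable address; with `interface: 127.0.0.1` alone the policy is never consulted for LAN clients, because nothing on the LAN can reach the socket.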