operasoftware / dns-ui

Opera's LDAP-authenticated PowerDNS user interface
Apache License 2.0

DNSSEC supported? #57

Closed dqos closed 6 years ago

dqos commented 6 years ago

Hello,

Does DNS-UI support DNSSEC? I couldn't find anything about it, but I saw a column DNSSEC in the demo server. So what is it? Where is the documentation?

Thanks!

thomas-pike commented 6 years ago

Hi

It supports it in that it can tell PowerDNS (4.1+) to enable or disable DNSSEC for a zone (effectively the same as running pdnsutil secure-zone example.com for the zone, but done over the REST API) and can report which zones have it enabled, however that is the extent of what it does. The implementation details are left to PowerDNS itself.

Since we are not currently making use of DNSSEC ourselves, I don't really know what additional functionality would actually be useful.

christianbur commented 6 years ago

I will test it in the next few weeks

dqos commented 6 years ago

Okay that's good, but how do I know the DNSSEC records that I have to enter @ my domain registrar? There is only a checkbox.

thomas-pike commented 6 years ago

Right indeed, this is probably the functionality that we really need to add. Currently you can get that information by running pdnsutil show-zone <zone> on the PowerDNS server. As long as we can get that same information via the PowerDNS REST API, it shouldn't be hard to add this information into DNS UI.

thomas-pike commented 6 years ago

Looks like we should also make sure that API-RECTIFY is enabled for the zone.

dqos commented 6 years ago

I guess it should be this call: https://doc.powerdns.com/md/httpapi/api_spec/#url-apiv1serversserver95idzoneszone95namecryptokeys

thomas-pike commented 6 years ago

Thank you, yes this looks like it provides the relevant data. Example output from the API call:

[
   {
      "bits" : 256,
      "dnskey" : "257 3 13 l1jT2euVAqX602BJK8rDCnYfwEGnpAl4VSKAs1rHRsRKJLw9jWZBeo0NGVkhRu08tTtwBhSNB5q+UaUCXIHArA==",
      "algorithm" : "ECDSAP256SHA256",
      "active" : true,
      "type" : "Cryptokey",
      "ds" : [
         "21093 13 1 5637b2990b8e916ddc29e0e7254f7a766b405991",
         "21093 13 2 0c314d878f38568258e03f50f591e8ef1ed964dcf227266f3aa20bbc2688be3f",
         "21093 13 4 9842aad0de688da02932a00b213309b2d6670f3a43e918d6eb6bb102da0d8f05ac938f2e0574698ea53a00530c370052"
      ],
      "keytype" : "csk",
      "id" : 2,
      "flags" : 257
   }
]

dqos commented 6 years ago

This page contains the relevant data to show in DNS-UI regarding DNSSEC: https://www.domaindiscount24.com/faq/en/dnssec

KeyData Algorithm
KeyData Pubkey
DSData Keytag
DSData Algorithm
DSData DigestType
Digest

In your output it results into:

KeyData Algorithm: 3
KeyData Pubkey: l1jT2euVAqX602BJK8rDCnYfwEGnpAl4VSKAs1rHRsRKJLw9jWZBeo0NGVkhRu08tTtwBhSNB5q+UaUCXIHArA==
DSData Keytag: 257
DSData Algorithm: 3
DSData DigestType: ECDSAP256SHA256
Digest: 9842aad0de688da02932a00b213309b2d6670f3a43e918d6eb6bb102da0d8f05ac938f2e0574698ea53a00530c370052

Not 100% sure about the last one, must be confirmed before implementation.

christianbur commented 6 years ago

So I have successfully signed two domains with DNSSEC. I enabled DNSSEC in the dns-ui and then used these two CLI commands.

pdnsutil rectify-zone example.com
pdnsutil show-zone example.com

The "key" section from the command pdnsutil show-zone example.com must be sent to the registry (where you bought the domains).

Powerdns default is (algorithm 13, ECDSAP256SHA256). https://doc.powerdns.com/md/authoritative/dnssec/#dnssec-defaults https://www.cloudflare.com/dns/dnssec/ecdsa-and-dnssec/

Not all registries support algorithm 13, and for my production domains I would rather use RSASHA256 (algorithm 8). Either you have to change the default algorithm in the config file (pdns.conf) (then you can enable DNSSEC via dns-ui), or you can use the following commands (NOT pdnsutil secure-zone ZONE):

pdnsutil add-zone-key ZONE ksk 2048 active rsasha256
pdnsutil add-zone-key ZONE zsk 1024 active rsasha256

https://doc.powerdns.com/md/authoritative/dnssec/#from-an-existing-powerdns-installation

The nsec3param parameter cannot yet be set via the PowerDNS API, so the command pdnsutil set-nsec3 example.com 'x x x yyyyyyy' must be used. https://doc.powerdns.com/md/httpapi/api_spec/#url-apiv1serversserver95idzones

The API call for "pdnsutil show-zone example.com" is the following: GET /servers/localhost/zones/ZONE/cryptokeys https://doc.powerdns.com/md/httpapi/api_spec/#url-apiv1serversserver95idzoneszone95namecryptokeys

But note there may be more than one key, e.g. DNSSEC KSK Key Rollover https://blog.webernetz.net/dnssec-ksk-key-rollover/

Feature Request: I cannot set TLSA records

christianbur commented 6 years ago

Hello thomas-pike, I just tested the new cryptokeys branch, with "algorithm": "ECDSAP256SHA256" it works, with "RSASHA256" I get an error. I'll take a closer look this weekend.

thomas-pike commented 6 years ago

Interesting. The branch is not currently doing any validation of the data received back from PowerDNS, so I expect that the error is caused by not getting the expected data structure. It would be interesting to see what PowerDNS is actually sending in this case.

christianbur commented 6 years ago

Hello thomas-pike,

The problem is that you made the assumption that there can only be one cryptokey in cryptokeys. But this is wrong, e.g. in the de-zone there can be up to 20 DNSKEYs for a domain, so during a key rollover there are several keys in the powerdns db.

Also, each top level domain supports different formats (DS, DNSKEY) and algorithms. Therefore it is not sufficient to display only the DS key.

- DS: .COM .NET .ORG .INFO .BIZ .NAME .CH .LI .LT .LU .UK .ES .SE .NL .PL .AF .GR .PW .XYZ .ME .TV .CC .IN .SX .EMAIL
- DS up to algorithms 12: .AT
- DNSKEY up to algorithms 10: .BE .EE
- DNSKEY up to algorithms 12: .NL .CZ
- DNSKEY up to algorithms 14: .DE .EU
- DNSKEY AND DS: .RU .FR .PT .CR .BG
- All new gTLDs: DNSKEY and DS format

Algorithms:

- 3 (DSA/SHA1)
- 5 (RSA/SHA-1)
- 6 (DSA-NSEC3-SHA1)
- 7 (RSASHA1-NSEC3-SHA1)
- 8 (RSA/SHA-256)
- 10 (RSA/SHA-512)
- 12 (ECC-GOST)
- 13 (ECDSAP256SHA256)
- 14 (ECDSAP384SHA384)

source

PowerDNS knows the following keytypes: "ksk, zsk, csk".

Zone with algorithm 8 (RSASHA256)

dns-ui should show ALL blocks with the KSK, with all attributes. I'm not sure if you should display the ZSK at all, if necessary with an option field (true/false).

[
    {
        "active": true, 
        "algorithm": "RSASHA256", 
        "bits": 1024, 
        "dnskey": "256 3 8 AwEAAZoK/JkHYyWkmnpozCUdSCpfTDsmo+4F5bahmY3ciNx93GcTE+IDsHNx73c8IsYhSOOyIDxkRfLchvXvzUgbF2lwRaaaaaaaaaaCUdSCpfTDsmo+4F5bahmY3ciNx93GcTE+IDsHNx73c8IsYhSOOyIDxkRfLchvXvzUgbF2lwRD", 
        "flags": 256, 
        "id": 10, 
        "keytype": "zsk", 
        "type": "Cryptokey"
    }, 
    {
        "active": true, 
        "algorithm": "RSASHA256", 
        "bits": 2048, 
        "dnskey": "257 3 8 AwEAAdQiy2U/BF9VV6t8C41l/TmV3BIDtbs1fvGFjWxzdbe+yLqxED/FcFV7tN3jIqnc5yRVeEubet09AVhf46za5shYyGoqdH6LaGU3ttJKFOuFzM4zDvEgHRtU/BF9VV6t8C41l/TmV3BIDtbs1fvGFjWxzdbe+yLqxED/FcFV7tN3jIqnc5yRVeEubet09AVhf46za5shYyGoqdH6LaGU3ttJKFBleJSgSumNxNKwbgYt2DoMyX0wuG6CZfYj3dBi5ZtljudbmbfZcx44BvG1hwzeTdAV/TsP3FA0/9r/OOJWc87q6AAwWDsbnIq5WT/qludLuB3Ij6K8uD6XuexYU3U=", 
        "ds": [
            "27817 8 1 7a0242f6bf6d3d9bc05d3f00d96af7693faa3cb8", 
            "27817 8 2 7323cbdbd1a01e7078653b388f044bd704781836d6bd0a1819ddff2cf1753bfc", 
            "27817 8 4 0c6571eb43b4039e4280dda5cab9db0e1db3e58a265d08b3d4bb9006042d27fc67323ef5f3d8056ef877184f545f234e"
        ], 
        "flags": 257, 
        "id": 9, 
        "keytype": "ksk", 
        "type": "Cryptokey"
    }
]

root@db43f25e449c:/# pdnsutil show-zone example1.com
Mar 30 14:52:05 [bindbackend] Done parsing domains, 0 rejected, 0 new, 0 removed
This zone is owned by admin
This is a Master zone
Last SOA serial number we notified: 2018032304 == 2018032304 (serial in the database)
Metadata items: 
    ALLOW-AXFR-FROM 1.1.1.1
    ALSO-NOTIFY 1.1.1.1
    SOA-EDIT    INCEPTION-INCREMENT
    SOA-EDIT-API    INCEPTION-INCREMENT
Zone has hashed NSEC3 semantics, configuration: 1 0 10 xxyyzzxx
keys: 
ID = 10 (ZSK), flags = 256, tag = 6625, algo = 8, bits = 1024     Active ( RSASHA256 ) 
ID = 9 (KSK), flags = 257, tag = 27817, algo = 8, bits = 2048     Active ( RSASHA256 ) 
KSK DNSKEY = example1.com. IN DNSKEY 257 3 8 AwEAAdQiy2U/BF9VV6t8C41l/TmV3BIDtbs1fvGFjWxzdbe+yLqxED/FcFV7tN3jIqnc5yRVeEubet09AVhf46za5shYyGoqdH6LaGU3ttJKFOuFzM4zDvEgHRtU/BF9VV6t8C41l/TmV3BIDtbs1fvGFjWxzdbe+yLqxED/FcFV7tN3jIqnc5yRVeEubet09AVhf46za5shYyGoqdH6LaGU3ttJKFBleJSgSumNxNKwbgYt2DoMyX0wuG6CZfYj3dBi5ZtljudbmbfZcx44BvG1hwzeTdAV/TsP3FA0/9r/OOJWc87q6AAwWDsbnIq5WT/qludLuB3Ij6K8uD6XuexYU3U= ; ( RSASHA256 )
DS = example1.com. IN DS 27817 8 1 7a0242f6bf6d3d9bc05d3f00d96af7693faa3cb8 ; ( SHA1 digest )
DS = example1.com. IN DS 27817 8 2 7323cbdbd1a01e7078653b388f044bd704781836d6bd0a1819ddff2cf1753bfc ; ( SHA256 digest )
DS = example1.com. IN DS 27817 8 4 0c6571eb43b4039e4280dda5cab9db0e1db3e58a265d08b3d4bb9006042d27fc67323ef5f3d8056ef877184f545f234e ; ( SHA-384 digest )

###############################################################################

Zone with algorithm 13 (ECDSAP256SHA256)

dns-ui should show ALL blocks with the CSK, with all attributes.

[
    {
        "active": true, 
        "algorithm": "ECDSAP256SHA256", 
        "bits": 256, 
        "dnskey": "257 3 13 Gbt/TmkhLMvUN4V+Kb+82EhFMvUN4V+Kb+82EhFMvUN4V+Kb+82EhFMvUN4V+Kb+82EMvUN4V+Kb+82EhF56tA==", 
        "ds": [
            "63900 13 1 287bf6e124e80cb341104af815d71508cb32d2d8", 
            "63900 13 2 bb1251f90e71c32f53eca2a509861adeba25076bc98e8edb65abffd1a2d31967", 
            "63900 13 4 86173f7e90f251d7ab0010978d22dd4eaa5f10a110a98d1dd849e0ee6722b3c80099004df9c21ba387d38644cc472d4d"
        ], 
        "flags": 257, 
        "id": 11, 
        "keytype": "csk", 
        "type": "Cryptokey"
    }
]


root@db43f25e449c:/# pdnsutil show-zone example2.com
Mar 30 14:52:48 [bindbackend] Done parsing domains, 0 rejected, 0 new, 0 removed
This zone is owned by admin
This is a Master zone
Last SOA serial number we notified: 2018032304 == 2018032304 (serial in the database)
Metadata items: 
    ALLOW-AXFR-FROM 1.1.1.1
    ALSO-NOTIFY 1.1.1.1
    SOA-EDIT    INCEPTION-INCREMENT
    SOA-EDIT-API    INCEPTION-INCREMENT
Zone has NSEC semantics
keys: 
ID = 11 (CSK), flags = 257, tag = 63900, algo = 13, bits = 256    Active ( ECDSAP256SHA256 ) 
CSK DNSKEY = example2.com. IN DNSKEY 257 3 13 Gbt/TmkhLMvUN4V+Kb+82EhFMvUN4V+Kb+82EhFMvUN4V+Kb+82EhFMvUN4V+Kb+82EMvUN4V+Kb+82EhF56tA== ; ( ECDSAP256SHA256 )
DS = example2.com. IN DS 63900 13 1 287bf6e124e80cb341104af815d71508cb32d2d8 ; ( SHA1 digest )
DS = example2.com. IN DS 63900 13 2 bb1251f90e71c32f53eca2a509861adeba25076bc98e8edb65abffd1a2d31967 ; ( SHA256 digest )
DS = example2.com. IN DS 63900 13 4 86173f7e90f251d7ab0010978d22dd4eaa5f10a110a98d1dd849e0ee6722b3c80099004df9c21ba387d38644cc472d4d ; ( SHA-384 digest )
christianbur commented 6 years ago

If DNSSEC is activated in the config file, we also need the following records in the dns-ui interface:

DS/DNSKEY: for each subdomain a DS/DNSKEY record must be set, otherwise the DNSSEC chain is not complete. For example I use a subdomain for dyndns.

TLSA: for DANE. DANE SMTP Validator

thomas-pike commented 6 years ago

Thanks for the information. This is very useful!

thomas-pike commented 6 years ago

@christianbur please try the latest commit from the cryptokeys branch.

christianbur commented 6 years ago

@thomas-pike looks good :-)

Cryptokey #10: ZSK
ID = 10 (ZSK), flags = 256, tag = 6625, algo = 8, bits = 1024     Active ( RSASHA256 )

DNSKEY: 
    example1.com. IN DNSKEY 256 3 8 AwEAAZoK/JkHYyWkmnpozCUdSCpfTDsmo+4F5bahmY3ciNx93GcTE+IDsHNx73c8IsYhSOOyIDxkRfLchvXvzUgbF2lwRaaaaaaaaaaCUdSCpfTDsmo+4F5bahmY3ciNx93GcTE+IDsHNx73c8IsYhSOOyIDxkRfLchvXvzUgbF2lwRD

Cryptokey #9: KSK
ID = 9 (KSK), flags = 257, tag = 27817, algo = 8, bits = 2048     Active ( RSASHA256 )

DNSKEY:
    example1.com. IN DNSKEY 257 3 8 AwEAAdQiy2weWRPCUj/qUfK5K4jg7QxbP55ihwm9R0hX/NxXZ38hseF320BxD3sH83nqNnPucz34YB6olPKuTdPMlIw777Tm2x0zbS5ZE9k/ROuFzM4zDvEgHRtU/BF9VV6t8C41l/TmV3BIDtbs1fvGFjWxzdbe+yLqxED/FcFV7tN3jIqnc5yRVeEubet09AVhf46za5shYyGoqdH6LaGU3ttJKFBleJSgSumNxNKwbgYt2DoMyX0wuG6CZfYj3dBi5ZtljudbmbfZcx44BvG1hwzeTdAV/TsP3FA0/9r/OOJWc87q6AAwWDsbnIq5WT/qludLuB3Ij6K8uD6XuexYU3U=

DS:
    example1.com. IN DS 27817 8 1 9fb04053e174e56d5a3a6c7d6ec6bda9c8075133 ; ( SHA-1 digest )
    example1.com. IN DS 27817 8 2 a455556a4b4316d05381e36983325680e8e0932e0893e817b4fd11de8576708f ; ( SHA-256 digest )
    example1.com. IN DS 27817 8 4 60e1dfa831c94a8ac082f50b7273f3d95d7381d59259b4140f6503c30a468fa9da4dfcf3102232b490c5ec36049a312c ; ( SHA-384 digest )

https://lists.isc.org/pipermail/bind-users/2010-October/081724.html I tested it; it works, but it is Python.

import base64
import struct

def key2keytag(flags, alg1, alg2, keydata):
    # RFC 4034 Appendix B: the key tag is a 16-bit checksum over the DNSKEY
    # RDATA, i.e. flags, protocol (alg1), algorithm (alg2) and the decoded public key
    data = struct.pack('!HBB', flags, alg1, alg2)
    data += base64.b64decode(keydata)  # Python 3: str.decode('base64') no longer exists
    v = 0
    for i in range(len(data)):         # indexing bytes yields ints in Python 3, no ord() needed
        if i & 1:
            v += data[i]
        else:
            v += data[i] << 8
    v += (v >> 16) & 0xffff
    return v & 0xffff

print(key2keytag(257, 3, 13, "l1jT2euVAqX602BJK8rDCnYfwEGnpAl4VSKAs1rHRsRKJLw9jWZBeo0NGVkhRu08tTtwBhSNB5q+UaUCXIHArA=="))
  -> 21093

Here is PHP: https://github.com/openfactory-ch/dnssec-key2ds

Here are a few examples of how to enter the values at the provider https://support.cloudflare.com/hc/en-us/articles/209114378-How-do-I-add-a-DS-Record-to-my-registrar-
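
As an added example (not code from the thread or from dns-ui), the following Python takes a cryptokeys response that holds several keys at once, as in christianbur's rollover example above, keeps only the SEP keys (KSK/CSK) that a registrar needs, recomputes the RFC 4034 key tag and checks it against the tags PowerDNS put in each key's ds list, and derives the SHA-256 DS record the way the key2ds tool linked above does (RFC 4034 section 5.1.4). The JSON sample and the "AQI=" key blob are constructed for the demonstration, not real key material, and the zone name is an assumption.

```python
import base64
import hashlib
import json
import struct

# Constructed sample in the shape of GET /servers/localhost/zones/ZONE/cryptokeys: a ZSK and
# a KSK present together (as during a rollover). "AQI=" is a 2-byte dummy, not a real key; the
# KSK's second DS entry deliberately carries a wrong key tag so the consistency check fires.
SAMPLE_CRYPTOKEYS = json.dumps([
    {"id": 10, "active": True, "keytype": "zsk", "flags": 256,
     "algorithm": "RSASHA256", "dnskey": "256 3 8 AQI="},
    {"id": 9, "active": True, "keytype": "ksk", "flags": 257,
     "algorithm": "RSASHA256", "dnskey": "257 3 8 AQI=",
     "ds": ["1291 8 2 " + "cd" * 32, "4242 8 2 " + "ef" * 32]},
])

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA in wire format: flags, protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (the same arithmetic as key2keytag above)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_sha256(owner, rdata):
    """DS digest type 2: SHA-256 over the canonical owner name (wire format) + DNSKEY RDATA."""
    labels = owner.rstrip(".").lower().split(".")
    wire = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return hashlib.sha256(wire + rdata).hexdigest()

def registrar_records(zone, cryptokeys_json):
    """DNSKEY/DS presentation lines for every SEP key (KSK or CSK), plus detected problems."""
    records, problems = [], []
    for key in json.loads(cryptokeys_json):
        flags, protocol, alg, pubkey = key["dnskey"].split(" ", 3)
        flags, protocol, alg = int(flags), int(protocol), int(alg)
        if not flags & 1:  # SEP bit clear (256 = ZSK): the registrar never needs it
            continue
        rdata = dnskey_rdata(flags, protocol, alg, pubkey)
        tag = key_tag(rdata)
        for ds in key.get("ds", []):  # PowerDNS derives these from the key; tags must agree
            if int(ds.split()[0]) != tag:
                problems.append(f"key {key['id']}: DS tag {ds.split()[0]} != computed {tag}")
        records.append({"id": key["id"], "keytype": key["keytype"], "tag": tag,
                        "dnskey": f"{zone}. IN DNSKEY {key['dnskey']}",
                        "ds": f"{zone}. IN DS {tag} {alg} 2 {ds_sha256(zone, rdata)}"})
    return records, problems
```

A UI would render the returned records per key (as the "Cryptokey #9: KSK" block above does) and refuse to display a key whose DS tags disagree with its DNSKEY rather than hand the user inconsistent data.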

christianbur commented 6 years ago

One little thing is still missing: "NSEC3PARAM". See the "pdnsutil show-zone" output: Zone has hashed NSEC3 semantics, configuration: 1 0 10 xxyyzzxx

At present, this parameter cannot be set via the API. However, it would be nice if we had a generic way (key:value) to set zone parameters (separate tab or in "Zone configuration"):

- ALLOW-AXFR-FROM | 1.2.3.4
- ALSO-NOTIFY | 1.2.3.4
- SOA-EDIT-API | INCEPTION-INCREMENT
- SOA-EDIT | INCEPTION-INCREMENT
- NSEC3PARAM | 1 0 10 xxyyzzxx

christianbur commented 6 years ago

Deactivating the DNSSEC option in the "Zone configuration" menu is very dangerous. When deactivating, DNSSEC is not simply deactivated but all private keys are deleted. If you don't have a backup, the zone is insecure and therefore not usable.

thomas-pike commented 6 years ago

Okay, sounds like we need to make it less likely for users to break their DNSSEC setup then. Something like the "delete zone" UI perhaps, though not sure if we want to have the 2-user confirmation that we have there.

christianbur commented 6 years ago

Thanks for the two commits https://github.com/operasoftware/dns-ui/commit/55f0a41323c75fe8a12b73fa839cccf6d128fe16 https://github.com/operasoftware/dns-ui/commit/9d7d3bbd825176b77eadfa2e38ef499f079020d1

Two things just occurred to me

thomas-pike commented 6 years ago

I converted the RFC 4034 tag calculation algorithm to PHP and added it as commit 3582179 in the cryptokeys branch.

The repeated "Disable DNSSEC" issue was a silly bug that was fixed in c6604a2.