Recursive Server
From DNSSEC-Tools Wiki
This is a brief description of the parts of DNSSEC-Tools that an administrator of a DNSSEC-aware recursive name server could find useful. The server could operate on a small scale (a single machine or small network where DNSSEC validation of DNS queries is desired) or on a large scale (an enterprise or ISP that wants a DNS server supporting DNSSEC look-ups). The DNS resolver is configured with a list of zones whose DNS results are checked for DNSSEC validity (which could be every zone). It does this by verifying each DNS answer against the digital signatures (RRSIGs) that accompany it. The validating resolver continues validating results up the DNS chain until it reaches a configured Trust Anchor (TA). Only after the answers have been properly validated will the server return the results to its client.
Recursive Server Administrator
DNSSEC-Tools has several tools to help manage a validating recursive server. See dnssec-deployment.org and dnssec.net for information on obtaining recursive servers that support DNSSEC. Most DNS server software (and all the major implementations) supports DNSSEC. Setting up the DNS server itself is out of scope for this document. The DNSSEC-Tools components trustman and the logwatch patch are most helpful with BIND in particular. The current version of logwatch has incorporated this patch and will scan for BIND/DNSSEC output from a BIND server. Trustman can manage the Trust Anchors (TAs) in BIND's named.conf file.
Trustman
| DNSSEC-Tools Component | trustman |
|---|---|
| Tool Name: | trustman |
| Tool Type: | Recursive Server Tools |
| Manual: | Manual |
| CLI: | Help |
This describes trustman, which is in the Recursive Server Tools category within the DNSSEC-Tools Components framework of tools.
Trustman is a tool that checks Trust Anchors (TAs) for changes and notifies the administrator when they change. It can check the TAs in BIND's named.conf file and in DNSSEC-Tools' dnsval.conf. dnsval.conf is the configuration file for the DNSSEC-Tools validation libraries and is usually found at /usr/local/etc/dnssec-tools/dnsval.conf or /etc/dnssec-tools/dnsval.conf. For trustman to verify the keys it manages, the libval and libsres libraries (which come with the DNSSEC-Tools package) need to be installed.
An administrator can load the TAs to be managed into the dnsval.conf and/or named.conf files and have trustman run as a daemon that routinely checks the configured zones for TA changes. When trustman runs it notifies the administrator of any differences between the local configuration files and the TAs published for each zone. Trustman can also be configured to add newly found TAs to these files. By default trustman runs in daemon mode and can be configured to send email to an administrator when it notices any change in the Trust Anchors. It can also be run as a command-line utility with verbose output so operators can examine in detail the steps it takes to analyze newly found keys.
This tool was designed so that an operator of a validating recursive server is automatically notified of any changes in the TAs used by that server.
Getting started with trustman
To get started with trustman, run the following steps (after you have configured dnssec-tools.conf so that it at least contains valid tasmtpserver and tacontact settings).
- Given a dnsval.conf file configured with the Trust Anchors (TAs) you wish to keep track of, run trustman to check on them. This example shows a new key being detected for the dnssec-tools.org zone. The new key is not trusted immediately: a hold-down timer is started, and if trustman is run again after the timer has expired (here 86400 seconds later), or is left running continuously in the background, it will eventually add the new key to /etc/dnssec-tools/dnsval.conf.
> trustman -f -S -k /etc/dnssec-tools/dnsval.conf -a /etc/dnssec-tools/trustman.storage
reading and parsing trust keys from /usr/local/etc/dnssec-tools/dnsval.conf
Reading and parsing trust keys from /etc/dnssec-tools/dnsval.conf
Found a key for dnssec-tools.org
Checking zone keys for validity
Checking the live "dnssec-tools.org" key
dnssec-tools.org ... refresh_secs=43200, refresh_time=1209637099
adding holddown for new key in dnssec-tools.org (1209680299 seconds from now)
sending mail to root@hardakers.net
Writing new keys to /etc/dnssec-tools/trustman.storage
checking new keys for timing
hold down timer for dnssec-tools.org still in the future (86400 seconds)
- The '-f' flag runs trustman in the foreground and the '-S' flag makes it run once and then quit. By default, trustman runs in daemon mode: it runs in the background and notifies the administrator via email when it discovers an action it will eventually take or is taking.
Running trustman as a daemon
For daemon mode, the following should be added to the dnssec-tools.conf file, usually located at /usr/local/etc/dnssec-tools/dnssec-tools.conf:
tacontact admin@example.com
tasmtpserver localhost
tasleeptime 3600
taanchorfile /usr/local/etc/dnssec-tools/trustman.anchorfile
tadnsvalconffile /usr/local/etc/dnssec-tools/dnsval.conf
| Setting | Meaning |
|---|---|
| tacontact | Address to send emails to |
| tasmtpserver | Host name of the outgoing mail server to use |
| tasleeptime | Time in seconds between checks for TA changes (in daemon mode) |
| taanchorfile | File in which trustman stores the TAs it downloads, for comparisons and updates |
| tadnsvalconffile | Location of the dnsval.conf file |
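The hold-down behaviour visible in the trustman output above (a newly published key is recorded, a timer starts, and only after it expires is the key added) is the RFC 5011 trust-anchor update procedure. The following Python script is an added example, not DNSSEC-Tools or trustman code: it does not reproduce trustman's file formats, timer values or mail delivery. The DNSKEY bytes, the 30-day hold-down constant and the rrset_validated flag (standing in for the signature check that libval performs) are assumptions chosen for illustration. It shows the transitions such a tool must get right: a new SEP key is trusted only after the hold-down, a key that vanishes during the hold-down has its timer discarded, and a key republished with the REVOKE bit set is dropped.

```python
import struct

# Hold-down before a newly seen SEP key is trusted. RFC 5011 specifies 30 days;
# this value and everything below are assumptions for the example, not
# trustman's own settings.
HOLDDOWN_SECS = 30 * 24 * 3600
FLAG_SEP = 0x0001     # DNSKEY "Secure Entry Point" flag
FLAG_REVOKE = 0x0080  # RFC 5011 REVOKE flag


def key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag computed over the DNSKEY RDATA."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def check_anchors(store, live_keys, now, rrset_validated):
    """One pass over a zone's live DNSKEY RRset, trustman-style.

    store: {key_tag: {"state": "valid" | "addpend", "since": epoch}} -- the
        anchors kept on disk (a constructed in-memory stand-in here).
    live_keys: list of (flags, protocol, algorithm, pubkey_bytes) as published.
    rrset_validated: whether the RRset verified under a key already trusted;
        RFC 5011 only lets such RRsets change the anchor set.
    Returns a list of (event, key_tag) describing what changed; a real tool
    would mail these to the configured contact.
    """
    if not rrset_validated:
        return [("rrset-not-validated", None)]
    events, seen = [], set()
    for flags, proto, alg, pub in live_keys:
        if not flags & FLAG_SEP:
            continue  # only SEP keys are trust-anchor candidates
        if flags & FLAG_REVOKE:
            # The REVOKE bit is part of the RDATA, so the revoked key's tag
            # differs from the tag it was trusted under: recompute without it.
            old_tag = key_tag(flags & ~FLAG_REVOKE, proto, alg, pub)
            if store.pop(old_tag, None) is not None:
                events.append(("revoked", old_tag))
            continue
        tag = key_tag(flags, proto, alg, pub)
        seen.add(tag)
        entry = store.get(tag)
        if entry is None:
            store[tag] = {"state": "addpend", "since": now}
            events.append(("holddown-started", tag))
        elif entry["state"] == "addpend" and now - entry["since"] >= HOLDDOWN_SECS:
            entry["state"] = "valid"
            events.append(("accepted", tag))
    for tag, entry in list(store.items()):
        if tag in seen:
            continue
        if entry["state"] == "addpend":
            del store[tag]  # hold-down restarts from zero if the key reappears
            events.append(("holddown-aborted", tag))
        else:
            events.append(("missing", tag))  # still trusted until revoked
    return events


def demo():
    """Constructed KSK rollover seen over three checks: old key trusted,
    new key published, new key accepted after the hold-down, old key revoked."""
    ksk_old = (0x0101, 3, 8, bytes(range(0, 64)))     # flags 257: ZONE|SEP
    ksk_new = (0x0101, 3, 8, bytes(range(64, 128)))   # constructed key bytes
    store = {key_tag(*ksk_old): {"state": "valid", "since": 0}}
    t0 = 1_700_000_000
    log = []
    log += check_anchors(store, [ksk_old, ksk_new], t0, True)
    log += check_anchors(store, [ksk_old, ksk_new], t0 + HOLDDOWN_SECS, True)
    revoked_old = (ksk_old[0] | FLAG_REVOKE,) + ksk_old[1:]
    log += check_anchors(store, [revoked_old, ksk_new], t0 + HOLDDOWN_SECS + 3600, True)
    return store, log


if __name__ == "__main__":
    final_store, events = demo()
    for event, tag in events:
        print(f"{event:18s} keytag={tag}")
    print("trusted now:", sorted(final_store))
```

The rrset_validated gate is the part most easily forgotten when scripting this by hand: an attacker who can spoof an unsigned DNSKEY response must not be able to start a hold-down for a key of their choosing, so only RRsets that verified under an already-trusted anchor may change the store.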
Logwatch
| DNSSEC-Tools Component | logwatch |
|---|---|
| Tool Name: | logwatch |
| Tool Type: | Error Checking Tools |
| Manual: | Manual |
| Example: | Example |
| CLI: | Help |
This describes logwatch, which is in the Error Checking Tools category within the DNSSEC-Tools Components framework of tools.
The logwatch update patch shipped within the DNSSEC-Tools release is now part of current versions of Logwatch, so you should not need it if you are running a recent version of logwatch. It parses DNSSEC information out of BIND's log output and adds it to logwatch's summary.
Getting started with logwatch
- Obtain logwatch version 7.1 or later.
- When using it, summary messages of the following kind should appear in your logwatch output if you are running BIND as a validating resolver:
--------------------- DNSSEC Begin ------------------------
No Valid Signature received 6 times
Detail >= 5 log messages:
Marking as secure 97 times
Verified rdataset succeeded 97 times
Attempted positive response validation 96 times
Nonexistence proof found 20 times
Attempted negative response validation 18 times
Validation OK 2 times
---------------------- DNSSEC End -------------------------
--------------------- Resolver Begin ------------------------
Received validation completion event 171 times
Validation OK 125 times
Nonexistence validation OK received 46 times
---------------------- Resolver End -------------------------
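The summary above is a count of BIND's validator and resolver log messages grouped under the labels shown. The following Python script is an added example, not the logwatch plugin or DNSSEC-Tools code: it builds the same style of summary from constructed syslog-style lines and adds the one figure an operator actually wants from it, the share of validation attempts that ended with no valid signature. The log wording is assumed from the phrases the summary reports and from BIND's validator debug messages; exact text varies between BIND versions, so adjust the patterns to the lines your named writes.

```python
import re
from collections import Counter

# Constructed lines in the shape of BIND's validator/resolver debug logging
# (hostname, pid and wording are assumptions for this example).
SAMPLE_LOG = """\
Apr 30 12:00:01 ns1 named[1234]: validating example.org/A: attempting positive response validation
Apr 30 12:00:01 ns1 named[1234]: validating example.org/A: verify rdataset (keyid=12345): success
Apr 30 12:00:01 ns1 named[1234]: validating example.org/A: marking as secure, noqname proof not needed
Apr 30 12:00:02 ns1 named[1234]: validating nx.example.org/A: attempting negative response validation
Apr 30 12:00:02 ns1 named[1234]: validating nx.example.org/A: nonexistence proof(s) found
Apr 30 12:00:03 ns1 named[1234]: validating bad.example/A: no valid signature found
Apr 30 12:00:04 ns1 named[1234]: example.org/A: received validation completion event
Apr 30 12:00:04 ns1 named[1234]: example.org/A: validation OK
Apr 30 12:00:05 ns1 named[1234]: nx.example.org/A: nonexistence validation OK
"""

# (summary label, pattern). Order matters: the more specific "nonexistence
# validation OK" must be tried before the generic "validation OK".
PATTERNS = [
    ("Nonexistence validation OK received", r"nonexistence validation OK"),
    ("Validation OK", r"validation OK"),
    ("Received validation completion event", r"received validation completion event"),
    ("No Valid Signature received", r"no valid signature"),
    ("Marking as secure", r"marking as secure"),
    ("Verified rdataset succeeded", r"verify rdataset \(keyid=\d+\): success"),
    ("Attempted positive response validation", r"attempting positive response validation"),
    ("Attempted negative response validation", r"attempting negative response validation"),
    ("Nonexistence proof found", r"nonexistence proof"),
]


def summarize(log_text):
    """Count each named line under the first matching label; unmatched lines are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        if "named[" not in line:
            continue
        for label, pattern in PATTERNS:
            if re.search(pattern, line, re.IGNORECASE):
                counts[label] += 1
                break
    return counts


def failure_ratio(counts):
    """Fraction of validation attempts that ended with no valid signature.

    A sudden rise here after a key rollover or a trust-anchor change is the
    symptom the operator of a validating resolver wants to see early.
    """
    attempts = (counts["Attempted positive response validation"]
                + counts["Attempted negative response validation"])
    return counts["No Valid Signature received"] / attempts if attempts else 0.0


def report(log_text):
    """Logwatch-style summary text plus the failure ratio."""
    counts = summarize(log_text)
    lines = [f"{label} {n} times" for label, n in counts.most_common()]
    lines.append(f"no-valid-signature ratio: {failure_ratio(counts):.2f}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Feeding it a day's worth of named log lines and alerting when the ratio jumps is a cheap complement to the logwatch counts, which by themselves do not tell you whether six failures out of a hundred attempts or out of ten thousand is being reported.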
Dnspktflow
| DNSSEC-Tools Component | dnspktflow |
|---|---|
| Tool Name: | dnspktflow |
| Tool Type: | Error Checking Tools |
| Manual: | Manual |
| Example: | Example |
| CLI: | Help |
This describes dnspktflow, which is in the Error Checking Tools category within the DNSSEC-Tools Components framework of tools.
Dnspktflow is a tool that parses a tcpdump file and graphically displays the DNS- and DNSSEC-specific network traffic. It can be used to inspect the DNSSEC traffic at a server in order to track down or check for errors.
Getting Started With Dnspktflow
- Given a tcpdump file called tcpdump.out with DNS traffic in it, run:
>dnspktflow -t -q -a -A -x -l -r 'dnssec-tools' -o dnspktflow.png tcpdump.out
- The command-line arguments above add extra information to the picture (type, query, answers, authoritative and extra information) while reducing the data to DNS packets involving hosts with 'dnssec-tools' in their names. See the dnspktflow manual page for further details.
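dnspktflow draws the packets; the check one then does by eye on the graph is whether each query carried the EDNS DO bit, whether the answer came back with RRSIGs and whether the resolver marked it authenticated (AD). The following Python script is an added example, not dnspktflow or DNSSEC-Tools code: it parses DNS messages directly and reports those gaps. The pcap, Ethernet, IP and UDP framing that dnspktflow handles is left out; the messages are constructed in the script (names, IDs and addresses are made up), and the RRSIG RDATA is a dummy payload, since the point is the message-level flags, not signature verification.

```python
import struct

RRTYPE = {1: "A", 41: "OPT", 43: "DS", 46: "RRSIG", 48: "DNSKEY"}
QR, AD = 0x8000, 0x0020   # header flag bits (RFC 1035, RFC 4035)
EDNS_DO = 0x8000          # DO bit in the OPT RR's TTL field (RFC 3225)


def encode_name(name):
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def decode_name(msg, off):
    """Return (name, offset after the name), following RFC 1035 compression pointers."""
    labels, end = [], None
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:          # compression pointer
            if end is None:
                end = off + 2                # the name ends after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_dns(payload):
    """Header flags, question and RR types of one DNS message (RDATA is not decoded)."""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    info = {"id": ident, "qr": bool(flags & QR), "ad": bool(flags & AD),
            "rcode": flags & 0xF, "do": False, "question": None, "rr_types": []}
    off = 12
    for _ in range(qd):
        name, off = decode_name(payload, off)
        qtype = struct.unpack("!H", payload[off:off + 2])[0]
        off += 4
        info["question"] = (name, RRTYPE.get(qtype, str(qtype)))
    for _ in range(an + ns + ar):
        _, off = decode_name(payload, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:
            info["do"] = bool(ttl & EDNS_DO)
        else:
            info["rr_types"].append(RRTYPE.get(rtype, str(rtype)))
    return info


def build_query(ident, name, qtype, dnssec_ok=True):
    """Recursion-desired query with an OPT RR (DO set unless told otherwise)."""
    msg = struct.pack("!6H", ident, 0x0100, 1, 0, 0, 1)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)
    return msg + b"\x00" + struct.pack("!HHIH", 41, 4096, EDNS_DO if dnssec_ok else 0, 0)


def build_response(ident, name, qtype, rrs, authenticated=True):
    """Answer with QR|RD|RA (+AD); rrs is a list of (rtype, rdata) constructed by the caller."""
    flags = 0x8180 | (AD if authenticated else 0)
    msg = struct.pack("!6H", ident, flags, 1, len(rrs), 0, 1)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)
    for rtype, rdata in rrs:
        # 0xC00C is a pointer to the owner name in the question section at offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg + b"\x00" + struct.pack("!HHIH", 41, 4096, EDNS_DO, 0)


def dnssec_flow_report(payloads):
    """Pair queries with answers by ID and list the DNSSEC gaps in the flow."""
    findings, pending = [], {}
    for m in map(parse_dns, payloads):
        qname = m["question"][0] if m["question"] else "?"
        if not m["qr"]:
            pending[m["id"]] = m
            if not m["do"]:
                findings.append(f"{m['id']:#06x}: query for {qname} sent without the DO bit")
            continue
        q = pending.pop(m["id"], None)
        if q is None:
            findings.append(f"{m['id']:#06x}: answer with no matching query")
            continue
        if q["do"] and m["rcode"] == 0 and "RRSIG" not in m["rr_types"]:
            findings.append(f"{m['id']:#06x}: DO was set but the answer for {qname} carries no RRSIG")
        if not m["ad"]:
            findings.append(f"{m['id']:#06x}: answer for {qname} not authenticated (AD clear)")
    for q in pending.values():
        findings.append(f"{q['id']:#06x}: query for {q['question'][0]} never answered")
    return findings


def demo():
    """Constructed flow: one fully validated exchange, one without DNSSEC."""
    flow = [
        build_query(0x1234, "dnssec-tools.org.", 1),
        build_response(0x1234, "dnssec-tools.org.", 1,
                       [(1, bytes([192, 0, 2, 1])), (46, b"\x00" * 20)]),  # A + dummy RRSIG
        build_query(0x5678, "example.net.", 1, dnssec_ok=False),
        build_response(0x5678, "example.net.", 1, [(1, bytes([192, 0, 2, 2]))], authenticated=False),
    ]
    return dnssec_flow_report(flow)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

To run it against real traffic, extract the UDP payloads from the capture (any pcap reader will do) and pass them to dnssec_flow_report in capture order; a query that never gets an answer, or an answer with DO honoured but no RRSIG, is the same kind of break in the flow that stands out on the dnspktflow graph.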
General Error Checking Tools
For more DNSSEC error checking and debugging tools, see the DNSSEC error checking tools summary below. It includes general DNSSEC error checking tools as well as tools that check for errors in a specific type of use or for a specific type of user. Some of these tools may be useful for debugging validating DNSSEC servers.
Software Summary
Recursive Domain Name Server Tools
| Tool | Links | Description |
|---|---|---|
| trustman | Manual, CLI Help | Detects key changes in trust anchors (TAs); it can update TAs and can run as a daemon. |
| dnspktflow | Manual, Example, CLI Help | Visually trace DNS packets being sent on the network. |
| logwatch | Example | Included in current versions of logwatch. A logwatch plugin for DNSSEC parsing of the BIND server's system logging messages. |
DNS Error Checking Tools
| Tool | Links | Description |
|---|---|---|
| dnspktflow | Manual, Example, CLI Help | Visually trace DNS packets being sent on the network. |
| validate | Manual, CLI Help | Command-line DNS validation checking (similar to dig). This is part of the libval and libsres package. |
| mapper | Manual, Example, CLI Help | Graphically display the contents of your zone. |
| trustman | Manual, CLI Help | Detects key changes in trust anchors (TAs); it can update TAs and can run as a daemon. |
| donuts | Manual, Example, CLI Help | Error check the contents of your zone; donuts does general DNS error checking including DNSSEC-specific checks, and you can extend it by writing your own rules. |
| logwatch | Example | Included in current versions of logwatch. A logwatch plugin for DNSSEC parsing of the BIND server's system logging messages. |
