Recursive Server

From DNSSEC-Tools

This is a brief description of the parts of DNSSEC-Tools that an administrator of a DNSSEC-aware recursive name server could find useful. The server could operate on a small scale (a single machine or small network where DNSSEC validation of DNS queries is desired) or on a large scale (an enterprise or ISP that wants a DNS server supporting DNSSEC look-ups). The resolver is configured with a list of zones whose DNS results are checked for DNSSEC validity (which could be every zone). It does this by checking the DNS answers against the digital signatures that accompany them. The validating resolver continues validating up the DNS chain until it reaches a configured Trust Anchor (TA). Only after the answers have been properly validated does the server return the results to its client.


Recursive Server Administrator

DNSSEC-Tools has several tools to help manage a validating recursive server. See dnssec-deployment.org and dnssec.net for information on obtaining recursive servers that support DNSSEC. Most DNS server software (and all the major implementations) supports DNSSEC. Setting up the DNS server itself is out of scope for this document. The DNSSEC-Tools components trustman and the logwatch patch are most helpful with BIND in particular. The current version of logwatch has incorporated this patch and will scan for DNSSEC output from a BIND server. Trustman can manage the Trust Anchors (TAs) in BIND's named.conf file.

Trustman

DNSSEC-Tools Component: trustman
This describes trustman, which is in the Recursive Server Tools category within the DNSSEC-Tools Components framework of tools.
Tool Name: trustman
Tool Type: Recursive Server Tools
Links: Manual, CLI help

Trustman is a tool that checks for changes in Trust Anchors (TAs) and notifies the administrator of them. It can check the TAs in BIND's named.conf file and in DNSSEC-Tools' dnsval.conf. dnsval.conf is the configuration file for the DNSSEC-Tools validation libraries and is usually found in /usr/local/etc/dnssec-tools/dnsval.conf or /etc/dnssec-tools/dnsval.conf. For trustman to verify the keys it manages, the libval and libsres libraries (which come with the DNSSEC-Tools package) need to be installed.

An administrator can load the TAs to be managed into the dnsval.conf and/or named.conf files and have trustman run as a daemon that routinely checks those configured zones for TA changes. When trustman runs it notifies the administrator of any differences between the local configuration files and the published TAs for one or more zones. Trustman can also be configured to add newly found TAs to these files. By default trustman runs in daemon mode and can be configured to send email to an administrator when it notices any change in the Trust Anchors. It can also be run as a command-line utility with verbose output so operators can examine in detail the steps it takes to analyze newly found keys.

This tool was designed so that the operator of a validating recursive server is automatically notified of any changes in the TAs used by the servers they administer.

Getting started with trustman

To get started with trustman, run through the following steps (after you have configured dnssec-tools.conf so that it at least contains valid tasmtpserver and tacontact settings).

  • Given a dnsval.conf file that has been configured with the Trust Anchors (TAs) you wish to keep track of, you can run trustman to check on them. The example below shows a new key being detected for the dnssec-tools.org zone. If trustman is run again after the hold-down timer has expired (86400 seconds later in this example), or left running continuously in the background, it will add the new key to /etc/dnssec-tools/dnsval.conf.

> trustman -f -S -k /etc/dnssec-tools/dnsval.conf -a /etc/dnssec-tools/trustman.storage
reading and parsing trust keys from /usr/local/etc/dnssec-tools/dnsval.conf
Reading and parsing trust keys from /etc/dnssec-tools/dnsval.conf
 Found a key for dnssec-tools.org
Checking zone keys for validity
 Checking the live "dnssec-tools.org" key
  dnssec-tools.org ...  refresh_secs=43200, refresh_time=1209637099
  adding holddown for new key in dnssec-tools.org (1209680299 seconds from now)
sending mail to root@hardakers.net
Writing new keys to /etc/dnssec-tools/trustman.storage
checking new keys for timing
 hold down timer for dnssec-tools.org still in the future (86400 seconds)

  • The '-f' flag runs trustman in the foreground and the '-S' flag makes it run once and then quit. By default trustman runs in daemon mode: it stays in the background and notifies an administrator by email when it discovers an action it will eventually take or is taking.
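
The two checks trustman performs in the run above, identifying a published key by its key tag so it can be compared with the locally configured anchor, and holding a new key back until a hold-down timer expires, as an added example in Python. This is not trustman's own code (trustman is a Perl program): the key-tag computation follows RFC 4034 Appendix B, the hold-down follows RFC 5011 (30 days by default; trustman's own timer is what the output above reports), and the sample DNSKEY is a constructed 8-byte placeholder, not a real key. Signature verification of the DNSKEY RRset is deliberately left out and noted in the code.

```python
import base64
import struct
from dataclasses import dataclass, field

# Added example, not trustman's own code. It shows the two things trustman is
# doing in the output above: identifying a published DNSKEY by its key tag so it
# can be matched against the locally configured trust anchor, and holding a
# newly seen key back until an RFC 5011 add hold-down has elapsed.

FLAG_SEP = 0x0001            # Secure Entry Point: the key is meant to be a trust anchor
FLAG_REVOKE = 0x0080         # RFC 5011 REVOKE bit
ADD_HOLD_DOWN = 30 * 86400   # RFC 5011 section 2.4.1: 30 days (trustman's own timer is configurable)


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """Wire-format DNSKEY RDATA: flags, protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


@dataclass
class Anchor:
    tag: int
    first_seen: int          # epoch seconds when the key was first observed
    trusted: bool = False    # stays False while inside the add hold-down


@dataclass
class AnchorStore:
    """Trust anchors for one zone, updated from successive polls of its DNSKEY RRset."""
    hold_down: int = ADD_HOLD_DOWN
    anchors: dict = field(default_factory=dict)    # key tag -> Anchor

    def poll(self, dnskeys, now: int) -> list:
        """Feed the DNSKEYs the zone currently publishes as (flags, proto, alg, key_b64).

        Returns the events an operator would be mailed.  Signature checks are
        omitted: a real implementation must only accept keys (and REVOKE bits)
        that are signed by an already trusted key, as RFC 5011 requires.
        """
        events, seen = [], set()
        for flags, proto, alg, key in dnskeys:
            if not flags & FLAG_SEP:
                continue   # ZSKs are never candidates for trust anchors
            # Setting REVOKE changes the tag (RFC 5011 section 2.1), so always
            # compute it with the bit cleared to match the key as first seen.
            tag = key_tag(dnskey_rdata(flags & ~FLAG_REVOKE, proto, alg, key))
            seen.add(tag)
            if flags & FLAG_REVOKE:
                if self.anchors.pop(tag, None) is not None:
                    events.append(f"key {tag} revoked; removed from trust anchors")
                continue
            anchor = self.anchors.get(tag)
            if anchor is None:
                self.anchors[tag] = Anchor(tag, now)
                events.append(f"new key {tag} seen; hold-down until {now + self.hold_down}")
            elif not anchor.trusted and now - anchor.first_seen >= self.hold_down:
                anchor.trusted = True
                events.append(f"key {tag} passed hold-down; now a trust anchor")
        # A pending key that disappears before its hold-down expires is forgotten,
        # so a key that was only briefly visible never becomes trusted by accident.
        for tag in [t for t, a in self.anchors.items() if not a.trusted and t not in seen]:
            del self.anchors[tag]
            events.append(f"pending key {tag} vanished before hold-down; dropped")
        return events

    def trusted_tags(self) -> set:
        return {t for t, a in self.anchors.items() if a.trusted}


# Constructed sample: a KSK (flags 257 = SEP) with an 8-byte placeholder key
# (bytes 0x01..0x08); not a real key.  Its key tag works out to 5149.
SAMPLE_KSK = (257, 3, 8, "AQIDBAUGBwg=")

if __name__ == "__main__":
    store = AnchorStore()
    for day in (0, 29, 30):
        for event in store.poll([SAMPLE_KSK], now=day * 86400):
            print(f"day {day}: {event}")
    print("trusted:", store.trusted_tags())
```

Run as a script it prints the events for polls on day 0, 29 and 30; in a real deployment each poll would be fed the DNSKEY RRset fetched, and verified against the existing anchors, for every zone listed in dnsval.conf or named.conf.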

Running trustman as a daemon

For daemon mode, the following should be added to the dnssec-tools.conf file, usually located in /usr/local/etc/dnssec-tools/dnssec-tools.conf:

tacontact        admin@example.com
tasmtpserver     localhost
tasleeptime      3600
taanchorfile     /usr/local/etc/dnssec-tools/trustman.anchorfile
tadnsvalconffile /usr/local/etc/dnssec-tools/dnsval.conf

tacontact         address to send notification email to
tasmtpserver      host name of the outgoing mail server to use
tasleeptime       time in seconds between checks for TA changes (in daemon mode)
taanchorfile      file in which trustman stores the TAs it downloads, for later comparison and updates
tadnsvalconffile  location of the dnsval.conf file

Logwatch

DNSSEC-Tools Component: logwatch
This describes logwatch, which is in the Error Checking Tools category within the DNSSEC-Tools Components framework of tools.
Tool Name: logwatch
Tool Type: Error Checking Tools
Links: Manual, Example, CLI help

The logwatch patch included in the DNSSEC-Tools release is now part of current versions of Logwatch, so you shouldn't need it if you are running a recent version. It parses DNSSEC information out of BIND's log output and adds it to logwatch's summary.

Getting started with logwatch

  • Obtain logwatch version 7.1 or later.
  • If you are running BIND as a validating resolver, summary messages like these should appear in your logwatch report:
 --------------------- DNSSEC Begin ------------------------

 No Valid Signature received 6 times

 Detail >= 5 log messages:
    Marking as secure 97 times
    Verified rdataset succeeded 97 times
    Attempted positive response validation 96 times
    Nonexistence proof found 20 times
    Attempted negative response validation 18 times
    Validation OK 2 times

 ---------------------- DNSSEC End -------------------------


 --------------------- Resolver Begin ------------------------


    Received validation completion event  171 times
    Validation OK  125 times
    Nonexistence validation OK received  46 times

 ---------------------- Resolver End -------------------------
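
What the logwatch filter does to produce the section above, as an added example in Python rather than logwatch's own Perl filter: tally BIND's validator messages into the same summary labels and, the part the bare count does not give you, group the signature failures by name so you can tell one broken zone from a resolver-wide problem. The log lines are constructed in the style of BIND 9's validator and resolver debug messages (the syslog prefix and exact wording vary by version) and are not a real capture.

```python
import re
from collections import Counter

# Constructed sample, in the style of BIND 9's validator and resolver debug
# logging as seen through syslog; not a real capture, and the exact prefix
# varies between BIND versions.
SAMPLE_LOG = """\
Jan 12 10:00:01 ns1 named[1234]: validating @0x7f3c1c0: example.org A: starting
Jan 12 10:00:01 ns1 named[1234]: validating @0x7f3c1c0: example.org A: attempting positive response validation
Jan 12 10:00:01 ns1 named[1234]: validating @0x7f3c1c0: example.org A: verify rdataset (keyid=12345): success
Jan 12 10:00:01 ns1 named[1234]: validating @0x7f3c1c0: example.org A: marking as secure
Jan 12 10:00:01 ns1 named[1234]: fetch: example.org/A: validation OK
Jan 12 10:00:02 ns1 named[1234]: validating @0x7f3c2d0: nx.example.org A: attempting negative response validation
Jan 12 10:00:02 ns1 named[1234]: validating @0x7f3c2d0: nx.example.org A: nonexistence proof(s) found
Jan 12 10:00:02 ns1 named[1234]: fetch: nx.example.org/A: nonexistence validation OK
Jan 12 10:00:03 ns1 named[1234]: validating @0x7f3c3e0: bad.example.net A: attempting positive response validation
Jan 12 10:00:03 ns1 named[1234]: validating @0x7f3c3e0: bad.example.net A: verify rdataset (keyid=54321): RRSIG failed to verify
Jan 12 10:00:03 ns1 named[1234]: validating @0x7f3c3e0: bad.example.net A: no valid signature found
Jan 12 10:00:04 ns1 named[1234]: validating @0x7f3c3e0: bad.example.net A: verify rdataset (keyid=54321): RRSIG failed to verify
Jan 12 10:00:04 ns1 named[1234]: validating @0x7f3c3e0: bad.example.net A: no valid signature found
"""

# (pattern, summary label, always shown).  The first matching rule wins, so
# the more specific "nonexistence validation OK" precedes "validation OK".
# Only the signature failure is shown regardless of detail level, like the
# "No Valid Signature received" line in the report above.
RULES = [
    (re.compile(r": no valid signature found$"), "No Valid Signature received", True),
    (re.compile(r": marking as secure"), "Marking as secure", False),
    (re.compile(r": verify rdataset \(keyid=\d+\): success$"), "Verified rdataset succeeded", False),
    (re.compile(r": attempting positive response validation$"), "Attempted positive response validation", False),
    (re.compile(r": nonexistence proof\(s\) found$"), "Nonexistence proof found", False),
    (re.compile(r": attempting negative response validation$"), "Attempted negative response validation", False),
    (re.compile(r": nonexistence validation OK$"), "Nonexistence validation OK received", False),
    (re.compile(r": validation OK$"), "Validation OK", False),
]

# Pulls the name and type out of a validator line so failures can be grouped.
VALIDATING_RE = re.compile(r"validating @0x[0-9a-f]+: (?P<name>\S+) (?P<type>\S+): (?P<msg>.*)$")


def summarize(log_text: str) -> dict:
    """Count validator messages by the summary label logwatch would print."""
    counts = Counter()
    for line in log_text.splitlines():
        for pattern, label, _ in RULES:
            if pattern.search(line):
                counts[label] += 1
                break
    return dict(counts)


def failing_names(log_text: str) -> dict:
    """Which name/type pairs failed validation, and how often.

    A cluster of failures on one zone usually means a broken signer or a stale
    DS record at that zone; failures spread across many zones point at the
    resolver itself or its trust anchors.
    """
    fails = Counter()
    for line in log_text.splitlines():
        m = VALIDATING_RE.search(line)
        if m and m.group("msg") == "no valid signature found":
            fails[f"{m.group('name')}/{m.group('type')}"] += 1
    return dict(fails)


def render(counts: dict, detail: int = 5) -> str:
    """Produce a logwatch-style DNSSEC section from summarize()'s counts."""
    lines = [" --------------------- DNSSEC Begin ------------------------", ""]
    for _, label, always in RULES:
        if always and label in counts:
            lines.append(f" {label} {counts[label]} times")
    lines.append("")
    if detail >= 5:
        lines.append(" Detail >= 5 log messages:")
        for _, label, always in RULES:
            if not always and label in counts:
                lines.append(f"    {label} {counts[label]} times")
        lines.append("")
    lines.append(" ---------------------- DNSSEC End -------------------------")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(summarize(SAMPLE_LOG)))
    print("failures by name:", failing_names(SAMPLE_LOG))
```

Running it prints a DNSSEC section in the same layout as the report above plus the per-name failure breakdown; to apply it to a real server, feed it the lines BIND writes for the dnssec and resolver logging categories at the debug level the page's output came from.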

Dnspktflow

DNSSEC-Tools Component: dnspktflow
This describes dnspktflow, which is in the Error Checking Tools category within the DNSSEC-Tools Components framework of tools.
Tool Name: dnspktflow
Tool Type: Error Checking Tools
Links: Manual, Example, CLI help

Dnspktflow is a tool that parses a tcpdump capture and graphically displays the DNS and DNSSEC-specific traffic in it. It can be used to check the DNSSEC traffic at a server in order to track down or check for errors.

Getting Started With Dnspktflow

  • Given a tcpdump file called tcpdump.out with DNS traffic in it, run:
>dnspktflow -t -q -a -A -x -l -r 'dnssec-tools' -o dnspktflow.png tcpdump.out
  • The command-line arguments above add extra information to the picture (type, query, answers, authoritative and extra information) while reducing the data to DNS packets involving hosts with 'dnssec-tools' in their names. See the dnspktflow manual page for further details.
(Figure: dnspktflow picture of the DNS packets involving hosts matching 'dnssec-tools')
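
What dnspktflow extracts from each packet, as an added example in Python that is not dnspktflow's own code (which is Perl and works from tcpdump output): a decoder for the DNS header flags, question, answered record types and EDNS DO bit of a raw DNS message, with one-line labels like the annotations in the diagram. The two packets are constructed inline (a DO-bit query and an AD-flagged response for dnssec-tools.org carrying a placeholder RRSIG, not a real signature); extracting the UDP payload from a capture is assumed to be done elsewhere.

```python
import struct

# Added example, not dnspktflow's own code.  Decodes the fields dnspktflow
# plots from a raw DNS message: query vs. response, the flags that matter for
# DNSSEC (AD, CD and the EDNS DO bit), the question, the record types answered
# and the RCODE.  The caller is assumed to have extracted the UDP payload.

TYPE_NAMES = {1: "A", 2: "NS", 28: "AAAA", 41: "OPT", 43: "DS", 46: "RRSIG",
              47: "NSEC", 48: "DNSKEY", 50: "NSEC3"}


def _read_name(pkt: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, end = [], None
    for _ in range(128):                  # bound the walk: a pointer loop must not hang us
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:             # compression pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln
    else:
        raise ValueError("compression pointer loop")
    return ".".join(labels) or ".", end if end is not None else off


def parse(pkt: bytes) -> dict:
    """Parse header flags, question, record sections and the EDNS DO bit."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    info = {
        "id": txid,
        "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400), "tc": bool(flags & 0x0200),
        "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
        "ad": bool(flags & 0x0020), "cd": bool(flags & 0x0010), "rcode": flags & 0x000F,
        "question": None, "answers": [], "authority": [], "additional": [], "do": False,
    }
    off = 12
    for _ in range(qd):
        name, off = _read_name(pkt, off)
        qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
        off += 4
        info["question"] = (name, qtype)
    for section, count in (("answers", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = _read_name(pkt, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
            off += 10
            rdata = pkt[off:off + rdlen]
            off += rdlen
            if rtype == 41:
                # OPT pseudo-RR: CLASS carries the UDP payload size and the TTL
                # field carries extended RCODE, version and flags; DO is bit 15.
                info["do"] = bool(ttl & 0x8000)
                info["udp_size"] = rclass
            else:
                info[section].append((name, rtype, rdata))
    return info


def describe(info: dict) -> str:
    """One-line label in the spirit of dnspktflow's per-packet annotations."""
    name, qtype = info["question"]
    parts = ["response" if info["qr"] else "query", f"{name}/{TYPE_NAMES.get(qtype, qtype)}"]
    parts += [f for f, on in (("AA", info["aa"]), ("AD", info["ad"]),
                              ("CD", info["cd"]), ("DO", info["do"])) if on]
    if info["qr"]:
        parts.append(f"rcode={info['rcode']}")
        parts.append("answers=" + ",".join(TYPE_NAMES.get(t, str(t)) for _, t, _ in info["answers"]))
    return " ".join(parts)


# Constructed sample packets (not captured traffic): a DO-bit query for
# dnssec-tools.org/A and a validated (AD) response carrying an A record and an
# RRSIG whose RDATA is a zero placeholder, not a real signature.
def _name(s: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in s.split(".")) + b"\x00"


def _opt(do: bool, udp_size: int = 4096) -> bytes:
    return b"\x00" + struct.pack("!HHIH", 41, udp_size, 0x8000 if do else 0, 0)


QUERY = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)      # RD set
         + _name("dnssec-tools.org") + struct.pack("!HH", 1, 1) + _opt(True))
RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 2, 0, 1)   # QR, RD, RA, AD set
            + _name("dnssec-tools.org") + struct.pack("!HH", 1, 1)
            + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
            + b"\xc0\x0c" + struct.pack("!HHIH", 46, 1, 300, 18) + b"\x00" * 18
            + _opt(True))

if __name__ == "__main__":
    for pkt in (QUERY, RESPONSE):
        print(describe(parse(pkt)))
```

The AD bit in a response is only meaningful on the hop between a validating resolver and a client that trusts it; when reading a capture taken at the server, a DO-bit query that comes back without AD (or with RCODE 2, SERVFAIL) is the packet pair to look at when tracking down validation failures.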

General Error Checking Tools

For more DNSSEC error checking and debugging tools, see the DNSSEC error checking tools summary below. It includes general DNSSEC error checking tools as well as tools that check a specific type of use or user. Some of the tools may be useful for debugging validating DNSSEC servers.

Software Summary

Recursive Domain Name Server Tools

  • trustman (Manual, CLI help): detects key changes in trust anchors (TAs); it can update the TAs and can run as a daemon.
  • DNSSEC-Nodes: graphically depicts the DNSSEC results of a lookup from log files.
  • dnspktflow (Manual, Example, CLI help): visually traces DNS packets being sent on the network.
  • logwatch (Example; included in current versions of logwatch): a logwatch plugin that parses the DNSSEC messages in the BIND server's system log.

DNS Error Checking Tools

  • DNSSEC-Check: checks your resolvers for DNSSEC compliance.
  • dnspktflow (Manual, Example, CLI help): visually traces DNS packets being sent on the network.
  • validate (Manual, CLI help): command-line DNS validation checking (similar to dig); part of the libval and libsres package.
  • mapper (Manual, Example, CLI help): graphically displays the contents of your zone.
  • trustman (Manual, CLI help): detects key changes in trust anchors (TAs); it can update the TAs and can run as a daemon.
  • donuts (Manual, Example, CLI help): error-checks the contents of your zone, doing general DNS error checking including DNSSEC-specific checks; you can extend it by writing your own rules.
  • logwatch (Example; included in current versions of logwatch): a logwatch plugin that parses the DNSSEC messages in the BIND server's system log.