[designate] Support for DNSSEC // Bump in the wire signer via BIND9 or Knot
Hello,

I was wondering if anybody knew about the current state of DNSSEC signing for Designate-managed zones. Since Designate MDNS serves as primary, it actually should do the signing / provide already signed zones via zone transfers. Adding support for DNSSEC was last discussed for Kilo [1], but that spec was never finished and DNSSEC support was never implemented.

One approach to do this is using a bump in the wire signer [2][3][4] and have an intermediate BIND9 or Knot server doing the signing. Has anybody implemented something of this kind? If so, how do your users receive their initial DS / DNSKEY for the parent zone?

Regards

Christian

[1] https://review.opendev.org/c/openstack/designate-specs/+/132571
[2] https://bind9.readthedocs.io/en/latest/dnssec-guide.html#bump-in-the-wire-si...
[3] https://jpmens.net/2023/07/22/adieu-opendnssec-bienvenido-knot-dns/
[4] https://labs.ripe.net/author/anandb/dnssec-signer-migration/
Hi Christian,

I definitely think we should consider enhancing Designate to support DNSSEC. Bump-in-the-wire may be an interim solution, but I think we should pursue a native solution.

This topic is on our PTG etherpad. We definitely can cover both topics. What time during our session works best for you?

Michael

On Tue, Mar 26, 2024 at 1:17 PM Christian Rohmann <christian.rohmann@inovex.de> wrote:
> Hello,
>
> I was wondering if anybody knew about the current state of DNSSEC signing for Designate-managed zones. Since Designate MDNS serves as primary, it actually should do the signing / provide already signed zones via zone transfers. Adding support for DNSSEC was last discussed for Kilo [1], but that spec was never finished and DNSSEC support was never implemented.
>
> One approach to do this is using a bump in the wire signer [2][3][4] and have an intermediate BIND9 or Knot server doing the signing. Has anybody implemented something of this kind? If so, how do your users receive their initial DS / DNSKEY for the parent zone?
>
> Regards
>
> Christian
>
> [1] https://review.opendev.org/c/openstack/designate-specs/+/132571
> [2] https://bind9.readthedocs.io/en/latest/dnssec-guide.html#bump-in-the-wire-si...
> [3] https://jpmens.net/2023/07/22/adieu-opendnssec-bienvenido-knot-dns/
> [4] https://labs.ripe.net/author/anandb/dnssec-signer-migration/
Thanks for getting back to me on this one!

On 09.04.24 5:26 AM, Michael Johnson wrote:
> I definitely think we should consider enhancing Designate to support DNSSEC. Bump-in-the-wire may be an interim solution, but I think we should pursue a native solution.

Good point to discuss. Maybe there are also existing libraries (e.g. https://www.dnspython.org/) that could be leveraged? Otherwise using an existing and proven DNS server software to do the signing is no crime. Dealing with key creation, rollover and storage is plenty to do, and implementing all of the DNSSEC workflows and staying current with them does create the requirement to keep up.

Unfortunately there seems to be no standard API like there is with Catalog Zones to integrate bump in the wire signers. So implementation specific API calls are necessary, creating somewhat of a mess in itself again.

Native support would immediately enable all secondaries to receive signed zones and also avoid all those orchestration and synchronization issues that come with provisioning the bump in the wire signer for each zone. Also it avoids the single point of failure that again has to be mitigated.

> This topic is on our PTG etherpad. We definitely can cover both topics. What time during our session works best for you?

Can we do DNSSEC at 15:00 UTC (so 17:00 CEST for me)? I suppose you are doing Meetpad for conferencing? So URL https://meetpad.opendev.org/apr2024-ptg-designate ?

Thanks again,

Regards

Christian
Hi,

Why not use PowerDNS's automatic signing? It is able to transparently sign zones.

Cheers,
Kees

On 09-04-2024 09:01, Christian Rohmann wrote:
> Thanks for getting back to me on this one!
>
> On 09.04.24 5:26 AM, Michael Johnson wrote:
> > I definitely think we should consider enhancing Designate to support DNSSEC. Bump-in-the-wire may be an interim solution, but I think we should pursue a native solution.
>
> Good point to discuss. Maybe there are also existing libraries (e.g. https://www.dnspython.org/) that could be leveraged? Otherwise using an existing and proven DNS server software to do the signing is no crime. Dealing with key creation, rollover and storage is plenty to do, and implementing all of the DNSSEC workflows and staying current with them does create the requirement to keep up.
>
> Unfortunately there seems to be no standard API like there is with Catalog Zones to integrate bump in the wire signers. So implementation specific API calls are necessary, creating somewhat of a mess in itself again.
>
> Native support would immediately enable all secondaries to receive signed zones and also avoid all those orchestration and synchronization issues that come with provisioning the bump in the wire signer for each zone. Also it avoids the single point of failure that again has to be mitigated.
>
> > This topic is on our PTG etherpad. We definitely can cover both topics. What time during our session works best for you?
>
> Can we do DNSSEC at 15:00 UTC (so 17:00 CEST for me)? I suppose you are doing Meetpad for conferencing? So URL https://meetpad.opendev.org/apr2024-ptg-designate ?
>
> Thanks again,
>
> Regards
>
> Christian
On 2024-04-09 09:21:55 +0200 (+0200), Kees Meijs | Nefos wrote:
> Why not use PowerDNS's automatic signing? It is able to transparently sign zones.
[...]

BIND has automatic zone signing as well, for that matter. We use it to sign the zones hosted from the opendev.org name servers. I even use BIND's automatic functionality to provide DNSSEC for the domains I host on my own personal name servers; I've never needed to manually sign any of my zones.

-- 
Jeremy Stanley
Thanks for your interest in the matter!

There will be a PTG slot tomorrow at 15:00 UTC - https://etherpad.opendev.org/p/apr2024-ptg-designate Please come and join the discussion around DNSSEC for Designate (or not).

See my comments and thoughts below ....

On 09.04.24 9:21 AM, Kees Meijs | Nefos wrote:
> Why not use PowerDNS's automatic signing? It is able to transparently sign zones.

On 09.04.24 2:18 PM, Jeremy Stanley wrote:
> BIND has automatic zone signing as well, for that matter. We use it to sign the zones hosted from the opendev.org name servers. I even use BIND's automatic functionality to provide DNSSEC for the domains I host on my own personal name servers; I've never needed to manually sign any of my zones.

Certainly BIND [1], Knot [2] and PowerDNS [3] all can do automatic signing and zone maintenance.

And following the bump-in-the-wire idea [4], they could simply do just that and sit between Designate mDNS and the actual secondaries. With catalog zones provisioning the zones, this could all be one happy DNS server family. One downside is that the bump in the wire signing server has to be made HA somehow to not introduce a SPoF. PowerDNS seems to cover this nicely with a replicated database [5]? How would that work for BIND? Manually create keys and distribute them to multiple DNS servers?

Maybe Designate could leverage some aspect of the multi-signer model and the MUSIC protocol ...
* https://blog.apnic.net/2023/06/22/testing-the-multi-signer-dnssec-model-in-b...
* https://github.com/DNSSEC-Provisioning/music
but that's a whole rabbit hole in itself.

To me the main questions in relation to Designate then are:

1) Could there be any integration with the signer server(s) to support such setups?

The provisioning of DNS zones on the signer could just work via catalog zone, so not much to do there. But how will the end user receive their zone's DS, DNSKEY or CDS, CDNSKEY records for them to configure in the parent zone [6]? Should this be something Designate would need to use its implementation specific drivers for? Or is there any way to make this implementation agnostic?

What could this look like without a single bump in the wire signer? Could Designate create keys and distribute them to all the secondary DNS servers for them to use for inline-signing?

2) Why not implement DNSSEC signing (via some existing libraries)?

Implementing DNSSEC itself allows for "dumb" secondaries to just work.

Regards

Christian

[1] https://bind9.readthedocs.io/en/latest/dnssec-guide.html#enabling-automated-...
[2] https://www.knot-dns.cz/docs/2.6/html/configuration.html#automatic-dnssec-si...
[3] https://doc.powerdns.com/authoritative/dnssec/modes-of-operation.html#dnssec...
[4] https://bind9.readthedocs.io/en/latest/dnssec-guide.html#bump-in-the-wire-si...
[5] https://doc.powerdns.com/authoritative/dnssec/modes-of-operation.html#online...
[6] https://bind9.readthedocs.io/en/latest/dnssec-guide.html#working-with-the-pa...
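The question raised twice in this thread (in the original post and again above) is how a zone owner obtains the DS / DNSKEY or CDS / CDNSKEY records that the parent needs. The following is an added example, not code from Designate, BIND, Knot or PowerDNS, showing the derivation those records rest on using only the Python standard library: the key tag per RFC 4034 Appendix B, the DS digest over the canonical owner name plus DNSKEY RDATA, and a consistency check that a signer's published CDS really describes its published CDNSKEY before anyone pushes it to the parent. The owner name example.com. and the DNSKEY below are constructed samples (the "public key" is four placeholder bytes, not a valid ECDSA key); real keys are far longer but the arithmetic is identical.

```python
"""Derive DS / CDS from a DNSKEY / CDNSKEY and check that a signer's
CDS matches its CDNSKEY.  Added example; not Designate or DNS server code.
Stdlib only.  The sample key below is constructed, not a real key."""

import base64
import hashlib
import struct

# DS digest types (RFC 4034 / 4509 / 6605) that the stdlib can compute.
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# Constructed sample: KSK flag (257), protocol 3, algorithm 13 (ECDSAP256SHA256),
# public key = bytes 01 02 03 04 ("AQIDBA==" in base64). Placeholder only.
SAMPLE_OWNER = "example.com."
SAMPLE_DNSKEY = "257 3 13 AQIDBA=="


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical DNS wire format (lower-case, length-prefixed labels)."""
    name = name.strip().rstrip(".").lower()
    if not name:                      # the root name is a single zero octet
        return b"\x00"
    out = b""
    for label in name.split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, raw key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def parse_dnskey(text: str) -> bytes:
    """Presentation format 'FLAGS PROTO ALG BASE64...' -> RDATA bytes.
    DNSKEY and CDNSKEY share this layout, so one parser serves both."""
    fields = text.split()
    flags, protocol, algorithm = (int(f) for f in fields[:3])
    pubkey = base64.b64decode("".join(fields[3:]))
    return dnskey_rdata(flags, protocol, algorithm, pubkey)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> dict:
    """DS fields for a DNSKEY: digest = H(canonical owner name | DNSKEY RDATA)."""
    digest = DIGEST_TYPES[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": digest}


def format_ds(owner: str, ds: dict, rtype: str = "DS") -> str:
    """Render as a DS (or CDS) record in presentation format."""
    return (f"{owner} IN {rtype} {ds['key_tag']} {ds['algorithm']} "
            f"{ds['digest_type']} {ds['digest']}")


def cds_matches_cdnskey(owner: str, cds_text: str, cdnskey_text: str) -> bool:
    """True if the CDS RDATA (text, without owner/class/type) is the DS of the
    given CDNSKEY.  Use this before forwarding a signer's CDS to the parent."""
    parts = cds_text.split()
    if len(parts) < 4 or int(parts[2]) not in DIGEST_TYPES:
        return False                  # malformed or unsupported digest type
    tag, alg, dtype, digest = int(parts[0]), int(parts[1]), int(parts[2]), "".join(parts[3:])
    ds = make_ds(owner, parse_dnskey(cdnskey_text), dtype)
    return ds["key_tag"] == tag and ds["algorithm"] == alg and ds["digest"] == digest.upper()


def main() -> None:
    rdata = parse_dnskey(SAMPLE_DNSKEY)
    ds = make_ds(SAMPLE_OWNER, rdata)
    print(format_ds(SAMPLE_OWNER, ds))
    print(format_ds(SAMPLE_OWNER, ds, "CDS"))
    # A signer publishes CDS and CDNSKEY itself; here the CDS is rebuilt from
    # the computed DS so the check can be shown against a matching pair.
    cds = f"{ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}"
    print("CDS matches CDNSKEY:", cds_matches_cdnskey(SAMPLE_OWNER, cds, SAMPLE_DNSKEY))


if __name__ == "__main__":
    main()
```

The key tag is only a 16-bit checksum, so a match on the tag alone proves nothing; the check compares tag, algorithm, digest type and digest. Whatever component hands records to tenants (Designate, a driver, or an operator) should run this kind of comparison on the signer's CDS/CDNSKEY pair and on the DNSKEY actually served by the secondaries, since a mismatch between what the parent holds and what the child serves makes the zone bogus.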
Hi again,

(Sorry for top posting.)

Thank you for the invitation, but unfortunately the time frame doesn't fit any free slot in my calendar.

On 09-04-2024 18:13, Christian Rohmann wrote:
> PowerDNS seems to cover this nicely with a replicated database [5]

To give my two cents anyway: one should have a HA database solution such as Galera anyway. It is more than convenient to have PowerDNS use this database as well, running multiple nodes (for both MariaDB and PowerDNS obviously) and implement zones in NATIVE mode instead of a classic MASTER / SLAVE approach. Should work like a charm, I reckon.

Cheers,
Kees

On 09-04-2024 18:13, Christian Rohmann wrote:
> Thanks for your interest in the matter!
>
> There will be a PTG slot tomorrow at 15:00 UTC - https://etherpad.opendev.org/p/apr2024-ptg-designate Please come and join the discussion around DNSSEC for Designate (or not).
>
> See my comments and thoughts below ....
>
> On 09.04.24 9:21 AM, Kees Meijs | Nefos wrote:
> > Why not use PowerDNS's automatic signing? It is able to transparently sign zones.
>
> On 09.04.24 2:18 PM, Jeremy Stanley wrote:
> > BIND has automatic zone signing as well, for that matter. We use it to sign the zones hosted from the opendev.org name servers. I even use BIND's automatic functionality to provide DNSSEC for the domains I host on my own personal name servers; I've never needed to manually sign any of my zones.
>
> Certainly BIND [1], Knot [2] and PowerDNS [3] all can do automatic signing and zone maintenance.
>
> And following the bump-in-the-wire idea [4], they could simply do just that and sit between Designate mDNS and the actual secondaries. With catalog zones provisioning the zones, this could all be one happy DNS server family. One downside is that the bump in the wire signing server has to be made HA somehow to not introduce a SPoF. PowerDNS seems to cover this nicely with a replicated database [5]? How would that work for BIND? Manually create keys and distribute them to multiple DNS servers?
>
> Maybe Designate could leverage some aspect of the multi-signer model and the MUSIC protocol ...
> * https://blog.apnic.net/2023/06/22/testing-the-multi-signer-dnssec-model-in-b...
> * https://github.com/DNSSEC-Provisioning/music
> but that's a whole rabbit hole in itself.
>
> To me the main questions in relation to Designate then are:
>
> 1) Could there be any integration with the signer server(s) to support such setups?
>
> The provisioning of DNS zones on the signer could just work via catalog zone, so not much to do there. But how will the end user receive their zone's DS, DNSKEY or CDS, CDNSKEY records for them to configure in the parent zone [6]? Should this be something Designate would need to use its implementation specific drivers for? Or is there any way to make this implementation agnostic?
>
> What could this look like without a single bump in the wire signer? Could Designate create keys and distribute them to all the secondary DNS servers for them to use for inline-signing?
>
> 2) Why not implement DNSSEC signing (via some existing libraries)?
>
> Implementing DNSSEC itself allows for "dumb" secondaries to just work.
>
> Regards
>
> Christian
>
> [1] https://bind9.readthedocs.io/en/latest/dnssec-guide.html#enabling-automated-...
> [2] https://www.knot-dns.cz/docs/2.6/html/configuration.html#automatic-dnssec-si...
> [3] https://doc.powerdns.com/authoritative/dnssec/modes-of-operation.html#dnssec...
> [4] https://bind9.readthedocs.io/en/latest/dnssec-guide.html#bump-in-the-wire-si...
> [5] https://doc.powerdns.com/authoritative/dnssec/modes-of-operation.html#online...
> [6] https://bind9.readthedocs.io/en/latest/dnssec-guide.html#working-with-the-pa...
I'd like to give an update to not leave this thread dangling ....

On 09.04.24 6:13 PM, Christian Rohmann wrote:
> There will be a PTG slot tomorrow at 15:00 UTC - https://etherpad.opendev.org/p/apr2024-ptg-designate Please come and join the discussion around DNSSEC for Designate (or not).

Outcome of the discussion at the PTG ([1]) was to add DNSSEC signing support into Designate and to revive the existing (but never finished) spec [2].

Regards

Christian

[1] https://etherpad.opendev.org/p/apr2024-ptg-designate#L50
[2] https://review.opendev.org/c/openstack/designate-specs/+/132571
participants (4)
- Christian Rohmann
- Jeremy Stanley
- Kees Meijs | Nefos
- Michael Johnson