lost and found ( for me ? )

DNSSEC: the BIND9 managed-keys option

[root@hat3 ~]# cat /etc/redhat-release
CentOS release 5.4 (Final)

So an option like this appeared in 9.7...

The managed-keys option

For BIND 9.7 and later versions, using a managed-key allows automatic tracking of the key using a protocol known as RFC-5011.

https://www.isc.org/software/bind/new-features/9.7

Automated trust anchor maintenance for DNSSEC (RFC 5011)

RFC 5011, Automated Updates of DNS Security (DNSSEC) Trust Anchors, documents a method for automated, authenticated, and authorized updating of DNSSEC "trust anchors" especially for the use of multiple islands of trust.
The new managed-keys statement provides named with trusted keys which are automatically kept up to date using RFC 5011. It differs from the trusted-keys statement with an additional field (second field) containing initial-key keyword which means only use this key the first time. named stores keys in a managed keys database.

[root@hat3 ~]# /usr/local/sbin/named -v
BIND 9.7.1-P2

Obtain the key by whatever means is handy and register it.

[root@hat3 ~]# dig @127.1 . dnskey | grep 257 > dnskey

[root@hat3 ~]# cat dnskey
.                       86056   IN      DNSKEY  257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=

[root@hat3 ~]# cat /etc/named.conf
options {
       directory "/var/named";
       max-cache-size 10M;
       recursion yes;
       dnssec-enable yes;
       dnssec-validation yes;
};

zone "." in {
       type hint;
       file "named.ca";
};

key "rndckey" {
     algorithm hmac-md5;
     secret "3dpawGP95zWKVzj8SDhX1w==";
};

controls {
     inet 127.0.0.1 port 953
             allow { 127.0.0.1; } keys { "rndckey"; };
};

managed-keys {
"." initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=";
};
[root@hat3 ~]#

[root@hat3 ~]# /usr/local/sbin/named

A permission error.

hat3 named[10171]: could not open file '/var/run/named/named.pid': Permission denied
hat3 named[10171]: could not open file '/var/run/named/session.key': Permission denied
hat3 named[10171]: could not create /var/run/named/session.key

Change where named.pid and session.key are stored.

[root@hat3 ~]# egrep '(pid|session)' /etc/named.conf
       pid-file "/var/named/named.pid";
       session-keyfile "/var/named/session.key";

[root@hat3 ~]# /usr/local/sbin/named

managed* and session.key appeared in the working directory ( /var/named ).

[root@hat3 named]# pwd
/var/named
[root@hat3 named]#
[root@hat3 named]# ls
managed-keys.bind  managed-keys.bind.jnl  named.ca  named.pid  session.key
[root@hat3 named]#

managed* is presumably what "named stores keys in a managed keys database." refers to.

[root@hat3 named]# cat managed-keys.bind
$ORIGIN .
$TTL 0  ; 0 seconds
@                       IN SOA  . . (
                               2          ; serial
                               0          ; refresh (0 seconds)
                               0          ; retry (0 seconds)
                               0          ; expire (0 seconds)
                               0          ; minimum (0 seconds)
                               )
                       KEYDATA 20100813181024 20100813061024 19700101000000 257 3 8 (
                               AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
                               bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh
                               /RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA
                               JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp
                               oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3
                               LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO
                               Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc
                               LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
                               ) ; key id = 19036
[root@hat3 named]#
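As an added example (not code from the page or from BIND), a small Python parser for the KEYDATA record that named writes to managed-keys.bind; it recomputes the RFC 4034 key tag so the record can be checked against the `; key id = 19036` comment. The meaning of the three timestamps (refresh, add hold-down, remove hold-down, in that order) is assumed from BIND's KEYDATA rdata type.

```python
import base64
import re
import struct
from datetime import datetime, timezone

# Constructed sample: the KEYDATA record as the page's managed-keys.bind shows it (root KSK, key id 19036).
SAMPLE = """\
KEYDATA 20100813181024 20100813061024 19700101000000 257 3 8 (
    AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
    bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh
    /RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA
    JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp
    oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3
    LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO
    Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc
    LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
    ) ; key id = 19036
"""


def dnskey_key_tag(flags, protocol, algorithm, pubkey):
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def _stamp(s):
    """YYYYMMDDHHMMSS -> aware UTC datetime; BIND writes an unset timer as the Unix epoch."""
    if s == "19700101000000":
        return None
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_keydata(text):
    """Parse one KEYDATA record (field order assumed from BIND's KEYDATA rdata type)."""
    body = re.sub(r";.*", "", text)                       # drop "; key id = ..." comments
    tokens = body.replace("(", " ").replace(")", " ").split()
    if not tokens or tokens[0] != "KEYDATA":
        raise ValueError("not a KEYDATA record")
    refresh, addhd, removehd = (_stamp(t) for t in tokens[1:4])  # refresh, add-hold-down, remove-hold-down
    flags, protocol, algorithm = (int(t) for t in tokens[4:7])
    pubkey = base64.b64decode("".join(tokens[7:]), validate=True)
    return {
        "refresh": refresh, "add_hold_down": addhd, "remove_hold_down": removehd,
        "refresh_after_seconds": int((refresh - addhd).total_seconds()) if refresh and addhd else None,
        "flags": flags, "protocol": protocol, "algorithm": algorithm,
        "sep": bool(flags & 0x0001),                       # SEP bit: key intended as a trust anchor
        "key_tag": dnskey_key_tag(flags, protocol, algorithm, pubkey),
    }
```

Because an initial-key is trusted unconditionally the first time named starts, compare the computed tag and the key itself against the root trust anchor published out of band before seeding it, rather than relying on what a local resolver answered to dig.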

[root@hat3 named]# cat managed-keys.bind.jnl
;BIND LOG V9
8[root@hat3 named]#


session.key looks like it is for DDNS.

Simplified configuration of Dynamic DNS
For easier automatic re-signing, you just need to have the zone be dynamic and have the keys accessible.
The update-policy zone option has been extended to add a local setting to enable Dynamic DNS for a zone. named will generate a TSIG session key known as local-ddns at startup which will be used for these updates. The session key file defaults to /var/run/named/session.key or can be defined using the session-keyfile option.

[root@hat3 named]# cat session.key
key "local-ddns" {
       algorithm hmac-sha256;
       secret "kD4PsVav+kw3X/vOyEeLZnfCQQjeEE0q/wMERmD+X2M=";
};
[root@hat3 named]#

Once enough time passes and the key needs updating, I wonder whether it will rotate the key automatically.
Hmm, I haven't worked with BIND 9.7 yet, so I will have to check...

Googling RFC5011 turned up this comment. Hm.

http://jpinfo.jp/mail/backnumber/event/0082.html

A Trust Anchor is the information that serves as the initial foothold when performing DNSSEC validation, and it is required in order to validate names with DNSSEC. The DNSSEC specification requires that the Trusted Anchor be configured on every DNS cache server and be kept updated at appropriate intervals. The protocol specification for automatically updating the Trusted Anchor is defined by RFC 5011. However, RFC 5011 defines only the protocol specification for automatic updates; it does not specify how automatic updates should actually be operated on the real Internet.
