Discussion:
[Opendnssec-user] Playing with 2.0.1
Mark Elkins
2016-08-30 14:10:19 UTC
I've been playing with OpenDNSSEC-2.0.1, compiled from scratch on a
Gentoo box. I have three virtual servers, server one is BIND with
unsigned zones - pretending to be the Zone Generator.
Server 3 is also running BIND - pretending to be a distribution master
or "Master" name server.
The Man in the middle (Bump on the wire) is running OpenDNSSEC and uses
the DNS Adapters. As this is all testing - all my timing values are
quite low. I'm using NSEC3, Opt-Out - etc.

Everything is humming along nicely.

I've written a simple shell script to check the consistency of the
signed zone vs the original unsigned zone. This is done by a "dig axfr"
of the before and after zones - followed by various tests.

a) I look for differences between signed and unsigned zones (after
removing DNSSEC Records)
b) I follow NSEC3 Chains - till I get back to the "start"
c) I make sure all secured delegations have NSEC3 records
d) I make sure that the signer is still re-signing by looking at the
expire time of the "nearest" RRSIG records, bringing into the picture
the current time and the values of Refresh and Resign...
If there is anything amiss - I get e-mail. So far, so good.
I disable the signer every day or so for about 10 minutes to make sure
the detection is working.

Much to my annoyance, OpenDNSSEC converts to lower case the Left Hand
side of all zones (the name part, before the TTL). Can this modification
of data be switched off?

BIND-9.10 does not do that and I think it would be better behaviour if
OpenDNSSEC followed suit. I'm well aware that there is no functional
difference between DNS names with Upper and Lower case when looking them
up - but I don't think signing software should be fiddling with it.
--
Mark James ELKINS - Posix Systems - (South) Africa
***@posix.co.za Tel: +27.128070590 Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
Yuri Schaeffer
2016-08-30 14:41:43 UTC
Post by Mark Elkins
Much to my annoyance, OpenDNSSEC converts to lower case the Left Hand
side of all zones (the name part, before the TTL). Can this modification
of data be switched off?
Agreed and the next release will have a fix for this.

https://github.com/opendnssec/opendnssec/pull/479/commits/9094d7623335c78ff18fdc606e30efdc340646b9

There is no run-time option for this.

//Yuri
Mark Elkins
2016-08-30 15:04:03 UTC
And in the creation of NSEC3 records, the "next link of the chain"
(which is currently in upper case) means the "chained-to" record will
also be in Upper Case???

eg...

13bu1nqrimn19lbkq6cvqume6thbsebr.web.za. 300 IN NSEC3 1 1 5
A021CAFA36A752AC 1ALJ0RMHHSFU8I2RQ6HB0T74JE03MGC1 MX RRSIG

||
\||/ <-- a down pointing arrow
\/

1alj0rmhhsfu8i2rq6hb0t74je03mgc1.web.za. 300 IN NSEC3 1 1 5
A021CAFA36A752AC 1NRSLBF0FHCATO1CB7E13OP7DHHVPAUT MX RRSIG

So in the next release, the line above will be written as:

1ALJ0RMHHSFU8I2RQ6HB0T74JE03MGC1.web.za. 300 IN NSEC3 1 1 5
A021CAFA36A752AC 1NRSLBF0FHCATO1CB7E13OP7DHHVPAUT MX RRSIG

Please.
Post by Yuri Schaeffer
Post by Mark Elkins
Much to my annoyance, OpenDNSSEC converts to lower case the Left Hand
side of all zones (the name part, before the TTL). Can this modification
of data be switched off?
Agreed and the next release will have a fix for this.
https://github.com/opendnssec/opendnssec/pull/479/commits/9094d7623335c78ff18fdc606e30efdc340646b9
There is no run-time option for this.
//Yuri
--
Mark James ELKINS - Posix Systems - (South) Africa
***@posix.co.za Tel: +27.128070590 Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
Yuri Schaeffer
2016-08-30 15:20:58 UTC
Hi Mark,
Post by Mark Elkins
And in the creation of NSEC3 records, the "next link of the chain"
(which is currently in upper case) means the "chained-to" record will
also be in Upper Case???
I'm unsure what you mean. In what case are the hashes published in
uppercase by ODS?

The point of the proposed patch is to make sure the published records in
the signed zone will be unmodified from the input zone. Not for any
technical reason but merely for 'least surprises'. Any records generated
by ODS itself do not need to fall under this policy.

//Yuri
Post by Mark Elkins
eg...
13bu1nqrimn19lbkq6cvqume6thbsebr.web.za. 300 IN NSEC3 1 1 5
A021CAFA36A752AC 1ALJ0RMHHSFU8I2RQ6HB0T74JE03MGC1 MX RRSIG
||
\||/ <-- a down pointing arrow
\/
1alj0rmhhsfu8i2rq6hb0t74je03mgc1.web.za. 300 IN NSEC3 1 1 5
A021CAFA36A752AC 1NRSLBF0FHCATO1CB7E13OP7DHHVPAUT MX RRSIG
1ALJ0RMHHSFU8I2RQ6HB0T74JE03MGC1.web.za. 300 IN NSEC3 1 1 5
A021CAFA36A752AC 1NRSLBF0FHCATO1CB7E13OP7DHHVPAUT MX RRSIG
Please.
Post by Yuri Schaeffer
Post by Mark Elkins
Much to my annoyance, OpenDNSSEC converts to lower case the Left Hand
side of all zones (the name part, before the TTL). Can this modification
of data be switched off?
Agreed and the next release will have a fix for this.
https://github.com/opendnssec/opendnssec/pull/479/commits/9094d7623335c78ff18fdc606e30efdc340646b9
There is no run-time option for this.
//Yuri
_______________________________________________
Opendnssec-user mailing list
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
Mark Elkins
2016-08-30 16:05:38 UTC
Post by Yuri Schaeffer
Hi Mark,
Post by Mark Elkins
And in the creation of NSEC3 records, the "next link of the chain"
(which is currently in upper case) means the "chained-to" record will
also be in Upper Case???
I'm unsure what you mean. In what case are the hashes published in
uppercase by ODS?
NSEC3 records chain from one to the next. In the NSEC3 record, the 9th
field is the name of the next link. It's always in upper case (ODS & BIND).

In ODS, the "Chained to" record is currently in lower case. I think it
should be in upper case. In BIND - the "chained to" record is in upper
case - ie "preserving" the Case.

If one is writing checking tools that work for both BIND and ODS, then
this would be a difference to code around because of the way that the
two signers work.

I'm not saying BIND is better but they are regarded as "standard".

It's a small change but would provide conformance and that is what I am
looking for.
Post by Yuri Schaeffer
The point of the proposed patch is to make sure the published records in
the signed zone will be unmodified from the input zone. Not for any
technical reason but merely for 'least surprises'. Any records generated
by ODS itself do not need to fall under this policy.
//Yuri
Post by Mark Elkins
eg...
13bu1nqrimn19lbkq6cvqume6thbsebr.web.za. 300 IN NSEC3 1 1 5
A021CAFA36A752AC 1ALJ0RMHHSFU8I2RQ6HB0T74JE03MGC1 MX RRSIG
||
\||/ <-- a down pointing arrow
\/
1alj0rmhhsfu8i2rq6hb0t74je03mgc1.web.za. 300 IN NSEC3 1 1 5
A021CAFA36A752AC 1NRSLBF0FHCATO1CB7E13OP7DHHVPAUT MX RRSIG
1ALJ0RMHHSFU8I2RQ6HB0T74JE03MGC1.web.za. 300 IN NSEC3 1 1 5
A021CAFA36A752AC 1NRSLBF0FHCATO1CB7E13OP7DHHVPAUT MX RRSIG
Please.
Post by Yuri Schaeffer
Post by Mark Elkins
Much to my annoyance, OpenDNSSEC converts to lower case the Left Hand
side of all zones (the name part, before the TTL). Can this modification
of data be switched off?
Agreed and the next release will have a fix for this.
https://github.com/opendnssec/opendnssec/pull/479/commits/9094d7623335c78ff18fdc606e30efdc340646b9
There is no run-time option for this.
//Yuri
--
Mark James ELKINS - Posix Systems - (South) Africa
***@posix.co.za Tel: +27.128070590 Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za