OpenBSD Journal

DNS Security

Contributed by jose on from the never-fully-implemented-standards dept.

Secure DNS (or DNSSec) promises to go a long way towards securing the Internet infrastructure. However, a large number of hurdles need to be overcome before this becomes a reality. As a way of encouraging people to investigate DNSSEC implementations using OpenBSD, I offer a handful of links.

The first is to the SANS Reading Room on secure DNS. It has a decent set of links and a fair introduction to the subject. A really good set of documents is housed at the DNSSEC domain. Lastly, the DNSSEC project hosted by NLnet Labs has a good set of things to investigate as well.

I'm looking for documentation on implementing DNS security (in the DNSSec standards) for OpenBSD. If you have any, please share them. Note that BIND9, in ports, offers many of these standards partially implemented.



Comments
  1. By Boris () spam@localhost on --

    How about giving a look at:
    http://cr.yp.to/djbdns/forgery.html
    There are other "views" about DNSSec.

  2. By kremlyn () on

    Alternatively, you could just use djbdns. Smaller, faster, more secure.. no need to reinvent the wheel.

    Whoa. Problem solved.

    Beer anyone?

    //kremlyn

  3. By Skinny Puppy () on http://www.shitbomb.com

    Using DNSSEC to sign the zonefile data will not offer you any more security. This is due to no clients that verify this signed data.

    But one thing that did come out of a DNSSEC, that really has nothing to do with it (maybe it did, I never finished reading the RFCs) is the secure zone transfers. You can use this to verify that your slaves and master servers will only respond and deal with each other for exchanging data and update notices. Basically no man in the middle attacks between your servers. This is a nice feature but I still prefer the ssh method that DJB takes. It is simple and works and is easy as hell to debug (I hate hate hate hate named's logging messages, cryptic and in general a pain in my ass)

    Skinny "Not a DNS admin anymore thank god" Puppy

  4. By Anonymous Coward () on

    dnssec is a stupid idea. why have cryptography tied to the details of one particular protocol? Use IPSEC if you want crypto at that level. I agree with others that djbdns makes dns a much more agreeable experience.

    Comments
    1. By Anonymous Coward () on

      You're suggesting to set up IPSEC links to every DNS server on the Internet that you want to send queries to? DNSSEC has nothing to do with transfers between your own servers.

    2. By Jakob () jakob@crt.se on mailto:jakob@crt.se

      How would you securely set up an IPsec/IKE session with someone unknown? At the same speed as a DNS query (~50 ms). Read draft-ietf-dnsext-dns-threats-02.txt for a good threat analysis of the DNS.

      Comments
      1. By niekze () on

        I'm guessing you've never used the magic() function. With it, you don't even need to query; It just *knows*. :)

  5. By Roy Arends () roy@logmess.com on mailto:roy@logmess.com

    Note the difference between Domain Name System SECurity (DNSSEC) and securing a DNS Server. The SANS document describes how to tighten security around (and with) implementations.

    DNSSEC does not protect you against implementation bugs. A secured DNS server does not protect you against a forged DNS message response.

  6. By ArSa () newarsa@yahoo.com on mailto:newarsa@yahoo.com

    Running DNS over same set of checks as SSL (as in https) would be nice, but I just hope they will not require me to purchase $300 a year certificate.
    I do understand that it might cost 300 for site verification, I just don't want to deal with another Verisign...

    Comments
    1. By Matt Ostiguy () on

      Good point. Getting PKI straightened out certainly would be nice. People need to be able to cheaply set up their own CAs, and not be beholden to the big boys for every single cert at 300 or more a whack.

  7. By Jakob () jakob@openbsd.org on mailto:jakob@openbsd.org

    FYI, I'm currently working on moving the relevant OpenBSD-improvements to BIND4 into BIND9 for a future integration. If things work out as planned, I hope to have something ready before 3.3.

    Comments
    1. By Anonymous Coward () on

      Nice.

    2. By Anonymous Coward () on

      Awesome!

    3. By W () on

      One word (imho): djbdns. That said, I can understand why one wanna stick to BIND.

      Comments
      1. By Jakob () jakob@openbsd.org on mailto:jakob@openbsd.org

        IPv6
        IXFR
        Dynamic update
        TSIG
        DNSSEC

        ... the list goes on

        Comments
        1. By RSS () robin-deadly@socha.net on http://socha.net

          1. IPv6: http://www.fefe.de/dns/ because of http://cr.yp.to/djbdns/ipv6mess.html
          2. IXFR: IXFR patch
          3. Dynamic update: http://cr.yp.to/djbdns/res-disaster.html
          4. TSIG: "IPSEC provides better security than TSIG. IPSEC is inherently easier to set up than TSIG: it has the big advantage of applying to all protocols, rather than being glued into the guts of one protocol. There are, similarly, superior alternatives to the DNS update protocol, IXFR, and NOTIFY."
          5. DNSSEC: http://cr.yp.to/djbdns/forgery.html

          And just so you don't get me wrong:
          (root@hellfire):(~)# cat /etc/motd
          OpenBSD 3.2-current (HELLFIRE) #2: Thu Dec 26 12:31:33 CET 2002

          BIND is a rotten mess - and what were your arguments again?

          Comments
          1. By Roy Arends () roy@logmess.com on mailto:roy@logmess.com

            1+2) So the first 2 are extra (unauthored) patches to do what BIND already does ?

            3) res-disaster was not the reason DJB did not implement dynups. IMHO dynups are not required to have a fully operational authoritative DNS server.

            4) In the eye of the beholder. If you have a dedicated DNS box, (i.e. no other services), I'm happy with TSIG or SIG(0), since it's _so_ easy to set up.

            5) Show me an implementation of DJB's top priority Nym-based security for his DJBDNS imps. Note that one of the design goals of DNS is to ease the requirement of remembering IP-addresses.

            "The disadvantage is that it requires long host names, too long to remember."

            Think for yourself. Stop blindly quoting others (and at least READ and understand their quotes first), or you're just another quote-zombie.

            Roy

      2. By Anonymous Coward () on

        license problems.

      3. By Jakob () jakob@openbsd.org on mailto:jakob@openbsd.org

        IPv6
        IXFR
        Dynamic update
        TSIG
        DNSSEC

        ... the list goes on

    4. By Anonymous Coward () on

      Thank you!

  8. By W () on

    As a handful of others already have pointed out, take a look at djbdns and some of Bernstein's views for alternatives (http://cr.yp.to/). I use djbdns myself, and simply put: I love it!

    And by the way: MERRY CHRISTMAS!! :-)

  9. By Anonymous Coward () on

    I'm currently working on a from-scratch DNS server in pure Java. Why? Because I want something which doesn't suffer the buffer overflow risks that have plagued BIND for years, and it needs to be scalable (multi-threaded) for use on SMP machines. It uses an SQL database (Postgres or any other) instead of a mess of text files to store its zone data. Hopefully my company will be able to release it under a reasonable free/open source license sometime next year. For some users this could be a good replacement for BIND. Oh, I'm sure some of you are wondering about performance: It is about as fast as BIND9 (faster, in some cases). It uses the high-performance java.nio framework. Hopefully there will soon be a release of Java 1.4 for OpenBSD so I can run my favorite language/platform on my favorite OS.

    Comments
    1. By Anonymous Coward () on

      Java will only run on OpenBSD-i386. Not really platform independent.

    2. By Roy Arends () roy@logmess.com on mailto:roy@logmess.com

      GREAT !

      Does it use DNSJava ? Or really built from scratch ? Separate Authoritative & recursive ? Does the recursive side cache ? DNSSEC ? TSIG (TKEY) ? Sec.Dyn.Update ? [AI]XFR ? Views ?

      This is really interesting. You might wanna talk to NLnetLabs/Ripe wrt their DISTEL project to test behaviour:
      http://www.ripe.net/ripe/meetings/archive/ripe-42/presentations/ripe42-dns-distel/

      DNSJava
      http://www.xbill.org/dnsjava/

      Regards,

      Roy

      Comments
      1. By Anonymous Coward () on

        No, it is completely from scratch, no DNSJava code, for both licensing and technical reasons. Right now, it does not do recursive searches at all. This means you couldn't use it as anything other than a primary name server. Obviously, that's not nearly as useful as a more complete server. It's just a start. There are two good things about it right now: one is that the protocol is fully implemented, so all the stuff of converting packets to and from Java objects works correctly. You can do reasonable things like message.getHeader().getAnswerCount(), etc, without worrying about parsing binary stuff. The second is that the database storage structures are built for expansion to be able to do caching, etc, so that is coming later. Also the server framework is completely there; it binds to the port, starts threads, etc, as it needs to. In other words, it's not going to be too hard to expand it to support caching and other features.

        As for DNSSEC, it doesn't support that at all yet. I don't think any clients are using that right now. Maybe I'll put that in later. XFER is not supported at all. I think zone transfers are a broken way to replicate a database. Views are not supported, but it would be easy to add them.

        java.nio is way cool. I get all the safety of Java without losing the speed of C. Its performance is about equal to bind9. Java is definitely the way to go for network daemons that have to handle dangerous input from the net.

        Comments
        1. By Roy Arends () roy@logmess.com on mailto:roy@logmess.com

          Authoritative server only. That's good, keep concepts separated. A recursive service has totally different design-reqs than authoritative service. Don't let an auth.serv. cache ! Don't let it send any queries ! No need for randomness.

          XFER is the way to replicate individual zones. rsync-ssh is a way to replicate a complete server, but not part of the protocol (no value judgement here on which to use).

          Good luck ! keep me posted !

          Roy

  10. By Anonymous Coward () on

    Okay, so, over and over, people mention djbdns. In fact, whenever just about any protocol comes up, people mention djb's implementation, explain how it saved Earth from certain doom, and tell us we should all use it.

    Let me ask: How can you stand him? I can't; I think he's an ass. (That's why I don't use his software. It might be a stupid reason, but that's why). It's the same reason why I loathe to use anything that's been touched by RMS.

    Now, before someone gets smart and compares djb to Theo, let me point out that while they can both be grating, they have very different personalities. While Theo can be abusive, he is always, always direct, and if he is hostile I feel that it is for good reason. On the other hand, I do not think I have ever read any email or web page by djb that is not condescending or sarcastic. djb feels t, so Iantisocial to me, as if he were hostile not just to certain people but to all of humanity. I can't stand him.

    Comments
    1. By Anonymous Coward () on

      ... and his license sucks!

      Comments
      1. By Anonymous Coward () on

        That is the real reason not to use his stuff. His license is goofy. I have no idea what he is hoping to accomplish with that license, but it means that there's no practical way to distribute his stuff other than in unmodified source code, and that's just goofy and stupid. It should be possible to have a fully-running system without needing to compile anything. Oh, and the whole qmail thing of trying to fake not having a database by using all these separate files where the inode number = the filename (and therefore you can't back up the directory) is also just totally goofy.

        Comments
        1. By Anonymous Coward () on

          > and the whole qmail thing of trying to fake not having a database

          iirc it is done for speed, not for faking anything.
          qmail uses cdb for on-disk databases.

          Wonderful days to all of you!


    2. By Anonymous Coward () on

      You cannot argue with results - look at the security record...

      But the licence... now there's something to not like.

    3. By kremlyn () on

      Un-believable.

      Firstly, don't compare TDR to DJB. Heck, while we're at it, let's compare George W Bush to the tooth fairy (although, the jury is out on which would make a better world leader). Each is an individual, and has their own way of dealing with situations, circumstances and individuals. Appreciate it and move on.

      In the Open Source world, code talks and bullshit walks. Here, obviously, DJB's code has spoken loud and clear. It's clean, logical, it works, it's secure.. heck, it's even easy to use. Put aside issues of personality - we're *all* on the same side here.

      In the end if we decide not to use certain software because we don't like the people who wrote it, we're cutting our own noses off in spite of our faces.

      Sure, attack the license; personally, I don't agree with it a whole lot. But think of it this way - the code is good, the code is free, and the code is clean enough such that an install from source will work good anywhere. Hence, no need for a port/package. Also, consider that DJB is his own task master, *he* strives for the same security goals as OpenBSD, but, for whatever reason, he wants to remain authoritative as to what goes into the code and what goes out - same way as Theo remains so for OpenBSD. I assure you, having DJB make the final call is *not* a bad thing. Let Theo do his work (brilliantly) and DJB continue to do his work (brilliantly).

      :wq!

      Comments
      1. By Anonymous Coward () on

        > Put aside issues of personality - we're *all* on the same side here.

        Yes, we are. At least, I'd hope so.

        You see, I really get the feeling that djb does a lot of things just to inflate his ego. And that really bothers me. When I run someone's software, I feel like I'm approving of that person's job. I don't want to approve of arrogance. Maybe that's a distant reason to some of you, but it feels very important and very nearby to me. As I said before, it's the same reasoning that makes me avoid anything done by RMS (though it's his political philosophy that disturbs me so much).

        I'll readily admit that I'm not maintaining a hundred machines; I'm just a hobbyist with a home network, and that gives me the flexibility to accept some of the grief that may come with a low-quality tool. So maybe I am hurting myself here; I don't actually know, because I refuse to try djb's tools. Nevertheless, this is a compelling reason to me, and maybe I'm just close-minded, but I don't see why more people object to him on those grounds. A lot of people object to his license; to me his license is just a demonstration of what I don't like about him.

    4. By W () on

      Code talks. Whether DJB is a good or bad person has nothing to do with the fact that djbdns is awesome. I love that piece of brilliant software. And qmail for that matter. I install it, I configure it, and I relax - for months; He doesn't release a new version of his software fourteen times a week because of some security hole. DJB's software is simply put a BLISS for system administrators (like myself).

    5. By Anonymous Coward () on

      > On the other hand, I do not think I have ever read any email or web page by djb that is not condescending or sarcastic. djb feels t, so Iantisocial to me, as if he were hostile not just to certain people but to all of humanity. I can't stand him.

      Perhaps you don't understand his dry humor.

    6. By Lars Hansson () lars@unet.net.ph on mailto:lars@unet.net.ph

      Ain't that just a bitch. You don't like him. Who gives a flying fuck? If you select software based on personality I hope you never get to work with/for me. IMHO, Theo and DJB are very much alike in some ways, which might explain why they have such problems getting along, but you know what?
      I don't care if they like each other. I don't care if they get off on humping garden gnomes. It's completely goddamn irrelevant for the quality of their work.

      And why is it that as soon as someone mentions DJB people have to complain over and over about how he's an ass, how much his license sucks, how X is better than his software etc etc ad infinitum.
      It's almost as old and dreadfully boring as "my dad is stronger than your dad".

      Comments
      1. By Anonymous Coward () on

        > Ain't that just a bitch. You don't like him. Who gives a flying fuck?

        Ah. Well, you answered my question. I do. Obviously you don't.

  11. By Anonymous Coward () on

    Got a good howto on RBL blocking now?

    :-D

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]