Real-time updates to signed zones using dynamic update, OpenDNSSEC and BIND views (PowerPoint presentation)



SLIDE 1

PRIVATE & CONFIDENTIAL

Real-time updates to signed zones using dynamic update, OpenDNSSEC and BIND views

Gavin Brown <gavin.brown@centralnic.com> ICANN 50 London

SLIDE 2

A Brief History of CentralNic’s DNS System

1994: Altos Series 1000 + Informix => UUCP => SunOS

Kickin’ it old school!

SLIDE 3

A Brief History of CentralNic’s DNS System

2000: Slackware + BIND8
Later: BIND9, migration to CentOS, addition of NSD, Anycast

Praise “Bob”

SLIDE 4

A Brief History of CentralNic’s DNS System

2007: Initial DNSSEC Deployment

SLIDE 5

A Brief History of CentralNic’s DNS System

2012: new deployment to support new gTLDs

SLIDE 6

Signer Configuration

  • Genzone writes zone files to disk
  • Tells ODS to sign
  • ODS tells BIND to reload
  • BIND sends NOTIFY to slave(s)

SLIDE 7

2013: dynamic DNS update

  • Real-time update of zone data
  • Application code assembles an update packet (RFC 2136) and sends it to the master server for the unsigned zone
  • Updated zone data is then signed and distributed
  • Problem: unsigned zone data must now be exposed over port 53 so dynamic updates can be accepted
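The RFC 2136 packet the application code assembles, as an added example (standard library only; this is not the slides' or CentralNic's SRS code). It also shows the part the slide leaves implicit: the update is signed with TSIG, which is what lets the master enforce an `allow-update { key "..."; }` ACL like the one in the BIND "unsigned" view later in the deck, and `tsig_verify()` is the check the master performs. The zone, owner name, key name (`srs-update-key.tsig.`, taken from the view config) and secret are constructed sample values; the `hmac-sha256` algorithm is an assumption, since the deck does not say which one the key uses.

```python
# Added example: TSIG-signed RFC 2136 UPDATE in wire format, standard library only.
# build_update()/tsig_sign() stand in for the SRS application; tsig_verify() is the
# master's allow-update { key "..."; } check. Zone, owner, key name, secret: samples.
import hashlib
import hmac
import struct

TYPE_A, TYPE_SOA, TYPE_TSIG = 1, 6, 250
CLASS_IN, CLASS_ANY = 1, 255
OPCODE_UPDATE = 5
ALGORITHM = "hmac-sha256."   # TSIG algorithm name, itself a domain name (assumed)


def encode_name(name: str) -> bytes:
    """Uncompressed wire-format domain name (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += struct.pack("!B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def _skip_name(buf: bytes, pos: int) -> int:
    """Offset just past a wire-format name; a compression pointer (0xC0) ends it."""
    while True:
        length = buf[pos]
        if length & 0xC0 == 0xC0:
            return pos + 2
        pos += 1
        if length == 0:
            return pos
        pos += length


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header: ID, opcode and the four section counts."""
    msg_id, flags, zo, pr, up, ad = struct.unpack("!HHHHHH", msg[:12])
    return {"id": msg_id, "opcode": (flags >> 11) & 0xF, "zocount": zo,
            "prcount": pr, "upcount": up, "adcount": ad}


def build_update(zone: str, owner: str, ipv4: str, ttl: int, msg_id: int) -> bytes:
    """Unsigned UPDATE: zone section = the zone's SOA, update section = add one A record."""
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, 1, 0)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    update_rr = encode_name(owner) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return header + zone_section + update_rr


def _tsig_variables(key_wire: bytes, alg_wire: bytes, time_hi: int, time_lo: int,
                    fudge: int, error: int = 0, other_len: int = 0) -> bytes:
    """TSIG fields covered by the MAC (RFC 8945 section 4.3.3); names in canonical lowercase."""
    return (key_wire.lower() + struct.pack("!HI", CLASS_ANY, 0) + alg_wire.lower()
            + struct.pack("!HIHHH", time_hi, time_lo, fudge, error, other_len))


def tsig_sign(msg: bytes, key_name: str, secret: bytes, now: int, fudge: int = 300) -> bytes:
    """Append a TSIG RR and bump ARCOUNT; the MAC covers the message before the RR was added."""
    time_hi, time_lo = now >> 32, now & 0xFFFFFFFF
    key_wire, alg_wire = encode_name(key_name), encode_name(ALGORITHM)
    mac = hmac.new(secret, msg + _tsig_variables(key_wire, alg_wire, time_hi, time_lo, fudge),
                   hashlib.sha256).digest()
    rdata = (alg_wire + struct.pack("!HIHH", time_hi, time_lo, fudge, len(mac)) + mac
             + struct.pack("!HHH", struct.unpack("!H", msg[:2])[0], 0, 0))  # orig ID, error, other len
    tsig_rr = key_wire + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    adcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", adcount) + msg[12:] + tsig_rr


def tsig_verify(signed: bytes, secret: bytes, now: int) -> bool:
    """Master side: TSIG must be the last RR, MAC must match, time must be inside the fudge window."""
    hdr = parse_header(signed)
    if hdr["adcount"] == 0:
        return False                      # no TSIG at all: refused by allow-update { key ...; }
    pos = 12
    for _ in range(hdr["zocount"]):
        pos = _skip_name(signed, pos) + 4             # name + type + class
    for _ in range(hdr["prcount"] + hdr["upcount"] + hdr["adcount"]):
        rr_start, name_end = pos, _skip_name(signed, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", signed[name_end:name_end + 10])
        pos = name_end + 10 + rdlen
    if rtype != TYPE_TSIG or pos != len(signed):
        return False
    key_wire, rd = signed[rr_start:name_end], name_end + 10
    alg_end = _skip_name(signed, rd)
    alg_wire = signed[rd:alg_end]
    time_hi, time_lo, fudge, mac_len = struct.unpack("!HIHH", signed[alg_end:alg_end + 10])
    mac = signed[alg_end + 10:alg_end + 10 + mac_len]
    orig_id, error, other_len = struct.unpack("!HHH", signed[alg_end + 10 + mac_len:][:6])
    if alg_wire.lower() != encode_name(ALGORITHM) or orig_id != hdr["id"]:
        return False
    if abs(now - ((time_hi << 32) | time_lo)) > fudge:
        return False                      # BADTIME: replayed or clock-skewed request
    # Reconstruct the message as it was when signed: TSIG RR removed, ARCOUNT decremented
    unsigned = signed[:10] + struct.pack("!H", hdr["adcount"] - 1) + signed[12:rr_start]
    covered = unsigned + _tsig_variables(key_wire, alg_wire, time_hi, time_lo, fudge, error, other_len)
    return hmac.compare_digest(mac, hmac.new(secret, covered, hashlib.sha256).digest())
```

The TSIG key is the only thing standing between the Internet and the unsigned zone's contents once port 53 is open: the "unsigned" view configuration shown later in the deck restricts who may update with `allow-update { key ... }` but shows no `allow-query` or `allow-transfer` ACL, so anything limiting plain queries and AXFR of the unsigned data would have to live in its `# more goes here`.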

SLIDE 8

Dynamic Update: Requirements

  • No new infrastructure (physical or virtual)
  • Both unsigned and signed zones served over port 53 from the same system

  • Solution: BIND views

SLIDE 9

BIND Views

  • Essentially virtual DNS servers inside the same BIND process
  • Similar to HTTP virtual hosts
  • Routing determined by source or destination address of the query packet

  • Views can contain the same zones but use different zone files

SLIDE 10

Implementation

  • Add additional IP addresses as aliases on the server’s network adapter:
    • one extra for BIND
    • one for OpenDNSSEC
  • Configure ODS to listen on its IP, accept NOTIFY packets and do XFRs
  • Configure BIND with two views selected by destination address:
    • “unsigned”:
      • uses zone files produced by genzone
      • accepts dynamic updates from the SRS
      • sends NOTIFY packets to ODS
    • “signed”:
      • uses zone files produced by ODS
      • sends NOTIFY packets to slave(s)

SLIDE 11

Implementation

SLIDE 12

Configuration - BIND

options {
    listen-on { 192.168.1.199; 192.168.1.219; };
    notify explicit;
    # more goes here
};

view "unsigned" {
    match-destinations { 192.168.1.199; };
    notify-source 192.168.1.199;
    also-notify { 192.168.1.198; };
    allow-update { key "srs-update-key.tsig"; };
    include "gtlds-unsigned.conf";
};

view "signed" {
    match-destinations { 192.168.1.219; };
    notify-source 192.168.1.219;
    also-notify { 192.168.1.150; };
    allow-update { none; };
    include "gtlds-signed.conf";
};

SLIDE 13

Configuration - OpenDNSSEC

conf.xml:

<Configuration>
  <!-- more goes here -->
  <Signer>
    <Listener>
      <Interface>
        <Address>192.168.1.198</Address>
        <Port>53</Port>
      </Interface>
    </Listener>
    <NotifyCommand>/usr/sbin/rndc reload %zone in signed</NotifyCommand>
  </Signer>
</Configuration>

SLIDE 14

Configuration - OpenDNSSEC

addns.xml:

<?xml version="1.0" encoding="utf-8"?>
<Adapter>
  <DNS>
    <Inbound>
      <RequestTransfer>
        <Remote>
          <Address>192.168.1.199</Address>
        </Remote>
      </RequestTransfer>
      <AllowNotify>
        <Peer>
          <Prefix>192.168.1.199</Prefix>
        </Peer>
      </AllowNotify>
    </Inbound>
  </DNS>
</Adapter>

SLIDE 15

Configuration - OpenDNSSEC

zonelist.xml:

<Zone name="tld">
  <Policy>default</Policy>
  <SignerConfiguration>/var/opendnssec/signconf/tld.xml</SignerConfiguration>
  <Adapters>
    <Input>
      <Adapter type="DNS">/etc/opendnssec/addns.xml</Adapter>
    </Input>
    <Output>
      <Adapter type="File">/var/opendnssec/signed/tld</Adapter>
    </Output>
  </Adapters>
</Zone>

SLIDE 16

Comments

  • Use externally visible IPs to allow for debugging + monitoring
  • Genzone still used to process updates for batch processes
  • Genzone has to “freeze” and “thaw” the zone in the unsigned view before generating a new file
    • i.e. rndc [freeze|thaw] $zone in unsigned
  • OpenDNSSEC DNS adapter has some issues
  • Getting great support from Sara and Matthijs!
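The freeze/thaw step above has a failure mode worth guarding against: `rndc freeze` stops the zone accepting dynamic updates and flushes its journal to the zone file, and only `rndc thaw` re-enables updates and reloads the rewritten file, so a genzone run that dies between the two leaves the unsigned view refusing SRS updates. The wrapper below is an added example (not CentralNic's genzone) that orders the three steps and always thaws; the `rndc` path and the `RecordingRunner` used to exercise it without a live `named` are assumptions.

```python
# Added example: freeze -> regenerate -> thaw for a dynamic zone in a BIND view,
# with thaw guaranteed even if regeneration fails. Not CentralNic's genzone.
# /usr/sbin/rndc is an assumed path; RecordingRunner exists only for offline testing.
import subprocess
from typing import Callable, List, Optional


class RecordingRunner:
    """Stand-in for subprocess.run that just records each argv it was asked to run."""
    def __init__(self) -> None:
        self.calls: List[List[str]] = []

    def __call__(self, argv: List[str]) -> None:
        self.calls.append(list(argv))


def _run_rndc(argv: List[str]) -> None:
    # check=True: a failing rndc (bad key, unknown zone or view) raises instead of being ignored
    subprocess.run(argv, check=True)


def regenerate_zone(zone: str, view: str, generate: Callable[[], None],
                    run: Optional[Callable[[List[str]], None]] = None,
                    rndc: str = "/usr/sbin/rndc") -> bool:
    """rndc freeze, then generate() writes the new zone file, then rndc thaw.
    rndc freeze/thaw take 'zone [class [view]]', which is the slide's 'freeze $zone in unsigned'.
    Returns True if generate() succeeded and False if it raised; thaw runs either way,
    so the zone never stays frozen and refusing SRS updates. A failing freeze raises
    before anything is touched; a failing thaw raises so the operator knows."""
    run = run or _run_rndc
    run([rndc, "freeze", zone, "in", view])
    try:
        generate()
        return True
    except Exception:
        return False
    finally:
        run([rndc, "thaw", zone, "in", view])
```

Because thaw reloads the zone from disk, the file `generate()` writes must be complete before it returns; writing to a temporary file in the same directory and renaming it into place keeps a half-written zone from being loaded if the process is interrupted.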

SLIDE 17

Questions

SLIDE 18

Contact Details:

CentralNic Global Headquarters
CentralNic Ltd.
35-39 Moorgate, London, EC2R 6AR, UK
Tel: +44 (0)20 33 88 0600
Fax: +44 (0)20 33 88 0601