version=pmwiki-2.3.20 ordered=1 urlencoded=1
agent=Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0
author=sylv1a
charset=UTF-8
csum=nitpick: Restart/Reload rather than Restart/reload
ctime=1696731346
host=2a03:e600:100::70
name=Unbound.DNSSEC
rev=5
targets=
text=DNSSEC (Domain Name System Security Extensions) attempts to add security to DNS while maintaining backward compatibility. [[DNSSEC is a best current practice -> https://datatracker.ietf.org/doc/html/rfc9364]] and it should be used whenever possible to help mitigate [[known attacks on DNS -> https://datatracker.ietf.org/doc/html/rfc3833]].

This tutorial assumes the following:

* Your OpenBSD machine has Internet connectivity.
* Unbound is enabled and functional.
* All @@forward-zone@@ sections in [[unbound.conf(5) -> https://man.openbsd.org/unbound.conf]] have been commented out or deleted.

!! Enable DNSSEC

!!! Create the trust anchor

Use [[unbound-anchor(8) -> https://man.openbsd.org/unbound-anchor]] to create the initial trust anchor in @@/var/unbound/db/root.key@@.
[@
$ doas -u _unbound unbound-anchor
@]

Ideally, you should securely verify the contents of this file, as DNSSEC operates by building a chain of trust from the root zone (".") onward. See [[Trust Anchors and Keys -> https://www.iana.org/dnssec/files]] and [[get-trust-anchor -> https://github.com/iana-org/get-trust-anchor]] for more details on verification.

!!! Verify DNSSEC is enabled

Ensure that @@auto-trust-anchor-file@@ is present somewhere in the @@server@@ block in @@/var/unbound/etc/unbound.conf@@ and that it points to @@/var/unbound/db/root.key@@. Also, @@aggressive-nsec@@ should be commented, absent, or set to @@yes@@.
[@
server:
 # ... other stuff
 auto-trust-anchor-file: "/var/unbound/db/root.key"
 aggressive-nsec: yes
@]

!! Restart/Reload Unbound

Restart Unbound so that it uses the new settings.
[@
# rcctl restart unbound
unbound(ok)
unbound(ok)
@]

Another option is to reload with [[unbound-control(8) -> https://man.openbsd.org/unbound-control]].
[@
# unbound-control reload
ok
@]

!! Test DNSSEC

You can use [[unbound-host(1) -> https://man.openbsd.org/unbound-host]] to test DNS lookups.

!!! Test a domain with a valid signature

[@
$ doas -u _unbound unbound-host -C /var/unbound/etc/unbound.conf -v go.dnscheck.tools
go.dnscheck.tools has address 142.93.10.179 (secure)
go.dnscheck.tools has IPv6 address 2604:a880:400:d0::256e:b001 (secure)
go.dnscheck.tools mail is handled by 10 mail.dnscheck.tools. (secure)
@]

Notice that the output contains @@(secure)@@.

!!! Test a domain with an invalid signature

[@
$ doas -u _unbound unbound-host -C /var/unbound/etc/unbound.conf -v badsig.go.dnscheck.tools
badsig.go.dnscheck.tools has address 142.93.10.179 (BOGUS (security failure))
validation failure <badsig.go.dnscheck.tools. A IN>: signature crypto failed from 149.112.112.112
badsig.go.dnscheck.tools has IPv6 address 2604:a880:400:d0::256e:b001 (BOGUS (security failure))
validation failure <badsig.go.dnscheck.tools. AAAA IN>: signature crypto failed from 2620:fe::9
badsig.go.dnscheck.tools mail is handled by 10 mail.dnscheck.tools. (BOGUS (security failure))
validation failure <badsig.go.dnscheck.tools. MX IN>: signature crypto failed from 149.112.112.112
@]

Notice that the output contains @@(BOGUS (security failure))@@.

!! DNS Forwarding and DNSSEC

It can be helpful to configure DNS forwarding for Unbound to reduce load on your server. However, each @@forward-addr@@ entry ''must'' point to a DNS resolver that is known to support DNSSEC. Otherwise domain name resolution may break because Unbound can't build the required chain of trust and fails safe.

Here is a working @@forward-zone@@ section that uses [[Quad9 -> https://quad9.net/]] and [[Control D -> https://controld.com/free-dns]].
[@
forward-zone:
 name: "."   # use for ALL queries

 # Quad9
 forward-addr: 9.9.9.9
 forward-addr: 149.112.112.112
 forward-addr: 2620:fe::fe
 forward-addr: 2620:fe::9

 # Control D
 forward-addr: 76.76.2.1
 forward-addr: 76.76.10.1
 forward-addr: 2606:1a40::1
 forward-addr: 2606:1a40:1::1
@]
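The following script is an added example and is not part of this wiki page, of Unbound, or of OpenBSD. It turns the two manual checks the tutorial describes, the @@auto-trust-anchor-file@@ and @@aggressive-nsec@@ settings in the @@server@@ block under "Verify DNSSEC is enabled", and the @@(secure)@@ / @@(BOGUS (security failure))@@ tags in unbound-host output under "Test DNSSEC", into POSIX sh functions that can be run from cron or a monitoring agent. The function names (server_block, check_unbound_conf, dnssec_status) and the sample configuration files and lookup output embedded in the demo are constructed for this example; the path /var/unbound/db/root.key and the shape of the unbound-host output are taken from the page.

```shell
#!/bin/sh
# Added example (not from the OpenBSD wiki page): a DNSSEC sanity check for
# an Unbound resolver, built around the unbound.conf settings and the
# unbound-host output shown in the tutorial.
#   check_unbound_conf FILE   confirms the server: block of FILE has an
#       auto-trust-anchor-file pointing at /var/unbound/db/root.key and that
#       aggressive-nsec is absent, commented out, or "yes".
#   dnssec_status             reads "unbound-host -v" output on stdin and
#       prints secure / insecure / bogus / unknown, exiting 1 on bogus so
#       it can drive a cron job or monitoring probe.
# The config files and lookup output in the demo are constructed for this
# example; on a real host, point the functions at the live paths instead.

ANCHOR=/var/unbound/db/root.key

# Print the active (uncommented) settings of the server: block.
# A clause header is a bare "name:" line; everything else is a setting.
server_block() {
    awk '
        { line = $0; sub(/#.*/, "", line) }               # strip comments
        line ~ /^[[:space:]]*$/ { next }                  # skip blank lines
        line ~ /^[[:space:]]*[a-z-]+:[[:space:]]*$/ {     # clause header
            in_server = (line ~ /^[[:space:]]*server:/); next
        }
        in_server { print line }
    ' "$1"
}

check_unbound_conf() {
    settings=$(server_block "$1") || return 2
    # Unbound allows several auto-trust-anchor-file lines; one must be the root key.
    if ! printf '%s\n' "$settings" |
            awk '$1 == "auto-trust-anchor-file:" { print $2 }' | tr -d '"' |
            grep -qxF "$ANCHOR"; then
        echo "FAIL: $1: no auto-trust-anchor-file pointing at $ANCHOR in server:"
        return 1
    fi
    # The last aggressive-nsec line wins; an empty value means it is not set.
    nsec=$(printf '%s\n' "$settings" |
           awk '$1 == "aggressive-nsec:" { v = $2 } END { print v }')
    case $nsec in
        ""|yes) echo "OK: $1: anchor $ANCHOR, aggressive-nsec=${nsec:-unset}"; return 0 ;;
        *)      echo "FAIL: $1: aggressive-nsec is '$nsec'; leave it unset, commented, or yes"; return 1 ;;
    esac
}

# Summarise unbound-host -v output: every answer carries (secure), (insecure)
# or (BOGUS (security failure)); a single BOGUS answer makes the lookup bogus.
dnssec_status() {
    awk '
        /[(]BOGUS/            { bogus++ }
        /[(]secure[)]/        { secure++ }
        /[(]insecure[)]/      { insecure++ }
        /^validation failure/ { reasons = reasons "\n  " $0 }
        END {
            if (bogus)         { print "bogus" reasons; exit 1 }
            else if (insecure) { print "insecure"; exit 0 }
            else if (secure)   { print "secure";   exit 0 }
            else               { print "unknown";  exit 2 }
        }
    '
}

# ---- demo with constructed inputs ----
GOOD_CONF=$(mktemp) && BAD_CONF=$(mktemp) || exit 2
trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT
cat > "$GOOD_CONF" <<'EOF'
server:
    interface: 127.0.0.1
    # DNSSEC settings from the tutorial
    auto-trust-anchor-file: "/var/unbound/db/root.key"
    aggressive-nsec: yes

forward-zone:
    name: "."
    forward-addr: 9.9.9.9
EOF
cat > "$BAD_CONF" <<'EOF'
server:
    interface: 127.0.0.1
    #auto-trust-anchor-file: "/var/unbound/db/root.key"
    aggressive-nsec: no
EOF
# Shaped like the page's "unbound-host -C /var/unbound/etc/unbound.conf -v NAME" output.
SECURE_OUT='go.dnscheck.tools has address 142.93.10.179 (secure)
go.dnscheck.tools mail is handled by 10 mail.dnscheck.tools. (secure)'
BOGUS_OUT='badsig.go.dnscheck.tools has address 142.93.10.179 (BOGUS (security failure))
validation failure <badsig.go.dnscheck.tools. A IN>: signature crypto failed from 149.112.112.112'

check_unbound_conf "$GOOD_CONF"
check_unbound_conf "$BAD_CONF" || echo "(exit status $?)"
printf '%s\n' "$SECURE_OUT" | dnssec_status
printf '%s\n' "$BOGUS_OUT" | dnssec_status || echo "(exit status $?)"
```

On a live OpenBSD host the same functions are used as @@check_unbound_conf /var/unbound/etc/unbound.conf@@ and @@doas -u _unbound unbound-host -C /var/unbound/etc/unbound.conf -v go.dnscheck.tools | dnssec_status@@; the non-zero exit on a bogus answer is what makes the second command usable from cron or a monitoring agent. An answer tagged @@(insecure)@@ means the name lives in an unsigned zone, not that validation is broken, so the script treats it as informational rather than as a failure.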
time=1696732333
author:1696732333=sylv1a
csum:1696732333=nitpick: Restart/Reload rather than Restart/reload
diff:1696732333:1696731937:minor=30c30
< !! Restart/Reload Unbound
---
> !! Restart/reload Unbound
host:1696732333=2a03:e600:100::70
author:1696731937=sylv1a
csum:1696731937=Restart -> Restart/reload
diff:1696731937:1696731770:minor=22c22
< Ensure that @@auto-trust-anchor-file@@ is present somewhere in the @@server@@ block in @@/var/unbound/etc/unbound.conf@@ and that it points to @@/var/unbound/db/root.key@@. Also, @@aggressive-nsec@@ should be commented, absent, or set to @@yes@@.
---
> Ensure that @@auto-trust-anchor-file@@ is present somewhere in the @@server@@ block in @@/var/unbound/etc/unbound.conf@@ and that it points to @@/var/unbound/db/root.key@@. Also, @@aggressive-nsec@@ should be commented/absent or set to @@yes@@.
30c30
< !! Restart/reload Unbound
---
> !! Restart Unbound
host:1696731937=2a03:e600:100::70
author:1696731770=sylv1a
csum:1696731770=Make note of aggressive-nsec since the other page says to disable it for some reason
diff:1696731770:1696731526:minor=22c22
< Ensure that @@auto-trust-anchor-file@@ is present somewhere in the @@server@@ block in @@/var/unbound/etc/unbound.conf@@ and that it points to @@/var/unbound/db/root.key@@. Also, @@aggressive-nsec@@ should be commented/absent or set to @@yes@@.
---
> Ensure that @@auto-trust-anchor-file@@ is present somewhere in the @@server@@ block in @@/var/unbound/etc/unbound.conf@@ and that it points to @@/var/unbound/db/root.key@@.
27d26
< aggressive-nsec: yes
host:1696731770=2.58.56.220
author:1696731526=sylv1a
csum:1696731526='.' -> "."
diff:1696731526:1696731346:minor=18c18
< Ideally, you should securely verify the contents of this file, as DNSSEC operates by building a chain of trust from the root zone (".") onward. See [[Trust Anchors and Keys -> https://www.iana.org/dnssec/files]] and [[get-trust-anchor -> https://github.com/iana-org/get-trust-anchor]] for more details on verification.
---
> Ideally, you should securely verify the contents of this file, as DNSSEC operates by building a chain of trust from the root zone ('.') onward. See [[Trust Anchors and Keys -> https://www.iana.org/dnssec/files]] and [[get-trust-anchor -> https://github.com/iana-org/get-trust-anchor]] for more details on verification.
host:1696731526=2.58.56.220
author:1696731346=sylv1a
csum:1696731346=Add Unbound.DNSSEC to cover the process of enabling DNSSEC in Unbound
host:1696731346=2.58.56.220