I am trying to make a caching / forwarding only DNS server using Bind9 with DNSSEC validation being enabled by default.
Assume you have the following informations from my config file:
acl "home-net"
{
127.0.0.1;
::1;
192.168.1.0/24;
2000:db8:cafe:100::/64;
};
options
{
forwarders
{
# Use Google DNS either by IPv6 or IPv4 is fine.
2001:4860:4860::8888;
2001:4860:4860::8844;
8.8.8.8;
8.8.4.4;
};
dnssec-enable yes;
dnssec-validation auto;
allow-query { any; };
allow-query-cache { home-net; };
allow-recursion { home-net; };
};
zone "subdomain.example.net" {
type forward;
forward only;
forwarders
{
# SAMBA PDC1 (Active Directory)
2000:db8:cafe:100::1;
# SAMBA PDC2 (Active Directory)
2000:db8:cafe:100::2;
};
};
As far as I understand:
Whenever I want to lookup a host registered un the subdomain subdomain.example.net
the nameserver would then contact one of the two SAMBA PDC that I have listed in the forwarders section in the zone configuration.
The nameserver would in turn do DNSSEC validation to ensure that the two SAMBA PDC's is actually authorized to reply for requests to the domain subdomain.example.net
.
If the reply from SAMBA PDC's cannot be validated through DNSSEC, then the name server will turn to Google DNS and ask if they can provide a DNSSEC validated response.
Now here is the problem:
As I understand there are no DNSSEC support in SAMBA neither through using SAMBA INTERNAL_DNS or through BIND9_DLZ hence you cannot ever do DNSSEC validation on any zones maintained by SAMBA.
As far I understand there are 3 options:
- Disable DNSSEC validation globally.
- Use negative trust anchors.
- Use the 'validate-except' option.
I will handle them one by one.
Disable DNSSEC
It is not really an option in my book. It basically reduces your setup to "works worldwide" ... except you particular small corner of the world, so better disable it alltogether.
It can be done by just changing the value of dnssec-enable
and dnssec-validation
to no
.
I will only use it as a temporary fix until I can activate DNSSEC again.
Use negative trust anchors
At first my interest was peaked. The idea is you register a special encrypted key with rndc
and then it won't do any DNSSEC validation for the domain you want.
However it is a temporary fix, since the key has a lifetime of at most one week.
That means you have todo the same kind of sourcery as certificates from Let's Encrypt - only that the cron job have to be triggered more often.
Use the 'validate-except' option
In theory this should be the easiest solution of them all.
I just have to add a new section to options
called validate-except
.
Like so:
options
{
dnssec-enable yes;
dnssec-validation auto;
validate-except
{
"subdomain.example.net";
"another.example.net";
};
};
Sounds simple enough - right? :-)
... Except my nameserver didn't start due to "unknown option - validate-except".
EDIT: Turn out Raspberry OS uses Bind version 9.11 while the validate-except
option was only implemented in Bind version 9.13.
For reference sake Ubuntu 20.04 for Raspberry uses Bind version 9.16.
So does anyone out there have experience with a mixed mode setup regarding DNSSEC?
... or would the easiest solution be admit failure and install Ubuntu 20.04? :-)
Don't know if this is still hot, but I think that making BIND configs complex invites a lot of unpaid workhours fighting the server. Although you don't list your system's specs, if it is an option it would be best to overhaul the thing and be done with it. The hardest part about such configs is the fight for simplicity. The simplest option it to have everything "just work", so... Go with Ubuntu 20.04 LTS. As far as your SAMBA config goes, (again, not knowing your specs) going with 20.04 allows you to use BIND DLZ with ease, along with dhcpd updates even. If there are hardware considerations, ubuntu server has minimal configs available with little additional impact on system resources.
Ubuntu 20.04 LTS for Rpi
About Ubuntu Core
The MagPi: Build a RasPi SAMBA Server
Matthias Kerstner: Setting up an Active Directory domain controller with Samba 4 on a Raspberry Pi 3
Manually installing BIND