DNSSEC Howto?


DNSSEC Howto?

Francesc Peñalvez-2
I have the DNS of the domain managed externally, configured with DNSSEC,
and another host running Postfix. How could I make Postfix use the
DNSSEC configuration? Would it be enough to add the DNS of the
external service to Postfix's resolv.conf?
--



Re: DNSSEC Howto?

Viktor Dukhovni
On Sat, Mar 27, 2021 at 12:51:36PM +0100, Francesc Peñalvez wrote:

> I have the DNS of the domain managed externally, configured with
> DNSSEC, and another host running Postfix. How could I make Postfix
> use the DNSSEC configuration? Would it be enough to add the DNS of
> the external service to Postfix's resolv.conf?

As written, the question makes no sense.  You'll need to
explain your goals in more detail.

    - If your domain is already signed, then clients
      resolving data about your domain are able (when
      suitably configured) to validate the integrity
      of that data.

    - If you're looking to use DNSSEC as a client, to
      validate DNS records of remote domains, all you
      need is a local (running on the Postfix server
      itself, listening on 127.0.0.1:53) validating
      resolver, such as unbound, Knot, BIND, ...

* The DNSSEC status of your own domain is irrelevant
  for validating remote domains.

* Validating remote domains does not directly do anything
  to ensure data integrity for your own domains when queried
  by others.

See:

    https://stats.dnssec-tools.org/explore/?almogavers.net
    https://dnsviz.net/d/almogavers.net/YFjc3g/dnssec/

I would perhaps recommend either switching to algorithm 13 (ECDSA P256),
which has better security at a lower key size, or use a ZSK that is
shorter than 2048 bits (1280 bits is what .COM uses), which tends to be
a bit too large for unfragmented UDP when responses carry multiple
signatures (e.g.  NSEC3 negative answers).  Fragmented UDP is not
reliable these days over wide-area networks.

For small zones with no names to hide, just use NSEC.

--
    Viktor.

Re: DNSSEC Howto?

Francesc Peñalvez-2
I have a domestic-type connection, with 7 computers in an internal
network, in which I do not have access to make any changes to the IP.
I use an external DNS service to manage the bind9 service, although
I have another installed and running locally.
Both in the external and internal BIND services I have the same
configuration of DMARC and DKIM, and of course I would like to know (I am
really a novice in system administration) whether the external DNSSEC
configuration that manages the domain, zoneedit, is enough to use DNSSEC
correctly.

On 27/03/2021 at 13:34, Viktor Dukhovni wrote:

> On Sat, Mar 27, 2021 at 12:51:36PM +0100, Francesc Peñalvez wrote:
>
>> I have the DNS of the domain managed externally, configured with
>> DNSSEC, and another host running Postfix. How could I make Postfix
>> use the DNSSEC configuration? Would it be enough to add the DNS of
>> the external service to Postfix's resolv.conf?
>
> As written, the question makes no sense.  You'll need to
> explain your goals in more detail.
>
>      - If your domain is already signed, then clients
>        resolving data about your domain are able (when
>        suitably configured) to validate the integrity
>        of that data.
>
>      - If you're looking to use DNSSEC as a client, to
>        validate DNS records of remote domains, all you
>        need is a local (running on the Postfix server
>        itself, listening on 127.0.0.1:53) validating
>        resolver, such as unbound, Knot, BIND, ...
>
> * The DNSSEC status of your own domain is irrelevant
>    for validating remote domains.
>
> * Validating remote domains does not directly do anything
>    to ensure data integrity for your own domains when queried
>    by others.
>
> See:
>
>      https://stats.dnssec-tools.org/explore/?almogavers.net
>      https://dnsviz.net/d/almogavers.net/YFjc3g/dnssec/
>
> I would perhaps recommend either switching to algorithm 13 (ECDSA P256),
> which has better security at a lower key size, or use a ZSK that is
> shorter than 2048 bits (1280 bits is what .COM uses), which tends to be
> a bit too large for unfragmented UDP when responses carry multiple
> signatures (e.g.  NSEC3 negative answers).  Fragmented UDP is not
> reliable these days over wide-area networks.
>
> For small zones with no names to hide, just use NSEC.
>



Re: DNSSEC Howto?

Viktor Dukhovni
On Sat, Mar 27, 2021 at 01:59:56PM +0100, Francesc Peñalvez wrote:

> I have a domestic-type connection, with 7 computers in an internal
> network, in which I do not have access to make any changes to the IP.
> I use an external DNS service to manage the bind9 service, although
> I have another installed and running locally.

OK, so you have an outsourced public authoritative server for your
DNSSEC-signed domain.

> Both in the external and internal BIND services I have the same
> configuration of DMARC and DKIM, and of course I would like to know (I
> am really a novice in system administration) whether the external DNSSEC
> configuration that manages the domain, zoneedit, is enough to use
> DNSSEC correctly.

You still have not explained what "use DNSSEC" means.  Your DNS
works.  The RSA ZSK is larger than I'd recommend, but otherwise
no issues.

Are you looking to enable inbound or outbound DANE on your Postfix
server?  What is the concrete Postfix-related goal for which you're
seeking advice?

--
    Viktor.

Re: DNSSEC Howto?

Francesc Peñalvez-2
Right now DNSSEC is activated in the external manager zoneedit.com, in
which I cannot modify the type of encryption or the length of the key.

And if I am looking to activate inbound and outbound DNSSEC with my Postfix.

On 28/03/2021 at 1:03, Viktor Dukhovni wrote:

> On Sat, Mar 27, 2021 at 01:59:56PM +0100, Francesc Peñalvez wrote:
>
>> I have a domestic-type connection, with 7 computers in an internal
>> network, in which I do not have access to make any changes to the IP.
>> I use an external DNS service to manage the bind9 service, although
>> I have another installed and running locally.
>
> OK, so you have an outsourced public authoritative server for your
> DNSSEC-signed domain.
>
>> Both in the external and internal BIND services I have the same
>> configuration of DMARC and DKIM, and of course I would like to know (I
>> am really a novice in system administration) whether the external DNSSEC
>> configuration that manages the domain, zoneedit, is enough to use
>> DNSSEC correctly.
>
> You still have not explained what "use DNSSEC" means.  Your DNS
> works.  The RSA ZSK is larger than I'd recommend, but otherwise
> no issues.
>
> Are you looking to enable inbound or outbound DANE on your Postfix
> server?  What is the concrete Postfix-related goal for which you're
> seeking advice?
>



Re: DNSSEC Howto?

Viktor Dukhovni
On Sun, Mar 28, 2021 at 01:08:44AM +0100, Francesc Peñalvez wrote:

> Right now DNSSEC is activated in the external manager zoneedit.com, in
> which I cannot modify the type of encryption or the length of the key.

If there are no key size or algorithm settings in zoneedit.com, then
indeed you're set.  The largish ZSK is typically OK, it just risks some
trouble with UDP fragmentation for a small fraction of clients on
networks where that doesn't work well.

> And if I am looking to activate inbound and outbound DNSSEC with my Postfix.

There is no such thing as inbound DNSSEC specifically for Postfix.  If
your domain is signed, then validating resolvers will check the
signatures as a routine part of MX and A/AAAA lookups.

For outbound DNSSEC, just turn on DNSSEC validation in your local
resolver.  There again nothing Postfix-specific to be done.

DNSSEC only comes into play if you're looking to do DANE.

    http://www.postfix.org/TLS_README.html#client_tls_dane

See also the resource links at:

    https://stats.dnssec-tools.org/explore/?.

--
    Viktor.
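Two checks a Postfix admin can run before trusting DNSSEC (and hence DANE) results, following the advice in this thread: the resolver named in resolv.conf must be on the loopback interface, and the answers it returns must carry the AD (authenticated data) bit. This is an added example written for this page, not code from the thread or from Postfix; the resolv.conf contents and the DNS response headers are constructed samples, and the loopback requirement follows the Postfix TLS_README linked above.

```python
"""Offline sanity checks for a DNSSEC-validating local resolver (added example)."""
import ipaddress
import struct

# Constructed /etc/resolv.conf samples: a local validating resolver versus
# a remote one (192.0.2.53 is a documentation/TEST-NET placeholder address).
RESOLV_LOCAL = "nameserver 127.0.0.1\noptions edns0 trust-ad\n"
RESOLV_REMOTE = "nameserver 192.0.2.53\n"

# Constructed 12-byte DNS response headers (flags are all we need here):
# id=0x1234, QR=1 RD=1 RA=1 AD=1, rcode NOERROR, qd=1 an=1 ns=0 ar=0
VALIDATED_HDR = bytes.fromhex("1234 81a0 0001 0001 0000 0000".replace(" ", ""))
# Same answer, but AD clear: the resolver did not (or could not) validate it.
UNVALIDATED_HDR = bytes.fromhex("1234 8180 0001 0001 0000 0000".replace(" ", ""))


def resolvers_are_loopback(resolv_conf: str) -> bool:
    """True only if every 'nameserver' entry is a loopback address.

    Postfix only trusts the AD bit from a resolver on the local host; a
    remote resolver's AD bit travels over an unauthenticated UDP path.
    """
    servers = [line.split()[1] for line in resolv_conf.splitlines()
               if line.strip().startswith("nameserver") and len(line.split()) > 1]
    return bool(servers) and all(ipaddress.ip_address(s).is_loopback for s in servers)


def dns_flags(response: bytes) -> dict:
    """Decode the header flags of a DNS message (RFC 1035, AD bit per RFC 4035)."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", response[2:4])[0]
    return {"qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "ra": bool(flags & 0x0080), "ad": bool(flags & 0x0020),
            "rcode": flags & 0x000F}


def dnssec_validated(response: bytes) -> bool:
    """A usable validated answer: a non-truncated NOERROR response with AD set."""
    f = dns_flags(response)
    return f["qr"] and not f["tc"] and f["rcode"] == 0 and f["ad"]


def dane_lookup_trustworthy(resolv_conf: str, response: bytes) -> bool:
    """Both conditions must hold before Postfix (smtp_dns_support_level = dnssec,
    smtp_tls_security_level = dane) should be expected to act on TLSA data."""
    return resolvers_are_loopback(resolv_conf) and dnssec_validated(response)
```

A validated answer from a remote resolver still fails the combined check, which is the point of running the validator on 127.0.0.1.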

Re: DNSSEC Howto?

Francesc Peñalvez-2
Thanks, Viktor.

On 28/03/2021 at 1:21, Viktor Dukhovni wrote:

> On Sun, Mar 28, 2021 at 01:08:44AM +0100, Francesc Peñalvez wrote:
>
>> Right now DNSSEC is activated in the external manager zoneedit.com, in
>> which I cannot modify the type of encryption or the length of the key.
>
> If there are no key size or algorithm settings in zoneedit.com, then
> indeed you're set.  The largish ZSK is typically OK, it just risks some
> trouble with UDP fragmentation for a small fraction of clients on
> networks where that doesn't work well.
>
>> And if I am looking to activate inbound and outbound DNSSEC with my Postfix.
>
> There is no such thing as inbound DNSSEC specifically for Postfix.  If
> your domain is signed, then validating resolvers will check the
> signatures as a routine part of MX and A/AAAA lookups.
>
> For outbound DNSSEC, just turn on DNSSEC validation in your local
> resolver.  There again nothing Postfix-specific to be done.
>
> DNSSEC only comes into play if you're looking to do DANE.
>
>      http://www.postfix.org/TLS_README.html#client_tls_dane
>
> See also the resource links at:
>
>      https://stats.dnssec-tools.org/explore/?.
>

