niclabs / dns-tools Goto Github PK

View Code? Open in Web Editor NEW

16.0 6.0 4.0 296 KB

DNS tools for zone signature (file, pkcs11-hsm) and validation, and zone digest (ZONEMD)

License: MIT License

Go 100.00%

dnssec pkcs11 dns sign digest

dns-tools's People

Contributors

Stargazers

Watchers

Forkers

bartzjegr davidninam huguei despinoza9

dns-tools's Issues

NSEC3 salt and iterations

Hi. I couldn't find a way to configure the salt and iterations in case of NSEC3 signing.
I think the default should be empty salt and 0 iterations, as is the current recommendations, but it should be configurable with something like [--nsec3-iterations [0..100]] [--nsec3-salt-length [1..64]|--nsec3-salt-value <string>] (if given only salt-length, it should generate a random one with the provided length)
Thanks.

Ipv6 is not supported.

When I run the dtcnode in ipv6 server, the error occured. Will you release a version that supports IPv6 in the future?

Error in detail
dtcconfig command :
./dtcconfig create -t 3 -n [240e:eb:8001:e13::156]:1111,[240e:eb:8001:e13::157]:1111,[240e:eb:8001:e13::158]:1111 -H 240e:eb:8001:e13::155 -d /etc/dtc/dtc.sqlite3 -l /etc/dtc/dtc.log

dtcnode-config.yaml :
config:
publickey: :aiwtxFO7/5mC-4nIjQ^jhzm6e}//1frj7X{Q{wJ
privatekey: '*)LBx:^F<XsMqZ2iR&bg7LYKR>93]DgOcNK[/+1T'
host: 240e:eb:8001:e13::156
port: 1111
client:
publickey: 4RIVW<BrU8OxZ=L(i3(hr>ZuHQ=rj5Iq#.R^$RpV
host: 240e:eb:8001:e13::155
rsa:
keys: []
ecdsa:
keys: []

Error info :
root@dmserver:~/dtcnode# ./dtcnode
2021/01/21 03:04:59 AUTH: Starting
2021/01/21 03:04:59 Creating node with ID: dc43ea945b11deab
2021/01/21 03:04:59 Listening message in tcp://240e:eb:8001:e13::156:1111
2021/01/21 03:04:59 AUTH: Stopping
2021/01/21 03:04:59 AUTH: Quitting: received QUIT message
2021/01/21 03:04:59 AUTH: Stopped
Error: error initializing node: no such device

Type-bitmap error in NSEC and NSEC3 records

When signing a zone, the NSEC and NSEC3 records are lacking of the "DNSKEY" type in the apex of the domain.
This can cause problems with validators using "aggressive caching", and also a security problem with DoS and replay attacks.

For example in a live test zone, signed with a fresh dns-tools:

$ dig ns1.dtc.dnssec.lab.nic.cl. cname +dnssec

; <<>> DiG 9.16.5 <<>> ns1.dtc.dnssec.lab.nic.cl. cname +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58520
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;ns1.dtc.dnssec.lab.nic.cl.	IN	CNAME

;; AUTHORITY SECTION:
ns1.dtc.dnssec.lab.nic.cl. 1800	IN	SOA	ns.niceto.cl. hsalgado.nic.cl. 2021110500 28800 14400 3600000 7200
ns1.dtc.dnssec.lab.nic.cl. 1800	IN	RRSIG	SOA 8 6 1800 20211205140207 20211105140207 3051 ns1.dtc.dnssec.lab.nic.cl. BP+cleMjGtcZWO268XlxN8Qk5np85krHJP+4lLHadGWJKqhT5cN80L+A zVb0/ZmVik4DcT/krgH7BDn16rvs0lEe91MUBgDMxvg2O05Vprt4aX5b YRzA9qrhqx8mvU9uFxwhbrWSFTmi5N2B/x4Br0w9BRUO8sRRS0h7+Wyx c9U=
ns1.dtc.dnssec.lab.nic.cl. 900	IN	NSEC	check.ns1.dtc.dnssec.lab.nic.cl. A NS SOA NSEC ZONEMD
ns1.dtc.dnssec.lab.nic.cl. 900	IN	RRSIG	NSEC 8 6 900 20211205140207 20211105140207 3051 ns1.dtc.dnssec.lab.nic.cl. NiE5mrWDQWXk0hSeRHWRTPXrCMn4A+22US2FBFCHlLPcGAkXp6lPZ6j5 4+K7Jf00gtNfZN+A1luXpXagf2bYOIhAlXRDhWctrq0El7h7x7ujbLnA mtzkdB4c5l3EQEGNRrUFJeSIj+B8wLgBpoacPq3WkAf/i2Vka29hdOMU iYg=

There's no "DNSKEY" type in the NSEC bitmap answer, but certainly there're DNSKEY records in the zone.

This problem is also reported in the extended view of dnsviz validator:
https://dnsviz.net/d/ns1.dtc.dnssec.lab.nic.cl/dnssec/?rr=all&a=all&ds=all&doe=on&ta=.&tk=

DS with SHA256

Hi. When I sign a zone the output gives the corresponding DS record with a SHA1 digest.
DS with SHA1 is deprecated. Can you please change it to SHA256, or give both DS?
Thanks.

NSEC3

It would be nice to have NSEC3 also implemented

Zone file without origin issue

Hi,

I had tested the hsm-tools in Yeti Project, but got only DNSKEY RRSIGs signed.

zone： example.com

$TTL 3600
@ IN SOA ns1 hostmaster.example.com. 2020032600 1800 900 604800 86400
  IN NS ns1
  IN NS ns2

ns1 IN A 127.0.0.1
ns2 IN A 127.0.0.1
www IN A 127.0.0.1

./hsm-tools sign pkcs11 -p ./dtc.so -f ./example.com.old -3 -z example.com -o example.com.signed.1 -a rsa

log:

SigKeys found... checking validity
Checking key class 2 id zsk and valid true
Found valid Public ZSK
Checking key class 3 id zsk and valid true
Found valid Private ZSK
Checking key class 2 id ksk and valid true
Found valid Public KSK
Checking key class 3 id ksk and valid true
Found valid Private KSK
Start signing...
DS: example.com.        0       IN      DS      42415 8 1 DA544820B54CCA739B33E969D6B33CD4FF2E3DC0
File signed successfully.

example.com.signed.1 content:

example.com.    0       IN      RRSIG   DNSKEY 8 2 0 20210330015229 20200330015229 42415 example.com. L4q19RN46EerT4bIhkYwdKKkaE0g45ehgnxm107VVe/i28UEUC2BjRf6Nw6RAr9i1YcF//goOLL4q89fz731ZBFqayuG02luBM/AVD8V0h3YPNbo51rvHMJpfUDarBTBfO0Dx6wljb3PQSan3aXzB8IXS5Pu/bSeGu6aaDT9oIFpD93vo+lTpv1DgzFCe1mE0eBBtBqHAzo0bcU1ruhYBE9cKgj8FeU6U2vy5fIkulZ2JLnz9VxdsurtIgD6vAclXKFJI2WuUBT6A1IXyB/gjJoA1/S8kgZofoTrjAVqV+QaDjDAA4zl4ysQahi7693GHqWStsY///9kUmtsQElR2w==
example.com.    0       IN      DNSKEY  256 3 8 AwEAAV0ze7GaZWRCMIRjPx1dIo8bno9ynq3mB2gRFG2yzR+EdEVZ0xVeqKxuAyO33Tv7gWq4VoPHkXmDO4/YgxLlFNM7G0DjB/Hl0hcvvqhQ4pFNXC9V/saFclS1dAMrfg11ElBqOom+Q2TvwL1XON+uIxFz0JUalWKiFmn1/DAYcdf9
example.com.    0       IN      DNSKEY  257 3 8 AwEAAVvvXb00vf/YjN8CLXFOFGKOfAZhD6lxZYiUj4Z91cMDhufeulnw8xJrMGPEeDKItpXlOUQBEr2v16OsvUQrAYgEsI3cFUInq3EjpaPqcd8CQYZ+PuyMn26KWX32v6xI4zhSS25UjSNshU4+CQPCZD5o/4eCke755P22Ev95Srw1vahxW76ITLpyy98FpMvGx60LdLM1kKCmW3EvHHih/ehfgjxp6KcEuVd12Vif57YxIwMtcI9T9QM5X8bkV6DWX0aQx87GBuT7SeK9TFeo0qe6iz0L4djqmHyYm0CrdclcnLPYaxVf1k01hW7UD+mEtBT6IrHpJcMpzOaX4Bs/HvU=

Finally I found that there is no $ORIGIN include in zone file, hsm-tools can't get the exactly domain name.
After I added the $ORIGIN example.com., i got the whole signed zone.

my suggestions:

i had pass the zone name option '-z', so I think no need to add the origin to zone file.
if the hsm-tools found the wrong zone file, it should panic, and give the error log.

Add ECDSA Support

HSM-Tools now only signs with RSA keys. Explore the usage of ECDSA signatures.

root file can not be sign.

I have a problem. I download root.zone from the root server and delete the signature information in it,then re-sign it with ./dns-tools sign pkcs11 -p ./dtc.so -f ./root.zone -3 -z . -o root.zone.signed -c, and I find it cannot be signed.
Suggested message:
Cannot sign RRSig: PKcs11:0xC0: CKR_SIGNATURE_INVALID.

dtc.log err info :
2020/12/07 14:04:46 signFinal ended
2020/12/07 14:04:46 verifyRSA: invalid signature
2020/12/07 14:04:46 [verifyRSA] invalid signature [Code 192]
2020/12/07 14:04:46 Called: C_Logout
2020/12/07 14:04:46 Logged out.
2020/12/07 14:04:46 Called: C_CloseSession
2020/12/07 14:04:46 Called: C_Finalize
2020/12/07 14:04:46 stopping listening of messages
2020/12/07 14:04:46 stopping listening of messages

root.zone file:
root.zone

Is there any problem with my operation, or is it due to other reasons,and what does the [Code 192] mean in dtc.log?

Sign domain and subdomains together

Hi,
Is it possible to sign with your tool both the domain and the subdomains (for which DS and NS records are provided, they use their own DNS servers.)

Thank you.

RRSIG is not valid

see:


Signature Calculation

   A signature covers the RRSIG RDATA (excluding the Signature Field)
   and covers the data RRset specified by the RRSIG owner name, RRSIG
   class, and RRSIG Type Covered fields.  The RRset is in canonical form
   (see Section 6), and the set RR(1),...RR(n) is signed as follows:

         signature = sign(RRSIG_RDATA | RR(1) | RR(2)... ) where

            "|" denotes concatenation;

            RRSIG_RDATA is the wire format of the RRSIG RDATA fields
               with the Signer's Name field in canonical form and
               the Signature field excluded;

            RR(i) = owner | type | class | TTL | RDATA length | RDATA

               "owner" is the fully qualified owner name of the RRset in
               canonical form (for RRs with wildcard owner names, the
               wildcard label is included in the owner name);

               Each RR MUST have the same owner name as the RRSIG RR;

               Each RR MUST have the same class as the RRSIG RR;

               Each RR in the RRset MUST have the RR type listed in the
               RRSIG RR's Type Covered field;

               Each RR in the RRset MUST have the TTL listed in the
               RRSIG Original TTL Field;

               Any DNS names in the RDATA field of each RR MUST be in
               canonical form; and

               The RRset MUST be sorted in canonical order.

RSIG RR Example

   The following RRSIG RR stores the signature for the A RRset of
   host.example.com:

   host.example.com. 86400 IN RRSIG A 5 3 86400 20030322173103 (
                                  20030220173103 2642 example.com.
                                  oJB1W6WNGv+ldvQ3WDG0MQkg5IEhjRip8WTr
                                  PYGv07h108dUKGMeDPKijVCHX3DDKdfb+v6o
                                  B9wfuh3DTJXUAfI/M0zmO/zz8bW0Rznl8O3t
                                  GNazPwQKkRN20XPXV6nwwfoXmJQbsLNrLfkG
                                  J5D6fwFm8nN+6pBzeDQfsS3Ap3o= )

   The first four fields specify the owner name, TTL, Class, and RR type
   (RRSIG).  The "A" represents the Type Covered field.  The value 5
   identifies the algorithm used (RSA/SHA1) to create the signature.
   The value 3 is the number of Labels in the original owner name.  The
   value 86400 in the RRSIG RDATA is the Original TTL for the covered A
   RRset.  20030322173103 and 20030220173103 are the expiration and
  inception dates, respectively.  2642 is the Key Tag, and example.com.
   is the Signer's Name.  The remaining text is a Base64 encoding of the
   signature.

   Note that combination of RRSIG RR owner name, class, and Type Covered
   indicates that this RRSIG covers the "host.example.com" A RRset.  The
   Label value of 3 indicates that no wildcard expansion was used.  The
   Algorithm, Signer's Name, and Key Tag indicate that this signature
   can be authenticated using an example.com zone DNSKEY RR whose
   algorithm is 5 and whose key tag is 2642.

Canonical DNS Name Order

   For the purposes of DNS security, owner names are ordered by treating
   individual labels as unsigned left-justified octet strings.  The
   absence of a octet sorts before a zero value octet, and uppercase
   US-ASCII letters are treated as if they were lowercase US-ASCII
   letters.

   To compute the canonical ordering of a set of DNS names, start by
   sorting the names according to their most significant (rightmost)
   labels.  For names in which the most significant label is identical,
   continue sorting according to their next most significant label, and
   so forth.

   For example, the following names are sorted in canonical DNS name
   order.  The most significant label is "example".  At this level,
   "example" sorts first, followed by names ending in "a.example", then
   by names ending "z.example".  The names within each level are sorted
   in the same way.

             example
             a.example
             yljkjljk.a.example
             Z.a.example
             zABC.a.EXAMPLE
             z.example
             \001.z.example
             *.z.example
             \200.z.example

Canonical RR Form

   For the purposes of DNS security, the canonical form of an RR is the
   wire format of the RR where:

   1.  every domain name in the RR is fully expanded (no DNS name
       compression) and fully qualified;

   2.  all uppercase US-ASCII letters in the owner name of the RR are
       replaced by the corresponding lowercase US-ASCII letters;

   3.  if the type of the RR is NS, MD, MF, CNAME, SOA, MB, MG, MR, PTR,
       HINFO, MINFO, MX, HINFO, RP, AFSDB, RT, SIG, PX, NXT, NAPTR, KX,
       SRV, DNAME, A6, RRSIG, or NSEC, all uppercase US-ASCII letters in
       the DNS names contained within the RDATA are replaced by the
       corresponding lowercase US-ASCII letters;

   4.  if the owner name of the RR is a wildcard name, the owner name is
       in its original unexpanded form, including the "*" label (no
       wildcard substitution); and

   5.  the RR's TTL is set to its original value as it appears in the
       originating authoritative zone or the Original TTL field of the
       covering RRSIG RR.

Refactoring

Hay que sacar la creación de las llaves de la sesión de firmado, porque las llaves pueden ser de PKCS11 o de algún archivo.

File sign problem.

I use the dnssec-keygen to generate two keys：
Kkbenet.com.%2B003%2B00851.key.+005+37875**.key**
Kkbenet.com.%2B003%2B00851.key.+005+37875**.private** and sign the zone with it.
The dns-tools have two key files(KSK and ZSK) to sign the zone, but its format is .pem.
The question is : if I want to use the key which is generated by dnssec-keygen to sign the zone file, any methods can be adopted? Or do I have anyway to change the .key and .private to .pem?

RRSIG doesn't validate DNSKEY

New parameters

choice between nsec & nsec3
create new keys, try to reuse
delete all keys (format all)

Create a tutorial for automatic zone signing

Write a tutorial of how sign automatically a zone periodically, using a crontab for example.

expiration time should be a parameter

signed file support the ldns-verify-zone tool to verify ?

After a complete process, the signature file is obtained. When I use the ldns-verify-zone tool to verify the file, the error occured. The error is :
………………
Error: b.nic.zuerich. has an NSEC(3), but is glue
Error: c.nic.zuerich. A has signature(s), but is glue
Error: c.nic.zuerich. AAAA has signature(s), but is glue
Error: c.nic.zuerich. has an NSEC(3), but is glue
Error: d.nic.zuerich. A has signature(s), but is glue
Error: d.nic.zuerich. AAAA has signature(s), but is glue
Error: d.nic.zuerich. has an NSEC(3), but is glue
Error: there is no NSEC(3) for zw.
Error: ns1.telone.co.zw. A has signature(s), but is glue
Error: ns1.telone.co.zw. AAAA has signature(s), but is glue
Error: ns1.telone.co.zw. has an NSEC(3), but is glue
Error: ns1zim.telone.co.zw. A has signature(s), but is glue
Error: ns1zim.telone.co.zw. AAAA has signature(s), but is glue
Error: ns1zim.telone.co.zw. has an NSEC(3), but is glue
Error: ns2.telone.co.zw. A has signature(s), but is glue
Error: ns2.telone.co.zw. AAAA has signature(s), but is glue
Error: ns2.telone.co.zw. has an NSEC(3), but is glue
Error: ns2zim.telone.co.zw. A has signature(s), but is glue
Error: ns2zim.telone.co.zw. AAAA has signature(s), but is glue
Error: ns2zim.telone.co.zw. has an NSEC(3), but is glue
There were errors in the zone

Using separate keys for each zone

Hi. I have the tool running using libdtc as HSM. I can sign zones without problem. But it uses the same key pair ZSK and KSK.
How can I generate a new key pair for each zone? I tried modifying the dns-tools.config by defining a different key-label for each zone, but it ignores it and insists on using the original ones it generated.
Thanks.

SearchValidKeys does not work in SoftHSM

Similar to #4, in SoftHSMv2, when this function executes, it throws the following error:

SecureDataManager.cpp(431): Invalid IV in encrypted data
P11Attributes.cpp(281): Internal error: failed to decrypt private attribute value

Bug with spaces inside RDATA with generic TYPE63 rr

dns-tools verify is giving the error "Zone Digest: error parsing zone: dns: Error hexadecimal wrong size:.." when its input zone has a TYPE63 RR with spaces inside the RDATA. Spaces are allowed in RFC3597 section 5, and named-checkzone returns ok, but dns-tools fails to parse the record.
Here I attach an example zone. If you remove the space, the verify succeeds.

$ cat generic-space.zone 
example.	86400	IN	NS	ns.example.
example.	86400	IN	SOA	ns.example. admin.example. 2018031900 1800 900 604800 86400
example.	86400	IN	TYPE63  \# 54 7848b91c01018ee54f64ce0d57fd70 e1a4811a9ca9e849e2e50cb598edf3ba9c2a58625335c1f966835f0d4338d9f78f557227d63bf6
ns.example.	3600	IN	A	127.0.0.1

$ ./dns-tools verify -S -z example -f generic-space.zone 
[dns-tools] 2022/01/31 10:04:41 Error reading Config File: Config File "dns-tools-config" Not Found in "[/etc/dns-tools /home/hsalgado/nic/labs/firma-distribuida/dns-tools]". Using flags only
[dns-tools] 2022/01/31 10:04:41 Zone Signature: Skipped verification (verify-signatures flag is false)
[dns-tools] 2022/01/31 10:04:41 Verifying ZONEMD digests
[dns-tools] 2022/01/31 10:04:41 Reading and parsing zone example (updateSerial=false)
[dns-tools] 2022/01/31 10:04:41 Zone Digest: error parsing zone: dns: Error hexadecimal wrong size: "7848b91c01018ee54f64ce0d57fd70" at line: 3:63

Is this a Bug？

When I use the branch V1.1.0 of HSM-Tool, after compilation, execute “ ./hsm-tools sign pkcs11 -p ./dtc.so -f ./example.com -3 -z example.com -o example.com.signed -c”，the Error "Error: Input File Path not Specified" occurs.But there is no problem with using other versions.

Renew signatures only if it is needed (there are new RRs or they are about to expire)

Parse and check already signed zone to verify if it needs to be signed again:
- It is going to be signed with a different key than the previous one
- If original zone modification date is greater than signed zone modification date
- If any signature is about to expire

Parametrize RRSIG Expiration Dates independently for ZSK and KSK-signed RRs

Given ZSK signatures are more common than KSK ones, it is desirable to be able to parametrize both values independently.

Define new flags for each parameter
Define a default value for each type of signature (3 months for KSK and 1 month for ZSK?)

MultiZONEMD and Signed Digest Tests Fail

The digest tests are based on the [zone examples of the RFC proposal]. However, two of them (MultiZONEMD, SignedZone) fail (this is, the computed digest is different than the example digest). We need to check deeply why they fail. This could be related to problems with sorting or wire formatting.

I also checked other implementations cited on the RFC draft (one in C by the authors, and one in Python). I could not acheive to obtain the same ZONEMD between all the implementations in some zones. Fruther testing is needed to understand the reasons of the differences.