Is DLV on DNSSEC deprecated?

Solution 1:

While the dlv.isc.org server is not running any more, you can still set another DNSSEC Lookaside server in your Bind 9 config through the dnssec-lookaside option. If the key for example.com cannot be validated, the lookaside server's name will be appended to it and the validation will start over against the lookaside server's trusted key. I didn't test, but I believe that will not solve your problem: a private domain such as lan. can these days be positively validated as non-existent, so the lookaside query will not be performed.

So what can be done to secure a lan. zone? It depends on the usage:

  1. The DNS server, which you want to use as both validating recursive resolver and authoritative server for the lan. zone, does not require any additional configuration (I assume dnssec-validation is already on):
    • it will serve the lan. zone from the zone file and return an answer without the AD flag,
    • when a query for other domains comes in, it will perform a recursive query, validate the results and only if they are valid return an answer with the AD flag. If the domain does not validate, a SERVFAIL will be issued.
  2. The stub resolvers, which use your DNS server, rely on the validating behaviour of your DNS server, so they will resolve lan. without issues. However, since the communication between stub resolver and server is unencrypted, the results can be modified in transit. You might use TSIG signatures or TLS to protect it.
  3. The validating stub resolvers require you to add trusted anchors to their configuration.

I doubt you want to set up a Bind9 server on every client machine to act as a validating stub resolver (there are better alternatives like systemd-resolved, dnsmasq or unbound), but if that is the case, you first need to retrieve the key for your lan. zone:

piotr@akela:~$ dig lan. DNSKEY +short
257 3 13 nnbo5DS5vyxB0OjUd7GbcrmXY7TgdGstk4xqXpu2wvXyoFa0YRqjLcHM QJGMguTrKJVYklMNRQXrStvawSF5eg==

Then you will need to add the key as trusted, allow recursive queries just from localhost and forward the requests to the "real" DNS server (let's say it's on 192.168.0.1):

options {
    directory "/var/cache/bind";
    listen-on { localhost; };
    listen-on-v6 { localhost; };
    recursion yes;
    allow-query { localhost; };
    forwarders { 192.168.0.1; };
};
trusted-keys {
    lan. 257 3 13 "nnbo5DS5vyxB0OjUd7GbcrmXY7TgdGstk4xqXpu2wvXyoFa0YRqjLcHM QJGMguTrKJVYklMNRQXrStvawSF5eg==";
};

At the end you just need to add localhost as the only DNS server in /etc/resolv.conf:

nameserver ::1

Edit: systemd-resolved configuration is even simpler: just add your DNSKEY to a file named /etc/dnssec-trust-anchors.d/<your_name>.positive:

lan. IN DNSKEY 257 3 13 nnbo5DS5vyxB0OjUd7GbcrmXY7TgdGstk4xqXpu2wvXyoFa0YRqjLcHM QJGMguTrKJVYklMNRQXrStvawSF5eg==

and force DNSSEC in /etc/systemd/resolved.conf:

DNSSEC=yes
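As an added example (not part of the answer above), the following script takes the `dig lan. DNSKEY +short` line from the answer, checks that it is a KSK with a known algorithm, computes its RFC 4034 key tag so the value pinned on each client can be confirmed out of band before it is trusted, and emits both the BIND trusted-keys stanza and the systemd-resolved .positive record. The zone name and the sample input are taken from the answer; the function names are my own.

```python
"""Turn `dig <zone> DNSKEY +short` output into pinned trust-anchor config.

Added example: parses the DNSKEY RDATA, computes the RFC 4034 Appendix B
key tag for out-of-band confirmation, and renders the two config formats
shown in the answer (BIND trusted-keys and systemd-resolved .positive).
"""
import base64

# Sample input constructed from the dig output quoted in the answer.
DIG_SHORT_OUTPUT = (
    "257 3 13 nnbo5DS5vyxB0OjUd7GbcrmXY7TgdGstk4xqXpu2wvXyoFa0YRqjLcHM "
    "QJGMguTrKJVYklMNRQXrStvawSF5eg=="
)

# Algorithms worth accepting as a trust anchor (RFC 8624 recommendations).
ALGORITHMS = {8: "RSASHA256", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519"}
SEP_FLAG = 0x0001  # Secure Entry Point bit: set on a KSK (257), clear on a ZSK (256)

def parse_dnskey(line):
    """Split one `+short` DNSKEY line into (flags, protocol, algorithm, key_bytes)."""
    flags, proto, alg, *b64 = line.split()
    flags, proto, alg = int(flags), int(proto), int(alg)
    if proto != 3:
        raise ValueError("DNSKEY protocol field must be 3 (RFC 4034)")
    if alg not in ALGORITHMS:
        raise ValueError(f"unknown or unwanted DNSKEY algorithm {alg}")
    # dig wraps long keys with spaces; join the chunks before decoding.
    key = base64.b64decode("".join(b64), validate=True)
    return flags, proto, alg, key

def is_ksk(flags):
    """True only when the SEP bit is set; only KSKs should be pinned as anchors."""
    return bool(flags & SEP_FLAG)

def key_tag(flags, proto, alg, key):
    """RFC 4034 Appendix B key tag over the wire-format RDATA."""
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + key
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def trust_anchor_config(zone, line):
    """Return (bind_trusted_keys, resolved_positive_record, key_tag) for the zone."""
    flags, proto, alg, key = parse_dnskey(line)
    if not is_ksk(flags):
        raise ValueError("not a KSK (SEP bit clear); pin the 257 key instead")
    b64 = base64.b64encode(key).decode()
    bind = f'trusted-keys {{\n    {zone} {flags} {proto} {alg} "{b64}";\n}};\n'
    resolved = f"{zone} IN DNSKEY {flags} {proto} {alg} {b64}\n"
    return bind, resolved, key_tag(flags, proto, alg, key)

if __name__ == "__main__":
    bind_cfg, resolved_rec, tag = trust_anchor_config("lan.", DIG_SHORT_OUTPUT)
    print(f"key tag to confirm out of band: {tag}\n{bind_cfg}\n{resolved_rec}")
```

Compare the printed key tag with the one shown by `dig lan. DS` or by the signing host before copying the stanza to clients.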