DNSSEC setup for dnsseed #85
Conversation
|
@ysangkok thank you for the review. Very appreciated. |
|
@Emzy just noticed this PR :-) Can you rebase the PR on top of master, and also squash the commits with duplicate names? |
|
Just did that. Looks like it was already rebased to master. |
|
@Emzy after a rebase there shouldn't be a commit |
Emzy
force-pushed
the
master
branch
2 times, most recently
from
0436cae
to
8dc1a6a
Compare
|
Sorry, I'm still try to master git. |
|
That worked. But to further improve your mastery, try |
|
Did exactly that. As a console user I prefer the git command line. |
|
Ok, might as well also squash 2bf3b63 in it, because:
b7b80ac makes (slightly) more sense as it's own commit, because the commit message explains the purpose of that line (which shows up in I would squash 2d6a09c into the first commit, because the end result is more readable than the initial thing. So if I review a PR one commit at a time, I have to study the grep stuff, only to see it disappear a few commits later. (I'd probably just squash this entire PR into one commit, but the above illustrates my thinking on commits) |
|
I agree, it makes sense to have it as just one commit. |
There was a problem hiding this comment.
So compared to the regular setup, we no longer forward (private) port 5353 to (public) port 53, and instead rely on the bind9 software? If so, you should mention that the PREROUTING step in the README should be skipped / undone.
If I understand the dnsupdate script correctly it only makes one call to the seeder. And the cronjob only runs that script hourly. So we'd end up with a very limited set of results (the seeder gives a differente result every time you call it). Could we instead run it every (couple of) seconds? Or bypass using dig and get the full (sorted) list directly?
When running the script manually I get update failed: SERVFAIL.
This is what it's trying to give to nsupdate -v:
server localhost
zone seed.bitcoin.sprovoost.nl
update delete seed.bitcoin.sprovoost.nl a
update delete seed.bitcoin.sprovoost.nl aaaa
update add seed.bitcoin.sprovoost.nl. 3600 A 80.121.88.109
...
update add seed.bitcoin.sprovoost.nl. 3600 AAAA 2a01:e0a:9:d30:2d6e:4e7f:455c:4b5
send
| echo update delete ${ZONE} a | ||
| echo update delete ${ZONE} aaaa | ||
| for proto in A AAAA ; do | ||
| dig +noall +answer -t ${proto} -p 15353 @52.37.101.214 ${ZONE} | \ |
There was a problem hiding this comment.
The IP here is replaced with where the seeder is running at?
Same below.
Can you the port, IP and domain a variable that's passed in an argument? That's more consistent the seeder command and easier when you have multiple seeds running on the same machine (mainnet, testnet, etc).
| ## Software needed | ||
|
|
||
| * Debian GNU/Linux 10 | ||
| * tor |
There was a problem hiding this comment.
I think you can drop Tor, because seeds were only able to announce Tor v2 addresses.
| ``` | ||
| querylog no; | ||
| allow-transfer { none; }; | ||
| dnssec-enable yes; |
There was a problem hiding this comment.
option 'dnssec-enable' no longer exists
Looks like this line can dropped.
|
|
||
| * Check config | ||
| ``` | ||
| named-checkconf |
There was a problem hiding this comment.
This complains /etc/bind/named.conf.local:14: option 'auto-dnssec' is deprecated
| * Check config | ||
| ``` | ||
| named-checkconf | ||
| named-checkzone dnsseed.example.com /var/lib/bind/db.dnsseed.example.com |
There was a problem hiding this comment.
What's the expected result of this?
$ named-checkzone seed.bitcoin.sprovoost.nl /var/lib/bind/db.seed.bitcoin.sprovoost.nl
/var/lib/bind/db.seed.bitcoin.sprovoost.nl:3: ignoring out-of-zone data (dnsseed.example.com)
/var/lib/bind/db.seed.bitcoin.sprovoost.nl:11: ignoring out-of-zone data (dummy)
zone seed.bitcoin.sprovoost.nl/IN: has 0 SOA records
zone seed.bitcoin.sprovoost.nl/IN: has no NS records
zone seed.bitcoin.sprovoost.nl/IN: not loaded due to errors.There was a problem hiding this comment.
^ I got rid of the remaining dnsseed.example.com
But that leaves:
/var/lib/bind/db.seed.bitcoin.sprovoost.nl:11: ignoring out-of-zone data (dummy)
zone seed.bitcoin.sprovoost.nl/IN: NS 'seed.bitcoin.sprovoost.nl' has no address records (A or AAAA)
zone seed.bitcoin.sprovoost.nl/IN: not loaded due to errors.
| ``` | ||
|
|
||
| * Restart Bind9 | ||
| `service bind9 restart` |
There was a problem hiding this comment.
This seems to succeed, though startup will have the same errors/warnings as above.
There was a problem hiding this comment.
I may have accidentally deleted this service, but this still works: sudo systemctl restart named
| * Generate DNSSEC keys | ||
| ``` | ||
| cd /var/lib/bind | ||
| dnssec-keygen -r /dev/urandom -a ECDSAP256SHA256 dnsseed.example.com` |
There was a problem hiding this comment.
` at the end?
Also:
dnssec-keygen: fatal: The -r option has been deprecated.
System random data is always used.
| }; | ||
| ``` | ||
|
|
||
| * /var/lib/bind/db.example.com |
There was a problem hiding this comment.
Did you mean /var/lib/bind/db.dnsseed-host.example.com or does this have to one level up?
|
I also noticed that compared to the tutorial you're not adding a Zone Signing Key(ZSK). (nvm, you are, but not using the terminology) Update: I think it works now, I had to use the hostname in one place - see above. |
|
|
||
| * Sign zone | ||
| ``` | ||
| dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o example.com -t db.example.com |
There was a problem hiding this comment.
Did you mean -o dnsseed.example.com -t db.dnsseed.example.com or really the root domain?
There was a problem hiding this comment.
Also my bind9 seems to insist that the signed output is in raw format, so adding -O raw
| ``` | ||
| $ORIGIN . | ||
| $TTL 3600 ; 1 hour | ||
| dnsseed.example.com. IN SOA dnsseed-host.example.com. contact-email.example.com. ( |
There was a problem hiding this comment.
I think I overlooked the -host bit here.
|
It was a bit of a struggle to get all the key files in the right place. Not sure if I did it correctly, but at least this looks good: I ended up putting all the keys in I used some cron-hack to make it update every 15 seconds, which is hopefully good enough for now. |
Documentation to run a bind9 with DNSSEC in front of the bitcoin-seeder