[Freeipa-devel] DNSSEC support design considerations

Petr Spacek pspacek at redhat.com
Wed May 22 15:01:14 UTC 2013

On 21.5.2013 20:30, Simo Sorce wrote:
> On Tue, 2013-05-21 at 18:32 +0200, Petr Spacek wrote:
>> Hello,
>> I found that we (probably) misunderstood each other. The sky-high level
>> overview of the proposal follow:
>> 1) LDAP stores all *unsigned* data.
>> 2)
>> a) bind-dyndb-ldap *on each server* fetches all unsigned data from LDAP and
>> store them in *in memory* database (we do it now)
>> b) All data will be stored in BIND's native RBT-database (RBTDB) instead of
>> our own in-memory database.
>> 3)
>> Mechanisms implemented in BIND's RBTDB will do DNSSEC signing etc. for us. The
>> BIND's feature is called 'in-line signing' and it can do all key/signature
>> maintenance for us, including periodical zone re-signing etc.
>> The whole point of this proposal is about code-reusage. I'm trying to avoid
>> re-inventing of the wheel.
>> Note that DNSSEC implementation in BIND has ~ 150 kiB of C code, stand-alone
>> signing utilities add another ~ 200 kiB of code (~ 7000 lines) . I really
>> don't want to re-write it again when it's not reasonable.
>> Further comments are in-line.
> Ok putting some numbers on this topic really helps, thanks!
> More inline.
> [..]
>>> I haven't seen any reasoning from you why letting Bind do this work is
>>> a better idea.
>> Simply said - because all the code is already in BIND (the feature is called
>> 'in-line signing', as I mentioned above).
>>> I actually see some security reasons why putting this into a DS plugin
>>> can have quite some advantages instead. Have you considered doing this
>> It could improve the security a bit, I agree. But I don't think that it is so
>> big advantage. BIND already has all the facilities for key material handling,
>> so the only thing we have to solve is how to distribute keys from LDAP to
>> running BIND.
> Well it would mean sticking the key in ldap and letting Bind pull them
> from there based on ACIs ...
> The main issue would be changes in keys, but with the persistent search
> I guess that's also not a huge deal.

Zone can be signed with multiple keys at same time, so key rotation is not a 
problem. Each signature contains key-id.

>>> work in a DS plugin at all ? If you haven and have discarded the idea,
>>> can you say why ?
>> 1) It would require pulling ~ 200 kiB (~ 7000 lines) of DNSSEC signing code
>> into 389.
>> 2) It would require pulling 'text->DNS wire format' parser into 389 (because
>> our LDAP stores plain text data but the signing process works with DNS wire
>> format).
>> 3) It simplifies bind-dyndb-ldap, but we still need to re-implement DNS search
>> algorithm which takes DNSSEC oddities into account. (Note that the DNS search
>> algorithm is part of the database implementation. Bugs/limitations in our
>> implementation are the reason why wildard records are not supported...)
>> 4) I'm not sure how it will work with replication. How to ensure that new
>> record will not appear in the zone until the associated RRset is (re)computed
>> by DS? (BIND has transaction mechanism built-in to the internal RBTDB.)
> 389ds has internal transactions, which is why I was thinking to do the
> signatures on any change coming into LDAP (direct or via replication,
> within the transaction.
>>>> The point is that you *can* do changes run-time, but you need to know about
>>>> the changes as soon as possible because each change requires significant
>>>> amount of work (and magic/mana :-).
>>>> It opens a lot of opportunities for race condition problems.
>>> Yes, I am really concerned about the race conditions of course, however
>>> I really wonder whether doing signing in bind is really a good idea.
>>> We need to synchronize these signatures to all masters right ?
>> No, because signatures are computed and stored only in memory - and forgotten
>> after BIND shutdown. Yes, it requires re-computing on each load, this is
>> definitely disadvantage.
> Ok I definitely need numbers here.
> Can you do a test with a normal, text based, Bind zone with 10k entries
> and see how much time it takes to re-sign everything ?
> I suspect that will be way too much, so we will have the added problem
> of having to maintain a local cache in order to be able to restart Bind
> and have it actually server results in a reasonable time w/o killing the
> machine completely.

Right, it is good idea. I never tried really big zone (for some reason?).

Command: /usr/bin/time dnssec-signzone -n 1 -o example.net example.net
Signing was limited to single core (parameter -n 1).

Unsigned zone: 327 285 bytes, ~ 10 000 A records and several other records
Signed zone: 10 847 688 bytes
38.28user 0.09system 0:38.80elapsed 98%CPU (0avgtext+0avgdata 18032maxresident)k
0inputs+21200outputs (0major+4646minor)pagefaults 0swaps

Wow, it is pretty slow.

CPU: Intel(R) Core(TM) i7-2620M CPU @ 2.70GHz
Operating memory: 4 GB of DDR3 @ 1333 MHz

The simplest way how to mitigate problem with slow start-up is:
1) Store signed version of the zone on the server's file system.
2) Load signed version from disk during start up.
3) In the background, do full zone reload+resign.
4) Switch old and new zones when it is done.

It will consume some computing power during start up, but the implementation 
should be really simple. (BIND naturally can save and load zones :-))

>>> Doesn't that mean we need to store this data back in LDAP ?
>> No, only 'normal' DNS updates containing unsigned data will be written back to
>> LDAP. RRSIG and NSEC records will never reach LDAP.
>>> That means more round-trips before the data ends up being usable, and we
>>> do not have transactions in LDAP, so I am worried that doing the signing
>>> in Bind may not be the best way to go.
>> I'm proposing to re-use BIND's transaction mechanism built in internal
>> database implementation.
>>>>>> => It should be possible to save old database to disk (during BIND shutdown
>>>>>> or
>>>>>> periodically) and re-use this old database during server startup. I.e. server
>>>>>> will start replying immediately from 'old' database and then the server will
>>>>>> switch to the new database when dump from LDAP is finished.
>>>>> This look like an advantage ? Why is it a disadvantage ?
>>>> It was mentioned as 'proposed remedy' for the disadvantage above.
>>> I think having dual authoritative data sources may not be a good thing.
>> Consistency is a reason why I want to make persistent search mandatory.
> A persistent search does not guarantee consistency only that updates are
> sent to you as soon as they come in, you still may end up with bugs in
> the implementation where you do not catch something and get out of date,
> with the actual data in LDAP.
>> IMHO persistent storage could save the day if LDAP is down for some reason.
>> Old data in DNS are much better than no data in DNS.
> Depends how OLD :-)
> But maybe we can bake some timeouts in there and simply dump any cached
> data if it really is too old.
Yes, it can be configurable. "Stop responding if synchronization with LDAP is 
failing for at least xxxx seconds".

>>>>>> => As a side effect, BIND can start even if connection to LDAP server is down
>>>>>> - this can improve infrastructure resiliency a lot!
>>>>> Same as above ?
>>>> The same here, it was mentioned as 'proposed remedy' for the disadvantage above.
>>> When it comes to DNSSEC starting w/o LDAP may just mean that you have
>>> different signatures for the same records on different masters. Is that
>>> 'legale' according to DNSSEC ?
>> 1) You will have same signatures as long as records in LDAP and saved copy of
>> the database (on the disk) are equal.
> Well given an IPA infrastructure uses Dynamic Updates I expect data to
> change frequently enough that if you have an outage that lasts more than
> a handful of minutes the data in the saved copy will not match the data
> in LDAP.
I agree, that is definitely true, but I think that the most important pieces 
are NS, SRV and A records for servers. They are not changed that often.

IMHO admins would be happier if they have 100 records from 10 000 out of date 
but the infrastructure works than without any records at all (and broken 

Again, there can be some LDAP-synchonization-timeout and DNS server can stop 
responding to queries when synchronization is lost for longer time.

>> 2) I didn't find any new limitation imposed by DNSSEC. AFAIK some
>> inconsistency between servers is normal state in DNS, because zone transfers
>> take some time and the tree structure have many levels.
> But in the bind case they assume a single master model, so they never
> have inconsistencies, right ?
> But in our case we have multiple masters, so I wonder if a client is
> going to have issues ...
> Are we guaranteed that if 2 servers have the exact same view they
> generate the exact same signatures ? If that is the case then maybe we
> are ok.
>> The problems arise when data *in single database* (i.e. on one server) are
>> inconsistent (e.g. signature != data in unsigned records). BIND solves this
>> with it's built-in transaction mechanisms.
> Understood.
>>>>>> == Uncertain effects ==
>>>>>> - Memory consumption will change, but I'm not sure in which direction.
>>>>>> - SOA serial number maintenance is a open question.
>>>>> Why SOA serial is a problem ?
>>>> It simply needs more investigation. BIND's RBTDB maintains SOA serial
>>>> internally (it is intertwined to transactions in the DB), so the write-back to
>>>> LDAP could be very delicate operation.
>>> It means all masters will often be out of sync, this is not very good.
>> I don't think so. BIND can use timestamp-based serials in exactly same way as
>> we do. The only problem is how to implement 'read from internal DB'->'write to
>> LDAP' operation. It still needs more investigation.
> Well if we use timestamp based serials ... why do we need to write
> anything back ? :-) We can just let a DS plugin fill the serial in the
> SOA with a timestamp just for schema compatibility purposes and just
> assume bind has the same or a close enough serial internally.

You are right. The value in LDAP is mostly 'historical'. It is used only as 
'starting value', i.e. the serial value used during BIND (re)start.

>>>>>> Decision if persistent search is a 'requirement' or not will have significant
>>>>>> impact on the design, so I will write the design document when this decision
>>>>>> is made.
>>>>> I would like to know more details about the reasons before I can usefully comment.
>>>> I forgot to one another 'Uncertain effect':
>>>> - Support for dynamically generated '_location' records will be a big
>>>> adventure. It probably means no change from the state without persistent
>>>> search :-) After basic exploration it seems doable, but still a bit uncertain.
>>> I need more info here, does it mean you have to store _location records
>>> when they are generated ?
>> I tend to do _location record generation during zone-load, so everything will
>> be prepared when the query comes in. As a benefit it will allow zone transfers
>> even for signed zones. This still needs more investigation.
> The idea is that _location is dynamic though, isn't it ?
The value seems to be 'dynamic', but only from client's point of view. AFAIK 
there are three options:
1) _location is configured for particular client statically in LDAP
2) Each individual server has own default value for _location (for clients 
without explicit configuration).
3) Each individual server can be configured to override all values in 
_location with one fixed value, i.e. all clients (e.g. in bandwith-constrained 
location) will use only the local server.

This is how I understood the design. Is it correct? If it is, then the value 
is static from server's point of view. The 'dynamics' is a result of moving 
client, because client is asking different servers for an answer.

> Anyway what if we do not sign _location records ?
> Will DNSSEC compliant clients fail in that case ?
I'm not 100 % sure, but I see two problems:

1) It seems that opt-out is allowed only for delegation points (NS records 
belonging to sub-domains).

2) Opt-out allows an attacked to insert unsigned data in the replies.
http://www.stanford.edu/~jcm/papers/dnssec_ndss10.pdf section 3.4

Anyway, I don't think that it is necessary.

>>   > Maybe we can use the internal bind database
>>> just for _location "zone" ?
>> I don't think that it is possible.
>> If _location.client-a and _location.client-b reside in the single database
>> then client-a and client-b have to reside in the same database. (The reason is
>> that _location.client-a and _location.client-b do not have immediate common
>> ancestor.)
> Uhmm right, nvm.
>>>> My personal conclusion is that re-using of BIND's backend will save a huge
>>>> amount of work/code to maintain/bugs.
>>> I can see that, unfortunately I fear it will make multi-master a lot
>>> more difficult at the same time. And given we do want to have
>>> multi-master properties we need to analyze that problem more carefully.
>> I agree. It is a delicate change and we should not hurry.
>>> Also by welding ourselves to internal Bind infrastructure too much, it
>>> will make it a lot more difficult for us to change the DNS
>>> infrastructure. Bind10 will be completely different internally, and we
>>> may simply decide to even not use bind10 at all and use a completely
>>> different engine going forward. So I am quite wary of welding ourselves
>>> even more to bind 9 internals.
>> Ehm ... how to say that ... 'to late'. I wasn't around when DNS design was
>> made, so I don't know all the reasons behind the decision, but IMHO we use
>> completely non-standard/obscure hacks all the time.
>> The proposal above doesn't extend our dependency on BIND, because we already
>> depend on BIND9 *completely*.
> Not really, all the data is currently in LDAP, all we need is to write a
> plugin for a different server and start serving data that way.
> However if DNSSEC is handled with bind, then rewriting the plugin will
> not be sufficient as we do not have the data in LDAP anymore, we also
> need to find out that part.
Ah okay, now I got what you meant. I didn't imagine that the 'write a plugin 
for a different server' part is the simple piece :-)

> I am not against your proposal because of this, just pointing out.
>>   It is about dropping our own internal database
>> implementation (buggy, incomplete, standard non-compliant) with the code from
>> the original BIND (which is at least standard compliant).
> Understood.
> What changes are going to be required in bind-dyndb-ldap to use RBTDB
> from Bind ? Do we have interfaces already ? Or will it require
> additional changes to the glue code we currently use to load our plugin
> into bind ?

I have some proof-of-concept code. AFAIK no change to public interfaces are 

There are 40 functions each database driver have to implement. Currently, we 
have own implementation for most of them and some of them are NULL because are 
required only for DNSSEC.

The typical change from our implementation to the native one looks like this:

static isc_result_t
find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
      dns_rdatatype_t type, unsigned int options, isc_stdtime_t now,
      dns_dbnode_t **nodep, dns_name_t *foundname, dns_rdataset_t *rdataset,
      dns_rdataset_t *sigrdataset)
- [next 200 lines of our code]
+       return dns_db_find(ldapdb->rbtdb, name, version, type, options, now,
+                          nodep, foundname, rdataset, sigrdataset);

Most of the work is about understanding how the native database work.

At the moment I'm able to load data from LDAP and push them to the native 
database except the zone serial. It definitely needs more investigation, but 
it seems doable.

>> <sarcasm>
>> Do you want to go back to 'light side of the force'? So we should start with
>> designing some LDAP->nsupdate gateway and use that for zone maintenance. It
>> doesn't solve adding/reconfiguring of zones on run-time, but it could be
>> handled by some stand-alone daemon with an abstraction layer at proper place.
>> </sacrasm>
> Well the problem is loading of zones, that is why nsupdate can't be
> used, we'd have to dump zones on the fly at restart and pile up
> nsupdates if bind is not available, and then handle the case where for
> some reason nsupdate fails and bind and LDAP get out of sync.

Yes, it is definitely not a simple task, but IMHO it could work. Some glue 
logic specific for particular DNS server will be required in any case (for 
zone addition/removal/reconfiguration - in BIND's case some tooling around 
'rndc' tool), but most of the 'synchronization logic' can be done in generic way.

I can imagine that 'synchronization daemon' could be simpler than current code 
(323 780 bytes ; 11 909 lines of C).

> Also would mean nsupdates made by clients would not be reported back to
I don't agree. DNS has incremental zone transfers (RFC 1995) and change 
notification mechanism (RFC 1996). A standard compliant DNS server can send 
notification about changes in the zone and the (hypothetical) 'synchronization 
daemon' can read the changes via IXFR.

The way from LDAP to DNS is not simple, that is definitely true ...

> Using nsupdate was considered, it just is not feasible.

We should reconsider it during migration from BIND9 to something else :-)

Have a nice day.

Petr^2 Spacek

More information about the Freeipa-devel mailing list