DNSSEC setup for dnsseed #85
Conversation
@ysangkok thank you for the review. Very appreciated.

@Emzy just noticed this PR :-) Can you rebase the PR on top of master, and also squash the commits with duplicate names?

Just did that. Looks like it was already rebased to master.

@Emzy after a rebase there shouldn't be a commit
0436cae to 8dc1a6a
Sorry, I'm still trying to master git.

That worked. But to further improve your mastery, try

Did exactly that. As a console user I prefer the git command line.

Ok, might as well also squash 2bf3b63 in it, because:

b7b80ac makes (slightly) more sense as its own commit, because the commit message explains the purpose of that line (which shows up in

I would squash 2d6a09c into the first commit, because the end result is more readable than the initial thing. So if I review a PR one commit at a time, I have to study the grep stuff, only to see it disappear a few commits later. (I'd probably just squash this entire PR into one commit, but the above illustrates my thinking on commits)

I agree, it makes sense to have it as just one commit.
So compared to the regular setup, we no longer forward (private) port 5353 to (public) port 53, and instead rely on the bind9 software? If so, you should mention that the PREROUTING step in the README should be skipped / undone.
If I understand the `dnsupdate` script correctly it only makes one call to the seeder. And the cronjob only runs that script hourly. So we'd end up with a very limited set of results (the seeder gives a different result every time you call it). Could we instead run it every (couple of) seconds? Or bypass using `dig` and get the full (sorted) list directly?
When running the script manually I get `update failed: SERVFAIL`.

This is what it's trying to give to `nsupdate -v`:

```
server localhost
zone seed.bitcoin.sprovoost.nl
update delete seed.bitcoin.sprovoost.nl a
update delete seed.bitcoin.sprovoost.nl aaaa
update add seed.bitcoin.sprovoost.nl. 3600 A 80.121.88.109
...
update add seed.bitcoin.sprovoost.nl. 3600 AAAA 2a01:e0a:9:d30:2d6e:4e7f:455c:4b5
send
```
echo update delete ${ZONE} a
echo update delete ${ZONE} aaaa
for proto in A AAAA ; do
dig +noall +answer -t ${proto} -p 15353 @52.37.101.214 ${ZONE} | \
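Review bot: the two `update delete ${ZONE} a` / `aaaa` lines are written into the batch unconditionally, before the `dig` in the loop has produced a single answer, so if the seeder is unreachable, returns no records, or `dig` fails for any other reason the batch still deletes the published A/AAAA RRsets and adds nothing, and the zone serves no seed addresses until the next hourly run. Capture the `dig` output into a variable first and emit the whole batch only when it is non-empty. The seeder address `52.37.101.214` and port `15353` are hard-coded inside the loop; take them, together with `${ZONE}`, as script arguments.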
The IP here is replaced with where the seeder is running at?

Same below.

Can you make the port, IP and domain a variable that's passed as an argument? That's more consistent with the seeder command and easier when you have multiple seeds running on the same machine (mainnet, testnet, etc).
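The script shape the review asks for, as an added example that is not the PR's `dnsupdate` script or bitcoin-seeder project code: the zone, seeder address and port are arguments instead of literals, and the nsupdate batch is only produced when the seeder actually returned A/AAAA records, so a down seeder cannot wipe the published RRsets. The function names (`seeder_answer`, `build_update`), the zone `seed.example.com` and the RFC 5737/3849 addresses in the sample are assumptions made for the example; the sample answer is constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example, not the PR's dnsupdate script. Builds the nsupdate batch from
# a seeder answer, with zone/seeder/port passed in, and refuses to emit the
# delete-only batch that the original script would send when dig returns nothing.

# seeder_answer ZONE SEEDER PORT
# Live query (not run here): prints what `dig +noall +answer` returns for the
# A and AAAA RRsets of ZONE, one record per line.
seeder_answer() {
    zone=$1 seeder=$2 port=$3
    for proto in A AAAA; do
        dig +noall +answer -t "$proto" -p "$port" "@$seeder" "$zone."
    done
}

# build_update ZONE ANSWER
# ANSWER is dig's answer-section text (owner TTL class type rdata). Prints the
# nsupdate batch on stdout; returns 1 and prints nothing when ANSWER holds no
# A/AAAA record for ZONE, so the caller never sends deletes without adds.
build_update() {
    zone=$1
    answer=$2
    # Keep only A/AAAA answers whose owner is the zone itself (assumption: the
    # seeder answers for the zone apex, as the PR's script expects).
    adds=$(printf '%s\n' "$answer" | awk -v z="$zone." '
        $1 == z && $3 == "IN" && ($4 == "A" || $4 == "AAAA") {
            printf "update add %s 3600 %s %s\n", z, $4, $5
        }')
    if [ -z "$adds" ]; then
        echo "build_update: no A/AAAA answers for $zone, leaving zone untouched" >&2
        return 1
    fi
    printf 'server localhost\nzone %s\n' "$zone"
    printf 'update delete %s A\nupdate delete %s AAAA\n' "$zone" "$zone"
    printf '%s\n' "$adds"
    echo send
}

# Constructed sample answer in dig's tab-separated layout; the other.example.com
# record is there to show that off-zone owners are ignored.
SAMPLE_ANSWER=$(printf 'seed.example.com.\t60\tIN\tA\t192.0.2.10\nseed.example.com.\t60\tIN\tA\t192.0.2.11\nseed.example.com.\t60\tIN\tAAAA\t2001:db8::1\nother.example.com.\t60\tIN\tA\t198.51.100.7')

# Live use would be:
#   build_update "$ZONE" "$(seeder_answer "$ZONE" "$SEEDER" "$PORT")" | nsupdate -v
# Here the constructed answer stands in for the seeder.
build_update seed.example.com "$SAMPLE_ANSWER"
```

Run hourly from cron this still gives one seeder answer per hour; the loop in `seeder_answer` can be called repeatedly and the answers concatenated before `build_update` if a larger address set is wanted, since the function only depends on the answer text.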
## Software needed

* Debian GNU/Linux 10
* tor
I think you can drop Tor, because seeds were only able to announce Tor v2 addresses.
```
querylog no;
allow-transfer { none; };
dnssec-enable yes;
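Review bot: `dnssec-enable yes;` is rejected by current BIND (the `option 'dnssec-enable' no longer exists` message in the review below is named-checkconf refusing the file), so the line has to go rather than stay as a no-op; in the same releases per-zone signing is configured with `dnssec-policy` instead of the `auto-dnssec` option that named-checkconf also reports as deprecated. `allow-transfer { none; };` is the right default for a seed that nobody should be able to AXFR; if `recursion no;` is not already in the part of the options block not shown here, add it so the seed's authoritative server cannot be used as an open resolver.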
`option 'dnssec-enable' no longer exists`

Looks like this line can be dropped.

* Check config
```
named-checkconf
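Review bot: `named-checkconf` on its own only parses named.conf; `named-checkconf -z` additionally test-loads every zone the configuration references and would have reported the missing SOA/NS and out-of-zone errors shown further down without a separate `named-checkzone` call per zone. Document that a non-zero exit stops the procedure, since the restart step later in the README otherwise takes the seed down on a broken config.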
This complains `/etc/bind/named.conf.local:14: option 'auto-dnssec' is deprecated`
* Check config
```
named-checkconf
named-checkzone dnsseed.example.com /var/lib/bind/db.dnsseed.example.com
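Review bot: `named-checkzone` here is run against the unsigned source file, but after the `dnssec-signzone` step the file the zone statement must load is the `.signed` output (written with `-O raw` in the reviewer's setup); check that file as well, with `-f raw` when it is in raw format, otherwise the check passes on a file named never serves. The zone name given to `named-checkzone` has to equal the SOA owner name in the file, which is what the `has 0 SOA records` / `out-of-zone data` errors below are pointing at.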
What's the expected result of this?

```
$ named-checkzone seed.bitcoin.sprovoost.nl /var/lib/bind/db.seed.bitcoin.sprovoost.nl
/var/lib/bind/db.seed.bitcoin.sprovoost.nl:3: ignoring out-of-zone data (dnsseed.example.com)
/var/lib/bind/db.seed.bitcoin.sprovoost.nl:11: ignoring out-of-zone data (dummy)
zone seed.bitcoin.sprovoost.nl/IN: has 0 SOA records
zone seed.bitcoin.sprovoost.nl/IN: has no NS records
zone seed.bitcoin.sprovoost.nl/IN: not loaded due to errors.
```
^ I got rid of the remaining `dnsseed.example.com`. But that leaves:

```
/var/lib/bind/db.seed.bitcoin.sprovoost.nl:11: ignoring out-of-zone data (dummy)
zone seed.bitcoin.sprovoost.nl/IN: NS 'seed.bitcoin.sprovoost.nl' has no address records (A or AAAA)
zone seed.bitcoin.sprovoost.nl/IN: not loaded due to errors.
```
```

* Restart Bind9
`service bind9 restart`
This seems to succeed, though startup will have the same errors/warnings as above.
I may have accidentally deleted this service, but this still works: `sudo systemctl restart named`
* Generate DNSSEC keys
```
cd /var/lib/bind
dnssec-keygen -r /dev/urandom -a ECDSAP256SHA256 dnsseed.example.com`
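Review bot: the DS record for whichever key ends up signing the DNSKEY RRset (this key, or a separate `-f KSK` key if one is generated in a step not shown here) has to be published in the parent `example.com` zone, otherwise validating resolvers treat the seed as bogus and return SERVFAIL for it; that publication step is missing from the procedure. Also drop `-r /dev/urandom`, which current `dnssec-keygen` refuses with the fatal error quoted below, and the stray backtick at the end of the line, which gets pasted into the shell.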
A stray ` at the end?

Also:

```
dnssec-keygen: fatal: The -r option has been deprecated.
System random data is always used.
```
};
```

* /var/lib/bind/db.example.com
Did you mean `/var/lib/bind/db.dnsseed-host.example.com` or does this have to be one level up?

I also noticed that compared to the tutorial you're not adding a Zone Signing Key (ZSK). (nvm, you are, but not using the terminology) Update: I think it works now, I had to use the hostname in one place - see above.

* Sign zone
```
dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o example.com -t db.example.com
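Review bot: this one-off `dnssec-signzone` run does not fit the rest of the setup. The zone is changed hourly through `nsupdate`, so it has to be a dynamic zone, and with `auto-dnssec` (or its replacement `dnssec-policy`) in the zone statement named signs and re-signs it itself; a statically signed `.signed` file is not updated by the dynamic updates and its RRSIGs expire after dnssec-signzone's default 30-day validity, after which the seed goes bogus. Either drop this step and let named sign, or document a cron re-sign and make the zone statement load the `.signed` file. Independently, `-o example.com` must be the apex of the zone being signed, `dnsseed.example.com` to match the SOA owner name and the `-t db.dnsseed.example.com` file name used elsewhere in the README; with the parent name every record in the file is out of zone.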
Did you mean `-o dnsseed.example.com -t db.dnsseed.example.com` or really the root domain?
Also my bind9 seems to insist that the signed output is in raw format, so adding `-O raw`
```
$ORIGIN .
$TTL 3600 ; 1 hour
dnsseed.example.com. IN SOA dnsseed-host.example.com. contact-email.example.com. (
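Review bot: with `$ORIGIN .` every owner name in the file that is not written with a trailing dot is completed relative to the root, which is the likely source of the `ignoring out-of-zone data (dummy)` message in the named-checkzone output above: a bare `dummy` on line 11 becomes `dummy.` rather than `dummy.dnsseed.example.com.`. Set `$ORIGIN dnsseed.example.com.` (or fully qualify every name in the file), and give the NS target an A/AAAA record in the zone when it lives inside it, as the `has no address records` error above asks. For the SOA fields: `dnsseed-host.example.com.` is the MNAME, the primary server that receives the updates, and `contact-email.example.com.` is the RNAME, read as the mailbox contact-email@example.com, so put a real contact there.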
I think I overlooked the `-host` bit here.
Documentation to run bind9 with DNSSEC in front of the bitcoin-seeder