Hi all.

On 18 May 2020, at 03:14, Alexander Bokovoy <abokovoy@redhat.com> wrote:

On ma, 18 touko 2020, Vinícius Ferrão via FreeIPA-users wrote:


On 18 May 2020, at 01:57, Alexander Bokovoy <abokovoy@redhat.com> wrote:

On ma, 18 touko 2020, Vinícius Ferrão via FreeIPA-users wrote:
Hello,

This may sound like a noobish question, but how can I make DNSSEC play nicely when the external domain has DNSSEC enabled and this makes internal zones fail when creating an AD trust, since we are using subdomains for our LAN?

Our case:

example.com (External DNS name with DNSSEC enabled)
win.example.com (Active Directory Zone)
nix.example.com (FreeIPA Zone)

Even with the correct conditional forwarders set up in Windows DNS and FreeIPA DNS, DNSSEC kicks in and fails resolutions.

I _MUST_ disable DNSSEC? Is there another way?

There are 'dnssec-validation' and 'dnssec-enable' options in
/etc/named.conf. If you don't have DNSSEC configured and don't want to
validate DNSSEC, turn them to 'no'.

Thanks Alexander, but that’s the question haha.

I don’t want to disable DNSSEC, but I can’t find a way to make it work. The problem in my domain is that the external DNS name is on CloudFlare Free Tier, so I don’t have the private keys.

Is it okay to just sign the internal zones with a new key? This makes no sense to me, and should not work if I do get DNSSEC correctly.

The only way to keep the external DNSSEC working, in my case, is disabling DNSSEC on IPA and AD, am I correct?

How does it work for win.example.com already?

That question made me think.

I did some homework to figure out what was happening.

In fact, win.example.com was working, but Windows seems not to care about DNSSEC errors. So what I’ve done:

1. Signed the win.example.com zone and the _msdcs.win.example.com zone; both zones available on the AD server. So the base AD zones are now signed.
2. Generated the DS entries from DNSKEY for win.example.com
3. Added the DS entry to win.example.com on CloudFlare
4. Generated the DS entries from the _msdcs subzone
5. Added the DS entry for _msdcs on the AD zone win.example.com

-> So here I followed the chain of trust adding to the parent DNS zones.

Afterwards I followed a guide to sign the FreeIPA zones, here: https://www.freeipa.org/page/Howto/DNSSEC#Signing_zones_in_FreeIPA

1. Signed the nix.example.com
2. Generated the DS entries following the same guide
3. Added those DS keys to CloudFlare

So with this I’ve signed all the zones and FreeIPA was able to work without disabling DNSSEC on FreeIPA.

I’m not sure if everything was necessary. I’ve ended up signing everything on the AD and IPA sides. Except for the reverse zone, about which I have another question, but I’ll open another thread.


In CloudFlare you can add DS keys for child zones, so delegation is
possible.

Wasn’t aware and that’s the missing part.

It does not make much sense if the DNS on CloudFlare should talk with the internal ones, but it makes sense if DS entries are query based. The child zone queries the parent, so the parent doesn’t really need to talk with the child.

So thanks Alexander for turning the lights on.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
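The "generate DS from DNSKEY, publish at the parent" step that appears on both the AD side (steps 2 and 4) and the FreeIPA side (step 2), as an added example that is not part of this thread or of FreeIPA's or Windows' own tooling: it derives the DS record from a child zone's DNSKEY per RFC 4034 and checks that a DS published at the parent (CloudFlare, or the AD zone for _msdcs) actually matches the child's key. The DNSKEY record and its public key are constructed placeholders, and the parser assumes single-line presentation format.

```python
import base64
import hashlib

# Constructed sample (not from the thread): a child-zone KSK as served by the AD
# or FreeIPA zone. The public key is a placeholder, not a real RSA key.
SAMPLE_DNSKEY = "win.example.com. 3600 IN DNSKEY 257 3 8 AQIDBA=="

DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def owner_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lowercase length-prefixed labels, root last."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B; not for RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line: str):
    """Split a single-line presentation-format DNSKEY RR into (owner, rdata)."""
    parts = line.split()
    idx = parts.index("DNSKEY")
    flags, proto, alg = (int(x) for x in parts[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(parts[idx + 4:]))
    return parts[0], flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey


def ds_from_dnskey(line: str, digest_type: int = 2) -> str:
    """DS record to publish at the parent, derived from the child's DNSKEY (digest over owner + RDATA)."""
    owner, rdata = parse_dnskey(line)
    digest = DIGEST_ALGS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {rdata[3]} {digest_type} {digest}"


def ds_matches(ds_line: str, dnskey_line: str) -> bool:
    """Confirm a DS seen at the parent corresponds to the child's DNSKEY (tag, alg, type, digest)."""
    parts = ds_line.split()
    i = parts.index("DS")
    tag, alg, dtype, digest = parts[i + 1:i + 5]
    expected = ds_from_dnskey(dnskey_line, int(dtype)).split()[-4:]
    return expected == [tag, alg, dtype, digest.upper()]
```

Feed it the DNSKEY the child actually serves and the DS the parent actually returns; a mismatch means the chain of trust breaks at that delegation.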