Hi all.
On 18 May 2020, at 03:14, Alexander Bokovoy <abokovoy@redhat.com> wrote:
On Mon, 18 May 2020, Vinícius Ferrão via FreeIPA-users wrote:
On 18 May 2020, at 01:57, Alexander Bokovoy <abokovoy@redhat.com> wrote:
On Mon, 18 May 2020, Vinícius Ferrão via FreeIPA-users wrote:
Hello,
This may sound like a noobish question, but how can I make DNSSEC play nicely when the
external domain has DNSSEC enabled and this makes internal zones fail when creating an
AD trust, since we are using subdomains for our LAN?
Our case:
example.com (External DNS name with DNSSEC enabled)
win.example.com (Active Directory Zone)
nix.example.com (FreeIPA Zone)
Even with the correct conditional forwarders set up in Windows DNS and FreeIPA DNS, DNSSEC
kicks in and fails resolutions.
_MUST_ I disable DNSSEC? Is there another way?
There are 'dnssec-validation' and 'dnssec-enable' options in
/etc/named.conf. If you don't have DNSSEC configured and don't want to
validate DNSSEC, turn them to 'no'.
Thanks Alexander, but that’s the question haha.
I don’t want to disable DNSSEC, but I can’t find a way to make it work. The problem in my
domain is that the external DNS name is on CloudFlare Free Tier, so I don’t have the
private keys.
Is it okay to just sign the internal zones with a new key? This makes no sense to me, and
should not work if I do get DNSSEC correctly.
The only way to keep the external DNSSEC working, in my case, is disabling DNSSEC on IPA
and AD, am I correct?
How does it work for win.example.com already?
That question made me think.
I did some homework to figure out what was happening.
In fact, win.example.com was working, but Windows seems not to care about DNSSEC errors.
So what I've done:
1. Signed the win.example.com zone and the _msdcs.win.example.com zone; both zones are
available on the AD server. So the base AD zones are now signed.
2. Generated the DS entries from the DNSKEY for win.example.com
3. Added the DS entry for win.example.com on CloudFlare
4. Generated the DS entries from the _msdcs subzone
5. Added the DS entry for _msdcs to the AD zone win.example.com
-> So here I followed the chain of trust adding to the parent DNS zones.
After that I followed a guide to sign the FreeIPA zones, here:
https://www.freeipa.org/page/Howto/DNSSEC#Signing_zones_in_FreeIPA
1. Signed nix.example.com
2. Generated the DS entries following the same guide
3. Added those DS keys to CloudFlare
So with this I've signed all the zones and FreeIPA was able to work without disabling
DNSSEC on FreeIPA.
I'm not sure if everything was necessary. I've ended up signing everything on the AD and IPA
sides. Except for the reverse zone, about which I have another question, but I'll open
another thread.
In CloudFlare you can add DS keys for child zones, so delegation is
possible.
I wasn't aware, and that's the missing part.
It does not make much sense if the DNS on CloudFlare should talk with the internal ones,
but it makes sense if DS entries are query based. The child zone queries the parent, so the
parent doesn't really need to talk with the child.
So thanks Alexander for turning the lights on.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
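As an added example, not code from this thread, from FreeIPA or from BIND: the DS computation behind steps 2 and 4 above (what BIND's `dnssec-dsfromkey` does for you), written from RFC 4034 so it runs offline. The `win.example.com.` DNSKEY below is constructed for illustration only: its "public key" is the bytes 0x00..0x3F, not a real ECDSA key, so it cannot sign anything; the owner names are the ones from the thread. `ds_matches` is the check to run once the DS has been pasted into the parent (CloudFlare for `win.example.com`, the AD-hosted `win.example.com` zone for `_msdcs`): the published key tag, algorithm and digest must equal what the child's current KSK yields, and they must be updated again whenever that KSK is rolled.

```python
"""Derive DS records from a DNSKEY and check a published DS against it (RFC 4034)."""
import base64
import hashlib
import struct

# DS digest types from the IANA registry: 1 = SHA-1 (avoid for new delegations),
# 2 = SHA-256, 4 = SHA-384. A parent's "add DS for child" form takes exactly the
# tag / algorithm / digest-type / digest fields this code produces.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# Constructed sample, NOT a real key: flags 257 (ZSK bit + SEP bit, i.e. a KSK),
# protocol 3, algorithm 13 (ECDSAP256SHA256), "public key" = bytes 0x00..0x3F.
SAMPLE_DNSKEY = (
    "win.example.com. 3600 IN DNSKEY 257 3 13 ( "
    "AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4vMDEyMzQ1Njc4OTo7PD0+Pw== )"
)


def wire_name(name: str) -> bytes:
    """Owner name in canonical wire form: lowercase labels, length-prefixed, root terminator."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def parse_dnskey(line: str):
    """Parse a presentation-format DNSKEY RR (TTL/class optional, BIND-style '( ... )' allowed)."""
    text = line.split(";", 1)[0].replace("(", " ").replace(")", " ")
    toks = text.split()
    i = toks.index("DNSKEY")
    flags, proto, alg = int(toks[i + 1]), int(toks[i + 2]), int(toks[i + 3])
    pubkey = base64.b64decode("".join(toks[i + 4:]))
    return toks[0], flags, proto, alg, pubkey


def dnskey_rdata(flags: int, proto: int, alg: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA in wire form: 16-bit flags, protocol, algorithm, raw public key."""
    return struct.pack("!HBB", flags, proto, alg) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5, alg 1)."""
    ac = 0
    for idx, byte in enumerate(rdata):
        ac += byte << 8 if idx % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def is_ksk(flags: int) -> bool:
    """Bit 15 of the flags is SEP; DS records are normally published only for these keys."""
    return bool(flags & 0x0001)


def make_ds(dnskey_line: str, digest_type: int = 2):
    """Return (owner, key_tag, algorithm, digest_type, hex_digest) for a DNSKEY RR."""
    owner, flags, proto, alg, pubkey = parse_dnskey(dnskey_line)
    rdata = dnskey_rdata(flags, proto, alg, pubkey)
    # RFC 4034 5.1.4: digest = H(canonical owner name in wire form || DNSKEY RDATA)
    digest = DIGEST_ALGS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return owner, key_tag(rdata), alg, digest_type, digest


def format_ds(ds) -> str:
    """Presentation form, ready to paste into the parent zone's DS form."""
    owner, tag, alg, dtype, digest = ds
    return f"{owner} IN DS {tag} {alg} {dtype} {digest}"


def ds_matches(dnskey_line: str, ds_line: str) -> bool:
    """True if a published DS (as shown by the parent) was derived from this DNSKEY."""
    toks = ds_line.split(";", 1)[0].replace("(", " ").replace(")", " ").split()
    i = toks.index("DS")
    tag, alg, dtype = int(toks[i + 1]), int(toks[i + 2]), int(toks[i + 3])
    if dtype not in DIGEST_ALGS:
        return False
    digest = "".join(toks[i + 4:]).upper()
    owner, got_tag, got_alg, _, got_digest = make_ds(dnskey_line, dtype)
    return wire_name(owner) == wire_name(toks[0]) and (tag, alg, digest) == (got_tag, got_alg, got_digest)


if __name__ == "__main__":
    _, flags, _, _, _ = parse_dnskey(SAMPLE_DNSKEY)
    print("KSK:", is_ksk(flags))
    for dtype in (2, 4):
        print(format_ds(make_ds(SAMPLE_DNSKEY, dtype)))
    print("published DS matches:", ds_matches(SAMPLE_DNSKEY, format_ds(make_ds(SAMPLE_DNSKEY))))
```

To use it on a real zone, feed `make_ds` the DNSKEY lines with the SEP bit set (flags 257) as returned by `dig +norec DNSKEY win.example.com @<AD DNS server>` or `dig DNSKEY nix.example.com @<IPA server>`, and compare the result with `dig DS win.example.com` as answered by the parent's name servers; only KSKs need a DS at the parent, and a validator will fail the child (exactly the symptom in the thread) if the parent's DS points at a key the child no longer serves.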