The purpose of this article demonstrate how to get GSS-TSIG... working using ISC Bind DNS on a *NIX server. After...

How to implement GSS-TSIG on ISC BIND
Written by Patrick H. Piper - Last Updated Thursday, 09 December 2010 07:48
The purpose of this article demonstrate how to get GSS-TSIG or secure dynamic updates
working using ISC Bind DNS on a *NIX server. After several hours of trying to get this to work,
perhaps this article would have been better named "GSS-TSIG on ISC Bind -- The Missing
Manual". I know in working with others, we experienced many trials and tribulations in getting it
all to work. GSS-TSIG DNS Updates or secure dynamic updates is an extension to TSIG based
updates which implements secure key exchange. GSS API calls for the use of Kerberos for
authentication, integrity and confidentiality by establishing a limited lifetime security context.
Once the security context is established, special TKEY resource records are used to securely
exchange key material between the DNS Server and DNS Client. GSS-TSIG support has been
present in the ISC Bind code since version 9.5.0, circa mid-summer of 2008. In this HOW-TO,
we compiled ISC Bind 9.7.1-P2 on Fedora 13 (32-bit) and used a single Microsoft Windows
2008 Server running as an Active Directory Domain Controller for example.com.
Before we demonstrate secure dynamic updates, we must first address a "chicken-and-egg"
issue. We need our Active Directory Domain Controller up and running prior so we can
configure our AD user and Kerberos Service Principal. Prior to running dcpromo to promote our
first AD Domain Controller or DC, we must have DNS up and running with dynamic DNS
support. So, It is recommended that ISC Bind is built and configured to be authoritative for the
AD Domain and support dynamic DNS updates using the
allow-update
directive by supplying the IP address of the AD DC. Building ISC Bind on Fedora, CentOS, or Red Hat Linux
In this exercise, a minimal install of the Fedora 13 and/or CentOS 5.5 (32-bit) operating system
was installed. Ensure that the following RPM dependencies openssl-devel, gcc, make, perl,
krb5-workstation, and krb5-devel. This can be done using the yum pkg manager as follows:
yum install openssl-devel
yum install gcc make perl
yum install krb5-workstation krb5-devel You will note that we did not specify libgssapi* modules. The reason for this is that the
1/6
How to implement GSS-TSIG on ISC BIND
Written by Patrick H. Piper - Last Updated Thursday, 09 December 2010 07:48
GSS-API code is present and embedded in the krb5-workstation and krb5-devel library and
development package. In our test, we used the latest version of ISC Bind (9.7.1-P2 was the
current version at the time of this article). Unpack this version of bind and build as follows:
./configure --with-openssl --with-gssapi
make && make install Some key assumptions:
- Configure our DNS server, dns1.example.com to be authoritative for the zone
example.com
- Configure our DNS server, dns1.example.com to be authoritative for the reverse zone
168.192.in-addr.arpa
- Configure the zone(s) example.com and 168.192.in-addr.arpa to be dynamically
updatable via the
allow-update directive using the IP address of the AD DC(s) so they can
inject any/all AD-related DNS records. Once that is complete, our ISC Bind name server should accept insecure dynamic DNS updates
from the Domain Controllers for the forward zone example.com and the reverse zone
168.192.in-addr.arpa. At this point it is time to bring up the AD Domain Controller. Active Directory Domain Controller Promotion
With our Unix DNS server configured to support dynamic updates, we change our focus to the
configuration of the AD Domain and DC itself. At this point, we can now run dcpromo.exe on
our Windows Server 2008 to promote it to a Domain Controller or DC for example.com. Follow
the wizard and at the conclusion of
dcpromo.exe,
make sure that all the AD related records were properly "injected" into our ISC Bind Server.
Our DC will populate the BIND DNS server with the records that are contained in the
%systemroot%system32confignetlogon.dns file. You can verify and validate that this occurred
by either querying the name server for specific SRV, A, and CNAME records or by displaying
the contents of the db.example.com.jnl file using the Bind-provided named-journalprint
command.
Create AD user & Service Principal
Using the Microsoft Active Directory Users and Computers Microsoft Management Console or
MMC, create an AD user called "dns1" in a zone such as example.com as shown in
Fig. 1 - New User
2/6
How to implement GSS-TSIG on ISC BIND
Written by Patrick H. Piper - Last Updated Thursday, 09 December 2010 07:48
below.
NOTE: we chose the name "dns1" because it will represent the "instance" or hostname of the
DNS server we plan to run ISC Bind on, i.e. dns1.example.com. You should plan to add an AD
User for each DNS server that will perform GSS-TSIG secure dynamic updates.
Click Next, and set & confirm a strong password. In this example, we chose to set a one-time
fixed password so that we would not have to rebuild Kerberos keytab files with the new
credentials. If you permit the password to change or require it to be rotated for security reasons,
you will need to update the Kerberos keytab files that get configured on the remote DNS
Servers. When done, click next to view the final user creation screen shown in Fig. 3. Click Finish to
complete the task of creating our user. Next, we must create a Kerberos Service Principal Name or SPN, that is mapped to our Active
Directory User dns1. This is accomplished using the ktpass.exe utility that is installed on
modern Microsoft Windows 2008 Server Installations. If you are operating on Microsoft
Windows 2003, you will need to install the Microsoft "Support Tools". You MUST make sure to
install the same release of the Support Tools as the version of Windows Server you are
operating. Run the
ktpass.exe
utility with the following flags and/or options:
Parameter/Value
Description
-princ DNS/dns1.example.com@EXAMPLE.COM
This represents the Kerberos Service Principal Account for the <instance
-mapuser dns1@EXAMPLE.COM
The Kerberos SPN is mapped to this AD User Account that was created
-mapOp set
Specifies how the mapping attribute is set
+DesOnly
Sets the encryption type to Des only
-ptype KRB5_NT_PRINCIPAL
This is the type of Kerberos Principal
-pass Pa$$w0rd
The password of the AD user dns1@EXAMPLE.COM must be correctly pas
-out dns1.keytab This option names the output file for ktpass.exe. The file that is outputted is
3/6
How to implement GSS-TSIG on ISC BIND
Written by Patrick H. Piper - Last Updated Thursday, 09 December 2010 07:48
Fig. plan
1ktpass.exe command
- New
User
file
Fig.
2a -temporary
Password
generated
Fig.
3 -on
Finish
as
SPN
many
Fig. instances
4Bind
- ktpass.exe
usage
The
dns1.keytab
you
Linux
Copy
each
hosts
to keytab
operate.
that
should
were
be
In
running
tocopied
our
above
testing,
ISC
to /tmp
should
Bind
wedirectory
on
9.7.2-P2,
be
dns1.example.com. executed
dns1.example.com
the
two corresponding
for
such
instance
and
DNS
dns2.example.com.
forserver
or
two
Linux
(2)
instances
different
host, e.g.
Configuring The Kerberos Client on Linux
The first step is to ensure that the krb5-workstation utilities are properly installed, and that the
location of the utilities are in your current PATH environment variable. In our case, we added
/usr/kerberos/bin to our default path. Set up Kerberos with a config similar to that shown below:
[logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server
= FILE:/var/log/kadmind.log [libdefaults] default_realm = EXAMPLE.COM
default_tkt_enctypes = des-cbc-md5 default_tgs_enctypes = des-cbc-md5 dns_lookup_realm
= true dns_lookup_kdc = true ticket_lifetime = 30d forwardable = yes default_keytab_name
= FILE:/etc/krb5.keytab [realms] EXAMPLE.COM = { kdc = dc1.example.com:88
admin_server = dc1.example.com:749 default_domain = example.com } [domain_realm]
.example.com = EXAMPLE.COM example.com = EXAMPLE.COM [appdefaults] pam = {
debug = false ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true
krb4_convert = false }
Run the ktutil command to read in the freshly copied keytab file, and write out the full contents
to our target keytab file as follows:
[root@dns1 ~]# ktutil ktutil: rkt /tmp/dns1.keytab ktutil: list slot KVNO Principal ---- ------------------------------------------------------------------------ 1 3
DNS/dns1.example.com@EXAMPLE.COM ktutil: wkt /etc/krb5.keytab ktutil: quit [root@dns1
4/6
How to implement GSS-TSIG on ISC BIND
Written by Patrick H. Piper - Last Updated Thursday, 09 December 2010 07:48
~]#
NOTE: If you are running ISC Bind as a lesser privileged user than the root user, you MUST set
new ownership on the /etc/krb5.keytab file to the user that is running Bind. In our testing, we
set the owner to 'named'.Now, that our keytab file is in place, and our krb5.conf file is set up,
you can initiate Kerberos authentication in obtaining Kerberos Tickets from the AD Server. This
is done via the following command:
/usr/kerberos/bin/kinit -k -t /etc/krb5.keytab DNS/dns1.example.com
If there is no output and/or the return value $? is 0, then the command completed without any
errors. You can now view the Kerberos tickets that have been granted by:
[root@dns1 ~]# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal:
DNS/dns1.example.com@EXAMPLE.COM Valid starting Expires
Service principal
10/02/10 11:12:58 10/02/10 21:12:54 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until
10/09/10 11:12:58
Kerberos 4 ticket cache: /tmp/tkt0 klist: You have no tickets cached
At this point, you should now have a working Kerberos Workstation or client that can
authenticate and obtain Kerberos Tickets via the AD Domain Controller. If you run kdestroy, this
command will remove any cached tickets from the Kerberos Client. Remove these cached
tickets so that you don't have any cached tickets that will expire. Once that is done, the named
process should renew tickets as needed to remain authenticated and capable of performing
secure dynamic updates.
Configuring ISC Bind to Perform GSS-TSIG Secure Dynamic
Updates
Previously, we had configured our DNS server to support dynamic DNS updates in the clear
(insecure) by using the allow-update directive. Now that our server has been "Kerberized", you
can change the configuration of the name server to accept only secure dynamic updates by
tweaking the server's global and zone configuration(s). In the global options block of the
named.conf file, you will need to add the
tkey-gssapi-cred
ential
and tkey-d
omain
directives. The following was used for the example.com domain name server
dns1.example.com:
tkey-gssapi-credential "DNS/dns1.example.com@EXAMPLE.COM";
tkey-domain "EXAMPLE.COM"; It was during the next part of the configuration, that we experienced difficulty in getting our
configuration to work. Since we are configuring secure dynamic updates on two zone(s),
example.com, and 168.192.in-addr.arpa, we first needed to remove the allow-update {
5/6
How to implement GSS-TSIG on ISC BIND
Written by Patrick H. Piper - Last Updated Thursday, 09 December 2010 07:48
update_acl; };
because
that directive is based upon IP access lists and is associated with insecure updates. The newer
update-policy
directive is what should be used to configure zones to support secure dynamic updates. We
struggled with the documentation and exact syntax of this policy while trying to get GSS-TSIG
working. The following syntax was used to get things working for our two (2) zones:
zone "example.com" {
type master;
file "db.example.com";
check-names ignore;
allow-transfer { localhost; 192.168.0.0/16; };
update-policy {
grant * subdomain
example.com. ANY;
}; }; zone "168.192.in-addr.arpa" {
type master;
file
"db.168.192.in-addr.arpa";
check-names ignore;
allow-transfer { localhost;
192.168.0.0/16; };
update-policy {
grant * subdomain 168.192.in-addr.arpa. PTR TXT;
}; };
While the above configuration allowed our ISC Bind Server to handle GSS-TSIG secure
dynamic updates, it is far less than optimal from a security perspective. With all that said, how
do we really know it's working? During testing, it's best to start named at a low debugging level
so that log output shows details and evidence of the GSS-TSIG signed updates. Running ISC
Bind in Debug level 6 will output logged messages as shown in gss-tsig.log . This is the first
part of a two (2) article series on GSS-TSIG Updates using ISC Bind. Part 2 - will cover some
of the "gotchas", exceptions, and provide some additional recipes for a more secure
update-policy
usage. 6/6