Basic DNSSEC with BIND 9.9

Everybody knows that DNS is insecure, and DNS Security Extensions (DNSSEC) is supposed to fix that. I know that several of my readers consider DNSSEC suboptimal, but it’s the standard, so we get to live with it. I recently got DNSSEC working on BIND 9.9. As I write this 9.9 is in Release Candidate state, but the functionality should be basically unchanged. My goals for DNSSEC on BIND were to manually edit my zone files, but have the DNS server maintain the keys. BIND 9.9 makes this possible.

This is a limited example of how to get basic DNSSEC working. To use it, your registrar must support DNSSEC. There are ways around this, such as DLV (DNSSEC Lookaside Validation), but they’re out of scope for this document. Also note that I’m not covering key rotation. That’ll be a future post.

You also must have a domain whose parent is signed. The root zone, .com, .net, and .org are all signed, but not all top-level domains are signed. Verify your particular TLD before proceeding. Again, you can use DLV for these orphaned domains, but that’s out of scope for this document.

I’d also suggest that you read the BIND 9.9 ARM first. But if you were going to bother to do that, you wouldn’t have done the Google search to find this article.

You will almost certainly have service interruptions as you learn DNSSEC. I strongly recommend that you set up a test server for your DNSSEC testing. Move a test domain to it. You cannot test DNSSEC on a private domain; it must be a real, Internet-facing domain. Configure DNSSEC validation on this test server.

You also need a server that provides DNSSEC resolution, but will not be authoritative for your test domain. I’m assuming that you configure DNSSEC resolution on your production server. If you only have one DNS server, you can use an offsite public resolver such as unbound.odvr.dns-oarc.net. (Note that Google DNS, like most public DNS servers, does not validate DNSSEC.)

Verify that DNSSEC resolution works on both servers with dig(1).

$ dig www.isc.org +dnssec

; <<>> DiG 9.8.1-P1 <<>> www.isc.org +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28734
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 13

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.isc.org. IN A

;; ANSWER SECTION:
www.isc.org. 600 IN A 149.20.64.42
www.isc.org. 600 IN RRSIG A 5 3 600 20120305233238 20120204233238 21693 isc.org. IKekIJVV99bkTYw4L2KG/xZpQ+BYlCK0IDSsWXKZRD8ceR/VNcfNFxV2 5VK51Fqmy...
...

Two interesting things here. First, the ad flag indicates that this is “authenticated data,” also known as DNSSEC-validated. Second, the RRSIG (Resource Record Signature) is the actual DNSSEC signature. isc.org is DNSSEC-validated.
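As an added example that is not part of the original post, here is a small Python checker that applies those two observations to saved dig output: it reads the flags line and the ANSWER section and classifies the answer as validated, signed but not validated, or unsigned. The three sample responses are constructed and abbreviated for this example (only the isc.org one mirrors the output above), and the function names are this example's own. It also covers the case that comes up later in the post: an authoritative server returns the RRSIG records but never sets the ad flag.

```python
import re

# Constructed sample: the relevant lines of `dig www.isc.org +dnssec` as answered
# by a validating resolver (abbreviated; the signature is truncated).
VALIDATED_RESPONSE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28734
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 13
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.isc.org.\t\tIN\tA

;; ANSWER SECTION:
www.isc.org.\t600\tIN\tA\t149.20.64.42
www.isc.org.\t600\tIN\tRRSIG\tA 5 3 600 20120305233238 20120204233238 21693 isc.org. IKekIJ...
"""

# Constructed sample: a signed zone queried directly on its authoritative server.
# RRSIGs are present, but the ad flag is never set by an authoritative server.
AUTHORITATIVE_RESPONSE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
www.example.net.\t3600\tIN\tA\t192.0.2.10
www.example.net.\t3600\tIN\tRRSIG\tA 5 3 3600 20120305000000 20120205000000 55896 example.net. AbCd...
"""

# Constructed sample: an unsigned zone (no RRSIG) from a resolver that does not set ad.
UNSIGNED_RESPONSE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
www.example.org.\t300\tIN\tA\t192.0.2.20
"""

FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);", re.MULTILINE)
STATUS_RE = re.compile(r"status: ([A-Z]+)")


def parse_dig(output):
    """Return (status, header flags, RR types in the ANSWER section) from dig output."""
    m = FLAGS_RE.search(output)
    flags = set(m.group(1).split()) if m else set()
    s = STATUS_RE.search(output)
    status = s.group(1) if s else "UNKNOWN"
    types = []
    in_answer = False
    for line in output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";;"):          # any other section header ends the answer section
            in_answer = False
        if in_answer and line.strip() and not line.startswith(";"):
            fields = line.split()
            if len(fields) >= 4 and fields[2] == "IN":
                types.append(fields[3])
    return status, flags, types


def classify(output):
    """Summarize what the flags and records say about DNSSEC for this answer."""
    status, flags, types = parse_dig(output)
    if status == "SERVFAIL":
        return "SERVFAIL: validation failure or server error"
    signed = "RRSIG" in types
    if "ad" in flags and signed:
        return "validated"
    if "aa" in flags and signed:
        return "signed, answered by authoritative server (ad never set here)"
    if signed:
        return "signed, but this resolver did not validate"
    if "ad" in flags:
        return "validated, but no RRSIG in answer (query without +dnssec?)"
    return "unsigned"


if __name__ == "__main__":
    for name, sample in (("resolver", VALIDATED_RESPONSE),
                         ("authoritative", AUTHORITATIVE_RESPONSE),
                         ("unsigned", UNSIGNED_RESPONSE)):
        print(f"{name}: {classify(sample)}")
```

To use it against a live server, capture `dig <name> +dnssec @<server>` to a file and pass its contents to `classify()`; a SERVFAIL from a validating resolver, with NOERROR from a non-validating one, is the usual sign of a broken chain of trust.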

DNSSEC generates a lot of key files. You don’t edit these key files by hand, and you rarely look at their contents, so use a separate directory. If you have a lot of zones, you’ll want a separate directory for each zone.

You’ll need a directory for keys.

$ mkdir /etc/namedb/keys

To start you need a “master” key to sign other keys with (the Key Signing Key, or KSK), and then a key for each zone (the Zone Signing Key, or ZSK). Generate them in the key directory you just created; your nameserver must be able to read these keys.

# dnssec-keygen -f KSK -a RSASHA1 -b 2048 -n ZONE example.net
Generating key pair...........................................................+++ ...............+++
Kexample.net.+005+38287
# dnssec-keygen -a RSASHA1 -b 2048 -n ZONE example.net
Generating key pair.............+++ ..+++
Kexample.net.+005+55896
# chown bind:bind *

We’ve generated two key files: Kexample.net.+005+38287 (the KSK) and Kexample.net.+005+55896 (the ZSK).

Now that you have keys, let’s look at configuring named and the zone itself.

I recommend you enable DNSSEC logging in named.conf. If you have trouble, the DNSSEC log will identify the problem. (Actually understanding the log is left as an exercise for the reader, the ARM, and their favorite search engine.) Make a separate directory for the log.

# mkdir /etc/namedb/log
# chown bind:bind /etc/namedb/log

Then add a logging stanza to named.conf. With this configuration, the log file will never grow larger than 20 MB.

logging {
    channel dnssec_log {
        file "log/dnssec" size 20m;
        print-time yes;
        print-category yes;
        print-severity yes;
        severity debug 3;
    };
    category dnssec {
        dnssec_log;
    };
};

Now set up a zone. Here I add DNSSEC data to my test domain.

zone example.net {
    type master;
    file "master/example.net";
    key-directory "keys/";
    inline-signing yes;
    auto-dnssec maintain;
};

Reload your nameserver. You’ll now see the following files in the zone file directory:

example.net
example.net.jbk
example.net.signed
example.net.jnl

Inline signing works by taking the zone file you manually maintain, transforming it into a dynamic zone, and signing the dynamic zone. DNSSEC changes are made to the journal file. As a result of this, the serial number shown to the world can differ from the serial number in your file. That’s a minor change that I’m perfectly happy to live with.

You should now see RRSIG records in your test zone. You will not see the AD flag, however. You never see an AD flag for a zone on its authoritative nameserver.

So, how do you test DNSSEC on your domain? You might try your second nameserver. It won’t show the AD flag either, but it should also show the RRSIG records.

DNSSEC works via a chain of digital signatures. The root zone is signed, and your server knows about that signature. Most delegations beneath root are also signed. Your parent zone doesn’t know to trust your KSK until you tell it. This is where your registrar comes in. Create a Delegation Signer (DS) record, which registrars often call a DSKEY, from your KSK.

# dnssec-dsfromkey Kexample.net.+005+38287
example.net. IN DS 38287 5 1 E8C01C990ACC8CEDF48379EDF9EDAB5389A9CB4E
example.net. IN DS 38287 5 2 57EC9364CEAE50B17C0C251950B4E5B8870F6A479A94C3A92359A623 39703D53

Copy these two lines and paste them into your registrar’s DSKEY interface. Your registrar might take one or both types of DSKEY records. I found that GoDaddy took both, but I had to remove the space from the SHA-256 (second) record.
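As an added example that is not part of the post or of BIND, the following Python reproduces what dnssec-dsfromkey computes, following RFC 4034: the key tag and the SHA-1 and SHA-256 DS digests of a DNSKEY record, plus a check that the tag agrees with the +005+NNNNN part of the dnssec-keygen file name. The DNSKEY public key is a made-up 6-byte value, so the output is not a real DS record; the sample record, the sample file name and the function names are this example's own. Each digest is emitted as one unbroken hex string, which is the form the registrar interface described above wanted.

```python
import base64
import hashlib
import re

# Constructed sample DNSKEY in presentation format: flags 257 (KSK), protocol 3,
# algorithm 5 (RSASHA1, as in the post). The base64 public key is a made-up
# 6-byte value for this example, not real key material.
SAMPLE_DNSKEY = "example.net. IN DNSKEY 257 3 5 AQIDBAUG"

# Constructed key file name in dnssec-keygen's K<zone>.+<alg>+<tag> form; the tag
# is the one this example's made-up key material produces.
SAMPLE_KEYFILE = "Kexample.net.+005+03346"


def wire_name(name):
    """Encode an owner name in DNS wire format (length-prefixed labels, root label)."""
    labels = name.rstrip(".").split(".") if name.strip(".") else []
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(rr_text):
    """Split a presentation-format DNSKEY RR into (owner, flags, protocol, algorithm, rdata)."""
    fields = rr_text.split()
    idx = fields.index("DNSKEY")                 # tolerates an optional TTL before the class
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey_b64 = "".join(fields[idx + 4:])       # base64 may be wrapped across whitespace
    return fields[0], flags, protocol, algorithm, dnskey_rdata(flags, protocol, algorithm, pubkey_b64)


def ds_records(rr_text):
    """Return the DS records (digest type 1 = SHA-1, 2 = SHA-256) for a DNSKEY RR."""
    owner, _flags, _protocol, algorithm, rdata = parse_dnskey(rr_text)
    tag = key_tag(rdata)
    # The DS digest covers the owner name in wire format followed by the DNSKEY RDATA.
    material = wire_name(owner) + rdata
    records = []
    for digest_type, hasher in ((1, hashlib.sha1), (2, hashlib.sha256)):
        digest = hasher(material).hexdigest().upper()   # one unbroken hex string
        records.append(f"{owner} IN DS {tag} {algorithm} {digest_type} {digest}")
    return records


def parse_key_filename(filename):
    """Parse K<zone>.+<algorithm>+<keytag>[.key|.private] as named by dnssec-keygen."""
    m = re.fullmatch(r"K(.+)\.\+(\d{3})\+(\d{5})(?:\.key|\.private)?", filename)
    if not m:
        raise ValueError(f"not a dnssec-keygen file name: {filename}")
    return m.group(1) + ".", int(m.group(2)), int(m.group(3))


def ds_matches_keyfile(rr_text, filename):
    """True when the zone, algorithm and key tag from the DNSKEY match the key file name."""
    zone, algorithm, tag = parse_key_filename(filename)
    owner, _f, _p, rr_alg, rdata = parse_dnskey(rr_text)
    return owner == zone and rr_alg == algorithm and key_tag(rdata) == tag


if __name__ == "__main__":
    for rec in ds_records(SAMPLE_DNSKEY):
        print(rec)
    print("tag matches key file:", ds_matches_keyfile(SAMPLE_DNSKEY, SAMPLE_KEYFILE))
```

Feed `ds_records()` the DNSKEY line from your own zone (for example from `dig example.net DNSKEY`) and compare the result with what dnssec-dsfromkey printed; a tag or digest mismatch means you are about to hand the registrar a DS for the wrong key.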

When your registrar updates the TLD’s zone, validating resolvers that are not authoritative for your zone will return the AD flag for your domain. You’ll have functioning DNSSEC.

(Thanks to Jeffry A. Spain for his invaluable hints in debugging my first DNSSEC setup.)

New review of SSH Mastery, and print pre-order status

There’s a new review of SSH Mastery over at DragonFlyBSD Digest. I’m delighted that Justin liked the book. (Mind you, I’m appalled that he’s actually reading and paying attention to the minutia I occasionally post here. But I’m delighted he liked the book.)

On the pre-order front: Austin Hook just ordered 200 copies of SSH Mastery for the OpenBSD Project. He will be listing the book for pre-order “soon.” I’ve given them the greatest discount possible, and they’ll be selling the book for list price. Proceeds will go to support OpenBSD/OpenSSH development. I will fill Austin’s order at the first opportunity.

When is that? When the book exists in finished form. I reviewed the print layout today, made some corrections, and sent them back to the layout person. If she doesn’t kill me outright, I’ll be able to order proofs in a few days. If the proofs show an error, I do another cycle. (Print pages look nothing like on-screen pages.) Once I approve the proofs, I can order books.

A normal publisher (whatever that means) would have a scheduled print time. They’d push out the release date, and delay the book if necessary to fit that window. That gives them a known release date. Me, I’m not going to set a sufficiently-padded arbitrary date when I can get them sooner.

And for those of you who wonder when I’m going to quit pushing my wares and post techie stuff again, I’ll have a post on DNSSEC deployment next week.

SSH Mastery now #2 best-seller on Smashwords

Smashwords is an ebook retailer that sells books in ten different electronic formats in one purchase. If you want a book in .pdb for your Palm Pilot, in PDF for your laptop, and epub for your Nook, that’s where you go.

I just saw this in their best-seller list.

I’m at #2 site-wide, right behind the Fat Loss Bible.

The implications are obvious: I must write a book for fat techies. I’ll make a fortune!

SSH Mastery Review from Peter Hansteen

Peter has already read and reviewed SSH Mastery. While a few of my readers have been kind enough to post reviews on Amazon and Smashwords (which I very deeply appreciate), Peter’s is the first long review.

And here I should confess something: The very existence of SSH Mastery is Peter’s fault.

Peter will be doing the tech review of Absolute OpenBSD 2nd Edition. He looked over the outline and said “You need more SSH in here. You need SSH here, and here. More SSH love!” So, I listened to him. The SSH content overflowed the OpenBSD book from a planned 350K words to closer to 400K. I can’t comfortably read a 400K-word book. So, something had to give. And it was SSH.

And to again answer what people keep emailing me and asking: yes, a print version is coming. Yes, I am writing AO2e. When I have dates, I will announce them.

SSH Mastery Round-Up

I went to bed last night, satisfied that I had gotten SSH Mastery uploaded to the various ebook sites. I figured that I’d contact some people about doing reviews this weekend, maybe generate one or two sales. Awoke to discover ten copies sold while I slept. And I received a whole bunch of messages via Twitter, Facebook, and email. Rather than try to answer them all individually, I decided to answer here.

If you’ve bought the book: thank you! Please consider leaving a review on your ebook site and/or Amazon, it would seriously help me out.

SSH Mastery is currently available via Smashwords, Kindle, and Nook. The Nook version seems to be missing its cover; I’ll take that up with B&N once I post this.

Want it in your preferred format? Permit me to direct you to Smashwords. Buy the book once, get it in any or all of ten different formats, from epub to PDF to old formats like PalmDoc and LRF. It doesn’t sync to your device, but you can read it anywhere, and it’s stored “In The Cloud (ooooh!)”. There is no DRM, on any version where I control DRM. SSH Mastery is only $9.99. If someone goes to the trouble to illicitly download a tightly-focused, task-specific tech book that’s less expensive than lunch, well, they suck. Please tell them that.

Once Smashwords finishes digesting the book, they will feed it to iBooks, Kobo, and all the other online retailers. I have no insight into how long this will take. If you sight SSH Mastery on iBooks or Kobo, please let me know! Actually, I’m shocked that Smashwords was able to process the highly-formatted original document. Their Meatgrinder only takes Microsoft Word files, and my file was full of headers and in-document hyperlinks and text styles and images. It’s obviously much improved over the early days. Following their instructions works. Amazing, that.

There will be a print version. The print layout person works from the same files I feed to the ebookstores. The print will take time. She will lay out a chapter for me, so that I can approve a rough design. She will then lay out the entire book. That will give us a page count and let me do the index. We’ll proof that a few times, to catch any errors, and then kick it out to the printer. But I didn’t want to delay the ebook until the print was ready.

The page count is critical. Page count dictates the price. I’m 90% confident of the price, but I can’t announce it until I know. Once I have the price, we can start taking pre-orders. Now, I don’t have the infrastructure to take pre-orders. Any number of third-party companies would hold your money in escrow until I delivered the books to them. That would take a whole bunch of legal agreements, and frankly, I’m too dang lazy to be bothered.

Especially when the OpenSSH/OpenBSD folks already have that infrastructure, and they have an existing trust relationship with the community. I plan to let them have the books at my cost plus expenses (shipping and CreateSpace fulfillment costs, not sunk costs), to funnel some money into OpenSSH. CreateSpace is doing the printing, so I don’t think I can offer an exclusivity window — once I order a crate of books, Amazon will list and ship to their direct customers. But I will ship those books at the earliest opportunity.

I’m also looking for a solution to let me sell print/ebook combinations. That’s how I like my books, after all. If I can work out a cost-effective solution that doesn’t involve me hand-mailing books, I’ll do it.

But you want the book now. You really do. Mind you, I know all of my readers are good people. You don’t use passwords with SSH. You tightly secured all of your SSH servers. You know when and how to forward ports, and X11, and when to use a SSH VPN. But you know people who need this book. You know people who think that SSH-ing in as root with a password is a good idea. Make them buy the book. For their own good.

SSH Mastery available at Smashwords

To my surprise, SSH Mastery is available at Smashwords.

I don’t know if this version will make it through to Kobo and iBooks, but you can buy it now. If I have to update it to get the book through the Smashwords Meatgrinder and into third-party stores, you’d get access to those later versions as well.

SSH Mastery ebook uploaded to Amazon and B&N

I just finished uploading the ebook versions of SSH Mastery to Amazon and Barnes & Noble. The manuscript is en route to the print layout person.

Amazon should have the book available in 24 hours or so, Barnes & Noble in 24-72 hours. Once they’re available, I’ll be able to inspect the ebooks to check for really egregious errors. The files were clean when I uploaded them, but both companies perform their own manipulation on what I feed them. There’s no way to be sure the books come out okay until I can see the final product.

What about, say, iBooks? Kobo? The short answer is: they’re coming. The long answer is: those sites are fed via Smashwords. Smashwords only accepts Microsoft Word files, and they have very strict controls on how books can be formatted. Their ebook processor, Meatgrinder, isn’t exactly friendly to highly-formatted books. I must spend some quality quantity time getting the book into Smashwords.

I’ll post again when the books are available on each site. In the meantime, I’m going to go put my feet up.