DNSSEC Tech Reviewers Wanted

Last night, I finished the first draft of DNSSEC Mastery. If you’re one of my fans who wants to see the existing work, a pre-pub version is now available on LeanPub.

Now I’m looking for people familiar with DNSSEC on BIND to read the book and tell me where I’ve screwed up.

This book is for an established DNS administrator who wants to deploy DNSSEC. I assume you know what named.conf is, why you don’t put PTR records in a forward zone, and so on. The goal is not to get 100% of the people 100% there, but to get 90% of the people 100% there and ground the other 10% so that they can identify their own rough edges. (The idea is roughly similar to my SSH Mastery or Cisco Routers for the Desperate.)

The contents are:

    1. Introducing DNSSEC
    2. Cryptography and DNSSEC
    3. How DNSSEC changes DNS
    4. DNSSEC Resolver
    5. dig and DNSSEC
    6. Securing Zone Transfers
    7. KSKs and ZSKs
    8. Signing Zones
    9. Debugging
    10. Key Rotation
    11. Delegations and Islands of Trust
    12. DNSSEC for Data Distribution (needs better title, it’s SSHFP and TLSA)

Many of these chapters are short. Chapter 10 is not. The writing is rough, especially near the end.

So, if you know DNSSEC, and you’re interested in spreading the DNSSEC gospel, and you have enough time to read something about half the length of a short paperback novel, contact me via email at mwlucas at my domain.

I’d need any comments by 15 March. I plan to revise that week and get the book into copyedit, so it can be out for BSDCan. Barring any really appalling revelations from the reviewers, that is. I’d rather the book be late than wrong.

my OpenSSH AuthorizedKeysCommand script

The bleeding-edge OpenSSH supports using an AuthorizedKeysCommand statement in sshd_config to get the authorized_keys file for a user. This lets you store your authorized_keys files in LDAP, but avoids linking OpenSSH against OpenLDAP. (You could actually use any data store for your back end, but LDAP is both the most popular and what I have.)

Your AuthorizedKeysCommands script should take one argument, and return a series of authorized keys, one per line. CentOS has a script, which I previously mentioned, and one of my readers was kind enough to put together an OpenBSD port for it.

But there’s some problems with the CentOS approach, from a cross-platform perspective. While it’s fine on CentOS, porting and installing it on other platforms is more difficult than it needs to be. I’d really like something that has very few dependencies, is easy to install, and is easily portable across platforms.

When setting up a couple of Ubuntu boxes I came across an Ubuntu AuthorizedKeysCommand script. His approach is much simpler than the CentOS approach, but his script didn’t work for me out of the box, and it wouldn’t work on other operating systems without modification. But it inspired me to write my own script, one that works across all of my operating systems, using only the tools I already have on all of my servers. My results follow. But before I offer my script, I feel obliged to warn you.

The bad news is, I am not a programmer. I have been told by multiple independent parties that my code makes the Baby Jesus cry.

The really bad with this is that you need an ldapsearch command that returns your public keys, and this command is hard-coded with this script. The ideal script would read the system ldap config, but you’d probably have to hard-code a path to ldap.conf anyway.

The appalling news is, I wrote it in Perl. Why? Well, the evidence indicates that I am insane. But every server in my environment runs Perl, and it’s been ten years since I used enough sed/awk to make this work. A proper authentication credentials script would not use Perl.

I’m not suggesting that you take my code. I’m hoping to motivate one of my programmer readers, whose code only makes the Baby Jesus grimace a little, to do better. I mean, I’ve set a pretty low bar here.


#!/usr/bin/perl
#takes one argument, the username to get the keys for
die unless $ARGV[0];

open (LDAP, "/usr/bin/ldapsearch -L -xZb\"dc=michaelwlucas,dc=com\" '(&(objectClass=posixAccount)(uid=$ARGV[0]))' sshPublicKey |") || die "ldapsearch failed $!\n";

while (<LDAP>) {
next if /^#|^version|^dn\:|^\s*$/;
s/\n//;
s/\://g;
s/sshPublicKey/\n/;

s/^ //;
print;
}
print "\n";

One catch with this is that you’re processing the raw output of ldapsearch. An acceptable ldapsearch will return keys that look something like this:


...
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAw9zmtbk8bT+7OVpVvzuYYQqRhF8j
...blah, blah, blah...
ilXzBw== rsa-key-20110114

Initially, my LDAP searches returned some keys that looked like this:
...
sshPublicKey:: c3NoLWRzcyANCkFBQUFCM056YUMxa2MzTUFBQUNCQVBhZmNhemdmUHI1T29DdFp
...blah, blah, blah...
y5sb2NhbA==

This key doesn’t start with ssh-rsa or ssh-dss, and it doesn’t even look like a SSH key. But if you look at the key in a graphical tool like phpLDAPAdmin, it has the leading ssh-rsa. In my case, the key had an extra carriage return at the end of the key, which meant that ldapsearch had to base64 encode it. Get rid of extra whitespace. The LPK patch doesn’t notice that space, but a simple external script does.

Of course, if someone wanted to write an AuthorizedKeysCommand that was portable, handled that encoding, and didn’t suck as bad as mine, it wouldn’t hurt my feelings at all. Really.

Book status, 9 Feb 2013, and the Missing Contest Winner

Fast and furious progress these days:

Absolute OpenBSD: Peter has finished the tech edit on the entire manuscript. Chapters 1-18 are copyedited and returned to NSP. Chapters 1-17 are laid out and look somewhat like an actual book. (Seeing a book in laid out forces me to view it with new eyes. It makes me want to tear up the whole thing and start over. I know I can write better than that. But I think that both the publisher and you lot would lynch me if I delayed the book until 2016 for a proper rewrite.) I’m sending prepub PDFs out to various OpenBSD celebrities in the hope of getting blurbs for the front of the book. Best quote so far, from someone who will remain anonymous: ” It’s unfortunate that the strength of BSD man pages undercut his sales so much.”

DNSSec Mastery: I’ve made the second version available on LeanPub. It now contains everything you need to deploy DNSSec, provided nothing goes wrong and you don’t have to rotate keys. Plus, the introduction now gives you a reason to read the book, which is a bonus. (That last sentence originally read “The introduction no longer blows chunks.” And people say I can’t be tactful.)

To Ludovic ‘Ludy’ Simpson: You won the haiku contest. But you didn’t leave me contact info. Please get me your shipping address. Thank you.

“DNSSec Mastery” in-progress version available

By popular demand (mainly on Twitter) I’ve made the work-in-progress version of DNSSec Mastery available on LeanPub.

This is an experiment. If it works well, I’ll do it again. If not… I won’t.

Why would you be interested?

    It’s cheap. I intend to sell the finished ebook for $9.99. The work-in-progress version is $7.99. I will continue to update the manuscript on LeanPub until it’s finished.
    Once the manuscript is complete, I’ll raise the LeanPub price to $9.99 to match other vendors.
    If you want to provide feedback on an incomplete book, this is your chance.

Why would I do this?

    I can usually get subject matter experts to review a book. I have a real problem with getting non-experts to review a book before publication, however. Non-expert feedback is important — those are the people most likely to catch when I explain something poorly, as opposed to the experts who already understand what I’m writing about. I can only handle so much feedback, so I wind up picking a select group of volunteers based on their apparent enthusiasm for the book. Measuring by the results, either I am a poor judge of enthusiasm or enthusiasm is the wrong measurement. This method might work better.
    I get paid earlier. That’s always nice.
    I want feedback from people trying to use it.

    Do I care what you do? No.

    In the long run, sales made via Amazon, B&N, Smashwords, or other ebookstores are better for my career. I’m expecting that only my most hardcore fans will buy the book early. If you’re a hardcore fan, but want to wait for the release of an actual book to buy it, I don’t blame you. I wouldn’t buy an incomplete book.

    But it’s here if you want it.

Any interest in early drafts?

I have the DNSSec book about a third done, which isn’t bad for spending a week in the hospital this month, and am looking at various publication options. Once the book is finished it’ll be available in print, on Amazon, Barnes & Noble, Kobo, and hopefully iTunes. But I have an option for before the book is complete. LeanPub allows authors to upload works in progress, and update them as the work proceeds.

I’m pondering something like this:

  • Offer the incomplete book on LeanPub at, say, a 20% discount. Those of you who want to see it can, and those of you who want to send feedback can.
  • Update the book on LeanPub as I write.
  • When the book is finished, upload the final manuscript to all ebook platforms. Raise the LeanPub price to match. If you bought it earlier, you still get access, of course.
  • If you follow my blog, you’re probably a fan. I have no problem giving a discount to people interested enough in my work to follow my blog. And I might even get useful feedback.

    One of my goals is to reduce the amount of non-paying non-writing work I do. (Basically, I want to reduce my monthly recurring expenses, especially time expenses.) Updating a book as I write it isn’t a huge amount of work, but if nobody’s interested, I don’t want to bother.

    So: would anyone be interested? Or should I keep writing in my bubble?

    Configuration Automation with RANCID

    One of the most tedious tasks any network admin faces is replicating changes across multiple devices. I recently stood up new RADIUS servers, and needed to tell all of my routers and switches about it. Rather than logging into each router by hand and pasting in the new configuration, I decided to try RANCID‘s ability to run arbitrary commands on your routers.

    Using this method requires that the commands you run don’t generate interactive output. A reload command won’t work, because it prompts you for confirmation. But adding configurations to a Cisco router doesn’t.

    I assume you have a working RANCID install.

    Start by creating a text file containing your commands. RANCID expects to log on and log off of the router. All you need to provide is what happens between those two points.

    conf t
    radius-server host 192.0.2.2 auth-port 1812 acct-port 1813 key BuyBooksFromLucas
    radius-server host 192.0.2.14 auth-port 1812 acct-port 1813 key BuyBooksFromLucas
    exit
    wr

    Now use the device-specific login command, specify the file containing your commands with -x, and list every router you want to run the commands on.

    # clogin -x newradius.conf router-1 router-2 router-3

    RANCID logs into each device and add the new configuration. You can watch the process in action, and catch any problems.

    I found that the Mikrotik login script had problems when the script changed the prompt. I’ve reported this to the RANCID mailing list, and expect it will be patched shortly. But fortunately, that’s pretty easy to work around in a Mikrotik, by giving the entire command in one line, as shown below.

    /radius add accounting-backup=no accounting-port=1813 address=192.0.2.2 authentication-port=1812 called-id="" disabled=no domain="" realm="" secret=BuyBooksFromLucas service=login timeout=300ms
    /radius add accounting-backup=no accounting-port=1813 address=192.0.2.14 authentication-port=1812 called-id="" disabled=no domain="" realm="" secret=BuyBooksFromLucas service=login timeout=300ms

    Having RANCID run commands for you is much more accurate and less tedious than doing it yourself. And this way, if you make a mistake in your commands, at least it’ll be consistent across all your devices.

    Absolute OpenBSD 2/e Haiku Contest Winners & status

    I offered a haiku contest for the new Absolute OpenBSD. Winners got their haiku in the book, credited to them, plus an ebook copy of the book, plus a physical copy if I get enough physical copies and few enough winners.

    More people entered than I expected, a pleasant surprise. I appreciate everyone’s efforts.

    The winners are:

    Chapter 1:
    Josh Grosse: “Mailing lists are rough / Homework is mandatory / Love it or leave it”

    Chapter 3:
    Josh again, with “Straightforward questions. / Will you take the default prompts? / Think before you choose”

    Chapter 7:
    Ludovic Simpson, with “the root of all evil/ is never far from your touch / sudo saves your life”

    Chapter 12:
    Justin Sherrill, with: “My tunnel is now up/ I can do IPv6 / Me and three others” (needed slight edit for syllable count)

    Chapter 16:
    Josh Grosse again, with “Working behind scenes / taking care of vital things / the daemon is here”

    So, that’s three winners. I can swing three paper books.

    I had a lot of competition for certain chapters, others less so. Sending a network chapter haiku meant you went up against everyone, where submitting a haiku on the system maintenance chapter means you only went up against me.

    How did Josh get so many? Two ways. One, he submitted a haiku for every chapter. Two, I believe he was already familiar with haiku, and has read some of the classics. (Twitter doesn’t let me search old tweets easily, so I can’t be certain of that, but I’m pretty sure he’s the one I’m thinking of.) Josh actually inspired me to hold the contest with his Chapter 1 haiku.

    So, now that the haiku are ready, where is the book?

    Chapters 0-22 have gone through content editing. Two chapters remain.
    Chapters 0-17 have gone through tech edit.
    Chapters 0-14 have gone through copy edit.
    Chapters 1-6 have come back to me from layout. I have initial galleys to correct. They look really really nice — NSP always does a fabulous job producing books.

    The layout folks haven’t gotten the haiku yet, but needed to have something in that space. When I opened the draft I found:

    Here, a placeholder
    For a haiku still to come
    Replace at pages.

    The No Starch folks get it.

    DNSSec and DLV on current BIND

    One of the problems with the Internet is that old stuff hangs around forever. Configuring DNSSec validation on BIND 9.8 and newer is a lot easier than many of the popular tutorials would lead you to suspect. It’s so simple that I wonder why it isn’t the default.

    options {
    ...
    dnssec-enable yes;
    dnssec-validation auto;
    dnssec-lookaside auto;
    };

    This automatically loads the root zone and dlv.isc.org trust anchors distributed with the BIND source code, verifies them, and uses them to validate all signed responses.

    One trick is that named needs to write journal files for these keys. If you used the directory option to set a directory writable by named, you’re all set. If, like me, you have a whole bunch of directories that you don’t want named to write to, and you don’t want named to write to /etc/namedb, you can set a directory for these named-managed keys.

    /var/log/messages will have errors like this:

    Jan 7 11:59:02 ns11 named[78246]: the working directory is not writable

    These errors are harmless. named cannot write /etc/namedb, but it will log an error when it tries to write a file. The errors you need to worry about look like this:

    Jan 5 13:07:05 ns11 named[68130]: dumping master file: tmp-XI0K5awL6p: open: permission denied

    These indicate that named is trying to record important data, and can’t. Giving named a directory where it can write these managed key files will solve this problem.

    options {
    ...
    managed-keys-directory "managed-keys";
    }

    Make that directory owned by the user running named. Restart (not reload) named, and you’re all set.

    One of the rules of public key encryption is that your private key must be private. Most of us have had private keys stolen at some time. (If you haven’t, either you’re not using public key crypto, or you didn’t notice.) What happens if someone steals the private key for a DNSSec trust anchor?

    There’s a protocol for automatically updating the trust anchor private keys, documented in RFC 5011. It’s not perfect — you’ll still want to keep half an eye out for announcements of a trust anchor compromise.

    On a related note, I’d be interested in hearing from anyone who knows how the root zone private key is protected, just so I can put a sentence or two in the DNSSec book.

    Conference Submissions & BSDCan 2013

    The BSDCan 2013 call for proposals is open. As a BSDCon committee member, it’s my responsibility to get you lot to submit interesting papers. So: submit!

    More than once, I’ve been asked something like “How can I get a paper accepted at BSDCan?” or “Why was my BSDCan paper rejected?” Here’s my answer to that general question. Lots of this applies to any conference, but as I’m not on the committees for those other conferences, I can’t claim any authority there. Other conferences have their own ideas, and other BSDCan committee members might have independent thoughts as well.

    The purpose of a BSDCan paper is not to advertise the presenter’s work, but to put butts in seats. Sometimes these overlap. I want someone looking at the BSDCan schedule to say “Wow, I HAVE to go to this!” But “be interesting” isn’t exactly useful advice. Some of this might be.

    1) Present an topic that hasn’t been covered before. The previous proceedings are all available online. Some topics come up every year. Don’t submit those unless you have a fresh new take on them.

    2) Tell us why YOU should be the one to present your topic. We frequently get multiple similar proposals, and have to choose between them based on who we think might do the best job. Don’t assume that everyone on the committee knows who you are. One of us probably knows that you run weaselBSD on twelve thousand workstations, but they probably won’t share than information with everyone else. (Paper selection is done via web form, which isn’t as conducive to back-and-forth discussion as in-person or mailing list discussions.) More than once I’ve had someone come up to me at a conference and say “Why did you have so-and-so report on X? I have forty times as much X as the speaker you chose!” My answer is, “You didn’t TELL US that you had so much.” I am not telepathic.

    3) We get many FreeBSD proposals. I want more Net/Open/Dfly proposals, as well as for projects and devices based on them. Non-F/N/O/D BSD papers have much smaller audiences, so a paper on them has to be very interesting. Again, butts in seats.

    4) Include “lessons learned.” Anybody can read a man page. If you were involved in recovering from the recent FreeBSD security incident, you should submit a paper about it. If you deployed OpenBSD in a nuclear submarine and learned about the importance of the little radiation-detection badge, you should submit a paper. “Lessons learned” implies that you made mistakes, and can upgrade your talk from the merely technical to a bit of a story. Don’t be afraid to embarrass yourself, we’ve all been there. Sharing mistakes helps connect your presentation to the audience.

    5) Tell us what the audience will get out of the talk — e.g., if it’s a sysadmin talk: “Attendees will be able to configure weaselBSD’s anti-ferret features and understand how they integrate with email and Web.”

    6) Spelling and grammar are not pimple cream, to be dabbed on where needed. If you’re going to indulge in floccinaucinihilipilification, you’d better be able to spell it.

    7) Speaking of floccinaucinihilipilification, you’re better off saying why your stuff is awesome as opposed to running down someone else’s work. I know many reasons why computers suck. Learning something to make my job suck less is good.

    That’s what I look for, at least. Others have their own opinions. And if you think a little bit, you can make your proposal answer all of these. Unless you’re running weaselBSD, that is…

    Now: submit!