On Sun, 2023-12-10 at 22:45 +0200, Sami Hulkko wrote:
> On 10/12/2023 22.32, Andrew Bartlett wrote:
> > On Sun, 2023-12-10 at 17:23 +0200, Sami Hulkko via samba wrote:
> > > Hi,
> > >
> > > Is there any way of signing the zones with a zone-signing key? How would
> > > one add a zone-signing key and key-signing key to the DLZ database?
> > > The Windows 11 Pro RSAT tool for the nameserver does not accept key
> > > addition and states unauthorized.
> >
> > This is an interesting question. The only way this would work is if
> > it was being transparently and dynamically added by the BIND9 side of
> > things.
>
> To my best knowledge, in BIND DLZ there is the possibility to use DNSSEC,
> and I am absolutely certain that standard BIND supports it.
>
> The inclusion of ..../samba/bind-dns/named.conf has pre-marking of:
>
> dlz "[domain name]" {
>
> # that after the inclusion of db is done
>
> database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_18.so";
>
> }
>
> Both the DLZ plugin and the database where DNS information is stored
> are Samba products.
>
> 1. DNSSEC key saving could be supported with the [samba-tool dns add....]
> command and excluded from the RSAT tool until its reverse engineering
> is done.
>
> 2. One could have a plugin for DNSSEC, like the dlz_bind9_18.so that is
> included.
>
> 3. On BIND, an insertion like in a standard zone into the above config
> could be done.
>
> SH
>
> > Samba doesn't know how to generate the signing records and has
> > unfortunate fixed limitations in the records it knows how to store.
>
> Fixed code?
Yes, the mapping of record types to database formatted records is via a
fixed set of known mappings.
Anyway, this isn't possible with unmodified code as far as I understand
the requirements, but you are welcome to attempt to develop such an
extension.
It would not be a small task, but it certainly would be a valuable one.
Finding out about any DNSSEC support in the Windows DNS server would be
a first thing to start with.
Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead https://catalyst.net.nz/services/samba
Catalyst.Net Ltd
Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company
Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions