A few weeks ago the weather on Ibiza was 22 C and partly cloudy; you may recall that I used it to show you how to do dynamic DNS updates. If I query the weather now, look what I get:

    dig +dnssec +multiline -p 5053 ibiza.temp.aa txt
    ibiza.temp.aa. 120 IN TXT "Fair 24 C"
    ibiza.temp.aa. 120 IN RRSIG TXT 7 3 120 20101211152628 (
                     20101113152628 16487 temp.aa. 
                     ljbS+LH8eVyv+pZbmPcpwG6bwDcpD76OzIQlX/0= )

The weather has changed, of course. :-) But the important bit is that the record is signed! The DNSSEC-signed resource record set is courtesy of Phreebird, a tool just released by Dan Kaminsky. It sits as a kind of proxy between a client and your non-DNSSEC-capable DNS server (e.g. PowerDNS) and signs RRsets on the fly before returning them to the client. What I did, without touching the temp.aa zone whatsoever, was to put Phreebird in front of it (I changed its port numbers, hence the -p 5053 in the queries) and query that instead. To get started, build and install the prerequisites (from the deps/ directory). Then create a key, or have Phreebird create one for you with -g:

    ldns-keygen -a RSASHA1 temp.aa

Launch Phreebird with that private key:

    bin/phreebird -k Ktemp.aa.+005+14607.private

Send it a query for any domain name served by your local DNS server. I repeat: any domain name, as the ibiza.temp.aa query above shows. Whether you supplied your own key or let Phreebird generate one into the file dns.key, you need the DS record to publish at your parent zone, because that is what completes the chain of trust; until the parent publishes it, a validator treats temp.aa as insecure rather than as signed. Phreebird serves the DS as well:

    dig -p 5053 temp.aa ds
    temp.aa. 3600  IN  DS  14607 5 1 9DE5D716CFDFC6FBF09AC3DEEABCCC1A710F8C9B
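Before publishing that DS at the parent it is worth checking that it really is the DS of the key you launched Phreebird with. The following is an added example, my own code rather than Phreebird's or ldns's: it computes the key tag and DS digest of a DNSKEY as specified in RFC 4034 and compares them with a DS line in the form dig prints. The DNSKEY material in it is a constructed four-byte stand-in, not a real RSA key, so the key tag can be checked by hand; the temp.aa DS line above is parsed as it appears, but its digest cannot be recomputed here because the post does not show the public key.

```python
"""Compute the DS record of a DNSKEY and check a published DS against it (RFC 4034).

Added example, not code from Phreebird, ldns or the original post. The sample
DNSKEY below is constructed (four bytes of "public key") so the numbers can be
checked by hand; it is not a usable RSA key.
"""
import base64
import hashlib
import struct


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercased, length-prefixed labels, root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA in wire form: 16-bit flags, protocol (always 3), algorithm, raw key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B.1: 16-bit word sum over the RDATA, carry folded in."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 1) -> str:
    """DS digest = hash(canonical owner name || DNSKEY RDATA). 1 = SHA-1, 2 = SHA-256."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return algo(wire_name(owner) + rdata).hexdigest().upper()


def ds_line(owner: str, flags: int, protocol: int, algorithm: int,
            pubkey_b64: str, digest_type: int = 1) -> str:
    """Presentation-format DS record for the given DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return (f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} "
            f"{ds_digest(owner, rdata, digest_type)}")


def parse_ds(line: str) -> dict:
    """Parse a DS line as dig prints it; the hex digest may be split over several fields."""
    fields = line.split()
    i = fields.index("DS")
    return {
        "owner": fields[0],
        "key_tag": int(fields[i + 1]),
        "algorithm": int(fields[i + 2]),
        "digest_type": int(fields[i + 3]),
        "digest": "".join(fields[i + 4:]).upper(),
    }


def ds_matches(owner: str, flags: int, protocol: int, algorithm: int,
               pubkey_b64: str, line: str) -> bool:
    """True only if owner, key tag, algorithm and digest of the DS line all match the DNSKEY."""
    ds = parse_ds(line)
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return (wire_name(ds["owner"]) == wire_name(owner)
            and ds["key_tag"] == key_tag(rdata)
            and ds["algorithm"] == algorithm
            and ds["digest"] == ds_digest(owner, rdata, ds["digest_type"]))


# Constructed sample: KSK flags (257), protocol 3, RSASHA1 (5), "key" bytes 01 02 03 04.
SAMPLE_OWNER = "temp.aa."
SAMPLE_KEY = (257, 3, 5, "AQIDBA==")

# The DS line Phreebird returned for temp.aa in the post (key tag 14607, RSASHA1, SHA-1).
PUBLISHED_DS = "temp.aa. 3600  IN  DS  14607 5 1 9DE5D716CFDFC6FBF09AC3DEEABCCC1A710F8C9B"

if __name__ == "__main__":
    print(ds_line(SAMPLE_OWNER, *SAMPLE_KEY))
    print(parse_ds(PUBLISHED_DS))
```

With a real key you would feed the flags, algorithm and base64 key from the DNSKEY answer (dig -p 5053 temp.aa dnskey) into ds_matches together with the DS line; the key tag 14607 in the DS above should also match the number in the Ktemp.aa.+005+14607 file name. ldns ships ldns-key2ds, which derives the DS from the .key file, if you would rather not compute it yourself.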

Time over DNS

Phreebird also serves the current time as a TXT record. A validator may only use an RRSIG while the current time lies between its inception and expiration timestamps (the two dates in the RRSIG above), so a host with no reliable clock needs a time source before it can validate anything:

    dig -p 5053 _dns._time txt
    _dns._time.             1       IN      TXT     "v=dtm1 t=20101114144106"
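The time answer is only useful together with the RRSIG validity window, so here is the check a validator performs with it, as an added example (my own code, not Phreebird's or the post's). It parses the RRSIG on ibiza.temp.aa and the _dns._time answer quoted above and tests whether the served time falls inside the inception/expiration window; the "v=dtm1 t=..." layout is inferred from that single answer, and the signature bytes themselves are not verified (the post shows them truncated).

```python
"""Check an RRSIG validity window against the time Phreebird serves in _dns._time.

Added example, not code from Phreebird or the original post. RRSIG_TEXT and
DNS_TIME_TXT are the two answers quoted in the post; the RRSIG signature
field is truncated there and is carried along untouched (it is not checked).
The "v=dtm1 t=YYYYMMDDHHMMSS" layout is inferred from that single answer.
"""
from datetime import datetime, timezone

RRSIG_TEXT = """ibiza.temp.aa. 120 IN RRSIG TXT 7 3 120 20101211152628 (
                 20101113152628 16487 temp.aa.
                 ljbS+LH8eVyv+pZbmPcpwG6bwDcpD76OzIQlX/0= )"""
DNS_TIME_TXT = '"v=dtm1 t=20101114144106"'


def ts(s: str) -> datetime:
    """RFC 4034 signature timestamp (YYYYMMDDHHmmSS, always UTC)."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(text: str) -> dict:
    """Parse dig's (optionally +multiline) RRSIG presentation into its RFC 4034 fields."""
    f = text.replace("(", " ").replace(")", " ").split()
    i = f.index("RRSIG")
    return {
        "owner": f[0],
        "type_covered": f[i + 1],
        "algorithm": int(f[i + 2]),
        "labels": int(f[i + 3]),
        "original_ttl": int(f[i + 4]),
        "expiration": ts(f[i + 5]),
        "inception": ts(f[i + 6]),
        "key_tag": int(f[i + 7]),
        "signer": f[i + 8],
        "signature": "".join(f[i + 9:]),
    }


def parse_dns_time(txt: str):
    """Parse the _dns._time TXT payload; None unless it is the v=dtm1 format seen above."""
    kv = dict(part.split("=", 1) for part in txt.strip('"').split() if "=" in part)
    if kv.get("v") != "dtm1" or "t" not in kv:
        return None
    return ts(kv["t"])


def rrsig_valid_at(rrsig: dict, now: datetime) -> bool:
    """RFC 4035 5.3.1: a signature is usable only while inception <= now <= expiration."""
    return rrsig["inception"] <= now <= rrsig["expiration"]


def wildcard_expanded(rrsig: dict) -> bool:
    """Labels field smaller than the owner's label count means a wildcard synthesized the RRset."""
    owner_labels = len([l for l in rrsig["owner"].rstrip(".").split(".") if l])
    return rrsig["labels"] < owner_labels


def signer_covers_owner(rrsig: dict) -> bool:
    """The signer must be the owner itself or one of its ancestors (here temp.aa. for ibiza.temp.aa.)."""
    owner, signer = rrsig["owner"].lower(), rrsig["signer"].lower()
    return owner == signer or owner.endswith("." + signer)


if __name__ == "__main__":
    sig = parse_rrsig(RRSIG_TEXT)
    now = parse_dns_time(DNS_TIME_TXT)
    print("window", sig["inception"], "..", sig["expiration"], "now", now)
    print("valid:", rrsig_valid_at(sig, now), "wildcard:", wildcard_expanded(sig),
          "signer ok:", signer_covers_owner(sig))
```

Note that the window check is necessary but not sufficient: a validator still has to fetch the DNSKEY with key tag 16487 from temp.aa, verify the signature bytes with it, and chain that key to the DS at the parent.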

This is wow! Phreebird supports

  • automatic key generation (but I can provide my own key)
  • zero configuration, apart from an initial key (which it can generate itself)
  • real-time signing with caching of signed answers

Read more on what goes on behind the scenes in Dan’s slides. The utility is not ready for production yet, but it may soon be. If and when it is ready, I expect this to revolutionize and greatly speed up DNSSEC deployment.

DNS, CLI, and dnssec :: 13 Nov 2010 :: e-mail