Friday, November 30, 2018

Trouble with DNSSEC, Windows Server 2016

I'm trying to teach myself to properly implement DNSSEC across a local AD domain, and I keep getting broken trust chain errors. I'd like to fix the trust chain if possible.

I have activated DNSSEC at my registrar, and it checks out as secure.

https://dnssec-analyzer.verisignlabs.com/sglrit.com

I then followed this tutorial to activate DNSSEC on my local AD domain.

https://newhelptech.wordpress.com/2017/07/02/step-by-step-implementing-dns-security-in-windows-server-2016/

I then used PowerShell to export DS records from my local nameserver and entered the records at my public nameserver.

Export-DnsServerDnsSecPublicKey -DigestType Sha256 -ZoneName hq.sglrit.com -Path C:\Tech -force

Then I ran the following commands in CMD to test that everything was working. Output below.

C:\Windows\system32>dnscmd /clearcache && ipconfig /flushdns
. completed successfully.
Command completed successfully.

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

C:\Windows\system32>dig @10.42.60.7 blackbox.hq.sglrit.com. A +dnssec

; <<>> DiG 9.12.3 <<>> @10.42.60.7 blackbox.hq.sglrit.com. A +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43034
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4000
; COOKIE: 0c8d703a5ad0a80e (echoed)
;; QUESTION SECTION:
;blackbox.hq.sglrit.com.    IN    A

;; ANSWER SECTION:
blackbox.hq.sglrit.com.    3600    IN    A    10.42.60.10
blackbox.hq.sglrit.com.    3600    IN    RRSIG    A 8 4 3600 20181210105226 20181130095226 7390 hq.sglrit.com. rRmORxdnVNhuSosWZ+k9RI7Kc2PqvSAIq9YH27N3Fv3+t5MJZpSQO8zC DTVlVKOtHcU96WdVFJY0V0/zDE00Yv8VjqLJa7i82HxvwofpUCEilet0 xc5xPIle385lC72LXYTFyR7wT7vN+zGERr8Rtl73WbEIQ9CfaQE7HetM KlSY5MKZld+5C/qmoq+uCvS9szusuQ9zmCXIgvDZIOE6GRXDPhitcARG T/ZKHzwPuFAsegjdz5EsjWkMsx2TZzpSHWKKt9mYPvWoGMCUSgr1eV4m GYH5AZohk28yoJGG1vhWTLF2+SA1OhcbAcLGO3X++4U3JWdow0thz/7k RscZdw==

;; Query time: 0 msec
;; SERVER: 10.42.60.7#53(10.42.60.7)
;; WHEN: Fri Nov 30 06:46:35 Eastern Standard Time 2018
;; MSG SIZE  rcvd: 380

C:\Windows\system32>delv @10.42.60.7 blackbox.hq.sglrit.com. A +rtrace
;; fetch: blackbox.hq.sglrit.com/A
;; fetch: hq.sglrit.com/DNSKEY
;; fetch: hq.sglrit.com/DS
;; chase DS servers resolving 'hq.sglrit.com/DS/IN': 10.42.60.7#53
;; fetch: sglrit.com/NS
;; fetch: sglrit.com/DNSKEY
;; fetch: sglrit.com/DS
;; fetch: com/DNSKEY
;; fetch: com/DS
;; no valid RRSIG resolving 'com/DS/IN': 10.42.60.7#53
;; validating com/DNSKEY: bad cache hit (com/DS)
;; broken trust chain resolving 'com/DNSKEY/IN': 10.42.60.7#53
;; broken trust chain resolving 'sglrit.com/DS/IN': 10.42.60.7#53
;; broken trust chain resolving 'sglrit.com/DNSKEY/IN': 10.42.60.7#53
;; broken trust chain resolving 'sglrit.com/NS/IN': 10.42.60.7#53
;; fetch: com/NS
;; validating com/DNSKEY: bad cache hit (com/DS)
;; broken trust chain resolving 'com/NS/IN': 10.42.60.7#53
;; fetch: ./NS
;; fetch: ./DNSKEY
;; validating hq.sglrit.com/DNSKEY: bad cache hit (com/DS)
;; broken trust chain resolving 'hq.sglrit.com/DNSKEY/IN': 10.42.60.7#53
;; broken trust chain resolving 'blackbox.hq.sglrit.com/A/IN': 10.42.60.7#53
;; resolution failed: broken trust chain

C:\Windows\system32>

The dig command shows an RRSIG, so I see that the server is signing something, but the delv command shows a break in the trust chain that I have no idea how to resolve.
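An added helper, not part of this post, that reads the two outputs above the way a validator does: it pulls the root-cause line out of the delv trace (the "broken trust chain" lines only propagate the first failure, which here is "no valid RRSIG" for com/DS from 10.42.60.7) and applies the pre-cryptographic checks to the RRSIG that dig returned. The sample trace lines are copied from the output above; the function names are my own.

```python
import re
from datetime import datetime

# Constructed sample: the validation-relevant lines of the delv +rtrace output
# quoted in the post (some intermediate fetch lines omitted).
DELV_TRACE = """\
;; fetch: blackbox.hq.sglrit.com/A
;; fetch: hq.sglrit.com/DS
;; chase DS servers resolving 'hq.sglrit.com/DS/IN': 10.42.60.7#53
;; fetch: com/DS
;; no valid RRSIG resolving 'com/DS/IN': 10.42.60.7#53
;; validating com/DNSKEY: bad cache hit (com/DS)
;; broken trust chain resolving 'com/DNSKEY/IN': 10.42.60.7#53
;; broken trust chain resolving 'sglrit.com/DS/IN': 10.42.60.7#53
;; broken trust chain resolving 'hq.sglrit.com/DNSKEY/IN': 10.42.60.7#53
;; broken trust chain resolving 'blackbox.hq.sglrit.com/A/IN': 10.42.60.7#53
;; resolution failed: broken trust chain
"""

RESOLVING = re.compile(
    r"^;; (?P<msg>.+?) resolving '(?P<name>[^/]+)/(?P<rtype>[^/]+)/IN': (?P<server>\S+)$")
# Not failed links: 'chase DS servers' is delv walking up to the parent zone,
# 'broken trust chain' is the consequence of a failure lower in the chain.
NOT_ROOT = {"chase DS servers", "broken trust chain"}

def root_cause(trace):
    """(message, name, type, server) of the first link delv could not validate;
    every name above it then fails only because of this one."""
    for m in map(RESOLVING.match, trace.splitlines()):
        if m and m.group("msg") not in NOT_ROOT:
            return m.group("msg"), m.group("name"), m.group("rtype"), m.group("server")
    return None

# RRSIG RDATA as dig prints it: covered alg labels ttl expiration inception keytag signer sig
RRSIG_RDATA = re.compile(r"^(\S+) (\d+) (?P<labels>\d+) (\d+) (?P<exp>\d{14}) (?P<inc>\d{14}) "
                         r"(?P<keytag>\d+) (?P<signer>\S+)")

def rrsig_check(owner, rdata, now_utc):
    """Pre-crypto checks a validator applies to an RRSIG: is now_utc (YYYYMMDDHHMMSS)
    inside inception..expiration, is the signer the owner's zone or an ancestor, and
    does the labels field match the owner (smaller means a wildcard expansion)."""
    m = RRSIG_RDATA.match(rdata)
    t = lambda s: datetime.strptime(s, "%Y%m%d%H%M%S")
    owner, signer = owner.rstrip("."), m.group("signer").rstrip(".")
    return {
        "in_window": t(m.group("inc")) <= t(now_utc) <= t(m.group("exp")),
        "signer_is_ancestor": owner == signer or owner.endswith("." + signer),
        "wildcard_expanded": int(m.group("labels")) < len(owner.split(".")),
        "key_tag": int(m.group("keytag")),
    }
```

RRSIG timestamps are UTC, so the 06:46:35 EST query time above is 20181130114635 and falls inside the inception..expiration window dig shows; the break delv reports is one level up, at the com/DS answer it received from 10.42.60.7.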

Is this as good as it gets? Or is there something I can do to get proper validation from the local AD domain up to the root?
