Agenda: dnssec-manual-ksk-rollover.txt

File dnssec-manual-ksk-rollover.txt, 3.0 KB (added by admin, 7 years ago)
Line 
1Manual Key Rollover Exercise
2
3OBJECTIVE
4
5We are going to roll the KSK for the zones we have just signed.
6
7REMINDERS
8
9 - we are keeping our keys in /etc/namedb/keys/
10
11 - we currently have two or more keys in that directory, one KSK and one or
12   more ZSKs.
13   Each key is represented by two files, one ending in ".key" (the
14   public key) and one ending in ".private" (the private key)
15
16 - there is a DS RRSet in the "root" zone corresponding to our KSK
17
18
19KSK ROLLOVER
20
21The process is rather similar to the ZSK rollover:
22
231. Go to the zone + key dir:
24
25    # cd /etc/namedb/master/
26    # ls K*
27
282. Just like in step 2 of the ZSK rollover, generate a new KSK
29   You will need to use the "-f KSK" parameter to dnssec-keygen:
30
31    # dnssec-keygen -f KSK mytld
32
33   (Note we don't explicitly set the bitsize - dnssec-keygen defaults
34    to 1024 for ZSKs and 2048 bits for KSKs). Changing the size of the
35    keys is not a problem.
36
373. Calculate a DS RRSet for the new KSK.
38
39  # cd /etc/namedb/master/
40  # dnssec-dsfromkey <filename> >dsset-mytld-54511.
41
42  (here 54511 is just the ID of the new KSK so we know which DS is
43  which).
44
454. Upload the dsset for your zone, using the web interface or using
46   SCP as shown by the root instructor
47
48   Tell an instructor that you have submitted a new DS RRSet, and that
49   you would like it to be added to the "root" zone. If you used the
50   web interface, this should have happened automatically.
51
525. Double check that the new DS is published in the parent (root) zone
53    alongside the existing one:
54
55   # dig DS mytld
56   ...
57   ;; ANSWER SECTION:
58   mytld    900 IN  DS 12345 5 2 31F1...
59   mytld    900 IN  DS 54511 5 2 983F...  // <-- the new KSK
60   ...
61
62   Since both DS are now present in the cache, we can roll our KSK.
63
646. We wait for the 2 x TTLs to pass (or flush your cache - but remember
65   others on the internet will still have your key!).
66   
67   Then we add the new KSK to the zone (edit the file), and we comment
68   out (remove) the old KSK:
69
70   From this:
71
72$include "/etc/namedb/master/Kmytld.+005+46516.key"; // KSK old
73
74   To this:
75
76;$include "/etc/namedb/master/Kmytld.+005+46516.key"; // KSK old
77$include "/etc/namedb/master/Kmytld.+005+54511.key"; // KSK new
78
79    ... notice how we simply get rid of the old KSK - we don't need
80    it - both DS records are there, so it's enough to have only one
81    KSK, since we already "know" about its DS "on the internet".
82
837. Let's sign the zone with the new KSK
84
85  # dnssec-signzone -N increment -o mytld -k Kmytld.+005+54511 mytld Kmytld.+005+45000
86
87  # rndc reload mytld
88
898. Check with dig - both before and after the TTL expire (or cache flush)
90
91  # dig dnskey mytld
92  # dig dnskey mytld +dnssec
93 
949. Tell an instructor that you would like the original DS resource
95   records to be removed from the "root" zone (or remove it yourself
96   using the web interface)
97
9810. Sit back and reflect on what an involved and annoying process
99this was, and how much better things would be if all your key
100rollovers were managed automatically.
101