Agenda: dnssec-manual-zsk-rollover.txt

File dnssec-manual-zsk-rollover.txt, 5.3 KB (added by admin, 7 years ago)
Manual Key Rollover Exercise

OBJECTIVE

We are going to roll the ZSK and the KSK for the zones we have just signed.

PLEASE make note of the KSK/ZSK IDs and write them down on a piece of paper
as you work, so you remember which is which.

REMINDERS

 - we are keeping our keys in /etc/namedb/master/

 - we currently have two keys in that directory, one ZSK and one KSK.
   Each key is represented by two files, one ending in ".key" (the
   public key) and one ending in ".private" (the private key)

 - there is a DS RRSet in the "root" zone corresponding to our KSK

ZSK ROLLOVER

1. Take a look at what keys we have already generated. Make a note
of the names of the files containing the current ZSK and KSK.

  # cd /etc/namedb/master/
  # ls K*

2. Generate a new ZSK, which we will use to replace the old one.

  # dnssec-keygen mytld    <---- replace mytld with the name of your zone

Make sure all the keyfiles are readable by the named process:

  # chgrp bind K*
  # chmod g+rw K*
  # ls

You should now have a third key pair in the directory. If you check the
DNSKEY RDATA, you should see the flags field is 256 (i.e. this is a ZSK,
not a KSK). Make a note of the name of the file containing the new ZSK.

3. Take a look at your current DNSKEY RRSet.

  # dig mytld dnskey

Your zone should contain one KSK and one ZSK (check the flags to
distinguish between them).

We need to add the new key to the zone, so it gets included in the next
signing. At the end of the file "mytld", ADD the new key:

        $include "/etc/namedb/master/Kmytld.+005+45000.key";

Save the file and exit.

4. Re-sign your zone so that the new ZSK gets signed, but we will NOT sign using
   the new ZSK - we only want the new ZSK to be signed by the current ZSK.
   This is called a "pre-publish".

  # dnssec-signzone -N increment -o mytld -k Kmytld.+005+46516 mytld Kmytld.+005+36390

  Notice in the above example that we are only using the current ZSK
  to sign, not the new one - this is to make sure that dnssec-signzone
  doesn't try to sign with both ZSKs. It wouldn't be "bad", but it would
  mean twice as many signatures in the zone!

  So we tell dnssec-signzone exactly which keys to use when doing a
  rollover, PRECISELY because you want to control the timing of when
  a key is introduced, used to sign, and finally retired.

  So for the sake of the lab, we will name explicitly, on the command line,
  every key we want to sign with.

  The output of the above command should be:

Zone signing complete:
Algorithm: RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
                    ZSKs: 1 active, 1 stand-by, 0 revoked
mytld.signed

  Notice the "ZSKs: 1 active, 1 stand-by".

5. See what difference this has made to the zone.

  # rndc reload mytld
  # dig mytld dnskey
  # dig mytld dnskey +dnssec
  # dig mytld soa +dnssec

Your zone should now contain one KSK and two ZSKs; both ZSKs should be
present in the DNSKEY RRSet, which should be signed by the KSK.

BUT the SOA record (and other RRSets in the zone) should ONLY be signed once,
using the old ZSK, while the DNSKEY RRset should show all 3 keys (1 KSK, 2 ZSKs).
This is called "pre-signing".

At this time, we should in principle wait 2 x TTL for both ZSKs to
show up in everyone's cache (by default the TTL is 600 seconds, or 10 minutes,
in our lab, but this will be different "in real life"). We must wait this
long before we can allow ourselves to sign with the new ZSK instead of the
old ZSK.

Once we are certain that "all the internet" (everyone in the class)
can see both keys, we can sign with the new ZSK.

Check the cache using dig!

6. Sign with the new ZSK.

   Remember, we have 3 keys - in our zone file, we have:

                $include "/etc/namedb/master/Kmytld.+005+46516.key"; // KSK
                $include "/etc/namedb/master/Kmytld.+005+36390.key"; // ZSK we retire
                $include "/etc/namedb/master/Kmytld.+005+45000.key"; // new ZSK

   # cd /etc/namedb/master
   # dnssec-signzone -N increment -o mytld -k Kmytld.+005+46516 mytld Kmytld.+005+45000

   Notice how we now use 45000 (the second ZSK) to sign, not 36390 anymore.

Now, reload the zone to propagate the changes:

   # rndc reload mytld

Check with dig like in step 5 that you are seeing only ONE signature for your
RRsets - which means we are only signing using ONE ZSK. You still have to
wait for the TTL to expire before you can retire the old ZSK.


7. Now you should notice, using dig like in step 5, that we are only
   signing with one key:

   # dig www.mytld +dnssec

But also verify that the OLD ZSK is still published in the DNSKEY RRset:

   # dig mytld dnskey

You should still see three keys.

8. Retire the old ZSK.

After waiting at least 10 minutes (600 seconds), retire the old ZSK:

  # cd /etc/namedb/master/

  Edit the zone file and add a comment sign (';') in front of the old ZSK
  (double check which key!):

$include "/etc/namedb/master/Kmytld.+005+46516.key";    // KSK
;$include "/etc/namedb/master/Kmytld.+005+36390.key";   // ZSK (commented out)
$include "/etc/namedb/master/Kmytld.+005+45000.key";  // new ZSK

  Now re-sign the zone; notice that we explicitly DON'T specify
  the ZSK we just commented out:

  # dnssec-signzone -N increment -o mytld -k Kmytld.+005+46516 mytld Kmytld.+005+45000
  # rndc reload mytld
  # tail /etc/namedb/log/general

9. Like in step 5, check that signatures still work, and that
   the OLD ZSK is no longer in the DNSKEY RRset.

   Does your domain still work? :)
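As an added check (example code, not part of the lab handout): a small Python script that applies the dig inspections of steps 5, 7 and 9 to saved dig output instead of reading it by eye. It computes each published DNSKEY's key tag (the NNNNN in the Kmytld.+005+NNNNN file names) per RFC 4034 Appendix B, reads the key tags out of the RRSIGs, and reports which stage of the rollover the zone is in. The sample dig output and its tiny public keys are constructed for the example and are not real key material.

```python
import base64
from collections import defaultdict

# Constructed stand-in for "dig mytld dnskey +dnssec" plus "dig mytld soa +dnssec" after
# step 5: three DNSKEYs published, SOA still signed only by the old ZSK (fake keys/signatures).
SAMPLE = """\
mytld. 600 IN DNSKEY 257 3 5 AQAB
mytld. 600 IN DNSKEY 256 3 5 AQID
mytld. 600 IN DNSKEY 256 3 5 AQIE
mytld. 600 IN RRSIG DNSKEY 5 1 600 20250101000000 20241201000000 1542 mytld. c2ln
mytld. 600 IN RRSIG DNSKEY 5 1 600 20250101000000 20241201000000 2055 mytld. c2ln
mytld. 600 IN SOA ns.mytld. admin.mytld. 2024120101 3600 900 604800 600
mytld. 600 IN RRSIG SOA 5 1 600 20250101000000 20241201000000 2055 mytld. c2ln
"""

def key_tag(flags, protocol, algorithm, pubkey_b64):
    """RFC 4034 Appendix B key tag: the NNNNN part of a Kmytld.+005+NNNNN file name."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)
    ac = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_dig(text):
    """Return (KSK tags, ZSK tags, {type covered: set of signing key tags}) from dig output."""
    ksks, zsks, signers = [], [], defaultdict(set)
    for line in text.splitlines():
        f = line.split()
        if line.startswith(";") or len(f) < 5 or f[2] != "IN":
            continue
        if f[3] == "DNSKEY":
            tag = key_tag(int(f[4]), int(f[5]), int(f[6]), "".join(f[7:]))
            (ksks if int(f[4]) & 1 else zsks).append(tag)  # SEP bit set -> flags 257 -> KSK
        elif f[3] == "RRSIG":
            signers[f[4]].add(int(f[10]))  # f[4] = type covered, f[10] = key tag
    return ksks, zsks, signers

def rollover_state(text, new_zsk):
    """Classify the rollover stage the way the dig checks in steps 5, 7 and 9 do by eye."""
    ksks, zsks, signers = parse_dig(text)
    data_signers = set().union(*(s for t, s in signers.items() if t != "DNSKEY"))
    if not set(ksks) & signers["DNSKEY"]:
        return "broken: DNSKEY RRset is not signed by the KSK"
    if len(data_signers) != 1:
        return "broken: zone data signed by %d ZSKs, expected exactly one" % len(data_signers)
    if new_zsk not in zsks:
        return "not started: new ZSK is not in the DNSKEY RRset"
    if new_zsk not in data_signers:
        return "pre-publish: new ZSK published, data still signed by the old ZSK (step 5)"
    if len(zsks) == 2:
        return "switched: new ZSK signing, old ZSK still published; wait out the TTL (step 7)"
    return "complete: only the new ZSK is published and signing (step 9)"
```

Feed it the answer sections of your own dig runs (rollover_state(open("dig.out").read(), new_zsk=45000) in the lab) to confirm you are at the stage you think you are before moving to the next step.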
166