Agenda: dnssec-manual-rollover.txt

File dnssec-manual-rollover.txt, 3.6 KB (added by admin, 7 years ago)
Line 
1Manual Key Rollover Exercise
2
3OBJECTIVE
4
5We are going to roll the ZSK and the KSK for the zones we have just signed.
6
7
8REMINDERS
9
10 - we are keeping our keys in /etc/namedb/keys/
11
12 - we currently have two keys in that directory, one ZSK and one KSK.
13   Each key is represented by two files, one ending in ".key" (the
14   public key) and one ending in ".private" (the private key)
15
16 - there is a DS RRSet in the "root" zone corresponding to our KSK
17
18
19ZSK ROLLOVER
20
211. Take a look at what keys we have already generated. Make a note
22of the names of the files containing the current ZSK and KSK.
23
24  # cd /etc/namedb/keys/
25  # ls
26
272. Generate a new ZSK, which we will use to replace the old one.
28
29  # dnssec-keygen mytld    <---- replace mytld with the name of your zone
30
31Make sure all the keyfiles are readable by the named process:
32
33  # chgrp bind K*
34  # chmod g+rw K*
35  # ls
36
37You should now have a third key pair in the directory. If you check the
38DNSKEY RDATA, you should see the flags field is 256 (i.e. this is a ZSK,
39not a KSK). Make a note of the name of the file contianing the new ZSK.
40
413. Take a look at your current DNSKEY RRSet.
42
43  # dig mytld dnskey
44
45Your zone should contain one KSK and one ZSK (check the flags to
46distinguish between them).
47
484. Re-sign your zone to include signatures by the new ZSK.
49
50  # rndc sign mytld
51  # tail /etc/namedb/log/general
52
535. See what difference this has made to the zone.
54
55  # dig mytld dnskey
56  # dig mytld dnskey +dnssec
57  # dig mytld soa +dnssec
58
59Your zone should now contain one KSK and two ZSKs; both ZSKs should be
60present in the DNSKEY RRSet, which should be signed by the KSK. The
61SOA record (and other RRSets in the zone) should now be signed twice,
62once by each ZSK, and you should see corresponding pairs of RRSIGs.
63
646. Retire the old ZSK.
65
66  # cd /etc/namedb/keys/
67  # dnssec-settime -D +1 <old ZSK name>
68  # chgrp bind K*
69  # chmod g+rw K*
70  # rndc sign mytld
71  # tail /etc/namedb/log/general
72
73The old keys will remain in the directory, but contain a Delete field
74near the top of the file indicating when they should no longer be
75used. Note that BIND will not remove keys immediately if signature
76expiration timers and TTLs suggest this might be unsafe.
77
78We specified a destroy time of now plus one second, which is definitely
79unsafe. This means in effect that the old ZSK will be retired by BIND
80just as soon as it is safe to do so.
81
82
83KSK ROLLOVER
84
857. Repeat steps 1 to 5, except this time replace the KSK. You will need
86to use the "-f KSK" parameter to dnssec-keygen when you repeat step 2.
87
888. Calculate a DS RRSet for the new KSK.
89
90  # cd /etc/namedb/keys/
91  # dnssec-dsfromkey <filename> >dsset-mytld.
92
939. Upload the dsset for your zone.
94
95  # scp dsset-mytld. adm@rootserv.ws.nsrc.org:
96
97The password is still "nsrcws".
98
9910. Tell an instructor that you have submitted a new DS RRSet, and that
100you would like it to be added to the "root" zone.
101
10211. Once you have received confirmation (and you have checked yourself!)
103that the new DS resource records have been added to the "root" zone,
104retire the old KSK just as we did with the ZSK in step 6.
105
106  # cd /etc/namedb/keys/
107  # dnssec-settime -D +1 <old KSK name>
108  # chgrp bind K*
109  # chmod g+rw K*
110  # rndc sign mytld
111  # tail /etc/namedb/log/general
112
11312. Check back later in the day and verify that the old ZSK and KSKs
114no longer appear in your zone.
115
11613. Tell an instructor that you would like the original DS resource
117records to be removed from the "root" zone.
118
11914. Sit back and reflect on what an involved and annoying process
120this was, and how much better things would be if all your key
121rollovers were managed automatically.
122