Agenda: dnssec-bind-manual-zsk-rollover.txt

File dnssec-bind-manual-zsk-rollover.txt, 5.7 KB (added by admin, 6 years ago)
Manual Key Rollover Exercise
----------------------------

OBJECTIVE

We are going to roll the ZSK for the zones we have just signed.

PLEASE make note of the KSK/ZSK IDs and write them down on a piece of paper
as you work, to remember which is which.

REMINDERS

 - we are keeping our keys in /etc/namedb/keys/

 - we currently have two pairs of keys in that directory, one ZSK and one KSK.
   Each pair is represented by two files, one ending in ".key" (the
   public key) and one ending in ".private" (the private key)

 - there is a DS RRSet in the "root" zone corresponding to our KSK


ZSK ROLLOVER

1. Take a look at what keys we have already generated. Make a note
of the names of the files containing the current ZSK and KSK.

  $ cd /etc/namedb/keys/
  $ ls K*

2. Generate a new ZSK, which we will use to replace the old one.

  $ sudo dnssec-keygen mytld    <---- replace mytld with the name of your zone

Make sure all the key files are readable by the named process:

  $ sudo chown bind K*
  $ sudo chmod u+r K*
  $ ls

You should now have a third key pair in the directory. If you check the
DNSKEY RDATA, you should see the flags field is 256 (i.e. this is a ZSK,
not a KSK; a KSK shows 257). Make a note of the name of the file containing
the new ZSK.

3. Take a look at your current DNSKEY RRSet.

  $ dig mytld dnskey

Your zone should contain one KSK and one ZSK (check the flags to
distinguish between them).

We need to add the new key to the zone, so it gets included in the next
signing. At the end of the file "mytld", ADD the new key:

    $include "/etc/namedb/keys/Kmytld.+005+45000.key";

    Increment the serial number.

    Save the file and exit.

4. Re-sign your zone to get the new ZSK signed, but we will NOT sign using
   the new ZSK - we only want the new ZSK to be signed by the current ZSK.
   This is called a "pre-publish".

  $ cd /etc/namedb/keys
  $ sudo dnssec-signzone -o mytld -k Kmytld.+005+46516 ../master/mytld Kmytld.+005+36390

  Notice in the above example that we are only using the current ZSK
  to sign, *NOT* the new one - this is to make sure that dnssec-signzone
  doesn't try to sign with both ZSKs. It wouldn't be "bad", but it would
  mean twice the signature data in the zone!

  So we tell dnssec-signzone exactly which keys to use when doing a
  rollover, PRECISELY because you want to control the timing of when
  a key is introduced, used to sign, and finally retired.

  The output of the above command should be:

Zone signing complete:
Algorithm: RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
                    ZSKs: 1 active, 1 stand-by, 0 revoked
mytld.signed

  Notice the ZSKs: 1 active, 1 stand-by

5. See what difference this has made to the zone.

  $ sudo rndc reload mytld
  $ dig mytld dnskey
  $ dig mytld dnskey +dnssec
  $ dig mytld soa +dnssec

Your zone should now contain one KSK and two ZSKs; both ZSKs should be
present in the DNSKEY RRSet, which should be signed by the KSK.

BUT the SOA record (and other RRSets in the zone) should ONLY be signed once,
using the old ZSK. And the DNSKEY RRset should show all 3 keys (1 KSK, 2 ZSKs).
This is called "pre-publish".

At this time, we should in principle wait 2 x TTL for both ZSKs to
show up in everyone's cache (by default it is 120 seconds, or 2 minutes,
in our lab, but this will be different "in real life"). If we signed with
the new ZSK before every cache had seen it, a validating resolver still
holding the old DNSKEY RRset would have no key to check the new signatures
against and would fail validation. Anyway, let's wait for at least 2 minutes
before we sign with the new ZSK instead of the old ZSK.

After a few minutes, ask one of your neighbors if they can look up the DNSKEY
for your domain. They can check the in-class cache (10.10.0.230) and,
if they have configured it, their own cache.

Again, the command to look up the keys is:

  $ dig mytld dnskey

Once we are certain that "all the internet" (everyone in the class)
can see both keys, we can sign with the new ZSK.

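The checks in steps 5, 7 and 9 are done by eye with dig. As an added example (not part of the lab handout), the Python below does them mechanically: it parses dig-style DNSKEY and RRSIG lines, recomputes each key's tag (RFC 4034 Appendix B, which is what the +005+NNNNN part of the key file name is) so each DNSKEY can be matched to its file, and reports whether the zone is in steady state, "dual-published" (two ZSKs in the DNSKEY RRset, one of them signing - the state after step 4 and again after step 6), "double-signed", or "broken" (an RRSIG names a key tag that is no longer in the DNSKEY RRset, which is what a validator sees if the old ZSK is retired before its signatures have been replaced). The sample records are constructed; the short base64 key material is a placeholder, not a real RSA key, so the tags it yields (1543 KSK, 1541 old ZSK, 1545 new ZSK) stand in for the lab's 46516/36390/45000.

```python
"""Classify the ZSK-rollover state of a zone from dig-style DNSKEY/RRSIG output.

Added example for this exercise, not part of the lab handout. Key tags are
recomputed per RFC 4034 Appendix B (valid for RSASHA1 and later algorithms,
not for the obsolete RSAMD5), so each DNSKEY can be matched to its
K<zone>.+<alg>+<tag>.key file.
"""
import base64
import struct

# Constructed sample: what `dig mytld dnskey +dnssec` and `dig mytld soa +dnssec`
# might return in the pre-publish stage. The base64 key material is a short
# placeholder, NOT a real RSA public key; the tags it yields are 1543/1541/1545.
PRE_PUBLISH = """\
mytld.  120 IN DNSKEY 257 3 5 AQABAAAB                     ; KSK
mytld.  120 IN DNSKEY 256 3 5 AQAB AAAA                    ; old ZSK (dig splits base64)
mytld.  120 IN DNSKEY 256 3 5 AQABAAAE                     ; new ZSK
mytld.  120 IN RRSIG  DNSKEY 5 1 120 20240101000000 20231201000000 1543 mytld. c2ln
mytld.  120 IN SOA    ns.mytld. hostmaster.mytld. 2023120102 3600 900 604800 120
mytld.  120 IN RRSIG  SOA 5 1 120 20240101000000 20231201000000 1541 mytld. c2ln
"""

# Constructed failure case: the old ZSK is gone from the DNSKEY RRset, but the
# SOA signature made with it is still being served (retired too early).
RETIRED_TOO_EARLY = """\
mytld.  120 IN DNSKEY 257 3 5 AQABAAAB
mytld.  120 IN DNSKEY 256 3 5 AQABAAAE
mytld.  120 IN RRSIG  DNSKEY 5 1 120 20240101000000 20231201000000 1543 mytld. c2ln
mytld.  120 IN RRSIG  SOA 5 1 120 20240101000000 20231201000000 1541 mytld. c2ln
"""


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B checksum over the wire-format DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # even offsets are the high byte of a 16-bit word
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_records(text: str):
    """Return ({key_tag: 'KSK'|'ZSK'}, [(type_covered, key_tag), ...])."""
    keys, rrsigs = {}, []
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()      # ';' starts a comment in dig output
        if len(fields) < 5 or fields[2] != "IN":
            continue
        rtype, rdata = fields[3], fields[4:]
        if rtype == "DNSKEY":
            flags, proto, alg = (int(x) for x in rdata[:3])
            pubkey = base64.b64decode("".join(rdata[3:]))   # rejoin dig's split base64
            if not flags & 0x0100:                  # ZONE bit clear: not a zone key
                continue
            tag = key_tag(struct.pack("!HBB", flags, proto, alg) + pubkey)
            keys[tag] = "KSK" if flags & 0x0001 else "ZSK"   # SEP bit marks the KSK
        elif rtype == "RRSIG":
            rrsigs.append((rdata[0], int(rdata[6])))         # type covered, key tag
    return keys, rrsigs


def rollover_state(text: str) -> dict:
    """Summarise which keys are published, which ZSK signs the data, and the phase."""
    keys, rrsigs = parse_records(text)
    ksk_tags = sorted(t for t, role in keys.items() if role == "KSK")
    zsk_tags = sorted(t for t, role in keys.items() if role == "ZSK")
    # Tags signing ordinary RRsets (signing the DNSKEY RRset itself is the KSK's job).
    signing = sorted({t for covered, t in rrsigs if covered != "DNSKEY"})
    dangling = sorted({t for _, t in rrsigs if t not in keys})
    if dangling:
        phase = "broken"          # signatures no validator can check
    elif len(zsk_tags) == 1 and signing == zsk_tags:
        phase = "steady"
    elif len(zsk_tags) == 2 and len(signing) == 1 and signing[0] in zsk_tags:
        phase = "dual-published"  # steps 5 and 7: two ZSKs published, one signing
    elif len(zsk_tags) == 2 and signing == zsk_tags:
        phase = "double-signed"   # both ZSKs signing: valid, but twice the RRSIG data
    else:
        phase = "unexpected"
    return {"ksk_tags": ksk_tags, "zsk_tags": zsk_tags, "signing_zsk_tags": signing,
            "dangling_rrsig_tags": dangling, "phase": phase}


if __name__ == "__main__":
    for name, sample in (("pre-publish", PRE_PUBLISH), ("retired too early", RETIRED_TOO_EARLY)):
        print(name, rollover_state(sample))
```

To use it on a live zone, paste the answer sections of "dig mytld dnskey +dnssec" and "dig mytld soa +dnssec" into one string and call rollover_state() on it; the key tags it prints are the ones to compare with the K*.key file names you wrote down in step 1.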
6. Sign with the new ZSK.

   Remember, we have 3 keys - in our zone, we have:

        $include "/etc/namedb/keys/Kmytld.+005+46516.key"; // KSK
        $include "/etc/namedb/keys/Kmytld.+005+36390.key"; // ZSK we retire
        $include "/etc/namedb/keys/Kmytld.+005+45000.key"; // new ZSK

   Increment the serial number. Then:

   $ cd /etc/namedb/keys
   $ sudo dnssec-signzone -o mytld -k Kmytld.+005+46516 ../master/mytld Kmytld.+005+45000

... Notice how we now use 45000 (the second ZSK) to sign, not 36390 anymore.

Now, reload the zone to propagate the changes:

   $ sudo rndc reload mytld

Check with dig like in step 5 that you are seeing only ONE signature for your
RRsets - which means we are only signing using ONE ZSK - you still have to
wait for the TTL to expire before you can retire the old ZSK.


7. Now you should notice, using dig like in step 5, that we are only
   signing with one key:

   $ dig www.mytld +dnssec

But also verify that the OLD ZSK is still published in the DNSKEY RRset:

   $ dig mytld dnskey

You should still see three keys.

8. Retire the old ZSK.

After waiting at least 2 minutes (120s), retire the old ZSK:

  $ cd /etc/namedb/master/

  Edit the zone file and add a comment sign (';') in front of the old ZSK
  (double check which key!)

  $ sudo ee mytld

$include "/etc/namedb/keys/Kmytld.+005+46516.key";  // KSK
;$include "/etc/namedb/keys/Kmytld.+005+36390.key"; // ZSK (commented out)
$include "/etc/namedb/keys/Kmytld.+005+45000.key";  // new ZSK

  Increment the serial number.

  Now re-sign the zone. Notice that we explicitly DON'T specify
  the ZSK we just commented out:

  $ cd /etc/namedb/keys
  $ sudo dnssec-signzone -o mytld -k Kmytld.+005+46516 ../master/mytld Kmytld.+005+45000
  $ sudo rndc reload mytld
  $ tail /etc/namedb/log/general

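Steps 3, 6 and 8 each hand-edit the master file: add an $include line, bump the serial, and finally comment out the retired ZSK. As an added example (not part of the lab handout, and not a BIND tool), the Python below does those edits on the zone file held as text, so the "double check which key!" step becomes a path comparison: bump_serial() finds the serial even when it sits on a continuation line inside the SOA parentheses, add_key_include() refuses to add a key file that is already present, and comment_out_key() refuses unless the given path is active exactly once. The sample zone is constructed to look like the lab's ../master/mytld; the key file paths are the ones used in this exercise.

```python
"""Apply the zone-file edits of steps 3, 6 and 8 to a BIND master file held as text.

Added example for this exercise, not part of the lab handout and not a BIND
tool. The sample zone and the rollover_edits() sequence are constructed.
"""
import re

INCLUDE_RE = re.compile(r'^(;\s*)?\$include\s+"([^"]+)"', re.IGNORECASE)

KSK = "/etc/namedb/keys/Kmytld.+005+46516.key"
OLD_ZSK = "/etc/namedb/keys/Kmytld.+005+36390.key"
NEW_ZSK = "/etc/namedb/keys/Kmytld.+005+45000.key"

# Constructed sample laid out like the lab's ../master/mytld before step 3.
SAMPLE_ZONE = """\
$TTL 120
@   IN SOA ns.mytld. hostmaster.mytld. (
        2023120101 ; serial
        3600 900 604800 120 )
    IN NS ns.mytld.
ns  IN A  10.10.0.1
$include "/etc/namedb/keys/Kmytld.+005+46516.key"; // KSK
$include "/etc/namedb/keys/Kmytld.+005+36390.key"; // ZSK
"""


def includes(zone_text):
    """List (active, path) for every $include line, commented-out ones included."""
    found = []
    for line in zone_text.splitlines():
        m = INCLUDE_RE.match(line.strip())
        if m:
            found.append((m.group(1) is None, m.group(2)))
    return found


def _locate_serial(lines):
    """Find the SOA serial: the third RDATA token after SOA, skipping '(' and
    comments, so a multi-line SOA works too. Returns (line index, regex match)."""
    after_soa = None
    for idx, line in enumerate(lines):
        for m in re.finditer(r"\S+", line.split(";", 1)[0]):   # ';' starts a comment
            tok = m.group()
            if after_soa is None:
                if tok.upper() == "SOA":
                    after_soa = 0
                continue
            if tok == "(":
                continue
            after_soa += 1
            if after_soa == 3:                      # MNAME, RNAME, then SERIAL
                return idx, m
    raise ValueError("no SOA serial found")


def serial_of(zone_text):
    _, m = _locate_serial(zone_text.splitlines(keepends=True))
    return int(m.group())


def bump_serial(zone_text):
    """Steps 3, 6, 8: increment the serial in place (mod 2^32, RFC 1982 arithmetic)."""
    lines = zone_text.splitlines(keepends=True)
    idx, m = _locate_serial(lines)
    new = str((int(m.group()) + 1) % 2**32)
    lines[idx] = lines[idx][:m.start()] + new + lines[idx][m.end():]
    return "".join(lines)


def add_key_include(zone_text, key_path, role):
    """Step 3: publish a new key by including its .key file at the end of the zone."""
    if any(p == key_path for _, p in includes(zone_text)):
        raise ValueError(f"{key_path} already present")
    if not zone_text.endswith("\n"):
        zone_text += "\n"
    # ';' opens the comment; '//' is only the lab's visual marker for the key's role.
    return zone_text + f'$include "{key_path}"; // {role}\n'


def comment_out_key(zone_text, key_path):
    """Step 8: retire a key by commenting out its $include (double check the path!)."""
    out, hits = [], 0
    for line in zone_text.splitlines(keepends=True):
        m = INCLUDE_RE.match(line.strip())
        if m and m.group(1) is None and m.group(2) == key_path:
            line, hits = ";" + line, hits + 1
        out.append(line)
    if hits != 1:
        raise ValueError(f"expected one active include of {key_path}, found {hits}")
    return "".join(out)


def rollover_edits(zone_text):
    """The three edit stages in order; signing and reloading happen between them."""
    pre_publish = bump_serial(add_key_include(zone_text, NEW_ZSK, "new ZSK"))
    switch = bump_serial(pre_publish)           # step 6 changes only the serial
    retire = bump_serial(comment_out_key(switch, OLD_ZSK))
    return pre_publish, switch, retire
```

rollover_edits(SAMPLE_ZONE) returns the file contents after step 3, step 6 and step 8 in turn; in between each stage you would still run dnssec-signzone with the ZSK chosen for that stage and "rndc reload" the zone, exactly as the steps above describe.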
9. Like in step 5, check that signatures still work, and that
   the OLD ZSK is no longer in the RRset.

   Also, check that the RRSIGs (dig +dnssec soa mytld) in your zone show the
   key ID of the new ZSK.

   Does your domain still work? :)
