Agenda: dnssec-bind-manual-ksk-rollover.txt

File dnssec-bind-manual-ksk-rollover.txt, 3.4 KB (added by admin, 5 years ago)
Line 
1Manual Key Rollover Exercise
2
3OBJECTIVE
4
5We are going to roll the KSK for the zones we have just signed.
6
7REMINDERS
8
9 - we are keeping our keys in /etc/namedb/keys/
10
11 - we currently have two or more keys in that directory, one KSK
12   and one or more ZSKs.
13   Each key is represented by two files, one ending in ".key" (the
14   public key) and one ending in ".private" (the private key)
15
16 - there is a DS RRSet in the "root" zone corresponding to our KSK
17
18
19KSK ROLLOVER
20
21The process is rather similar to the ZSK rollover:
22
231. Go to the key dir:
24
25    $ cd /etc/namedb/keys/
26    $ ls K*
27
282. Just like in step 2 of the ZSK rollover, generate a new KSK
29   You will need to use the "-f KSK" parameter to dnssec-keygen:
30
31   $ dnssec-keygen -f KSK -a RSASHA256 -b 2048 -n ZONE mytld
32
33   This will output something like:
34
35   Kmytld.+008+54511
36
373. Calculate a DS RRSet for the new KSK.
38
39  $ cd /etc/namedb/keys/
40  $ sudo dnssec-dsfromkey Kmytld.+005+54511.key > dsset-mytld-54511.
41
42  (here 54511 is just the ID of the new KSK so we know which DS is
43  which).
44
454. Upload the dsset for your zone, using the web interface or using
46   SCP as shown by the root instructor
47
48   Tell an instructor that you have submitted a new DS RRSet, and that
49   you would like it to be added to the "root" zone. If you used the
50   web interface, this should have happened automatically.
51
52   If using web interface, login as before.
53
54   Under the "Edit Trust Anchor Details" section enter the Key Tag,
55   Digest, Algorithm, and Digest type from the output of
56   step 3 above. E.g.,
57
58   mytld. IN DS 54511    8          2      983F33D43D1EBB069BF60...
59                TAG  Algorithm Digest-Type Digest
60                     RSASHA256
61
62   Make sure to eliminate any spaces from the Digest and note that you
63   only need one trust anchor.
64
65   Click "Update" when done. Wait a minute for update to propagate.
66
675. Double check that the new DS is published in the parent (root) zone
68    alongside the existing one (you should wait at least 2 x TTL
69    until all the caches are updated):
70
71   $ dig @10.10.0.230 DS mytld
72   ...
73   ;; ANSWER SECTION:
74   mytld    900 IN  DS 52159 8 2 31F1...
75   mytld    900 IN  DS 54511 8 2 983F...  // <-- the new KSK
76   ...
77
78   Since both DS are now present in the cache, we can roll our KSK.
79
80   Then we add the new KSK to the zone (edit the file), and we comment
81   out (remove) the old KSK:
82
83   From this:
84
85$include "/etc/namedb/keys/Kmytld.+008+52159.key"; // KSK
86
87   To this:
88
89;$include "/etc/namedb/keys/Kmytld.+008+52159.key"; // KSK old
90$include "/etc/namedb/keys/Kmytld.+008+54511.key"; // KSK new
91
92    Remember to increment the serial number too.
93
94    ... notice how we simply get rid of the old KSK - we don't need
95    it - both DS records are there, so it's enough to have only one
96    KSK, since we already "know" about its DS "on the internet".
97
986. Let's sign the zone with the new KSK
99
100  $ cd /etc/namedb/keys
101  $ sudo dnssec-signzone -o mytld -k Kmytld.+005+54511 ../master/mytld Kmytld.+005+45000
102
103  $ sudo rndc reload mytld
104
1057. Check with dig - both before and after the TTL expire (or cache flush)
106
107  $ dig dnskey mytld +multi
108  $ dig dnskey mytld +dnssec +multi
109 
1108. Tell an instructor that you would like the original DS resource
111   records to be removed from the "root" zone (or remove it yourself
112   using the web interface)
113
1149. Sit back and reflect on what an involved and annoying process
115this was, and how much better things would be if all your key
116rollovers were managed automatically.
117