| 1 | Rollover with OpenDNSSEC |
|---|
| 2 | ------------------------ |
|---|
| 3 | |
|---|
| 4 | 1. Make sure that your zone is validating correctly. |
|---|
| 5 | |
|---|
| 6 | Things to verify (also if your zone works!) |
|---|
| 7 | |
|---|
| 8 | - look at the key id of your KSK (ods-ksmutil key list -v --zone mytld) |
|---|
| 9 | |
|---|
| 10 | - is BIND loading the right zone ? (compare SOA serial value in |
|---|
| 11 | /usr/local/var/opendnssec/signed with that returned by |
|---|
| 12 | dig @auth1.grpX.dns.nsrc.org SOA mytld) |
|---|
| 13 | |
|---|
| 14 | - verify that the right DS is loaded in the root zone |
|---|
| 15 | |
|---|
| 16 | dig @a.root-servers.net DS mytld +dnssec |
|---|
| 17 | |
|---|
| 18 | - compare the key ID of the DS in the root (output from above) with that of |
|---|
| 19 | the key used to sign your DNSKEY RR |
|---|
| 20 | |
|---|
| 21 | dig @auth1.grpX.dns.nsrc.org DNSKEY mytld +dnssec +multi |
|---|
| 22 | |
|---|
| 23 | (look for the key id on the RRSIG) |
|---|
| 24 | |
|---|
| 25 | If there are any problems problems, correct them. |
|---|
| 26 | |
|---|
| 27 | Remember to check that the serial on the master is NOT less than the |
|---|
| 28 | serial on your slave server(s) ! |
|---|
| 29 | |
|---|
| 30 | 2. Check the key states |
|---|
| 31 | |
|---|
| 32 | # ods-ksmutil key list -v --zone mytld |
|---|
| 33 | |
|---|
| 34 | You should have at least one KSK in `active` or `publish` state, and one or |
|---|
| 35 | more ZSKs (one `active` and possibly others in `retire` or `publish` state). |
|---|
| 36 | |
|---|
| 37 | 3. Trigger a ZSK rollover |
|---|
| 38 | |
|---|
| 39 | Since we have very short timers for this lab, rollovers have already |
|---|
| 40 | been happening on the ZSK! What happens if we decide to do a rollover |
|---|
| 41 | manually ? |
|---|
| 42 | |
|---|
| 43 | # ods-ksmutil key rollover --zone mytld --keytype ZSK |
|---|
| 44 | |
|---|
| 45 | Manual key rollover for key type zsk on zone mytld initiated |
|---|
| 46 | Notifying enforcer of new database... |
|---|
| 47 | |
|---|
| 48 | # tail /var/log/messages |
|---|
| 49 | |
|---|
| 50 | You may see a message similar to this: |
|---|
| 51 | |
|---|
| 52 | Mar 21 09:38:57 auth1 ods-enforcerd: WARNING: ZSK rollover for zone 'mytld' |
|---|
| 53 | not completed as there are no keys in the 'ready' state; ods-enforcerd will |
|---|
| 54 | try again when it runs next |
|---|
| 55 | |
|---|
| 56 | From the OpenDNSSEC documentation: |
|---|
| 57 | |
|---|
| 58 | OpenDNSSEC makes sure that the zone is secure during the rollover |
|---|
| 59 | process. This message comes when there is no key that has been published |
|---|
| 60 | long enough. You probably have no standby keys in your policy. When you |
|---|
| 61 | initiate the rollover, then OpenDNSSEC first needs to publish the key |
|---|
| 62 | and after a moment make it active. So do not worry, the rollover process |
|---|
| 63 | will be finished in a moment. |
|---|
| 64 | |
|---|
| 65 | The reason you are seeing this is because we are using very short |
|---|
| 66 | timers in this lab, and keys are not published very long, before |
|---|
| 67 | they have to be rolled already. |
|---|
| 68 | |
|---|
| 69 | Wait a few seconds, then show the keys again |
|---|
| 70 | |
|---|
| 71 | # ods-ksmutil key list -v --zone mytld |
|---|
| 72 | |
|---|
| 73 | You should see 3 keys: |
|---|
| 74 | |
|---|
| 75 | - 1 KSK in state 'ready', with a next transition of 'waiting for ds-seen' |
|---|
| 76 | - 1 ZSK in state 'active' (the previous ZSK) |
|---|
| 77 | - 1 new ZSK in state 'publish' |
|---|
| 78 | |
|---|
| 79 | Effectively, OpenDNSSEC is now rolling ZSKs automatically. It will do this |
|---|
| 80 | without your help, but you can always trigger a rollover for emergency |
|---|
| 81 | reasons. |
|---|
| 82 | |
|---|
| 83 | 5. Testing a KSK rollover |
|---|
| 84 | |
|---|
| 85 | Take a look at the existing keys: |
|---|
| 86 | |
|---|
| 87 | # ods-ksmutil key list -v |
|---|
| 88 | |
|---|
| 89 | Keys: |
|---|
| 90 | Zone: Keytype: State: Date of next transition (to): Size: Algorithm: CKA_ID: Repository: Keytag: |
|---|
| 91 | mytld KSK active 2014-03-22 09:06:56 (retire) 2048 8 0c4f577032e04e2eb34163382a4524d7 SoftHSM 44096 |
|---|
| 92 | mytld ZSK active 2014-03-21 11:53:07 (retire) 1024 8 b33d11faf20c649793a0d502fdf15f79 SoftHSM 48718 |
|---|
| 93 | mytld ZSK publish 2014-03-21 12:01:07 (ready) 1024 8 816e4714df87ffdaddb014481dfcd168 SoftHSM 64656 |
|---|
| 94 | |
|---|
| 95 | |
|---|
| 96 | Now, let's issue a rollover. Remember, KSK rollovers can't happen |
|---|
| 97 | automatically in most cases, so you will need to help OpenDNSSEC by: |
|---|
| 98 | |
|---|
| 99 | - exporting the DS of the new key once you initiate the rollover |
|---|
| 100 | (ods-ksmutil key export --zone mytld --keystate ...) |
|---|
| 101 | |
|---|
| 102 | - telling OpenDNSSEC when you can see that the root/parent has included |
|---|
| 103 | your DS in their zone |
|---|
| 104 | (ods-ksmutil key ds-seen --zone mytld --keytag XXXXX) |
|---|
| 105 | |
|---|
| 106 | Ok let's rollover: |
|---|
| 107 | |
|---|
| 108 | # ods-ksmutil key rollover --keytype KSK --zone mytld |
|---|
| 109 | |
|---|
| 110 | Look at the key states: |
|---|
| 111 | |
|---|
| 112 | # ods-ksmutil key list |
|---|
| 113 | |
|---|
| 114 | Keys: |
|---|
| 115 | Zone: Keytype: State: Date of next transition: |
|---|
| 116 | phil KSK active 2014-03-21 11:57:18 |
|---|
| 117 | phil KSK publish 2014-03-21 12:05:19 |
|---|
| 118 | phil ZSK active 2014-03-21 11:53:07 |
|---|
| 119 | phil ZSK publish 2014-03-21 12:01:07 |
|---|
| 120 | |
|---|
| 121 | You should now see that there is an extra KSK |
|---|
| 122 | We leave the rest of this exercise up to you :) |
|---|
| 123 | |
|---|
| 124 | 6. See what rollovers are automatically planned, and when |
|---|
| 125 | |
|---|
| 126 | # ods-ksmutil rollover list |
|---|
| 127 | |
|---|
