Track3Sec: 2.6_dnssec-bind-manual-ksk-rollover.txt

File 2.6_dnssec-bind-manual-ksk-rollover.txt, 3.5 KB (added by Fakrul Alam, 6 years ago)
Line 
1Manual Key Rollover Exercise
2
3OBJECTIVE
4
5We are going to roll the KSK for the zones we have just signed.
6
7REMINDERS
8
9 - we are keeping our keys in /etc/namedb/keys/
10
11 - we currently have two or more keys in that directory, one KSK
12   and one or more ZSKs.
13   Each key is represented by two files, one ending in ".key" (the
14   public key) and one ending in ".private" (the private key)
15
16 - there is a DS RRSet in the "root" zone corresponding to our KSK
17
18
19KSK ROLLOVER
20
21The process is rather similar to the ZSK rollover:
22
231. Go to the key dir:
24
25    # cd /etc/namedb/keys/
26    # ls -lt K*
27
282. Just like in step 2 of the ZSK rollover, generate a new KSK
29   You will need to use the "-f KSK" parameter to dnssec-keygen:
30
31    # dnssec-keygen -f KSK -a RSASHA256 -b 2048 -n ZONE mytld
32
33    which might output:
34    Kmytld.+008+54511
35
363. Calculate a DS RRSet for the new KSK.
37
38  # cd /etc/namedb/keys/
39  # dnssec-dsfromkey Kmytld.+008+54511.key | tee dsset-mytld-54511.
40
41  (here 54511 is just the ID of the new KSK so we know which DS is
42  which).
43
444. Upload the dsset for your zone, using the RZM web interface.
45
46   Using web interface, login as before.
47   Under the "Edit Trust Anchor Details" section enter:
48
49   Key Tag,
50
51   Digest
52
53   Algorithm
54
55   Digest type
56
57   from the output of step 3 above. E.g., for
58
59   mytld. IN DS 54511      8          2          983F33D43D1EBB069BF60...
60                 TAG    Algorithm  Digest-Type       Digest
61                        RSASHA256
62
63   Make sure to eliminate any spaces from the Digest and note that
64   you only need one trust anchor. (longer one is preferred)
65
66   Click "Update" when done.  Wait a minute for update to propagate.
67
68
695. Double check that the new DS is published in the parent (root) zone
70    alongside the existing one (you should wait at least 2 x TTL
71    until all the caches are updated):
72
73   # dig @10.10.0.230 DS mytld
74   ...
75   ;; ANSWER SECTION:
76   mytld    900 IN  DS 52159 8 2 31F1...
77   mytld    900 IN  DS 54511 8 2 983F...  // <-- the new KSK
78   ...
79
80   Since both DS are now present in the world's caches and
81   DNSSEC requires only one chain of trust to validate,
82   we can roll our KSK.
83
84
85   Add the new KSK to the zone (edit the file), and we comment
86   out (remove) the old KSK like this:
87
88        ;$include "/etc/namedb/keys/Kmytld.+008+52159.key"; // KSK old
89        $include "/etc/namedb/keys/Kmytld.+008+54511.key"; // KSK new
90
91    Remember to increment the serial number too.
92
93    ... notice how we simply get rid of the old KSK - we don't need
94    it - both DS records are there, so it's enough to have only one
95    KSK, since we already "know" about its DS "on the internet".
96
976. Let's sign the zone with the new KSK
98
99  # cd /etc/namedb/keys
100  # dnssec-signzone -x -o mytld -k Kmytld.+008+54511 ../master/mytld
101
102  # rndc reload mytld
103
1047. Check with dig - both before and after the TTL expire (or cache flush)
105
106  # dig dnskey mytld +multi
107  # dig dnskey mytld +dnssec +multi
108
109  Notice that the tag for the KSK (the longer one) has changed to
110  the new one and that the "ad" Authenticated Data bit is still set.
111 
1128. Remove the original DS resouce record from the "root" using
113   the RZM web interface by logging in; clicking on the icon
114   next to the old DS record until you get "X"; then click
115   "Update".
116
117   After a minute, the old DS record should be gone from the root.
118
119   You can check with:
120
121   # dig DS mytld
122
1239. Sit back and reflect on what an involved and annoying process
124   this was, and how much better things would be if all your key
125   rollovers were managed automatically.
126