Agenda: dnssec-bind-manual-ksk-rollover-x2.txt

File dnssec-bind-manual-ksk-rollover-x2.txt, 5.4 KB (added by lamb, 5 years ago)
double signing manual KSK rollover additions by Rick

Line
1	Manual Key Rollover Exercise
2
3	OBJECTIVE
4
5	We are going to roll the KSK for the zones we have just signed.
6
7	REMINDERS
8
9	- we are keeping our keys in /etc/namedb/keys/
10
11	- we currently have two or more keys in that directory, one KSK
12	and one or more ZSKs.
13	Each key is represented by two files, one ending in ".key" (the
14	public key) and one ending in ".private" (the private key)
15
16	- there is a DS RRSet in the "root" zone corresponding to our KSK
17
18
19	KSK ROLLOVER
20
21	The process is rather similar to the ZSK rollover:
22
23	1. Go to the key dir:
24
25	$ cd /etc/namedb/keys/
26	$ ls K*
27
28	2. Just like in step 2 of the ZSK rollover, generate a new KSK
29	You will need to use the "-f KSK" parameter to dnssec-keygen:
30
31	$ dnssec-keygen -f KSK -a RSASHA256 -b 2048 -n ZONE mytld
32
33	This will output something like:
34
35	Kmytld.+008+54511
36
37	3. Calculate a DS RRSet for the new KSK.
38
39	$ cd /etc/namedb/keys/
40	$ sudo dnssec-dsfromkey Kmytld.+008+54511.key > dsset-mytld-54511.
41
42	(here 54511 is just the ID of the new KSK so we know which DS is
43	which).
44
45	----------- Alternative path for double signed KSK rollover ----------------
46
47	4. Add the new KSK to the zone (edit the file):
48
49	From this:
50
51	$include "/etc/namedb/keys/Kmytld.+008+52159.key"; // KSK
52
53	To this:
54
55	$include "/etc/namedb/keys/Kmytld.+008+52159.key"; // KSK old
56	$include "/etc/namedb/keys/Kmytld.+008+54511.key"; // KSK new
57
58	Remember to increment the serial number too.
59
60	5. Let's sign the zone with the old and new KSK
61
62	$ cd /etc/namedb/keys
63	$ sudo dnssec-signzone -o mytld -k Kmytld.+008+oldksk -k Kmytld.+008+newksk ../master/mytld Kmytld.+008+zsk
64
65	$ sudo rndc reload mytld
66
67	6. Check with dig
68
69	$ dig @127.0.0.1 dnskey mytld +multi
70	$ dig @127.0.0.1 dnskey mytld +dnssec +multi
71
72
73	7. Log into RZM and click "Update". You should notice that RZM has discovered
74	your new KSK. Verify that the DS record(s) match the contents of the
75	dsset-mytld-newksk file created above.
76	If so, click on SHA256 "eye" to mark as good then mark the old ksk
77	DS record for deletion. Then click "Update".
78
79	8. Check with dig - both before and after the TTL expire
80	(e.g., 2 x max TTL of mytld zone and DS record)
81
82	$ dig dnskey mytld +multi
83	$ dig dnskey mytld +dnssec +multi
84
85	9. Remove the OLD KSK to the zone (edit the file):
86
87	From this:
88
89	$include "/etc/namedb/keys/Kmytld.+008+52159.key"; // KSK old
90	$include "/etc/namedb/keys/Kmytld.+008+54511.key"; // KSK new
91
92	To this:
93
94	$include "/etc/namedb/keys/Kmytld.+008+54511.key"; // KSK new
95
96	Remember to increment the serial number too.
97
98	10. Let's sign the zone with only the new KSK
99
100	$ cd /etc/namedb/keys
101	$ sudo dnssec-signzone -o mytld -k Kmytld.+008+newksk ./master/mytld Kmytld.+008+zsk
102
103	$ sudo rndc reload mytld
104
105	11. Check with dig - both before and after the TTL expire
106	(e.g., 2 x max TTL of mytld zone and DS record)
107
108	$ dig dnskey mytld +multi
109	$ dig dnskey mytld +dnssec +multi
110
111	12. Note that double signing requires only one interaction with the parent
112	while pre-publishing requires two.
113
114	----------- end alternate ------------------
115
116	4. Upload the dsset for your zone, using the web interface or using
117	SCP as shown by the root instructor
118
119	Tell an instructor that you have submitted a new DS RRSet, and that
120	you would like it to be added to the "root" zone. If you used the
121	web interface, this should have happened automatically.
122
123	If using web interface, login as before.
124
125	Under the "Edit Trust Anchor Details" section enter the Key Tag,
126	Digest, Algorithm, and Digest type from the output of
127	step 3 above. E.g.,
128
129	mytld. IN DS 54511 8 2 983F33D43D1EBB069BF60...
130	TAG Algorithm Digest-Type Digest
131	RSASHA256
132
133	Make sure to eliminate any spaces from the Digest and note that you
134	only need one trust anchor.
135
136	Click "Update" when done. Wait a minute for update to propagate.
137
138	5. Double check that the new DS is published in the parent (root) zone
139	alongside the existing one (you should wait at least 2 x TTL
140	until all the caches are updated):
141
142	$ dig @10.10.0.230 DS mytld
143	...
144	;; ANSWER SECTION:
145	mytld 900 IN DS 52159 8 2 31F1...
146	mytld 900 IN DS 54511 8 2 983F... // <-- the new KSK
147	...
148
149	Since both DS are now present in the cache, we can roll our KSK.
150
151	Then we add the new KSK to the zone (edit the file), and we comment
152	out (remove) the old KSK:
153
154	From this:
155
156	$include "/etc/namedb/keys/Kmytld.+008+52159.key"; // KSK
157
158	To this:
159
160	;$include "/etc/namedb/keys/Kmytld.+008+52159.key"; // KSK old
161	$include "/etc/namedb/keys/Kmytld.+008+54511.key"; // KSK new
162
163	Remember to increment the serial number too.
164
165	... notice how we simply get rid of the old KSK - we don't need
166	it - both DS records are there, so it's enough to have only one
167	KSK, since we already "know" about its DS "on the internet".
168
169	6. Let's sign the zone with the new KSK
170
171	$ cd /etc/namedb/keys
172	$ sudo dnssec-signzone -o mytld -k Kmytld.+008+54511 ../master/mytld Kmytld.+008+45000
173
174	$ sudo rndc reload mytld
175
176	7. Check with dig - both before and after the TTL expire (or cache flush)
177
178	$ dig dnskey mytld +multi
179	$ dig dnskey mytld +dnssec +multi
180
181	8. Tell an instructor that you would like the original DS resource
182	records to be removed from the "root" zone (or remove it yourself
183	using the web interface)
184
185	9. Sit back and reflect on what an involved and annoying process
186	this was, and how much better things would be if all your key
187	rollovers were managed automatically.
188