Agenda: dnssec-bind-manual-ksk-rollover-x2.txt

File dnssec-bind-manual-ksk-rollover-x2.txt, 5.4 KB (added by lamb, 5 years ago)

double signing manual KSK rollover additions by Rick

Manual Key Rollover Exercise

OBJECTIVE

We are going to roll the KSK for the zones we have just signed.

REMINDERS

 - we are keeping our keys in /etc/namedb/keys/

 - we currently have two or more keys in that directory, one KSK
   and one or more ZSKs.
   Each key is represented by two files, one ending in ".key" (the
   public key) and one ending in ".private" (the private key)

 - there is a DS RRSet in the "root" zone corresponding to our KSK


KSK ROLLOVER

The process is rather similar to the ZSK rollover:

1. Go to the key dir:

    $ cd /etc/namedb/keys/
    $ ls K*

2. Just like in step 2 of the ZSK rollover, generate a new KSK.
   You will need to use the "-f KSK" parameter to dnssec-keygen:

   $ dnssec-keygen -f KSK -a RSASHA256 -b 2048 -n ZONE mytld

   This will output something like:

   Kmytld.+008+54511

3. Calculate a DS RRSet for the new KSK.

  $ cd /etc/namedb/keys/
  $ sudo dnssec-dsfromkey Kmytld.+008+54511.key > dsset-mytld-54511.

  (here 54511 is just the ID of the new KSK so we know which DS is
  which).

45-----------  Alternative path for double signed KSK rollover ----------------
46
474. Add the new KSK to the zone (edit the file):
48
49   From this:
50
51$include "/etc/namedb/keys/Kmytld.+008+52159.key"; // KSK
52
53   To this:
54
55$include "/etc/namedb/keys/Kmytld.+008+52159.key"; // KSK old
56$include "/etc/namedb/keys/Kmytld.+008+54511.key"; // KSK new
57
58    Remember to increment the serial number too.
59
605. Let's sign the zone with the old and new KSK
61
62  $ cd /etc/namedb/keys
63  $ sudo dnssec-signzone -o mytld -k Kmytld.+008+oldksk -k Kmytld.+008+newksk ../master/mytld Kmytld.+008+zsk
64
65  $ sudo rndc reload mytld
66
676. Check with dig
68
69  $ dig @127.0.0.1 dnskey mytld +multi
70  $ dig @127.0.0.1 dnskey mytld +dnssec +multi
71
72
737. Log into RZM and click "Update". You should notice that RZM has discovered
74   your new KSK.  Verify that the DS record(s) match the contents of the
75   dsset-mytld-newksk file created above.
76   If so, click on SHA256 "eye" to mark as good then mark the old ksk
77   DS record for deletion.  Then click "Update".
78
798. Check with dig - both before and after the TTL expire
80   (e.g., 2 x max TTL of mytld zone and DS record)
81
82  $ dig dnskey mytld +multi
83  $ dig dnskey mytld +dnssec +multi
84
859. Remove the OLD KSK to the zone (edit the file):
86
87   From this:
88
89$include "/etc/namedb/keys/Kmytld.+008+52159.key"; // KSK old
90$include "/etc/namedb/keys/Kmytld.+008+54511.key"; // KSK new
91
92   To this:
93
94$include "/etc/namedb/keys/Kmytld.+008+54511.key"; // KSK new
95
96    Remember to increment the serial number too.
97
9810. Let's sign the zone with only the new KSK
99
100  $ cd /etc/namedb/keys
101  $ sudo dnssec-signzone -o mytld -k Kmytld.+008+newksk ./master/mytld Kmytld.+008+zsk
102
103  $ sudo rndc reload mytld
104
10511. Check with dig - both before and after the TTL expire
106   (e.g., 2 x max TTL of mytld zone and DS record)
107
108  $ dig dnskey mytld +multi
109  $ dig dnskey mytld +dnssec +multi
110
11112.  Note that double signing requires only one interaction with the parent
112     while pre-publishing requires two.
113
114----------- end alternate  ------------------
115
4. Upload the dsset for your zone, using the web interface or using
   SCP as shown by the root instructor

   Tell an instructor that you have submitted a new DS RRSet, and that
   you would like it to be added to the "root" zone. If you used the
   web interface, this should have happened automatically.

   If using the web interface, log in as before.

   Under the "Edit Trust Anchor Details" section enter the Key Tag,
   Digest, Algorithm, and Digest type from the output of
   step 3 above. E.g.,

   mytld. IN DS 54511    8          2      983F33D43D1EBB069BF60...
                TAG  Algorithm Digest-Type Digest
                     (RSASHA256)

   Make sure to eliminate any spaces from the Digest and note that you
   only need one trust anchor.

   Click "Update" when done. Wait a minute for the update to propagate.

5. Double-check that the new DS is published in the parent (root) zone
   alongside the existing one (you should wait at least 2 x TTL
   until all the caches are updated):

   $ dig @10.10.0.230 DS mytld
   ...
   ;; ANSWER SECTION:
   mytld    900 IN  DS 52159 8 2 31F1...
   mytld    900 IN  DS 54511 8 2 983F...  // <-- the new KSK
   ...

   Since both DS are now present in the cache, we can roll our KSK.

   Then we add the new KSK to the zone (edit the file), and we comment
   out (remove) the old KSK:

   From this:

$include "/etc/namedb/keys/Kmytld.+008+52159.key"; // KSK

   To this:

;$include "/etc/namedb/keys/Kmytld.+008+52159.key"; // KSK old
$include "/etc/namedb/keys/Kmytld.+008+54511.key"; // KSK new

    Remember to increment the serial number too.

    ... notice how we simply get rid of the old KSK - we don't need
    it - both DS records are there, so it's enough to have only one
    KSK, since we already "know" about its DS "on the internet".
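
   Step 5 above and step 7 of the alternate path both come down to one
   check: does each DS the parent publishes really match a KSK the zone
   serves, and does every KSK you intend to rely on already have a DS in
   the parent? The following is an added example (not part of this
   exercise and not BIND code) that performs that check offline on
   DNSKEY and DS lines copied from dig output. It computes the key tag
   (RFC 4034 Appendix B) and the DS digest (hash over the owner name in
   wire form followed by the DNSKEY RDATA) the way dnssec-dsfromkey does.
   The DNSKEY lines at the bottom are constructed 6-byte toy keys for
   the zone mytld, not real RSA keys.

```python
"""Offline check that the parent's DS records match the KSKs a zone serves.

Added example for this exercise, not part of the original text or of BIND.
It works on DNSKEY and DS lines copied from dig output and never queries
the network. The sample keys at the bottom are constructed toy keys.
"""
import base64
import hashlib

# DS digest types from RFC 4034 / RFC 4509 / RFC 6605 (3 = GOST is not handled)
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def canon(name):
    """Owner name in comparable form: lower-cased, no trailing dot."""
    return name.lower().rstrip(".")


def wire_name(name):
    """Canonical wire form of an owner name: length-prefixed labels plus the root label."""
    labels = canon(name).split(".") if canon(name) else []
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def strip_comment(line, markers=(";",)):
    """Drop a trailing comment; dig uses ';', the DS listing in this exercise uses '//'."""
    for marker in markers:
        line = line.split(marker)[0]
    return line


def parse_dnskey(line):
    """Parse a presentation-format DNSKEY RR into (owner, rdata bytes)."""
    # Only ';' is a comment here: base64 key material may legitimately contain "//".
    tokens = strip_comment(line).split()
    i = tokens.index("DNSKEY")                       # TTL and class before it are optional
    flags, proto, alg = (int(t) for t in tokens[i + 1:i + 4])
    key = base64.b64decode("".join(tokens[i + 4:]))  # the key may be split across tokens
    return tokens[0], flags.to_bytes(2, "big") + bytes([proto, alg]) + key


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (algorithm 1, RSAMD5, used a different formula)."""
    if rdata[3] == 1:
        raise ValueError("RSAMD5 key tags are not supported")
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(dnskey_line, digest_type=2):
    """DS RR for a DNSKEY: digest over owner (wire form) + RDATA, as dnssec-dsfromkey computes it."""
    owner, rdata = parse_dnskey(dnskey_line)
    digest = DIGEST_ALGS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {rdata[3]} {digest_type} {digest}"


def parse_ds(line):
    """Parse a DS RR into (owner, tag, alg, digest type, hex digest), rejoining a split digest."""
    tokens = strip_comment(line, (";", "//")).split()   # hex digests never contain '/'
    i = tokens.index("DS")
    tag, alg, dtype = (int(t) for t in tokens[i + 1:i + 4])
    return canon(tokens[0]), tag, alg, dtype, "".join(tokens[i + 4:]).upper()


def ds_matches(dnskey_line, ds_line):
    """True if the DS is the digest of exactly this DNSKEY (owner, tag, algorithm and digest)."""
    parsed = parse_ds(ds_line)
    if parsed[3] not in DIGEST_ALGS:
        return False
    return parsed == parse_ds(ds_record(dnskey_line, parsed[3]))


def ds_coverage(dnskey_lines, parent_ds_lines):
    """For each KSK (SEP flag set) in the zone, whether the parent publishes a matching DS."""
    report = {}
    for line in dnskey_lines:
        _, rdata = parse_dnskey(line)
        if not int.from_bytes(rdata[:2], "big") & 0x0001:   # ZSKs need no DS
            continue
        report[key_tag(rdata)] = any(ds_matches(line, ds) for ds in parent_ds_lines)
    return report


# Constructed sample: 6-byte toy "public keys", not real RSA keys (real ones are ~256 bytes)
OLD_KSK = "mytld. 3600 IN DNSKEY 257 3 8 AQMAAQAB"
NEW_KSK = "mytld. 3600 IN DNSKEY 257 3 8 AQMAAQAD"
ZSK = "mytld. 3600 IN DNSKEY 256 3 8 AQMAAQAB"

if __name__ == "__main__":
    # Mid-rollover: the parent (simulated here) still carries only the old KSK's DS
    parent = [ds_record(OLD_KSK)]
    print(ds_coverage([OLD_KSK, NEW_KSK, ZSK], parent))   # {1294: True, 1296: False}
```

   Feed it one DNSKEY record per line (dig without +multi prints each
   record on a single line) together with the DS answer from the parent.
   A KSK that reports False is one whose DS has not yet reached the
   parent, so it is not yet safe to drop the other key; a DS line that
   matches no KSK at all is either a stale entry or a typo made when the
   digest was entered by hand, which is exactly what the "eliminate any
   spaces from the Digest" warning in step 4 is about.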
168
1696. Let's sign the zone with the new KSK
170
171  $ cd /etc/namedb/keys
172  $ sudo dnssec-signzone -o mytld -k Kmytld.+008+54511 ../master/mytld Kmytld.+008+45000
173
174  $ sudo rndc reload mytld
175
1767. Check with dig - both before and after the TTL expire (or cache flush)
177
178  $ dig dnskey mytld +multi
179  $ dig dnskey mytld +dnssec +multi
180 
1818. Tell an instructor that you would like the original DS resource
182   records to be removed from the "root" zone (or remove it yourself
183   using the web interface)
184
1859. Sit back and reflect on what an involved and annoying process
186this was, and how much better things would be if all your key
187rollovers were managed automatically.
188