Manual Key Rollover Exercise
----------------------------

OBJECTIVE

We are going to roll the ZSK for the zones we have just signed.

PLEASE make note of the KSK/ZSK IDs and write them down on a piece
of paper as you work, to remember which is which.

REMINDERS

- we are keeping our keys in /etc/namedb/keys/

- we currently have two pairs of keys in that directory, one ZSK
and one KSK.
Each pair is represented by two files, one ending in ".key" (the
public key) and one ending in ".private" (the private key)

- there is a DS RRSet in the "root" zone corresponding to our KSK

ZSK ROLLOVER

1. Take a look at what keys we have already generated. Make a note
of the names of the files containing the current ZSK and KSK.

# cd /etc/namedb/keys/
# ls -lt K*

2. Generate a new ZSK, which we will use to replace the old one.

# dnssec-keygen -a RSASHA256 -b 1024 -n ZONE mytld
(replacing mytld with the name of your zone)

Which might output:

Kmytld.+008+45000

Make sure all the key files are readable by the named process:

# chown bind K*
# chmod u+r K*
# ls -lt

You should now have a third key pair in the directory. If you check the
DNSKEY RDATA (e.g., "cat Kmytld.+008+45000.key"), you should see that the
flags field is 256 (i.e. this is a ZSK, not a KSK).
Make a note of the name of the file containing the new ZSK.

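As an added example (not part of the handout), here is where the number in the key file name and the "key id" that dig prints come from: the key tag of RFC 4034 Appendix B, computed over the DNSKEY RDATA, together with the flags check from step 2. The sample .key contents below are constructed with a placeholder public key, so the tags they yield (2058 and 2059) are not the ones used in this exercise.

```python
import base64
import struct

def key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA: this is the NNNNN in
    K<zone>.+AAA+NNNNN.key file names and the 'key id' that dig +multi prints."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_key_file(text):
    """Parse a BIND .key file ('; ...' comment lines, then the DNSKEY record
    '<zone>. [TTL] IN DNSKEY <flags> <protocol> <algorithm> <base64>')."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(";") or "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")
        flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
        pubkey = base64.b64decode("".join(fields[i + 4:]))
        zone = fields[0].rstrip(".")
        tag = key_tag(flags, protocol, algorithm, pubkey)
        if not flags & 0x0100:           # ZONE bit (value 256) clear: not a zone key
            role = "not a zone key"
        else:                            # SEP bit (value 1): 257 = KSK, 256 = ZSK
            role = "KSK" if flags & 0x0001 else "ZSK"
        return {"zone": zone, "flags": flags, "role": role, "tag": tag,
                "file": f"K{zone}.+{algorithm:03d}+{tag:05d}.key"}
    raise ValueError("no DNSKEY record found in key file")

# Constructed .key file contents in dnssec-keygen's layout; the public key is
# a 3-byte placeholder (bytes 01 02 03), not real RSA key material.
NEW_ZSK_FILE = """\
; This is a zone-signing key, keyid 2058, for mytld.
mytld. IN DNSKEY 256 3 8 AQID
"""
KSK_FILE = "mytld. IN DNSKEY 257 3 8 AQID\n"
```

Run parse_key_file on the real "cat Kmytld.+008+45000.key" output and the returned "file" name must match the file you just noted down; if it does not, the file was renamed or edited.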
3. Take a look at your current DNSKEY RRSet.

# dig mytld dnskey +multi

Your zone should contain one KSK and one ZSK (check the flags - 257/256
- to distinguish between them).

We need to add the new key to the zone, so it gets included in the next
signing. At the end of the file /etc/namedb/master/mytld, ADD the new key:

$include "/etc/namedb/keys/Kmytld.+008+45000.key";

Increment the serial number.

Save the file and exit.

4. Re-sign your zone to get the new ZSK signed, but we will NOT sign using
the new ZSK - we only want the new ZSK to show up in the DNSKEY RRset
and be signed by the current KSK.
This is called a "pre-publish".

# cd /etc/namedb/keys
# dnssec-signzone -x -o mytld -k Kmytld.+008+52159 ../master/mytld Kmytld.+008+51333

(key tag numbers from the manual signing example)

Notice in the above example that we are only using the current (old) ZSK
and old KSK to sign, not the new one - this is to make sure that dnssec-signzone
doesn't try to sign with both ZSKs. It wouldn't be "bad", but it would
mean twice the data in the zone!

So we tell dnssec-signzone exactly which keys to use when doing a
rollover, PRECISELY because you want to control the timing of when
a key is introduced, used to sign, and finally retired.

The output of the above command should be:

Zone signing complete:
Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
                      ZSKs: 1 active, 1 present, 0 revoked
../master/mytld.signed

Notice the "ZSKs: 1 active, 1 present".

5. See what difference this has made to the zone.

# rndc reload mytld

# dig @10.10.X.1 mytld dnskey +multi
# dig @10.10.X.1 mytld dnskey +dnssec
# dig @10.10.X.1 mytld soa +dnssec

(you could also check if your slaves have updated their serial)

Your zone should now contain one KSK and two ZSKs; both ZSKs should be
present in the DNSKEY RRSet, which should be signed by the KSK.

BUT the SOA record (and other RRSets in the zone) should ONLY be signed
once, using the old ZSK. And the DNSKEY RRset should show all 3 keys
(1 KSK, 2 ZSKs).

This is called "pre-publish".

At this time, we should in principle wait 2 x TTL for both ZSKs to
show up in everyone's cache (by default it is 120 seconds, or 2 minutes,
in our lab, but this will be different "in real life"). Anyway, let's
wait for at least 2 minutes before we sign with the new ZSK instead of the
old ZSK.

After 2 minutes, ask one of your neighbors if they can look up the DNSKEY
for your domain. They can check the in-class cache (10.10.0.230) and,
if they have configured it, their own caching resolver.

Again, the command to look up the keys is:

# dig mytld dnskey +multi

Once we are certain that "all the internet" (everyone in the class)
can see both keys, we can sign with the new ZSK.

6. Sign with the new ZSK.

Remember, we have 3 keys - in our zone, we have:

$include "/etc/namedb/keys/Kmytld.+008+52159.key"; // KSK
$include "/etc/namedb/keys/Kmytld.+008+51333.key"; // ZSK we retire
$include "/etc/namedb/keys/Kmytld.+008+45000.key"; // new ZSK

Increment the serial number. Then:

# cd /etc/namedb/keys
# dnssec-signzone -x -o mytld -k Kmytld.+008+52159 ../master/mytld Kmytld.+008+45000

... Notice how we now use 45000 (second ZSK) to sign, not 51333 anymore.

Now, reload the zone to propagate the changes:

# rndc reload mytld

Check with dig like in step 5 that you are seeing only ONE signature
for your RRsets - which means we are only signing using ONE ZSK -
you still have to wait for the TTL to expire before you can retire
the old ZSK.

7. Now you should notice, using dig like in step 5, that we are only
signing with one key:

# dig @10.10.X.1 www.mytld +dnssec

But also verify that the OLD ZSK is still published in the DNSKEY RRset:

# dig @10.10.X.1 mytld dnskey +multi

You should still see three keys.

8. Retire the old ZSK.

After waiting at least 2 minutes (120s) for caches to clear, retire
the old ZSK:

# cd /etc/namedb/master/

Edit the zone file and add a comment sign (';') in front of the old ZSK
(double check which key!):

$include "/etc/namedb/keys/Kmytld.+008+52159.key";  // KSK
; $include "/etc/namedb/keys/Kmytld.+008+51333.key"; // ZSK (commented out)
$include "/etc/namedb/keys/Kmytld.+008+45000.key";  // new ZSK

Increment the serial number.

Now re-sign the zone; notice that we explicitly
DON'T specify the ZSK we just commented out:

# cd /etc/namedb/keys
# dnssec-signzone -x -o mytld -k Kmytld.+008+52159 ../master/mytld
# rndc reload mytld
# tail /etc/namedb/log/general

9. Like in step 5, check that signatures still work, and that
the OLD ZSK is no longer in the DNSKEY RRset.

Also, check that the RRSIGs (dig +dnssec soa mytld) in your zone show the
key ID of the new ZSK.

Does your domain still work? :)

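The checks in steps 5, 7 and 9 can be scripted. The example below is added here and is not part of the handout: it reads the output of the dig commands used above (DNSKEY with +multi, so the "key id" comments are present, plus SOA with +dnssec) and reports anything that deviates from the expected state of each rollover phase. The key tags and the dig output are constructed sample values matching the tags used in this exercise; the base64 fields are placeholders.

```python
import re
# Key tags noted down during the exercise (sample values from the handout).
KSK, OLD_ZSK, NEW_ZSK = 52159, 51333, 45000
# Each published key is tracked as (key tag, role from its flags: 257 KSK / 256 ZSK)
ALL_KEYS = {(KSK, "KSK"), (OLD_ZSK, "ZSK"), (NEW_ZSK, "ZSK")}
# Per phase: (DNSKEY set, tags signing DNSKEY, tags signing every other RRset)
EXPECTED = {
    "prepublish": (ALL_KEYS, {KSK}, {OLD_ZSK}),                       # after step 5
    "new-zsk":    (ALL_KEYS, {KSK}, {NEW_ZSK}),                       # after step 7
    "retired":    (ALL_KEYS - {(OLD_ZSK, "ZSK")}, {KSK}, {NEW_ZSK}),  # after step 9
}
LABELS = ("DNSKEY set", "DNSKEY RRset signed by", "other RRsets signed by")

def _records(dig_output):
    buf = []                       # lines of one record that +multi split over ( ... )
    for line in dig_output.splitlines():
        buf.append(line.strip())
        if buf[0].endswith("(") and ")" not in line:
            continue                                 # still inside the parentheses
        rec, buf = " ".join(buf), []
        if rec and not rec.startswith(";"):          # skip dig's ";;" header lines
            yield rec

def observed(dig_output):
    """Return (DNSKEY set, tags signing DNSKEY, tags signing other RRsets)."""
    keys, dnskey_sigs, other_sigs = set(), set(), set()
    for rec in _records(dig_output):
        f = rec.replace("(", " ").replace(")", " ").split()
        if len(f) > 4 and f[3] == "DNSKEY" and "key id =" in rec:
            tag = int(re.search(r"key id = (\d+)", rec).group(1))   # +multi comment
            keys.add((tag, "KSK" if int(f[4]) & 1 else "ZSK"))      # SEP bit -> 257
        elif len(f) > 10 and f[3] == "RRSIG":
            # RRSIG RDATA: covered alg labels origttl expire incept keytag signer sig
            (dnskey_sigs if f[4] == "DNSKEY" else other_sigs).add(int(f[10]))
    return keys, dnskey_sigs, other_sigs

def check_phase(dig_output, phase):
    """List what deviates from the expected state; an empty list means all good."""
    return [f"{what}: {sorted(got)}, want {sorted(want)}"
            for what, got, want in zip(LABELS, observed(dig_output), EXPECTED[phase])
            if got != want]

# Constructed sample after step 5 ('dig mytld dnskey +dnssec +multi' plus 'dig mytld soa +dnssec').
STEP5 = """\
mytld. 120 IN DNSKEY 257 3 8 (
    AwEAAcKSK ) ; KSK; alg = RSASHA256 ; key id = 52159
mytld. 120 IN DNSKEY 256 3 8 (
    AwEAAoLD ) ; ZSK; alg = RSASHA256 ; key id = 51333
mytld. 120 IN DNSKEY 256 3 8 (
    AwEAAnEW ) ; ZSK; alg = RSASHA256 ; key id = 45000
mytld. 120 IN RRSIG DNSKEY 8 1 120 20991231000000 20000101000000 52159 mytld. c2ln
mytld. 120 IN RRSIG SOA 8 1 120 20991231000000 20000101000000 51333 mytld. c2ln
"""
```

Feed it the concatenated output of the two dig commands and the phase you believe you are in; a non-empty list means either a key was left out of the zone file or dnssec-signzone was given the wrong ZSK.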