Track3Sec: 2.5_dnssec-bind-manual-zsk-rollover.txt

File 2.5_dnssec-bind-manual-zsk-rollover.txt, 6.1 KB (added by Fakrul Alam, 6 years ago)
Manual Key Rollover Exercise
----------------------------

OBJECTIVE

We are going to roll the ZSK for the zones we have just signed, using the
"pre-publish" method: publish the new ZSK, wait, sign with it, wait, and
only then remove the old one.

PLEASE make note of the KSK/ZSK IDs (the key tag, i.e. the last number in
the K<zone>.+008+<tag> file name) and write them down on a piece of paper
as you work, so you remember which is which.

REMINDERS

 - we are keeping our keys in /etc/namedb/keys/

 - we currently have two pairs of keys in that directory, one ZSK
   and one KSK.
   Each pair is represented by two files, one ending in ".key" (the
   public key, as a DNSKEY record) and one ending in ".private" (the
   private key)

 - there is a DS RRSet in the "root" zone corresponding to our KSK.
   Because we only roll the ZSK, the DS record does not change and the
   parent zone does not need to be touched.

ZSK ROLLOVER

1. Take a look at what keys we have already generated. Make a note
of the names of the files containing the current ZSK and KSK.

  # cd /etc/namedb/keys/
  # ls -lt K*

2. Generate a new ZSK, which we will use to replace the old one.

  # dnssec-keygen -a RSASHA256 -b 1024 -n ZONE mytld
                (replacing mytld with the name of your zone)
  Which might output:
  Kmytld.+008+45000

  (1024-bit RSA is used here only to keep the lab quick; for a production
  zone use at least 2048 bits, or ECDSAP256SHA256, which current DNSSEC
  guidance prefers over RSA.)

Make sure all the key files are readable by the named process, and that
the .private files stay readable ONLY by that user (dnssec-keygen creates
them mode 0600; do not loosen that):

  # chown bind K*
  # chmod u+r K*
  # ls -lt

You should now have a third key pair in the directory. If you check the
DNSKEY RDATA (e.g., "cat Kmytld.+008+45000.key"), you should see the
flags field is 256 (i.e. this is a ZSK, not a KSK; a KSK has 257, the
extra low bit being the SEP flag).
Make a note of the name of the file containing the new ZSK.

3. Take a look at your current DNSKEY RRSet.

  # dig mytld dnskey +multi

Your zone should contain one KSK and one ZSK (check the flags - 257/256
- to distinguish between them).

We need to add the new key to the zone, so it gets included in the next
signing. At the end of the file /etc/namedb/master/mytld, ADD the new key:

    $include "/etc/namedb/keys/Kmytld.+008+45000.key";

    Increment the serial number.

    Save the file and exit

4. Re-sign your zone to get the new ZSK published, but we will NOT sign
   using the new ZSK - we only want the new ZSK to show up in the DNSKEY
   RRset and be signed by the current KSK.
   This is called "pre-publish".

  # cd /etc/namedb/keys
  # dnssec-signzone -x -o mytld -k Kmytld.+008+52159 ../master/mytld Kmytld.+008+51333

   (key tag numbers from the manual signing example: 52159 is the KSK,
   51333 the current ZSK; use your own)

  Notice in the above example that we are only using the current (old) ZSK
  and the KSK to sign, not the new ZSK. When key files are given on the
  command line, dnssec-signzone signs with those keys only; with no key
  files it would sign with every DNSKEY at the apex that has a matching
  .private file in the key directory, i.e. with both ZSKs. That wouldn't
  be "bad", but it would mean twice the signature data in the zone!

  So we tell dnssec-signzone exactly which keys to use when doing a
  rollover, PRECISELY because you want to control the timing of when
  a key is introduced, used to sign, and finally retired. (-x means the
  DNSKEY RRset is signed by the KSK only, without an additional ZSK
  signature; the KSK never signs the other RRsets anyway.)

  The output of the above command should be:

Zone signing complete:
Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
                      ZSKs: 1 active, 1 present, 0 revoked
../master/mytld.signed

  Notice the ZSKs: 1 active, 1 present - "present" is the new ZSK, which
  is in the DNSKEY RRset but has not signed anything.

5. See what difference this has made to the zone.

  # rndc reload mytld

  # dig @10.10.X.1 mytld dnskey +multi
  # dig @10.10.X.1 mytld dnskey +dnssec
  # dig @10.10.X.1 mytld soa +dnssec

  (you could also check if your slaves have updated their serial)

Your zone should now contain one KSK and two ZSKs; both ZSKs should be
present in the DNSKEY RRSet, which should be signed by the KSK.

BUT the SOA record (and other RRSets in the zone) should ONLY be signed
once, using the old ZSK (the key tag in the RRSIG is the old ZSK's). And
the DNSKEY RRset should show all 3 keys (1 KSK, 2 ZSKs).

This is the "pre-publish" state.

At this time, we must wait for the new DNSKEY RRset to replace the old one
in everyone's cache. The minimum is the DNSKEY TTL plus the time it takes
your slaves to transfer the new zone; as a safe margin we wait 2 x TTL
(the TTL is 120 seconds, or 2 minutes, in our lab, but this will be
different "in real life"). Until every cache has a DNSKEY RRset that
contains the new ZSK, a signature made with it would fail validation.
Anyway, let's wait for at least 2 minutes before we sign with the new ZSK
instead of the old ZSK.

After 2 minutes, ask one of your neighbors if they can look up the DNSKEY
for your domain. They can check the in-class cache (10.10.0.230) and,
if they have configured it, their own caching resolver.

Again, the command to look up the keys is:

  # dig mytld dnskey +multi

Once we are certain that "all the internet" (everyone in the class)
can see both keys, we can sign with the new ZSK.

6. Sign with the new ZSK.

   Remember, we have 3 keys - in our zone, we have:

   $include "/etc/namedb/keys/Kmytld.+008+52159.key"; KSK
   $include "/etc/namedb/keys/Kmytld.+008+51333.key"; ZSK we retire
   $include "/etc/namedb/keys/Kmytld.+008+45000.key"; new ZSK

   (in a zone file ';' starts a comment, so the text after it is ignored)

   Increment the serial number. Then:

   # cd /etc/namedb/keys
   # dnssec-signzone -x -o mytld -k Kmytld.+008+52159 ../master/mytld Kmytld.+008+45000

... Notice how we now use 45000 (the new ZSK) to sign, not 51333 anymore.
The old ZSK stays in the DNSKEY RRset (it is still $included) but signs
nothing.

Now, reload the zone to propagate the changes

   # rndc reload mytld

Check with dig as in step 5 that you are seeing only ONE signature
for your RRsets, carrying the new key tag (45000 in the example) - which
means we are only signing using ONE ZSK. You still have to wait before you
can retire the old ZSK: an RRSIG made with it may sit in a cache for as
long as the TTL of the record it covers, so the wait is the LONGEST TTL in
the zone (plus propagation), not just the DNSKEY TTL.


7. Now you should notice, using dig as in step 5, that we are only
   signing with one key

   # dig @10.10.X.1 www.mytld +dnssec

But also verify that the OLD ZSK is still published in the DNSKEY RRset:

   # dig @10.10.X.1 mytld dnskey +multi

You should still see three keys.

8. Retire the old ZSK.

After waiting at least 2 minutes (120s, the longest TTL in our lab zone)
for caches to clear, retire the old ZSK:

  # cd /etc/namedb/master/

  Edit the zone file and add a comment sign (';') in front of the old ZSK
  (double check which key! It is the one that was signing BEFORE step 6.)

$include "/etc/namedb/keys/Kmytld.+008+52159.key";  KSK
; $include "/etc/namedb/keys/Kmytld.+008+51333.key"; old ZSK (commented out)
$include "/etc/namedb/keys/Kmytld.+008+45000.key";  new ZSK

  Increment the serial number.

  Now re-sign the zone. Notice that we explicitly DON'T specify the ZSK
  we just commented out: with no ZSK file on the command line,
  dnssec-signzone signs with the apex DNSKEYs that have a .private file
  in the key directory, and the only ZSK left in the zone is the new one.
  (The old .private file is still on disk; once the rollover is done,
  move the retired pair out of /etc/namedb/keys so it cannot be picked
  up again by accident.)

  # cd /etc/namedb/keys
  # dnssec-signzone -x -o mytld -k Kmytld.+008+52159 ../master/mytld
  # rndc reload mytld
  # tail /etc/namedb/log/general

9. As in step 5, check that signatures still validate, and that
   the OLD ZSK is no longer in the DNSKEY RRset.

   Also check that the RRSIGs in your zone (dig +dnssec soa mytld) show
   the key ID of the new ZSK.

   Does your domain still work? :)
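
As an added check for this exercise (this script is not part of the original
lab text and not a BIND tool), the following Python parses the DNSKEY and
RRSIG records that `dig mytld dnskey +dnssec` and `dig mytld soa +dnssec`
print (with or without +multi), computes each key's key tag (RFC 4034
Appendix B), which is the number you wrote down from the K<zone>.+008+<tag>
file name (steps 1 and 2), and tells you which state the rollover is in
(the checks of steps 5, 7 and 9). The sample records are constructed: the
public keys are 6-byte stand-ins rather than real RSA keys and the
signatures are placeholders, so only the flags and tag arithmetic are
meaningful. The key tags 6462/1785 and the zone name mytld are assumptions
for the sample; run it with your own dig output and your own tags.

```python
"""Check the state of a pre-publish ZSK rollover from dig output.

Added example, not part of the original lab. Parses DNSKEY/RRSIG records in
dig presentation format, computes key tags (RFC 4034 Appendix B) and reports
which step of the rollover the zone is in.
"""
import base64
import struct


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (flags, protocol, algorithm, public key)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF          # fold the carry back in
    return ac & 0xFFFF


def dnskey_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    return key_tag(struct.pack("!HBB", flags, protocol, algorithm) + pubkey)


def key_file_name(zone: str, algorithm: int, tag: int) -> str:
    """Base name dnssec-keygen gives the key pair files (add .key / .private)."""
    return "K%s.+%03d+%05d" % (zone.rstrip("."), algorithm, tag)


def _logical_lines(text: str):
    """Drop ';' comments and rejoin records that dig +multi wraps in ( )."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth <= 0:
            fields = " ".join(buf).split()
            buf, depth = [], 0
            if fields:
                yield fields


def parse_records(text: str) -> list:
    """Return the DNSKEY and RRSIG records found in dig output as dicts."""
    records = []
    for f in _logical_lines(text):
        if len(f) < 5 or f[2] != "IN":      # owner ttl IN type rdata...
            continue
        owner, ttl, rtype = f[0], int(f[1]), f[3]
        if rtype == "DNSKEY":
            flags, proto, alg = int(f[4]), int(f[5]), int(f[6])
            pub = base64.b64decode("".join(f[7:]))
            role = ("KSK" if flags & 0x0001 else "ZSK") if flags & 0x0100 else "NOT-A-ZONE-KEY"
            records.append({"type": "DNSKEY", "owner": owner, "ttl": ttl, "flags": flags,
                            "alg": alg, "role": role, "tag": dnskey_tag(flags, proto, alg, pub)})
        elif rtype == "RRSIG":
            # type-covered alg labels orig-ttl expiration inception key-tag signer sig
            records.append({"type": "RRSIG", "owner": owner, "ttl": ttl, "covers": f[4],
                            "alg": int(f[5]), "tag": int(f[10]), "signer": f[11]})
    return records


def rollover_phase(records: list, old_zsk: int, new_zsk: int) -> str:
    """Classify the zone against the steps of this exercise, given the two ZSK tags."""
    ksks = {r["tag"] for r in records if r["type"] == "DNSKEY" and r["role"] == "KSK"}
    zsks = {r["tag"] for r in records if r["type"] == "DNSKEY" and r["role"] == "ZSK"}
    dnskey_signers = {r["tag"] for r in records if r["type"] == "RRSIG" and r["covers"] == "DNSKEY"}
    zone_signers = {r["tag"] for r in records if r["type"] == "RRSIG" and r["covers"] != "DNSKEY"}
    if not dnskey_signers & ksks:
        return "BROKEN: DNSKEY RRset is not signed by a published KSK"
    if not zone_signers:
        return "INCOMPLETE: no RRSIG over zone data in the input (run dig soa +dnssec)"
    if not zone_signers <= zsks:
        return "BROKEN: RRSIG by key tag(s) %s not in the DNSKEY RRset" % sorted(zone_signers - zsks)
    if len(zone_signers) > 1:
        return "DOUBLE-SIGNED: zone data signed by %s (we sign with one ZSK at a time)" % sorted(zone_signers)
    signer = next(iter(zone_signers))
    if zsks == {old_zsk, new_zsk} and signer == old_zsk:
        return "PRE-PUBLISH: new ZSK %d published, old ZSK %d still signing (step 5)" % (new_zsk, old_zsk)
    if zsks == {old_zsk, new_zsk} and signer == new_zsk:
        return "NEW-ZSK-ACTIVE: %d signing, old ZSK %d still published; wait out the longest zone TTL (step 7)" % (new_zsk, old_zsk)
    if zsks == {new_zsk} and signer == new_zsk:
        return "COMPLETE: only new ZSK %d published and signing (step 9)" % new_zsk
    if zsks == {old_zsk} and signer == old_zsk:
        return "NOT-STARTED: only old ZSK %d published and signing" % old_zsk
    return "UNEXPECTED: ZSKs %s, zone data signed by %d" % (sorted(zsks), signer)


# Constructed snapshot of a zone in step 5: one KSK, two ZSKs, DNSKEY RRset
# signed by the KSK, SOA still signed by the OLD ZSK. Keys/signatures are fake.
SAMPLE_PREPUBLISH = """\
;; ANSWER SECTION:
mytld.  120 IN DNSKEY 257 3 8 (
        AwEAAavN
        ) ; KSK; alg = RSASHA256 ; key id = 45784
mytld.  120 IN DNSKEY 256 3 8 AwEAARI0
mytld.  120 IN DNSKEY 256 3 8 AwEAAf/u
mytld.  120 IN RRSIG DNSKEY 8 1 120 20150301000000 20150201000000 45784 mytld. c2ln
mytld.  120 IN SOA ns1.mytld. hostmaster.mytld. 2015020102 3600 900 604800 120
mytld.  120 IN RRSIG SOA 8 1 120 20150301000000 20150201000000 6462 mytld. c2ln
"""
OLD_ZSK, NEW_ZSK = 6462, 1785   # assumed tags of the two constructed ZSKs above


def check(text: str, old_zsk: int = OLD_ZSK, new_zsk: int = NEW_ZSK) -> str:
    return rollover_phase(parse_records(text), old_zsk, new_zsk)


if __name__ == "__main__":
    for r in parse_records(SAMPLE_PREPUBLISH):
        if r["type"] == "DNSKEY":
            print("%-3s flags=%d key id=%5d  -> %s" % (r["role"], r["flags"], r["tag"],
                                                      key_file_name(r["owner"], r["alg"], r["tag"])))
    print(check(SAMPLE_PREPUBLISH))
```

Paste the output of the two dig commands from step 5 into `check()` together
with your own old/new tags after each re-sign: it should say PRE-PUBLISH
after step 4, NEW-ZSK-ACTIVE after step 6 and COMPLETE after step 8. A
BROKEN result means an RRSIG refers to a key that is not in the DNSKEY
RRset, which is exactly what validating resolvers would reject.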
196