Updating a DNSSEC config to use a different algorithm
Matthijs Mekking
matthijs at isc.org
Tue Feb 2 14:36:16 UTC 2021
On 02-02-2021 14:40, @lbutlr wrote:
> On 02 Feb 2021, at 02:23, Matthijs Mekking <matthijs at isc.org> wrote:
>> 1. Create a dnssec-policy that matches your current keys (so in your case algorithm 7, also make sure you use the same length).
>>
>> So I guess something like:
>>
>> dnssec-policy alg13-ksk-unlimited-zsk-60day {
>> keys {
>> ksk key-directory lifetime unlimited algorithm 7 2048;
>> zsk key-directory lifetime P60D algorithm 7 1024 ;
>> };
>> };
>>
>> This is an assumption. Check the key length with your existing keys.
>
> Yes, the current keys are alg 7 2048 bit. Is there a document on the various options here? I am plowing through the "BIND 9 Administrator Reference Manual, Release BIND 9.16.5 (Stable Release)" but it is slow going right now and "dnssec-policy" does not appear in the pdf in a searchable form, which makes things even more fun).
No, I could add them to the ARM. But it is the same as dnssec-signzone:
-a <algorithm>:
RSASHA1 | NSEC3RSASHA1 |
RSASHA256 | RSASHA512 |
ECDSAP256SHA256 | ECDSAP384SHA384 |
ED25519 | ED448 | DH
If the PDF is not working for you, perhaps https://bind9.readthedocs.io/
suits you better?
> (This domain has a RRSIG range of 20210122220953 - 20210221230953)
>
> I am guessing as soon as I add that DNSSEC-policy I also need to change each domain record from "auto-dnssec maintain;" to "dnssec-policy default;" or do I do that after the .state files have been created? (That doesn't sound right, but best to check).
I guess with "each domain record" you mean "each zone".
If you are migrating, don't change it to "dnssec-policy default;". This
is a built-in policy that does not match your existing keys.
Instead, change it to "dnssec-policy alg13-ksk-unlimited-zsk-60day;"
Once you have .state files, you should be able to change to a different
policy, including "default". Note that the default policy uses a single
key (as both KSK and ZSK).
>> Now that you have migrated your existing key files (they will now have a .state file), you can reconfigure your dnssec-policy with a new algorithm,. The alg-7 keys will be gracefully removed from the zone, while new keys with a new algorithm will be introduced.
>
> So once all the domains have a .state file associated with them in the key directory I can change the dnssec-policy to the sample I had before and it will just migrate from the alg 7 keys above to alg ECDSAP256SHA256 (or I can just say alg 13 instead).
>
> #v+
> dnssec-policy alg13-ksk-unlimited-zsk-60day {
> keys {
> ksk key-directory lifetime unlimited algorithm 13;
> zsk key-directory lifetime P60D algorithm 13;
> };
> };
Yes, once all keys for the zones in question have a .state file
associated with them, you should be able to change the dnssec-policy and
start using ECDSA (you can use the string ECDSAP256SHA256 or the number 13).
I would recommend to first check if the .state files look correct before
changing your dnssec-policy (do the keys in your zone match the .state
file? Are the states set to OMNIPRESENT? Is the goal set to OMNIPRESENT?
- Matthijs
> #v-
>
> That seems very straightforward, there must be a catch somewhere.
>
More information about the bind-users
mailing list