Dynamic Update and key rollover with BIND 9.6

Shumon Huque shuque at isc.upenn.edu
Sat Dec 27 03:56:36 UTC 2008 

I'm testing BIND 9.6 with dynamically updated zones.

I'm trying to figure out if I can maintain the zone entirely via 
dynamic update, even including key rollover tasks. 

Or is key rollover better performed outside the nameserver process, 
eg. by freezing the zone, moving in new key files into the zone's 
key-directory, resigning using dnssec-signzone, and telling BIND to 
reload the zone.

(For KSK rollover, I plan to use double signature policy, and for 
ZSK rollover, pre-publish but single signature policy.)

It seems that it's possible to use dynamic update to introduce
new DNSKEY records into the zone. So, for ZSK rollover, I could
create a new ZSK pair, add the DNSKEY record via dynamic update.
And when I'm ready to start signing with the new key, move it's
key files into the key-directory for the zone, and remove the old
key files from that directory. That will allow new updates to be
signed with the new key. But how about all the existing records?
I don't see an option to tell BIND to immediately start re-signing
all records, but maybe I've missed it. I assume, I could wait for
BIND's automatic resigning, but then I'll have a mix of records
signed with the old and new ZSK for an extended period of time, 
which doesn't seem terribly clean.

KSK rollover via double signature seems to be easier. Just add
the new DNSKEY via update, and store the key files in the zone's
key-directory, at which point the DNSKEY RRset should be signed
by both old and new KSKs. But I haven't actually tried this yet.

Another question: when I add a ZSK DNSKEY via update, BIND seems 
to insert an additional record (TYPE65535) into the zone whose 
rdata content includes the keyid. What is the purpose of this 
record? I assume it might have something to do with tracking the
status of new keys. I see only a brief mention of it in the manual 
describing the sig-signing-type option:

    "sig-signing-type: Specify a private RDATA type to be used when 
     generating key signing records. The default is 65535. 
     It is expected that this parameter may be removed in a future 
     version once there is a standard type"

Any more detailed explanation, or a specification?

Are there any general recommendations for doing key rollover on 
dynamic zones?

--Shumon.

More information about the bind-users mailing list