dns-sec and Maintaining Human Sanity
Phil Mayers
p.mayers at imperial.ac.uk
Fri Aug 6 13:24:04 UTC 2010
On 06/08/10 12:24, Martin McCormick wrote:
>
> The one thing that impresses me about dns-sec is that it
> appears to be one of those things that will probably work fine
> after installation but getting there may be an adventure to put
> it mildly.
My advice is to investigate upgrading to Bind 9.7 and using the
"auto-dnssec maintain" option on your zones.
We do something similar to this:
zone "example.com" {
type master;
# file in a per-zone directory
file "data/zones/example.com/zone";
# keys in the same directory
key-directory "data/zones/example.com";
# tell bind to do DNSSEC maintenance
auto-dnssec maintain;
# must allow updates for online (re)signing
allow-update { key ...; };
};
...at this point, signing a zone is very simple:
NAME="example.com"
ZDIR="/var/named/data/zones/$NAME"
# make key-signing key
dnssec-keygen -K $ZDIR -a RSASHA1 -b 2048 -n ZONE -f KSK $NAME
# make zone-signing key
dnssec-keygen -K $ZDIR -a RSASHA1 -b 1024 -n ZONE $NAME
# fixup perms
chgrp named $ZDIR/K*
chmod 640 $ZDIR/K*
# sign it
rndc sign $NAME
Bind will automatically maintain the signatures and re-sign every $SOME
days. When you want to do a key rollover, you can use the timestamp
options to generate a new key which is valid but not used:
# make new zone-signing key
dnssec-keygen -K $ZDIR -P now -A none -a RSASHA1 -b 1024 -n ZONE $NAME
# insert key
rndc sign $NAME
# wait for cache expiry times - see RFCs for details
# roll over keys & fixup perms
dnssec-settime -K $ZDIR -A now K<theNEWkeyid> && chmod 640 $ZDIR/K*
dnssec-settime -K $ZDIR -I now K<theOLDkeyid> && chmod 640 $ZDIR/K*
# wait $SOME time for the zone to be incrementally
# resigned using the new key, and the old key is redundant,
# and any old RRs have expired from caches
# remove the old key
dnssec-settime -K $ZDIR -D now K<theOLDkeyid>
rndc sign $NAME
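The rollover steps above leave two placeholders, K<theNEWkeyid> and K<theOLDkeyid>, to be filled in by hand. The following is an added example, not code from the original post, that reads the key files BIND keeps in the zone's key-directory and picks out the KSK and ZSK base names by their DNSKEY flags field (257 = KSK with the SEP bit set, 256 = ZSK), and reads the Publish/Activate/Inactive/Delete timing lines from the matching .private file so you can confirm a key's state before running dnssec-settime against it. It assumes the K<zone>.+<alg>+<id>.key / .private file layout and the "Field: value" lines of the BIND private-key format; the demo key directory and its key blobs are constructed placeholders, not real key material.

```bash
#!/bin/sh
# Added example: identify KSK/ZSK key IDs in a BIND key directory and read
# their timing metadata. Assumes BIND's K<zone>.+<alg>+<id>.key / .private
# naming and file formats; demo data below is constructed.

# Print the base name (K<zone>.+<alg>+<id>) of every key in directory $1
# whose DNSKEY flags field equals $2. A .key file holds one record like:
#   <zone>. [TTL] IN DNSKEY <flags> <protocol> <alg> <base64>
# so we look for the field right after the literal "DNSKEY".
keys_with_flags() {
    dir="$1"; flags="$2"
    for f in "$dir"/K*.key; do
        [ -f "$f" ] || continue
        # dnssec-keygen writes ';' comment lines at the top of the file
        if grep -v '^;' "$f" | awk -v want="$flags" '
                { for (i = 1; i < NF; i++)
                      if ($i == "DNSKEY" && $(i+1) == want) found = 1 }
                END { exit found ? 0 : 1 }'; then
            basename "$f" .key
        fi
    done
}

# Print one timing field (Publish, Activate, Inactive, Delete, ...) from the
# .private file of key base name $2 in directory $1. Prints nothing if the
# field is not set, which is how BIND represents "none".
key_timing() {
    sed -n "s/^$3: *//p" "$1/$2.private"
}

# Build a constructed key directory: one KSK and two ZSKs, where the second
# ZSK has been published (-P now) but not yet activated (-A none).
# The base64 blobs are placeholders, not real keys.
make_demo_dir() {
    d=$(mktemp -d)
    printf '; This is a key-signing key, keyid 11111, for example.com.\n' \
        > "$d/Kexample.com.+005+11111.key"
    printf 'example.com. IN DNSKEY 257 3 5 AwEAAfakeksk==\n' \
        >> "$d/Kexample.com.+005+11111.key"
    printf 'example.com. IN DNSKEY 256 3 5 AwEAAfakezsk1==\n' \
        > "$d/Kexample.com.+005+22222.key"
    printf 'example.com. IN DNSKEY 256 3 5 AwEAAfakezsk2==\n' \
        > "$d/Kexample.com.+005+33333.key"
    # .private files: only the timing lines matter for this example
    printf 'Private-key-format: v1.3\nPublish: 20100806120000\nActivate: 20100806120000\n' \
        > "$d/Kexample.com.+005+22222.private"
    printf 'Private-key-format: v1.3\nPublish: 20100806130000\n' \
        > "$d/Kexample.com.+005+33333.private"
    chmod 640 "$d"/K*
    echo "$d"
}

# Stand-alone demo: list the KSK, then each ZSK with its Activate time.
demo=$(make_demo_dir)
echo "KSK: $(keys_with_flags "$demo" 257)"
for k in $(keys_with_flags "$demo" 256); do
    act=$(key_timing "$demo" "$k" Activate)
    echo "ZSK: $k activate=${act:-unset}"
done
```

Run it against a real key-directory by replacing the demo path; a ZSK whose Activate field is empty is the "valid but not used" key the post describes, and the old ZSK should show an Inactive time before you set -D on it.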
Obviously there is some care and attention needed, but the above
procedures are very quick to test. Play around with it a bit - I think
you'll be pleasantly surprised how easy the stuff in bind 9.7 is.
More information about the bind-users mailing list