DNSSEC Keys - and trying not to leave them around

Mark Elkins mje at posix.co.za
Wed Jan 12 15:07:29 UTC 2011


There are some parts of Key management with DNSSEC that I don't quite
get - so I'm hoping for some feedback. I'm using BIND 9.7.2-P3 and
running "dnssec-signzone  -3 "abcd" -o example.com -p -t -A example.com"

I believe that:-
1 - The KSK is used to sign the ZSK.
2 - The ZSK is used to sign the rest of the data in the zone.

(I'm a little unclear which parts of the KSK are needed to sign the ZSK
and which parts of the ZSK need to be around to sign the rest of the
zone)

On a virgin zone - you'd need the private parts of the ZSK and KSK's
available (either in the local directory or as the arg to a "-d").
Technically - the public parts (*.key) could be in the zone to be signed
- so don't need to be available any more. (ie - there was a "cat K*.key
>> zone")

Doesn't seem to work like that - as I'm getting the error (for each key)
dnssec-signzone: warning: dns_dnssec_keylistfromrdataset: error reading
private key file co.za/NSEC3RSASHA1/64250: file not found

(64250 is the ZSK)
If I also have the *.key parts in the same directory - all works OK.

So the error message is lying to me!!! ??? - Bug?

                   ---------------------------

So now I want to resign the zone. It's already signed. How can I do that
without having to have the Private KSK still around? I'd have thought
that I'd just perhaps need the Private ZSK around to re-sign new zone
data.

(here I removed the KSK Private file - 9983)
I think this works - but I get the message:
dnssec-signzone: warning: dns_dnssec_keylistfromrdataset: error reading
private key file example.com/NSEC3RSASHA1/9983: file not found

So why is dnssec-signzone worried about the private part of a KSK that
it (I believe) should not need? Bug?

                   ------------------------

My zone changes quite a bit - so what I was thinking to do is Sign a
very basic copy of the zone (SOA, NS records - not much else) - then
move the Private KSK's off the disk completely - then add in my
"dynamic" data and re-sign as often as I need (whenever my "dynamic"
data changes) with just my Private ZSK available.

After about 6 months (whatever) - I can then create a new KSK - bring
back my original 'off-disk' Private KSK - sign a new basic copy of my
zone - take the two Private KSK's offline and go through the whole KSK
roll-over process. ie - I only have the private part of the KSK on the
disk for a very short time - usually it's off-site. I should be able to
generate my very basic zone on a completely different server - perhaps
not connected to the Internet at all - and just (via USB stick) copy
over the basic signed zone every six months?

I'm just worried about the earlier error messages

Can someone please explain? (What is needed when)
-- 
  .  .     ___. .__      Posix Systems - (South) Africa
 /| /|       / /__       mje at posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496
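An added example, not part of the original post and not BIND's own code: a small POSIX shell helper for the situation described above. It turns the "zone/ALG/keyid" triple that dnssec-signzone prints in its "file not found" warning into the exact K*.private file name the signer looked for, and it reports, for every key in a key directory, whether it is a KSK or ZSK and whether its .private half is on disk, so you can see before signing which private keys the tool can and cannot find. Assumptions, not taken from the post: BIND 9.7-style key file naming (K<zone>.+<alg, 3 digits>+<keyid, 5 digits>.key / .private), DNSKEY flags 257 for a KSK and 256 for a ZSK, the IANA algorithm numbers listed in the script, and the existence of the -K key-directory option on dnssec-signzone 9.7. The script does not answer whether the signer needs the KSK's private half to re-sign; it only makes the warning concrete.

```shell
#!/bin/sh
# Added example, not from the original post or from BIND itself.
# Assumptions (labelled): BIND 9.7-style key file names
#   K<zone>.+<alg, 3 digits>+<keyid, 5 digits>.key / .private,
# DNSKEY flags 257 = KSK and 256 = ZSK, and the IANA algorithm numbers
# in alg_number below.

# Map the algorithm mnemonic printed in dnssec-signzone's warning
# ("private key file co.za/NSEC3RSASHA1/64250") to its number.
alg_number() {
  case "$1" in
    RSAMD5)        echo 1 ;;
    DSA)           echo 3 ;;
    RSASHA1)       echo 5 ;;
    NSEC3DSA)      echo 6 ;;
    NSEC3RSASHA1)  echo 7 ;;
    RSASHA256)     echo 8 ;;
    RSASHA512)     echo 10 ;;
    *)             return 1 ;;
  esac
}

# Translate the "zone/ALG/keyid" triple from the warning into the exact
# private-key file name the signer was looking for.
key_file_from_warning() {
  kzone=${1%%/*}
  rest=${1#*/}
  alg=${rest%%/*}
  id=${rest#*/}
  num=$(alg_number "$alg") || return 1
  printf 'K%s.+%03d+%05d.private\n' "$kzone" "$num" "$id"
}

# For every public key file in a key directory print "<role> <stem> <state>":
# role comes from the DNSKEY flags field of the .key file, state says
# whether the matching .private half is on disk.
report_keys() {
  dir=$1
  for pub in "$dir"/K*.key; do
    [ -e "$pub" ] || continue
    stem=${pub%.key}
    flags=$(awk '$0 !~ /^;/ && /DNSKEY/ {
              for (i = 1; i <= NF; i++) if ($i == "DNSKEY") { print $(i+1); exit }
            }' "$pub")
    case "$flags" in
      257) role=KSK ;;
      256) role=ZSK ;;
      *)   role=UNKNOWN ;;
    esac
    if [ -f "$stem.private" ]; then state=private; else state=MISSING; fi
    echo "$role ${stem##*/} $state"
  done
}

# Exit status 0 when at least one KSK in the directory lacks its .private
# half, i.e. the state the post describes after moving the KSK off-disk.
ksk_private_missing() {
  report_keys "$1" | grep -q '^KSK .* MISSING$'
}

# Wrapper around the poster's own dnssec-signzone command line, with -K
# (key directory; assumed present in BIND 9.7) so keys need not sit next
# to the zone file. It prints the key report first, then signs.
resign() {
  keydir=$1 zone=$2 salt=$3
  report_keys "$keydir"
  dnssec-signzone -K "$keydir" -3 "$salt" -o "$zone" -p -t -A "$zone"
}

# Usage:
#   key_file_from_warning co.za/NSEC3RSASHA1/64250   # -> Kco.za.+007+64250.private
#   report_keys /etc/bind/keys
#   resign /etc/bind/keys example.com abcd
```

Run report_keys against the key directory immediately before and after moving a KSK's .private file away; a line ending in MISSING is the key that will produce the "file not found" warning, and key_file_from_warning lets you match a warning back to the file without guessing at the key-id zero padding.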

