Bind and ZSK-Rollovers: Changing salt automatically?

Carsten Strotmann cas at strotmann.de
Thu Jul 24 17:53:25 UTC 2014


Hello Johannes,

Johannes Kastl <mail at ojkastl.de> writes:

> Hi everyone,
>
> I read quite a bit on DNSSEC in the last couple of weeks, and found
> that BIND can automatically rollover the ZSK without manual intervention.
>
> I also found the recommendation to change the NSEC3 salt each time
> the key is rolled over.
>
> What I did not find is whether BIND can also automatically change the salt
> each time it does a ZSK rollover. Cos that would be quite handy...
>

I'm not aware that BIND 9 can do a ZSK rollover all on its own; it is,
however, possible to set the timing values on the ZSK key files in a way
that BIND 9 will execute the rollover at the set times. It is also possible
to create a direct successor ZSK from an existing ZSK.

But the creation of the new ZSK, as well as setting the timing values,
needs to be done outside BIND 9. It is relatively straightforward to script
this in a cron job, and there are ready-made tools that can help.

In the same cron job, it is then possible to create a new NSEC3 salt and
inject that into the zone. Doing so at the exact moment of the ZSK key
rollover (to prevent unnecessary re-generation of all RRSIGs) is
tricky.

If the zone is not too big (i.e. re-generating all RRSIGs is not a
problem), I would recommend rolling the salt at the same intervals, but
independently of the ZSK rollover.

-- 
Carsten Strotmann
Email: cas at strotmann.de
Blog: dnsworkshop.org
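A cron-driven version of the procedure described in the reply, as an added example that is not part of the original post or of BIND itself: the active ZSK gets a retirement date with dnssec-settime, its direct successor is created with dnssec-keygen -S, and a fresh NSEC3 salt is pushed with rndc signing on the same schedule but independently of the key rollover. It assumes a zone configured with auto-dnssec maintain (or inline-signing) in named.conf; the zone name, key directory, intervals, script path and the DRY_RUN switch are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post or from BIND): periodic ZSK
# rollover plus an independent NSEC3 salt change, meant to run from cron,
# e.g. every 90 days:  0 3 1 */3 * /usr/local/sbin/zsk-roll.sh run
# Assumes named.conf has "auto-dnssec maintain;" (or inline-signing) for the
# zone, so rndc loadkeys / rndc signing take effect. Names below are assumed.
set -u
ZONE="${ZONE:-example.com}"                 # assumed zone
KEYDIR="${KEYDIR:-/etc/bind/keys}"          # assumed key-directory
LIFETIME_DAYS="${LIFETIME_DAYS:-90}"        # how long a ZSK signs
PREPUB_DAYS="${PREPUB_DAYS:-30}"            # successor published this early
DRY_RUN="${DRY_RUN:-0}"                     # 1 = print commands, don't run

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# The active ZSK: a key file with flags 256 (ZSK) that has no "Inactive:"
# timestamp yet. Prints the key name (Kzone.+alg+id) without the .key suffix.
current_zsk() {
    for k in "$KEYDIR"/K"$ZONE".+*.key; do
        [ -f "$k" ] || continue
        grep -q 'IN DNSKEY 256 ' "$k" || continue
        grep -q '^; Inactive:' "$k" && continue
        k=${k##*/}; printf '%s\n' "${k%.key}"; return 0
    done
    return 1
}

# Retire the active ZSK LIFETIME_DAYS from now, delete it PREPUB_DAYS later,
# and create its direct successor: dnssec-keygen -S copies algorithm and size
# and sets publish = old inactive - prepub, activate = old inactive.
roll_zsk() {
    old=$(current_zsk) || { echo "no active ZSK for $ZONE in $KEYDIR" >&2; return 1; }
    run dnssec-settime -K "$KEYDIR" -I "+${LIFETIME_DAYS}d" \
        -D "+$((LIFETIME_DAYS + PREPUB_DAYS))d" "$old"
    run dnssec-keygen -K "$KEYDIR" -S "$old" -i "${PREPUB_DAYS}d"
    run rndc loadkeys "$ZONE"           # named picks up the new timing/key
}

# Fresh random salt of $1 bytes as lowercase hex, the format rndc expects.
new_nsec3_salt() { od -An -tx1 -N"$1" /dev/urandom | tr -d ' \n'; }

# Replace the NSEC3 chain parameters: SHA-1 (1), flags 0, 10 iterations,
# new salt. named re-signs the whole chain, which is why this is kept
# independent of the key rollover rather than synchronised with it.
roll_salt() { run rndc signing -nsec3param 1 0 10 "$(new_nsec3_salt 8)" "$ZONE"; }

if [ "${1:-}" = run ]; then roll_zsk && roll_salt; fi
```

Run it once with DRY_RUN=1 to see the exact dnssec-settime, dnssec-keygen and rndc commands it would issue before putting it in cron.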

