DNSSEC migration sanity check
John W. Blue
john.blue at rrcic.com
Fri Sep 4 20:34:46 UTC 2020
Howdy bind-users list.
TLDR: we were able to move zones between DNS servers with different KSK/ZSK while keeping the zones secure.
First I want to say a BIG thank you for the replies received since it helped in documenting our workflow for these migrations.
Off list, Paul E. mentioned that a test domain might be handy and that obvious suggestion made a big difference. No pressure if we mess it up. Thanks Paul.
Additionally, Paul also included a link to a draft of multi-signer DNSSEC:
https://tools.ietf.org/html/draft-ietf-dnsop-multi-provider-dnssec
Of note is the section titled: 2.1.2. Model 2: Unique KSK set and ZSK set per provider
Therein it mentions how "Each provider has their own KSK and ZSK sets" and that is exactly the situation we found ourselves. Our testing showed that we could "double-sign" our test zone (is that the correct phrase in this context?) and it remained secured as indicated by the "ad" flag:
# dig fqdnhere.com +dnssec +multi
; <<>> DiG 9.14.2 <<>> fqdnhere.com +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44429
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
Although dnsviz.net indicated that the zone was secure it produced many, many complaints about errors it was finding. Which, honestly, is to be expected. For example:
"The DS RRset for the zone included algorithm 10 (RSASHA512), but no DS RR matched a DNSKEY with algorithm 10 that signs the zone's DNSKEY RRset"
At first glance the task looked overwhelming but it could not have been easier.
John
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20200904/470469b6/attachment.htm>
More information about the bind-users
mailing list