Changing the DNSSEC algorithm

Danilo Godec danilo.godec at agenda.si
Wed Apr 6 19:35:52 UTC 2022 

On 6.4.2022 8:52, Daniel Stirnimann wrote:
> Hello Danilo,
>
> A simple schema to change DNSSEC algorithms is as follows:
>
> 1. Add new KSK/ZSK and double sign DNSKEY and all zone RRs
>     with both the new and old algorithm
> 2. Replace DS at parent
> 3. Remove old DNSKEY and all RRSIGs from the old algorithm
>
> Before step 2 wait the max zone TTL to expire.
> Before step 3 wait the DS TTL to expire.
>
>> Here I'd like to verify that I understand the steps required to change
>> DNSEC key / algorithm without disruption:
>>
>>
>> 1. create new keys for my zone
>>
>>    * dnssec-keygen -a ECDSAP256SHA256 -n ZONE mydomain
>>    * dnssec-keygen -f KSK -a ECDSAP256SHA256 -n ZONE mydomain
>>
>>
>> 2. include new keys in my zone while keeping old keys too:
>>
>>      $INCLUDE Kmydomain.+008+14884.key         <- old key
>>      $INCLUDE Kmydomain.+008+27618.key         <- old key
>>      $INCLUDE Kmydomain.+013+10503.key         <- new key
>>      $INCLUDE Kmydomain.+013+39532.key         <- new key
>
> Looks good to me.
>
>
>> 3. sign the zone file
>>
>>      /usr/sbin/dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum
>> | cut -b 1-16) -e +3024000 -o mydomain -t mydomain.hosts
>
> Not related to the algorithm rollover but you may want to reconsider the
> use of NSEC3 using opt-out, the use of NSEC3 salt or the use of NSEC3
> all together. Please have a look at:
>
> https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-nsec3-guidance
>
> This is currently an IETF dnsop working group document.
>
>
>> 4. ask the registrar to add new DS record to TLD (I have to do this by
>> mail, there is no 'self-service' UI)
>
> As you use a Double-Signature [1] KSK roll, you can replace the DS
> record in a single step. While your procedure does not break anything it
> does not need to be more complicated then necessary. You description is
> a mix of the Double-Singature / Double-DS KSK rollover.
>
> I would suggest you go directly to step 5 instead and in step 6 you
> *replace* the DS record.
>
>
>> 5. wait at least one TTL (making sure to use the longest TTL in my zone)
>>
>> 6. ask the registrar to remove old DS record(s) (I don't quite remember
>> why, but I had two)
>
> As mentioned above, in step 6 you can *replace* the DS record.
>
>
>> 7. wait another TTL period
>
> You need to wait at least for the DS TTL to expire.
>
>
>> 8. remove old keys from zone
>>
>> 9. re-sign the zone
>
> Looks good to me.
>
>
> Daniel
>
>
> [1] https://datatracker.ietf.org/doc/html/rfc6781#section-4.1.1.2


Thank you, it seems I was close enough (it would've worked).


I read the draft-ietf-dnsop-nsec3-guidance and while it's a bit above my 
level of understanding, I think the gist is that one should not use 
'advanced' NSEC3 features like iterations and salt - achieved by setting 
NSEC3PARAM to 1 0 0 - .


     Regards,
       Danilo

More information about the bind-users mailing list