DNSSEC signing common zone in views
Matthijs Mekking
matthijs at isc.org
Thu Sep 8 09:56:23 UTC 2022
Hi Josef,
First of all I would like to point out the KB article about to
dnssec-policy, especially the part about migrating.
https://kb.isc.org/docs/dnssec-key-and-signing-policy
Although we try to asses the current signing situation, since there are
no key state files it will be an educated guess. Switching to a policy
that doesn't match your current situation might lead to withdrawing
existing signatures and keys too soon.
Once BIND is maintaining key states, it is safe to change your
dnssec-policy to whatever you want. BIND will gradually move to the new
desired
policy, possibly doing key (algorithm) rollovers.
Key rollovers happen automatically, but since you are using an unlimited
lifetime they will never be triggered unless manually with rndc.
There is one manual step that needs to be performed during CSK and KSK
rollovers, that is updating the DS RRset to the parent. Once that is
done you can run the related 'rndc dnssec -checkds' commands.
Or you can set up parental-agents that would check for the DS in the
parent automatically.
As long as you use the same dnssec-policy for the zones, you can use the
same key-directory (since 9.16.18). The key rollover would happen at the
same time for the zone.
You can also set a different key-directory. In that case the key is not
shared, each view of the zone would have a separate DNSSEC key.
I think it is fine using the same key-directory. The only thing is when
you change your configuration in the future such that the dnssec-policy
is different for each view of the zone, you have to also change the
key-directory to be different.
Best regards,
Matthijs
On 07-09-2022 15:19, Josef Vybíhal wrote:
> Hello all,
> I am consolidating our old split DNS consisting of internal and
> external dedicated servers(VMs) into one primary server with views
> (there will be secondaries, but they are not important to the
> question). The old previous configuration is using inline-signing and
> auto-dnssec. I will be switching to dnssec-policy with csk. This is
> fine.
>
> My question is what would be considered best practice when I want the
> zone to be signed by the same CSK in every view. Should I point both
> zones to the same "key-directory", or should I use a different
> directory for every view? And how would the key rollover work in such
> a case?
>
> I have tried to use the same key-directory for both zones in each
> view. It seems to technically work. But maybe someone could point out
> some disadvantages I will be facing in the future? Is there common
> consensus on how this is supposed to be approached? Maybe I am
> handling it all wrong and there is a much better way :)
>
>
> The config I tested:
>
> dnssec-policy "ACME" {
> keys { csk key-directory lifetime unlimited algorithm 13; };
> nsec3param iterations 1 optout false salt-length 16;
> };
>
> view internal {
>
> match-clients { internal; };
>
> zone "ACME.cz" {
> type primary;
> file "primary/internal/ACME.cz/ACME.cz.zone";
> inline-signing yes;
> key-directory "dnssec-keys/ACME.cz";
> dnssec-policy "ACME";
> };
>
> };
>
> view external {
>
> match-clients { external; };
>
> zone "ACME.cz" {
> type primary;
> file "primary/external/ACME.cz/ACME.cz.zone";
> inline-signing yes;
> key-directory "dnssec-keys/ACME.cz";
> dnssec-policy "ACME";
> };
>
> };
>
>
> ---
>
> ns1-new /var/named/dnssec-keys/ACME.cz # cat KACME.cz.+013+14237.state
> ; This is the state of key 14237, for ACME.cz.
> Algorithm: 13
> Length: 256
> Lifetime: 0
> KSK: yes
> ZSK: yes
> Generated: 20190611121855 (Tue Jun 11 14:18:55 2019)
> Published: 20190611121855 (Tue Jun 11 14:18:55 2019)
> Active: 20190611121855 (Tue Jun 11 14:18:55 2019)
> PublishCDS: 20190612132355 (Wed Jun 12 15:23:55 2019)
> DNSKEYChange: 20220907123627 (Wed Sep 7 14:36:27 2022)
> ZRRSIGChange: 20220907123627 (Wed Sep 7 14:36:27 2022)
> KRRSIGChange: 20220907123627 (Wed Sep 7 14:36:27 2022)
> DSChange: 20220907123627 (Wed Sep 7 14:36:27 2022)
> DNSKEYState: omnipresent
> ZRRSIGState: omnipresent
> KRRSIGState: omnipresent
> DSState: rumoured
> GoalState: omnipresent
>
> # named -V
> BIND 9.18.6 (Stable Release) <id:8dbd488>
> running on Linux x86_64 4.18.0-372.19.1.el8_6.x86_64 #1 SMP Tue Aug 2
> 16:19:42 UTC 2022
> ....
>
>
>
> Thanks,
> Josef
More information about the bind-users
mailing list