c52afe031a
security patches to the 9.6.1 version, as well as many other bug fixes. This version also incorporates a different fix for the problem we had patched in contrib/bind9/bin/dig/dighost.c, so that file is now back to being the same as the vendor version. Due to the fact that the DNSSEC algorithm that will be used to sign the root zone is only included in this version and in 9.7.x those who wish to do validation MUST upgrade to one of these prior to July 2010.
129 lines
5.2 KiB
Plaintext
129 lines
5.2 KiB
Plaintext
|
|
DNSSEC and UPDATE
|
|
|
|
Converting from insecure to secure
|
|
|
|
As of BIND 9.6.0 it is possible to move a zone between being insecure
|
|
to secure and back again. A secure zone can be using NSEC or NSEC3.
|
|
|
|
To move a zone from insecure to secure you need to configure named
|
|
so that it can see the K* files which contain the public and private
|
|
parts of the keys that will be used to sign the zone. These files
|
|
will have been generated by dnssec-keygen. You can do this by
|
|
placing them in the key-directory as specified in named.conf.
|
|
|
|
zone example.net {
|
|
type master;
|
|
allow-update { .... };
|
|
file "dynamic/example.net/example.net";
|
|
key-directory "dynamic/example.net";
|
|
};
|
|
|
|
Assuming one KSK and one ZSK DNSKEY key have been generated. Then
|
|
this will cause the zone to be signed with the ZSK and the DNSKEY
|
|
RRset to be signed with the KSK DNSKEY. A NSEC chain will also be
|
|
generated as part of the initial signing process.
|
|
|
|
% nsupdate
|
|
> ttl 3600
|
|
> update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
|
|
> update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
|
|
> send
|
|
|
|
While the update request will complete almost immediately the zone
|
|
will not be completely signed until named has had time to walk the
|
|
zone and generate the NSEC and RRSIG records. Initially the NSEC
|
|
record at the zone apex will have the OPT bit set. When the NSEC
|
|
chain is complete the OPT bit will be cleared. Additionally when
|
|
the zone is fully signed the private type (default TYPE65534) records
|
|
will have a non zero value for the final octet.
|
|
|
|
The private type record has 5 octets.
|
|
algorithm (octet 1)
|
|
key id in network order (octet 2 and 3)
|
|
removal flag (octet 4)
|
|
complete flag (octet 5)
|
|
|
|
If you wish to go straight to a secure zone using NSEC3 you should
|
|
also add a NSEC3PARAM record to the update request with the flags
|
|
field set to indicate whether the NSEC3 chain will have the OPTOUT
|
|
bit set or not.
|
|
|
|
% nsupdate
|
|
> ttl 3600
|
|
> update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
|
|
> update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
|
|
> update add example.net NSEC3PARAM 1 1 100 1234567890
|
|
> send
|
|
|
|
Again the update request will complete almost immediately however the
|
|
NSEC3PARAM record will have additional flag bits set indicating that the
|
|
NSEC3 chain is under construction. When the NSEC3 chain is complete the
|
|
flags field will be set to zero.
|
|
|
|
While the initial signing and NSEC/NSEC3 chain generation is happening
|
|
other updates are possible.
|
|
|
|
DNSKEY roll overs via UPDATE
|
|
|
|
It is possible to perform key rollovers via update. You need to
|
|
add the K* files for the new keys so that named can find them. You
|
|
can then add the new DNSKEY RRs via update. Named will then cause
|
|
the zone to be signed with the new keys. When the signing is
|
|
complete the private type records will be updated so that the last
|
|
octet is non zero.
|
|
|
|
If this is for a KSK you need to inform the parent and any trust
|
|
anchor repositories of the new KSK.
|
|
|
|
You should then wait for the maximum TLL in the zone before removing the
|
|
old DNSKEY. If it is a KSK that is being updated you also need to wait
|
|
for the DS RRset in the parent to be updated and its TTL to expire.
|
|
This ensures that all clients will be able to verify at least a signature
|
|
when you remove the old DNSKEY.
|
|
|
|
The old DNSKEY can be removed via UPDATE. Take care to specify
|
|
the correct key. Named will clean out any signatures generated by
|
|
the old key after the update completes.
|
|
|
|
NSEC3PARAM rollovers via UPDATE.
|
|
|
|
Add the new NSEC3PARAM record via update. When the new NSEC3 chain
|
|
has been generated the NSEC3PARAM flag field will be zero. At this
|
|
point you can remove the old NSEC3PARAM record. The old chain will
|
|
be removed after the update request completes.
|
|
|
|
Converting from NSEC to NSEC3
|
|
|
|
To do this you just need to add a NSEC3PARAM record. When the
|
|
conversion is complete the NSEC chain will have been removed and
|
|
the NSEC3PARAM record will have a zero flag field. The NSEC3 chain
|
|
will be generated before the NSEC chain is destroyed.
|
|
|
|
Converting from NSEC3 to NSEC
|
|
|
|
To do this remove all NSEC3PARAM records with a zero flag field. The
|
|
NSEC chain will be generated before the NSEC3 chain is removed.
|
|
|
|
Converting from secure to insecure
|
|
|
|
To do this remove all the DNSKEY records. Any NSEC or NSEC3 chains
|
|
will be removed as well as associated NSEC3PARAM records. This will
|
|
take place after the update requests completes.
|
|
|
|
Periodic re-signing.
|
|
|
|
Named will periodically re-sign RRsets which have not been re-signed
|
|
as a result of some update action. The signature lifetimes will
|
|
be adjusted so as to spread the re-sign load over time rather than
|
|
all at once.
|
|
|
|
NSEC3 and OPTOUT
|
|
|
|
Named only supports creating new NSEC3 chains where all the NSEC3
|
|
records in the zone have the same OPTOUT state. Named supports
|
|
UPDATES to zones where the NSEC3 records in the chain have mixed
|
|
OPTOUT state. Named does not support changing the OPTOUT state of
|
|
an individual NSEC3 record, the entire chain needs to be changed if
|
|
the OPTOUT state of an individual NSEC3 needs to be changed.
|