09fe1b16b0d85a4b43987628152f516df3ae9838dnielsen

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsen DNSSEC and UPDATE

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsen

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsen Converting from insecure to secure

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsen

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsenAs of BIND 9.6.0 it is possible to move a zone between being insecure

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsento secure and back again. A secure zone can be using NSEC or NSEC3.

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsen

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsenTo move a zone from insecure to secure you need to configure named

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsenso that it can see the K* files which contain the public and private

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsenparts of the keys that will be used to sign the zone. These files

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsenwill have been generated by dnssec-keygen. You can do this by

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsenplacing them in the key-directory as specified in named.conf.

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsen

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsen zone example.net {

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsen type master;

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsen allow-update { .... };

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsen file "dynamic/example.net/example.net";

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsen key-directory "dynamic/example.net";

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsen };

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsen

ed31198c686205a26320612d2a5dd7b26ae63a15John SonnenscheinAssuming one KSK and ons ZSK DNSKEY key has been generated. Then

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsenthis will cause the zone to be signed with the ZSK and the DNSKEY

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsenRRset to be signed with the KSK DNSKEY. A NSEC chain will also be

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsengenerated as part of the initial signing process.

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsen

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsen % nsupdate

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsen > ttl 3600

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsen > update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsen > update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsen > send

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsen

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsenWhile the update request will complete almost immediately the zone

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsenwill not be completely signed until named has hand time to walk the

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsenzone and generate the NSEC and RRSIG records. Initially the NSEC

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsenrecord at the zone apex will have the OPT bit set. When the NSEC

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsenchain is complete the OPT bit will be cleared. Additionally when

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsenthe zone fully signed the private type (default TYPE65535) records

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsenwill have a non zero value for the final octet.

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsen

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsenThe private type record has 5 octets.

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsen algorithm (octet 1)

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsen key id in network order (octet 2 and 3)

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsen removal flag (octet 4)

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsen complete flag (octet 5)

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsen

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsenIf you wish to go straight to a secure zone using NSEC3 you should

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsenalso add a NSECPARAM record to the update request with the flags

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsenfield set to indicate whether the NSEC3 chain will have the OPTOUT

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsenbit set or not.

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsen

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsen % nsupdate

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsen > ttl 3600

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsen > update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsen > update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsen > update add example.net NSEC3PARAM 1 1 100 1234567890

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsen > send

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsen

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsenAgain the update request will complete almost immediately however the

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsenNSEC3PARAM record will have additional flag bits set indicating that the

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsenNSEC3 chain is under construction. When the NSEC3 chain is complete the

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsenflags field will be set to zero.

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsen

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsenWhile the initial signing and NSEC/NSEC3 chain generation is happening

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsenother updates are possible.

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsen

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsen DNSKEY roll overs via UPDATE

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsen

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsenIt is possible to perform key rollovers via update. You need to

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsenadd the K* files for the new keys so that named can find them. You

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsencan then add the new DNSKEY RRs via update. Named will then cause

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsenthe zone to be signed with the new keys. When the signing is

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsencomplete the private type records will be updated so that the last

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsenoctet is non zero.

09fe1b16b0d85a4b43987628152f516df3ae9838dnielsen

If this is for a KSK you need to inform the parent and any trust

anchor repositories of the new KSK.

You should then wait for the maximum TLL in the zone before removing the

old DNSKEY. If it is a KSK that is being updated you also need to wait

for the DS RRset in the parent to be updated and its TTL to expire.

This ensures that all clients will be able to verify atleast a signature

when you remove the old DNSKEY.

The can be removed the old DNSKEY via UPDATE. Take care to specify

the correct key. Named will clean out any signatures generated by

the old key after the update completes.

NSEC3PARAM rollovers via UPDATE.

Add the new NSEC3PARAM record via update. When the new NSEC3 chain

has been generated the NSEC3PARAM flag field will be zero. At this

point you can remove the old NSEC3PARAM record. The old chain will

be removed after the update request completes.

Converting from NSEC to NSEC3

To do this you just need to add a NSEC3PARAM record. When the

conversion is complete the NSEC chain will have been removed and

the NSEC3PARAM record will have a zero flag field. The NSEC3 chain

will be generated before the NSEC chain is destroyed.

Converting from NSEC3 to NSEC

To do this remove all NSEC3PARAM records with a zero flag field. The

NSEC chain will be generated before the NSEC3 chain is removed.

Converting from secure to insecure

To do this remove all the DNSKEY records. Any NSEC or NSEC3 chains

will be removed as will as associated NSEC3PARAM records. The will

take place after the update requests completes.

Periodic re-signing.

Named will periodically re-sign RRsets which have not been re-signed

as a result of some update action. The signature lifetimes will

be adjusted so as to spread the re-sign load over time rather than

all at once.

NSEC3 and OPTOUT

Named only supports creating new NSEC3 chains where all the NSEC3

records in the zone have the same OPTOUT state. Named supports

UPDATES to zones where the NSEC3 records in the chain have mixed

OPTOUT state. Named does not support changing the OPTOUT state of

an individual NSEC3 record, the entire chain needs to be changed if

the OPTOUT state of an individual NSEC3 needs to be changed.