NSEC3-NOTES revision 8e4f3f1cbceef520ba889270c993de0ac376a2a7

    DNSSEC and UPDATE

    Converting from insecure to secure

As of BIND 9.6.0 it is possible to move a zone from being insecure
to secure and back again. A secure zone can use either NSEC or NSEC3.

To move a zone from insecure to secure you need to configure named
so that it can see the K* files, which contain the public and private
parts of the keys that will be used to sign the zone. These files
will have been generated by dnssec-keygen. You can do this by
placing them in the key-directory specified in named.conf. Because
the K*.private files hold signing keys, make sure the directory and
those files are readable by the user named runs as and by nobody else.

    zone example.net {
        type master;
        allow-update { .... };
        file "dynamic/example.net/example.net";
        key-directory "dynamic/example.net";
    };

Assuming one KSK and one ZSK have been generated, adding their DNSKEY
records via update (as shown next) will cause the zone to be signed
with the ZSK and the DNSKEY RRset to be signed with the KSK. An NSEC
chain will also be generated as part of the initial signing process.

    % nsupdate
    > ttl 3600
    > update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
    > update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
    > send

While the update request will complete almost immediately, the zone
will not be completely signed until named has had time to walk the
zone and generate the NSEC and RRSIG records. The NSEC record at the
apex will be added last, to signal that there is a complete NSEC chain.
Additionally, when the zone is fully signed, every private type (default
TYPE65534) record with a non-zero initial octet will have a non-zero
value in its final octet. You can watch progress by querying the zone
apex for the private type, e.g. dig @127.0.0.1 example.net TYPE65534,
which prints the records in the generic \# format described below.

The private type record format:

If the first octet is non-zero then the record indicates that the zone needs
to be signed with the key matching the record, or that all signatures that
match the record should be removed.

    algorithm (octet 1)
    key id in network order (octets 2 and 3)
    removal flag (octet 4)
    complete flag (octet 5)

Only records with the complete flag set can be removed via nsupdate.
Attempts to remove other private type records will be silently ignored.

If the first octet is zero (this is a reserved algorithm number
that should never appear in a DNSKEY record) then the record indicates
that changes to the NSEC3 chains are in progress. The rest of the record
contains an NSEC3PARAM record in wire format. The flag field of that
NSEC3PARAM tells what operation to perform, based on the flag bits:

    0x01 OPTOUT   (the chain being built has the OPTOUT bit set)
    0x80 CREATE   (build this NSEC3 chain)
    0x40 REMOVE   (remove this NSEC3 chain)
    0x20 NONSEC   (do not build an NSEC chain when this NSEC3 chain is removed)
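
The following decoder is an added example, not code from NSEC3-NOTES or
from BIND itself. It takes the generic "\# <length> <hex>" presentation
form that dig prints for TYPE65534 and interprets it according to the two
layouts above, then applies the two checks described in this section:
whether a record may be deleted via nsupdate (complete flag set) and
whether the set of private type records says signing has finished. The
sample records are constructed for illustration; the NSEC3PARAM wire
layout (hash algorithm, flags, iterations, salt length, salt) is RFC 5155's.

```python
"""Decode BIND private-type (default TYPE65534) signing-state records.

Added example; not part of NSEC3-NOTES or of BIND. Layouts follow the
text of NSEC3-NOTES: a non-zero first octet means a key-signing record
(algorithm, key id, removal flag, complete flag); a zero first octet
means an NSEC3 chain change, followed by an NSEC3PARAM RDATA (RFC 5155
wire format) whose flags octet carries BIND's operation bits.
"""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Union

PRIVATE_TYPE = 65534   # BIND's default private type

# Operation bits carried in the NSEC3PARAM flags octet of a chain record
OPTOUT = 0x01
CREATE = 0x80
REMOVE = 0x40
NONSEC = 0x20


@dataclass
class KeyState:
    algorithm: int
    keyid: int
    removal: bool     # signatures made by this key are being removed
    complete: bool    # the signing or removal work has finished


@dataclass
class ChainState:
    hash_alg: int
    flags: int
    iterations: int
    salt: bytes

    @property
    def operations(self) -> List[str]:
        bits = (("CREATE", CREATE), ("REMOVE", REMOVE), ("NONSEC", NONSEC))
        return [name for name, bit in bits if self.flags & bit]

    @property
    def optout(self) -> bool:
        return bool(self.flags & OPTOUT)


def parse_generic_rdata(text: str) -> bytes:
    """Parse RFC 3597 generic form '\\# <len> <hex...>' into RDATA bytes.
    dig may split the hex into whitespace-separated groups."""
    fields = text.split()
    if len(fields) < 2 or fields[0] != r"\#":
        raise ValueError("not in generic \\# format")
    length = int(fields[1])
    raw = bytes.fromhex("".join(fields[2:]))
    if len(raw) != length:
        raise ValueError(f"declared length {length} != {len(raw)} hex bytes")
    return raw


def decode_private(rdata: bytes) -> Union[KeyState, ChainState]:
    if not rdata:
        raise ValueError("empty private-type RDATA")
    if rdata[0] != 0:
        # Key record: algorithm, 16-bit key id (network order), two flags
        if len(rdata) != 5:
            raise ValueError("key-state record must be exactly 5 octets")
        alg, keyid, removal, complete = struct.unpack("!BHBB", rdata)
        return KeyState(alg, keyid, bool(removal), bool(complete))
    # Algorithm 0 is reserved, so it marks an NSEC3 chain change.
    if len(rdata) < 6:
        raise ValueError("chain-state record too short for an NSEC3PARAM")
    hash_alg, flags, iterations, salt_len = struct.unpack("!BBHB", rdata[1:6])
    salt = rdata[6:6 + salt_len]
    if len(salt) != salt_len:
        raise ValueError("salt truncated")
    return ChainState(hash_alg, flags, iterations, salt)


def decode_presentation(text: str) -> Union[KeyState, ChainState]:
    return decode_private(parse_generic_rdata(text))


def encode_key_state(ks: KeyState) -> bytes:
    return struct.pack("!BHBB", ks.algorithm, ks.keyid,
                       int(ks.removal), int(ks.complete))


def to_presentation(rdata: bytes) -> str:
    """Generic form usable in 'update delete <zone> TYPE65534 ...'."""
    return r"\# " + f"{len(rdata)} {rdata.hex()}"


def removable_via_update(rec: Union[KeyState, ChainState]) -> bool:
    """Only key records with the complete flag set may be deleted with
    nsupdate; named silently ignores attempts to delete the others."""
    return isinstance(rec, KeyState) and rec.complete


def signing_complete(records: Iterable[Union[KeyState, ChainState]]) -> bool:
    """Fully signed: every key record is complete and no chain change is
    still recorded (chain records are deleted once their work is done)."""
    return all(isinstance(r, KeyState) and r.complete for r in records)


if __name__ == "__main__":
    # Constructed samples: algorithm 7, key id 12345, complete; and a
    # CREATE+OPTOUT chain change for NSEC3PARAM 1 1 100 1234567890.
    for txt in (r"\# 5 07303900 01", r"\# 11 00 01 81 0064 05 1234567890"):
        print(txt, "->", decode_presentation(txt))
```

Design note: the decoder refuses key records that are not exactly five
octets and chain records whose salt is truncated, rather than guessing,
because a malformed private type record means either a foreign record
squatting on the type or a bug, and both deserve a loud failure.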

If you wish to go straight to a secure zone using NSEC3 you should
also add an NSEC3PARAM record to the update request, with the flags
field set to indicate whether the NSEC3 chain will have the OPTOUT
bit set or not.

    % nsupdate
    > ttl 3600
    > update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
    > update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
    > update add example.net NSEC3PARAM 1 1 100 1234567890
    > send

Here the NSEC3PARAM fields are hash algorithm 1 (SHA-1), flags 1 (OPTOUT),
100 additional hash iterations and the salt 1234567890 (hex). Note that
high iteration counts only add load for authoritative servers and
validators; current guidance (RFC 9276) is 0 iterations and an empty salt.

Again the update request will complete almost immediately; however,
the NSEC3PARAM record won't show up, or be deleted, until named has had
a chance to build or remove the relevant chain. A private type record
will be created to record the operation and will be removed once the
operation completes.

While the initial signing and NSEC/NSEC3 chain generation is happening
other updates are possible.

    DNSKEY rollovers via UPDATE

It is possible to perform key rollovers via update. You need to
add the K* files for the new keys so that named can find them. You
can then add the new DNSKEY RRs via update. Named will then cause
the zone to be signed with the new keys. When the signing is
complete the private type records will be updated so that the last
octet is non-zero.

If this is for a KSK you need to inform the parent and any trust
anchor repositories of the new KSK.

You should then wait for the maximum TTL in the zone before removing the
old DNSKEY. If it is a KSK that is being rolled you also need to wait
for the DS RRset in the parent to be updated and the old DS's TTL to
expire. This ensures that all clients will be able to verify at least
one signature when you remove the old DNSKEY.

The old DNSKEY can be removed via UPDATE. Take care to specify
the correct key: deleting the wrong one, or a KSK that the parent's DS
still points to, leaves validating resolvers unable to verify the zone.
Named will clean out any signatures generated by the old key after the
update completes.

    NSEC3PARAM rollovers via UPDATE

Add the new NSEC3PARAM record via update. When the new NSEC3 chain
has been generated the NSEC3PARAM flag field will be zero. At this
point you can remove the old NSEC3PARAM record. The old chain will
be removed after the update request completes.

    Converting from NSEC to NSEC3

To do this you just need to add an NSEC3PARAM record. When the
conversion is complete the NSEC chain will have been removed and
the NSEC3PARAM record will have a zero flag field. The NSEC3 chain
will be generated before the NSEC chain is destroyed.

    Converting from NSEC3 to NSEC

To do this remove all NSEC3PARAM records with a zero flag field. The
NSEC chain will be generated before the NSEC3 chain is removed.

    Converting from secure to insecure

To do this remove all the DNSKEY records. Any NSEC or NSEC3 chains
will be removed, as well as associated NSEC3PARAM records. This will
take place after the update request completes. This requires
dnssec-secure-to-insecure to be set in named.conf. Before removing the
DNSKEY records, have the DS records removed from the parent and wait for
their TTL to expire; otherwise validating resolvers that still hold the
DS will treat the now unsigned zone as bogus.

    Periodic re-signing

Named will periodically re-sign RRsets which have not been re-signed
as a result of some update action. The signature lifetimes will
be adjusted so as to spread the re-signing load over time rather than
having it all fall at once.

    NSEC3 and OPTOUT

Named only supports creating new NSEC3 chains where all the NSEC3
records in the zone have the same OPTOUT state. Named supports
UPDATEs to zones where the NSEC3 records in the chain have mixed
OPTOUT state. Named does not support changing the OPTOUT state of
an individual NSEC3 record; if the OPTOUT state of an individual NSEC3
record needs to change, the entire chain must be replaced.

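The following is an added example, not code from NSEC3-NOTES or from
BIND. It computes NSEC3 hashed owner names as RFC 5155 defines them
(SHA-1 over the canonical wire-format name plus salt, repeated for the
given iteration count, base32hex output), so that an operator can map a
name to its NSEC3 record for the parameters used above, and it performs
the check this section implies: whether every NSEC3 record in a chain
carries the same OPTOUT state. The chain contents are constructed from
names here; they are not real example.net data.

```python
"""NSEC3 owner-name hashing and an OPTOUT consistency check.

Added example; not part of NSEC3-NOTES or of BIND. Hashing follows
RFC 5155 section 5. The only defined hash algorithm is 1 (SHA-1).
"""
import base64
import hashlib
from typing import Iterable, List, Optional, Tuple

OPTOUT_FLAG = 0x01

# Map the standard base32 alphabet onto base32hex (RFC 4648 section 7).
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def name_to_wire(name: str) -> bytes:
    """Canonical wire form: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def base32hex(data: bytes) -> str:
    return (base64.b32encode(data).decode("ascii")
            .translate(_B32_TO_B32HEX).rstrip("=").lower())


def nsec3_hash(name: str, salt_hex: str, iterations: int, hash_alg: int = 1) -> str:
    """H(name || salt), rehashed 'iterations' more times, as base32hex."""
    if hash_alg != 1:
        raise ValueError("only NSEC3 hash algorithm 1 (SHA-1) is defined")
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def nsec3_owner(name: str, zone: str, salt_hex: str, iterations: int) -> str:
    """Owner name of the NSEC3 record that matches 'name' in 'zone'."""
    return f"{nsec3_hash(name, salt_hex, iterations)}.{zone.lower().rstrip('.')}"


def build_chain(names: Iterable[str], zone: str, salt_hex: str,
                iterations: int, optout: bool) -> List[Tuple[str, int]]:
    """Constructed chain: (hashed owner, flags) pairs sorted by hash,
    all sharing one OPTOUT state, the only kind named will create."""
    flags = OPTOUT_FLAG if optout else 0
    return sorted((nsec3_owner(n, zone, salt_hex, iterations), flags) for n in names)


def uniform_optout(chain: Iterable[Tuple[str, int]]) -> Optional[bool]:
    """Return the chain's common OPTOUT state, or None if records mix
    states (which named will serve but will not create or convert)."""
    states = {bool(flags & OPTOUT_FLAG) for _, flags in chain}
    return states.pop() if len(states) == 1 else None


if __name__ == "__main__":
    # Parameters from the NSEC3PARAM 1 1 100 1234567890 example above.
    for owner, flags in build_chain(["example.net", "www.example.net"],
                                    "example.net", "1234567890", 100, True):
        print(owner, "flags", flags)
```

The RFC 5155 Appendix A vector (zone "example", salt aabbccdd, 12
iterations, hashed owner 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom) is a quick way
to confirm the hashing before trusting the output for a real zone.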