dnssec.xml revision 79ce3a9e82384cc31fd6b86be8f3d1474fcfd9f4
<!--
 - Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec.xml,v 1.5 2011/06/10 01:51:09 each Exp $ -->
<title>DNSSEC, Dynamic Zones, and Automatic Signing</title>
<para>As of BIND 9.7.0 it is possible to change a dynamic zone
from insecure to signed and back again. A secure zone can use
either NSEC or NSEC3 chains.</para>
<title>Converting from insecure to secure</title>
<para>Changing a zone from insecure to secure can be done in two
ways: using a dynamic DNS update, or the
<command>auto-dnssec</command> zone option.</para>
<para>For either method, you need to configure
<command>named</command> so that it can see the
<filename>K*</filename> files which contain the public and private
parts of the keys that will be used to sign the zone. These files
will have been generated by
<command>dnssec-keygen</command>. You can do this by placing them
in the key-directory, as specified in:</para>
<programlisting>
type master;
update-policy local;
</programlisting>
<para>If one KSK and one ZSK DNSKEY key have been generated, this
configuration will cause all records in the zone to be signed
with the ZSK, and the DNSKEY RRset to be signed with the KSK as
well. An NSEC chain will be generated as part of the initial
signing process.</para>
<para>To insert the keys via dynamic update:</para>
<programlisting>
> ttl 3600
> update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
> update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
</programlisting>
<para>While the update request will complete almost immediately,
the zone will not be completely signed until
<command>named</command> has had time to walk the zone and
generate the NSEC and RRSIG records. The NSEC record at the apex
will be added last, to signal that there is a complete NSEC
chain.</para>
<para>If you wish to sign using NSEC3 instead of NSEC, you should
add an NSEC3PARAM record to the initial update request. If you
wish the NSEC3 chain to have the OPTOUT bit set, set it in the
flags field of the NSEC3PARAM record.</para>
<programlisting>
> ttl 3600
> update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
> update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
> update add example.net NSEC3PARAM 1 1 100 1234567890
</programlisting>
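<para>The NSEC3PARAM line above carries four fields: hash algorithm, flags, iterations and salt. The OPTOUT bit is bit 0 of the flags field, so the value 1 in the example sets it. The following Python is an added example, not part of this document or of BIND: it parses and builds the presentation form used in the <command>nsupdate</command> line, reports whether OPTOUT is set, and produces the RFC 5155 wire encoding. The function names and the sample inputs are the example's own.</para>

```python
import struct

# NSEC3PARAM flags field: bit 0 is the Opt-Out flag (RFC 5155, section 4.1.2).
OPTOUT = 0x01


def parse_nsec3param(rdata_text):
    """Parse NSEC3PARAM presentation format:
    '<hash-alg> <flags> <iterations> <salt-hex or ->'."""
    fields = rdata_text.split()
    if len(fields) != 4:
        raise ValueError("NSEC3PARAM needs 4 fields: hash-alg flags iterations salt")
    hash_alg, flags, iterations = (int(f) for f in fields[:3])
    salt_text = fields[3]
    # A lone '-' means an empty salt; anything else is hex.
    salt = b"" if salt_text == "-" else bytes.fromhex(salt_text)
    if not (0 <= hash_alg <= 255 and 0 <= flags <= 255 and 0 <= iterations <= 65535):
        raise ValueError("NSEC3PARAM field out of range")
    if len(salt) > 255:
        raise ValueError("salt longer than 255 octets")
    return {
        "hash_alg": hash_alg,
        "flags": flags,
        "optout": bool(flags & OPTOUT),
        "iterations": iterations,
        "salt": salt,
    }


def build_nsec3param(optout, iterations=0, salt=b"", hash_alg=1):
    """Render the RDATA as it would appear in an nsupdate 'update add' line.
    Only the Opt-Out flag is set here; all other flag bits are reserved."""
    flags = OPTOUT if optout else 0
    salt_text = salt.hex() if salt else "-"
    return f"{hash_alg} {flags} {iterations} {salt_text}"


def nsec3param_wire(params):
    """Encode parsed NSEC3PARAM into wire format:
    hash-alg (1 octet), flags (1), iterations (2, network order),
    salt length (1), salt."""
    header = struct.pack(
        "!BBHB",
        params["hash_alg"],
        params["flags"],
        params["iterations"],
        len(params["salt"]),
    )
    return header + params["salt"]


if __name__ == "__main__":
    # Constructed sample: the record from the nsupdate session above.
    params = parse_nsec3param("1 1 100 1234567890")
    print("OPTOUT set:", params["optout"])
    print("wire:", nsec3param_wire(params).hex())
    print("no opt-out:", build_nsec3param(optout=False))
```

<para>Run stand-alone, the script parses the record from the session above and reports that OPTOUT is set; <function>build_nsec3param(optout=False)</function> yields the flags value 0 for a chain without Opt-Out.</para>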
<para>Again, this update request will complete almost
immediately; however, the record won't show up until
<command>named</command> has had a chance to build/remove the
relevant chain. A private type record will be created to record
the state of the operation (see below for more details), and will
be removed once the operation completes.</para>
<para>While the initial signing and NSEC/NSEC3 chain generation
is happening, other updates are possible as well.</para>
<para>To enable automatic signing, add the
<command>auto-dnssec</command> option to the zone statement.
<command>auto-dnssec</command> has two possible arguments.</para>
<para>With the first, <command>named</command> can search the key directory for keys
matching the zone, insert them into the zone, and use them to
sign the zone. It will do so only when it receives an
<command>rndc sign &lt;zonename&gt;</command> command.</para>
<!-- TODO: this is repeated in the ARM -->
<para><command>auto-dnssec maintain</command> includes the above
functionality, but will also automatically adjust the zone's
DNSKEY records on schedule according to the keys' timing metadata.
(See <xref linkend="man.dnssec-settime"/> for more information.)</para>
<para><command>named</command> will periodically search the key directory
for keys matching the zone, and if the keys' metadata indicates
that any change should be made to the zone, such as adding, removing,
or revoking a key, then that action will be carried out. By default,
the key directory is checked for changes every 60 minutes; this period
can be adjusted with the <command>dnssec-loadkeys-interval</command> option, up
to a maximum of 24 hours. The <command>rndc loadkeys</command> command forces
<command>named</command> to check for key updates immediately.
If keys are present in the key directory the first time the zone
is loaded, the zone will be signed immediately, without waiting for an
<command>rndc sign</command> or <command>rndc loadkeys</command>
command. (Those commands can still be used when there are unscheduled
key changes, however.)</para>
<para>If you wish the zone to be signed using NSEC3 instead of NSEC,
submit an NSEC3PARAM record via dynamic update prior to the
scheduled publication and activation of the keys. If you wish the
NSEC3 chain to have the OPTOUT bit set, set it in the flags field
of the NSEC3PARAM record. The NSEC3PARAM record will not appear in
the zone immediately, but it will be stored for later reference. When
the zone is signed and the NSEC3 chain is completed, the NSEC3PARAM
record will appear in the zone.</para>
<para>Using the
<command>auto-dnssec</command> option requires the zone to be
configured to allow dynamic updates, by adding an
<command>update-policy</command> statement to the zone
configuration. If this has not been done, the configuration will
fail.</para>
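<para>The following <filename>named.conf</filename> fragment is an added example, not taken from this document or from the BIND sources: it shows a zone with automatic key maintenance, the <command>update-policy</command> statement that <command>auto-dnssec</command> requires, and the check interval for the key directory. The file and directory paths and the 30-minute interval are assumed values chosen for the example; <command>dnssec-loadkeys-interval</command> is expressed in minutes.</para>

```conf
options {
        directory "/var/named";                 // assumed working directory
        // Assumed value: re-check the key directory every 30 minutes.
        // The default is 60 minutes; the maximum is 24 hours (1440).
        dnssec-loadkeys-interval 30;
};

zone "example.net" {
        type master;
        file "dynamic/example.net.db";          // assumed path to the zone file
        key-directory "keys/example.net";       // assumed path holding the K*.key / K*.private files
        update-policy local;                    // required: auto-dnssec needs dynamic update enabled
        auto-dnssec maintain;                   // "auto-dnssec allow;" instead signs only on "rndc sign example.net"
};
```

<para>With <command>auto-dnssec maintain</command> and keys already present in the key directory, the zone is signed on first load; <command>rndc loadkeys example.net</command> makes <command>named</command> pick up an unscheduled key change before the next periodic check. Omitting the <command>update-policy</command> line makes the configuration fail to load, as the text above states.</para>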
<para>The state of the signing process is signaled by
private-type records (with a default type value of 65534). When
signing is complete, these records will have a nonzero value for
the final octet (for those records which have a nonzero initial
octet).</para>
<para>The private type record format: If the first octet is
non-zero then the record indicates that the zone needs to be
signed with the key matching the record, or that all signatures
that match the record should be removed.</para>
<literallayout>
<!-- TODO: how to format this? -->
algorithm (octet 1)
key id in network order (octet 2 and 3)
removal flag (octet 4)
complete flag (octet 5)
</literallayout>
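<para>An operator watching a signing operation will see these records in a zone dump as <literal>TYPE65534</literal> with the generic <literal>\# &lt;length&gt; &lt;hex&gt;</literal> RDATA form of RFC 3597. The Python below is an added example, not part of this document or of BIND: it decodes the five octets laid out above and lists which key operations <command>named</command> has not yet marked complete. The sample records, key ids and function names are constructed for the example; records whose first octet is zero belong to an NSEC/NSEC3 chain operation whose layout this text does not describe, so the code reports them without interpreting their contents.</para>

```python
import struct

# Default type value named uses for its signing-state records (see text above).
PRIVATE_TYPE = 65534


def parse_generic_rdata(text):
    """Parse RFC 3597 generic RDATA: '\\# <length> <hex octets>'.
    The hex may be split across several whitespace-separated groups."""
    fields = text.split()
    if len(fields) < 2 or fields[0] != r"\#":
        raise ValueError("not generic (\\#) RDATA")
    length = int(fields[1])
    data = bytes.fromhex("".join(fields[2:]))
    if len(data) != length:
        raise ValueError(f"declared length {length} but {len(data)} octets present")
    return data


def parse_signing_record(text):
    """Decode one private-type record:
    algorithm (1), key id in network order (2), removal flag (1), complete flag (1)."""
    data = parse_generic_rdata(text)
    if len(data) != 5:
        raise ValueError("signing-state record must be exactly 5 octets")
    algorithm, keyid, removal, complete = struct.unpack("!BHBB", data)
    if algorithm == 0:
        # Zero first octet: an NSEC/NSEC3 chain operation, whose layout
        # is not covered here; return it undecoded.
        return {"kind": "chain", "raw": data}
    return {
        "kind": "key",
        "algorithm": algorithm,
        "keyid": keyid,
        "action": "remove-signatures" if removal else "sign",
        # A nonzero final octet means named has finished this operation.
        "complete": complete != 0,
    }


def signing_in_progress(records):
    """Return (algorithm, keyid, action) for key operations not yet complete."""
    pending = []
    for text in records:
        rec = parse_signing_record(text)
        if rec["kind"] == "key" and not rec["complete"]:
            pending.append((rec["algorithm"], rec["keyid"], rec["action"]))
    return pending


# Constructed sample records as they would appear in a zone dump as TYPE65534.
SAMPLE_RECORDS = [
    r"\# 5 07 3e a5 00 01",   # alg 7, key id 16037, signing, complete
    r"\# 5 07 a1 b2 00 00",   # alg 7, key id 41394, signing, still in progress
    r"\# 5 07 3e a5 01 00",   # alg 7, key id 16037, removing signatures, in progress
]

if __name__ == "__main__":
    for algorithm, keyid, action in signing_in_progress(SAMPLE_RECORDS):
        print(f"pending: algorithm {algorithm} key id {keyid} ({action})")
```

<para>Run against the constructed sample, the script lists two pending operations and skips the record whose final octet is already nonzero; once <command>named</command> finishes, it removes the records, so an empty result from <function>signing_in_progress</function> on a fresh dump means the operation has completed.</para>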