diff options
Diffstat (limited to 'doc/dnssec-guide/recipes.rst')
-rw-r--r-- | doc/dnssec-guide/recipes.rst | 1084 |
1 files changed, 1084 insertions, 0 deletions
diff --git a/doc/dnssec-guide/recipes.rst b/doc/dnssec-guide/recipes.rst new file mode 100644 index 0000000..a4bdffa --- /dev/null +++ b/doc/dnssec-guide/recipes.rst @@ -0,0 +1,1084 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +.. _dnssec_recipes: + +Recipes +------- + +This chapter provides step-by-step "recipes" for some common +DNSSEC configurations. + +.. _recipes_inline_signing: + +DNSSEC Signing +~~~~~~~~~~~~~~ + +There are two recipes here: the first shows an example using DNSSEC +signing on the primary server, which has been covered in this +guide; the second shows how to setup a "bump in the +wire" between a hidden primary and the secondary servers to seamlessly +sign the zone "on the fly." + +.. _recipes_inline_signing_primary: + +Primary Server DNSSEC Signing +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +In this recipe, our servers are illustrated as shown in +:ref:`dnssec-signing-1`: we have a primary server +(192.168.1.1) and three secondary servers (192.168.1.2, 192.168.1.3, and +192.168.1.4) that receive zone transfers. To get the zone +signed, we need to reconfigure the primary server. Once reconfigured, a +signed version of the zone is generated on the fly; +zone transfers take care of synchronizing the signed zone data +to all secondary name servers, without configuration or software changes +on them. + +.. _dnssec-signing-1: + +.. figure:: ../dnssec-guide/img/dnssec-inline-signing-1.png + :alt: DNSSEC Signing Recipe #1 + :width: 80.0% + + DNSSEC Signing Recipe #1 + +Using the method described in +:ref:`easy_start_guide_for_authoritative_servers`, we just need to +add a ``dnssec-policy`` statement to the relevant zone clause. This is +what the ``named.conf`` zone statement looks like on the primary server, 192.168.1.1: + +:: + + zone "example.com" IN { + type primary; + file "db/example.com.db"; + key-directory "keys/example.com"; + dnssec-policy default; + inline-signing yes; + allow-transfer { 192.168.1.2; 192.168.1.3; 192.168.1.4; }; + }; + +We have chosen to use the default policy, storing the keys generated for +the zone in the directory ``keys/example.com``. To use a +custom policy, define the policy in the configuration +file and select it in the zone statement (as described in +:ref:`signing_custom_policy`). + +On the secondary servers, ``named.conf`` does not need to be updated, +and it looks like this: + +:: + + zone "example.com" IN { + type secondary; + file "db/example.com.db"; + primaries { 192.168.1.1; }; + }; + +In fact, the secondary servers do not even need to be running BIND; they +can run any DNS product that supports DNSSEC. + +.. _recipes_inline_signing_bump_in_the_wire: + +"Bump in the Wire" Signing +^^^^^^^^^^^^^^^^^^^^^^^^^^ + +In this recipe, we take advantage of the power of automated signing +by placing an additional name server (192.168.1.5) between the hidden +primary (192.168.1.1) and the DNS secondaries (192.168.1.2, 192.168.1.3, +and 192.168.1.4). The additional name server, 192.168.1.5, acts as a "bump +in the wire," taking an unsigned zone from the hidden primary, +and sending out signed data on the other end to the secondary name +servers. The steps described in this recipe may be used as part of a +DNSSEC deployment strategy, since it requires only minimal changes made to +the existing hidden DNS primary and DNS secondaries. + +.. _dnssec-signing-2: + +.. figure:: ../dnssec-guide/img/dnssec-inline-signing-2.png + :alt: DNSSEC Signing Recipe #2 + :width: 100.0% + + DNSSEC Signing Recipe #2 + +It is important to remember that 192.168.1.1 in this case is a hidden +primary not exposed to the world, and it must not be listed in the NS RRset. +Otherwise the world will get conflicting answers: unsigned answers from +the hidden primary and signed answers from the other name servers. + +The only configuration change needed on the hidden primary, 192.168.1.1, +is to make sure it allows our middle box to perform a zone transfer: + +:: + + zone "example.com" IN { + ... + allow-transfer { 192.168.1.5; }; + ... + }; + +On the middle box, 192.168.1.5, all the tasks described in +:ref:`easy_start_guide_for_authoritative_servers` still need to be +performed, such as generating key pairs and uploading information to +the parent zone. This server is configured as secondary to the hidden +primary 192.168.1.1 to receive the unsigned data; then, using keys +accessible to this middle box, to sign data on the fly; and finally, to send out the +signed data via zone transfer to the other three DNS secondaries. Its +``named.conf`` zone statement looks like this: + +:: + + zone example.com { + type secondary; + primaries { 192.168.1.1; }; + file "db/example.com.db"; + key-directory "keys/example.com"; + dnssec-policy default; + inline-signing yes; + allow-transfer { 192.168.1.2; 192.168.1.3; 192.168.1.4; }; + }; + +(As before, the default policy has been selected here. See +:ref:`signing_custom_policy` for instructions on how to define +and use a custom policy.) + +Finally, on the three secondary servers, the configuration should be updated +to receive a zone transfer from 192.168.1.5 (the middle box) instead of +from 192.168.1.1 (the hidden primary). If using BIND, the ``named.conf`` file looks +like this: + +:: + + zone "example.com" IN { + type secondary; + file "db/example.com.db"; + primaries { 192.168.1.5; }; # this was 192.168.1.1 before! + }; + +.. _recipes_rollovers: + +Rollovers +~~~~~~~~~ + +If you are signing your zone using a ``dnssec-policy`` statement, this +section is not really relevant to you. In the policy statement, you set how long +you want your keys to be valid for, the time +taken for information to propagate through your zone, the time it takes +for your parent zone to register a new DS record, etc., and that's more +or less it. ``named`` implements everything for you automatically, apart from +uploading the new DS records to your parent zone - which is covered in +:ref:`signing_easy_start_upload_to_parent_zone`. (Some +screenshots from a session where a KSK is uploaded to the parent zone +are presented here for convenience.) However, these recipes may be useful +in describing what happens +through the rollover process and what you should be monitoring. + +.. _recipes_zsk_rollover: + +ZSK Rollover +^^^^^^^^^^^^ + +This recipe covers how to perform a ZSK rollover using what is known as +the Pre-Publication method. For other ZSK rolling methods, please see +:ref:`zsk_rollover_methods` in :ref:`dnssec_advanced_discussions`. + +Below is a sample timeline for a ZSK rollover to occur on January 1, 2021: + +1. December 1, 2020 (one month before rollover) + + - Generate new ZSK + + - Add DNSKEY for new ZSK to zone + +2. January 1, 2021 (day of rollover) + + - New ZSK used to replace RRSIGs for the bulk of the zone + +3. February 1, 2021 (one month after rollover) + + - Remove old ZSK DNSKEY RRset from zone + + - DNSKEY signatures made with KSK are changed + +The current active ZSK has the ID 17694 in the example below. For more +information on key management and rollovers, please see +:ref:`advanced_discussions_key_management`. + +One Month Before ZSK Rollover ++++++++++++++++++++++++++++++ + +On December 1, 2020, a month before the example rollover, you (as administrator) +should change the parameters on the current key (17694). Set it to become inactive on +January 1, 2021 and be deleted from the zone on February 1, 2021; also, +generate a successor key (51623): + +:: + + # cd /etc/bind/keys/example.com/ + # dnssec-settime -I 20210101 -D 20210201 Kexample.com.+008+17694 + ./Kexample.com.+008+17694.key/GoDaddy + + ./Kexample.com.+008+17694.private + # dnssec-keygen -S Kexample.com.+008+17694 + Generating key pair..++++++ ...........++++++ + Kexample.com.+008+51623 + +The first command gets us into the key directory +``/etc/bind/keys/example.com/``, where keys for ``example.com`` are +stored. + +The second, ``dnssec-settime``, sets an inactive (``-I``) date of January 1, +2021, and a deletion (``-D``) date of February 1, 2021, for the current ZSK +(``Kexample.com.+008+17694``). + +The third command, ``dnssec-keygen``, creates a successor key, using +the exact same parameters (algorithms, key sizes, etc.) as the current +ZSK. The new ZSK created in our example is ``Kexample.com.+008+51623``. + +Make sure the successor keys are readable by ``named``. + +``named``'s logging messages indicate when the next +key checking event is scheduled to occur, the frequency of which can be +controlled by ``dnssec-loadkeys-interval``. The log message looks like +this: + +:: + + zone example.com/IN (signed): next key event: 01-Dec-2020 00:13:05.385 + +And you can check the publish date of the key by looking at the key +file: + +:: + + # cd /etc/bind/keys/example.com + # cat Kexample.com.+008+51623.key + ; This is a zone-signing key, keyid 11623, for example.com. + ; Created: 20201130160024 (Mon Dec 1 00:00:24 2020) + ; Publish: 20201202000000 (Fri Dec 2 08:00:00 2020) + ; Activate: 20210101000000 (Sun Jan 1 08:00:00 2021) + ... + +Since the publish date is set to the morning of December 2, and our example +scenario takes place on December 1, the next +morning you will notice that your zone has gained a new DNSKEY record, +but the new ZSK is not yet being used to generate signatures. Below is +the abbreviated output - with shortened DNSKEY and RRSIG - when querying the +authoritative name server, 192.168.1.13: + +:: + + $ dig @192.168.1.13 example.com. DNSKEY +dnssec +multiline + + ... + ;; ANSWER SECTION: + example.com. 600 IN DNSKEY 257 3 8 ( + AwEAAcWDps...lM3NRn/G/R + ) ; KSK; alg = RSASHA256; key id = 6817 + example.com. 600 IN DNSKEY 256 3 8 ( + AwEAAbi6Vo...qBW5+iAqNz + ) ; ZSK; alg = RSASHA256; key id = 51623 + example.com. 600 IN DNSKEY 256 3 8 ( + AwEAAcjGaU...0rzuu55If5 + ) ; ZSK; alg = RSASHA256; key id = 17694 + example.com. 600 IN RRSIG DNSKEY 8 2 600 ( + 20210101000000 20201201230000 6817 example.com. + LAiaJM26T7...FU9syh/TQ= ) + example.com. 600 IN RRSIG DNSKEY 8 2 600 ( + 20210101000000 20201201230000 17694 example.com. + HK4EBbbOpj...n5V6nvAkI= ) + ... + +For good measure, let's take a look at the SOA record and its +signature for this zone. Notice the RRSIG is signed by the current ZSK, +17694. This will come in handy later when you want to verify whether +the new ZSK is in effect: + +:: + + $ dig @192.168.1.13 example.com. SOA +dnssec +multiline + + ... + ;; ANSWER SECTION: + example.com. 600 IN SOA ns1.example.com. admin.example.com. ( + 2020120102 ; serial + 1800 ; refresh (30 minutes) + 900 ; retry (15 minutes) + 2419200 ; expire (4 weeks) + 300 ; minimum (5 minutes) + ) + example.com. 600 IN RRSIG SOA 8 2 600 ( + 20201230160109 20201130150109 17694 example.com. + YUTC8rFULaWbW+nAHzbfGwNqzARHevpryzRIJMvZBYPo + NAeejNk9saNAoCYKWxGJ0YBc2k+r5fYq1Mg4ll2JkBF5 + buAsAYLw8vEOIxVpXwlArY+oSp9T1w2wfTZ0vhVIxaYX + 6dkcz4I3wbDx2xmG0yngtA6A8lAchERx2EGy0RM= ) + +These are all the manual tasks you need to perform for a ZSK rollover. +If you have followed the configuration examples in this guide of using +``inline-signing`` and ``auto-dnssec``, everything else is automated for +you by BIND. + +Day of ZSK Rollover ++++++++++++++++++++ + +On the actual day of the rollover, although there is technically nothing +for you to do, you should still keep an eye on the zone to make sure new +signatures are being generated by the new ZSK (51623 in this example). +The easiest way is to query the authoritative name server 192.168.1.13 +for the SOA record as you did a month ago: + +:: + + $ dig @192.168.1.13 example.com. SOA +dnssec +multiline + + ... + ;; ANSWER SECTION: + example.com. 600 IN SOA ns1.example.com. admin.example.com. ( + 2020112011 ; serial + 1800 ; refresh (30 minutes) + 900 ; retry (15 minutes) + 2419200 ; expire (4 weeks) + 300 ; minimum (5 minutes) + ) + example.com. 600 IN RRSIG SOA 8 2 600 ( + 20210131000000 20201231230000 51623 example.com. + J4RMNpJPOmMidElyBugJp0RLqXoNqfvo/2AT6yAAvx9X + zZRL1cuhkRcyCSLZ9Z+zZ2y4u2lvQGrNiondaKdQCor7 + uTqH5WCPoqalOCBjqU7c7vlAM27O9RD11nzPNpVQ7xPs + y5nkGqf83OXTK26IfnjU1jqiUKSzg6QR7+XpLk0= ) + ... + +As you can see, the signature generated by the old ZSK (17694) has +disappeared, replaced by a new signature generated from the new ZSK +(51623). + +.. note:: + + Not all signatures will disappear magically on the same day; + it depends on when each one was generated. In the worst-case scenario, + a new signature could have been signed by the old ZSK (17694) moments + before it was deactivated, meaning that the signature could live for almost + 30 more days, until just before February 1. + + This is why it is important to keep the old ZSK in the + zone and not delete it right away. + +One Month After ZSK Rollover +++++++++++++++++++++++++++++ + +Again, technically there is nothing you need to do on this day, +but it doesn't hurt to verify that the old ZSK (17694) is now completely +gone from your zone. ``named`` will not touch +``Kexample.com.+008+17694.private`` and ``Kexample.com.+008+17694.key`` +on your file system. Running the same ``dig`` command for DNSKEY should +suffice: + +:: + + $ dig @192.168.1.13 example.com. DNSKEY +multiline +dnssec + + ... + ;; ANSWER SECTION: + example.com. 600 IN DNSKEY 257 3 8 ( + AwEAAcWDps...lM3NRn/G/R + ) ; KSK; alg = RSASHA256; key id = 6817 + example.com. 600 IN DNSKEY 256 3 8 ( + AwEAAdeCGr...1DnEfX+Xzn + ) ; ZSK; alg = RSASHA256; key id = 51623 + example.com. 600 IN RRSIG DNSKEY 8 2 600 ( + 20170203000000 20170102230000 6817 example.com. + KHY8P0zE21...Y3szrmjAM= ) + example.com. 600 IN RRSIG DNSKEY 8 2 600 ( + 20170203000000 20170102230000 51623 example.com. + G2g3crN17h...Oe4gw6gH8= ) + ... + +Congratulations, the ZSK rollover is complete! As for the actual key +files (the files ending in ``.key`` and ``.private``), they may be deleted at this +point, but they do not have to be. + +.. _recipes_ksk_rollover: + +KSK Rollover +^^^^^^^^^^^^ + +This recipe describes how to perform KSK rollover using the Double-DS +method. For other KSK rolling methods, please see +:ref:`ksk_rollover_methods` in +:ref:`dnssec_advanced_discussions`. The registrar used in this +recipe is `GoDaddy <https://www.godaddy.com>`__. Also for this recipe, +we are keeping the number of DS records down to just one per active set +using just SHA-1, for the sake of better clarity, although in practice +most zone operators choose to upload two DS records as shown in +:ref:`working_with_parent_zone`. For more information on key +management and rollovers, +please see :ref:`advanced_discussions_key_management`. + +Below is a sample timeline for a KSK rollover to occur on January 1, 2021: + +1. December 1, 2020 (one month before rollover) + + - Change timer on the current KSK + + - Generate new KSK and DS records + + - Add DNSKEY for the new KSK to zone + + - Upload new DS records to parent zone + +2. January 1, 2021 (day of rollover) + + - Use the new KSK to sign all DNSKEY RRsets, which generates new + RRSIGs + + - Add new RRSIGs to the zone + + - Remove RRSIG for the old ZSK from zone + + - Start using the new KSK to sign DNSKEY + +3. February 1, 2021 (one month after rollover) + + - Remove the old KSK DNSKEY from zone + + - Remove old DS records from parent zone + +The current active KSK has the ID 24828, and this is the DS record that +has already been published by the parent zone: + +:: + + # dnssec-dsfromkey -a SHA-1 Kexample.com.+007+24828.key + example.com. IN DS 24828 7 1 D4A33E8DD550A9567B4C4971A34AD6C4B80A6AD3 + +.. _one_month_before_ksk_rollover: + +One Month Before KSK Rollover ++++++++++++++++++++++++++++++ + +On December 1, 2020, a month before the planned rollover, you (as +administrator) should +change the parameters on the current key. Set it to become inactive on January +1, 2021, and be deleted from the zone on February 1st, 2021; +also generate a successor key (23550). Finally, generate a new +DS record based on the new key, 23550: + +:: + + # cd /etc/bind/keys/example.com/ + # dnssec-settime -I 20210101 -D 20210201 Kexample.com.+007+24828 + ./Kexample.com.+007+24848.key + ./Kexample.com.+007+24848.private + # dnssec-keygen -S Kexample.com.+007+24848 + Generating key pair.......................................................................................++ ...................................++ + Kexample.com.+007+23550 + # dnssec-dsfromkey -a SHA-1 Kexample.com.+007+23550.key + example.com. IN DS 23550 7 1 54FCF030AA1C79C0088FDEC1BD1C37DAA2E70DFB + +The first command gets us into the key directory +``/etc/bind/keys/example.com/``, where keys for ``example.com`` are +stored. + +The second, ``dnssec-settime``, sets an inactive (``-I``) date of January 1, +2021, and a deletion (``-D``) date of February 1, 2021 for the current KSK +(``Kexample.com.+007+24848``). + +The third command, ``dnssec-keygen``, creates a successor key, using +the exact same parameters (algorithms, key sizes, etc.) as the current +KSK. The new key pair created in our example is ``Kexample.com.+007+23550``. + +The fourth and final command, ``dnssec-dsfromkey``, creates a DS record +from the new KSK (23550), using SHA-1 as the digest type. Again, in +practice most people generate two DS records for both supported digest +types (SHA-1 and SHA-256), but for our example here we are only using +one to keep the output small and hopefully clearer. + +Make sure the successor keys are readable by ``named``. + +The ``syslog`` message indicates when the next key +checking event is. The log message looks like this: + +:: + + zone example.com/IN (signed): next key event: 01-Dec-2020 00:13:05.385 + +You can check the publish date of the key by looking at the key +file: + +:: + + # cd /etc/bind/keys/example.com + # cat Kexample.com.+007+23550.key + ; This is a key-signing key, keyid 23550, for example.com. + ; Created: 20201130160024 (Thu Dec 1 00:00:24 2020) + ; Publish: 20201202000000 (Fri Dec 2 08:00:00 2020) + ; Activate: 20210101000000 (Sun Jan 1 08:00:00 2021) + ... + +Since the publish date is set to the morning of December 2, and our example +scenario takes place on December 1, the next +morning you will notice that your zone has gained a new DNSKEY record +based on your new KSK, but with no corresponding RRSIG yet. Below is the +abbreviated output - with shortened DNSKEY and RRSIG - when querying the +authoritative name server, 192.168.1.13: + +:: + + $ dig @192.168.1.13 example.com. DNSKEY +dnssec +multiline + + ... + ;; ANSWER SECTION: + example.com. 300 IN DNSKEY 256 3 7 ( + AwEAAdYqAc...TiSlrma6Ef + ) ; ZSK; alg = NSEC3RSASHA1; key id = 29747 + example.com. 300 IN DNSKEY 257 3 7 ( + AwEAAeTJ+w...O+Zy9j0m63 + ) ; KSK; alg = NSEC3RSASHA1; key id = 24828 + example.com. 300 IN DNSKEY 257 3 7 ( + AwEAAc1BQN...Wdc0qoH21H + ) ; KSK; alg = NSEC3RSASHA1; key id = 23550 + example.com. 300 IN RRSIG DNSKEY 7 2 300 ( + 20201206125617 20201107115617 24828 example.com. + 4y1iPVJOrK...aC3iF9vgc= ) + example.com. 300 IN RRSIG DNSKEY 7 2 300 ( + 20201206125617 20201107115617 29747 example.com. + g/gfmPjr+y...rt/S/xjPo= ) + + ... + +Anytime after generating the DS record, you can upload it; +it is not necessary to wait for the DNSKEY to be published in your zone, +since this new KSK is not active yet. You can do it +immediately after the new DS record has been generated on December 1, +or you can wait until the next day after you have verified that the +new DNSKEY record is added to the zone. Below are some screenshots from +GoDaddy's web-based interface, used to add a new DS record [#]_. + +1. After logging in, click the green "Launch" button next to the domain + name you want to manage. + + .. _add-ds-1: + + .. figure:: ../dnssec-guide/img/add-ds-1.png + :alt: Upload DS Record Step #1 + :width: 70.0% + + Upload DS Record Step #1 + +2. Scroll down to the "DS Records" section and click "Manage." + + .. _add-ds-2: + + .. figure:: ../dnssec-guide/img/add-ds-2.png + :alt: Upload DS Record Step #2 + :width: 40.0% + + Upload DS Record Step #2 + +3. A dialog appears, displaying the current key (24828). Click "Add DS + Record." + + .. _add-ds-3: + + .. figure:: ../dnssec-guide/img/add-ds-3.png + :alt: Upload DS Record Step #3 + :width: 80.0% + + Upload DS Record Step #3 + +4. Enter the Key ID, algorithm, digest type, and the digest, then click + "Next." + + .. _add-ds-4: + + .. figure:: ../dnssec-guide/img/add-ds-4.png + :alt: Upload DS Record Step #4 + :width: 80.0% + + Upload DS Record Step #4 + +5. Address any errors and click "Finish." + + .. _add-ds-5: + + .. figure:: ../dnssec-guide/img/add-ds-5.png + :alt: Upload DS Record Step #5 + :width: 80.0% + + Upload DS Record Step #5 + +6. Both DS records are shown. Click "Save." + + .. _add-ds-6: + + .. figure:: ../dnssec-guide/img/add-ds-6.png + :alt: Upload DS Record Step #6 + :width: 80.0% + + Upload DS Record Step #6 + +Finally, let's verify that the registrar has published the new DS +record. This may take anywhere from a few minutes to a few days, +depending on your parent zone. You can verify whether your +parent zone has published the new DS record by querying for the DS +record of your zone. In the example below, the Google public DNS server +8.8.8.8 is used: + +:: + + $ dig @8.8.8.8 example.com. DS + + ... + ;; ANSWER SECTION: + example.com. 21552 IN DS 24828 7 1 D4A33E8DD550A9567B4C4971A34AD6C4B80A6AD3 + example.com. 21552 IN DS 23550 7 1 54FCF030AA1C79C0088FDEC1BD1C37DAA2E70DFB + +You can also query your parent zone's authoritative name servers +directly to see if these records have been published. DS records will +not show up on your own authoritative zone, so you cannot query your own +name servers for them. In this recipe, the parent zone is ``.com``, so +querying a few of the ``.com`` name servers is another appropriate +verification. + +Day of KSK Rollover ++++++++++++++++++++ + +If you have followed the examples in this document, as described in +:ref:`easy_start_guide_for_authoritative_servers`, there is +technically nothing you need to do manually on the actual day of the +rollover. However, you should still keep an eye on the zone to make sure +new signature(s) are being generated by the new KSK (23550 in this +example). The easiest way is to query the authoritative name server +192.168.1.13 for the same DNSKEY and signatures, as you did a month +ago: + +:: + + $ dig @192.168.1.13 example.com. DNSKEY +dnssec +multiline + + ... + ;; ANSWER SECTION: + example.com. 300 IN DNSKEY 256 3 7 ( + AwEAAdYqAc...TiSlrma6Ef + ) ; ZSK; alg = NSEC3RSASHA1; key id = 29747 + example.com. 300 IN DNSKEY 257 3 7 ( + AwEAAeTJ+w...O+Zy9j0m63 + ) ; KSK; alg = NSEC3RSASHA1; key id = 24828 + example.com. 300 IN DNSKEY 257 3 7 ( + AwEAAc1BQN...Wdc0qoH21H + ) ; KSK; alg = NSEC3RSASHA1; key id = 23550 + example.com. 300 IN RRSIG DNSKEY 7 2 300 ( + 20210201074900 20210101064900 23550 mydnssecgood.org. + S6zTbBTfvU...Ib5eXkbtE= ) + example.com. 300 IN RRSIG DNSKEY 7 2 300 ( + 20210105074900 20201206064900 29747 mydnssecgood.org. + VY5URQA2/d...OVKr1+KX8= ) + ... + +As you can see, the signature generated by the old KSK (24828) has +disappeared, replaced by a new signature generated from the new KSK +(23550). + +One Month After KSK Rollover +++++++++++++++++++++++++++++ + +While the removal of the old DNSKEY from the zone should be automated by +``named``, the removal of the DS record is manual. You should make sure +the old DNSKEY record is gone from your zone first, by querying for the +DNSKEY records of the zone; this time we expect not to see +the key with an ID of 24828: + +:: + + $ dig @192.168.1.13 example.com. DNSKEY +dnssec +multiline + + ... + ;; ANSWER SECTION: + example.com. 300 IN DNSKEY 256 3 7 ( + AwEAAdYqAc...TiSlrma6Ef + ) ; ZSK; alg = NSEC3RSASHA1; key id = 29747 + example.com. 300 IN DNSKEY 257 3 7 ( + AwEAAc1BQN...Wdc0qoH21H + ) ; KSK; alg = NSEC3RSASHA1; key id = 23550 + example.com. 300 IN RRSIG DNSKEY 7 2 300 ( + 20210208000000 20210105230000 23550 mydnssecgood.org. + Qw9Em3dDok...bNCS7KISw= ) + example.com. 300 IN RRSIG DNSKEY 7 2 300 ( + 20210208000000 20210105230000 29747 mydnssecgood.org. + OuelpIlpY9...XfsKupQgc= ) + ... + +Since the key with the ID 24828 is gone, you can now remove the old DS +record for that key from our parent zone. +Be careful to remove the correct DS record. If you accidentally remove +the new DS record(s) with key ID 23550, it could lead to a problem called +"security lameness," as discussed in +:ref:`troubleshooting_security_lameness`, and may cause users to be unable +to resolve any names in the zone. + +1. After logging in (again, GoDaddy.com in our example) and launching the domain, scroll down to the "DS + Records" section and click Manage. + + .. _remove-ds-1: + + .. figure:: ../dnssec-guide/img/remove-ds-1.png + :alt: Remove DS Record Step #1 + :width: 40.0% + + Remove DS Record Step #1 + +2. A dialog appears, displaying both keys (24828 and 23550). Use the far + right-hand X button to remove key 24828. + + .. _remove-ds-2: + + .. figure:: ../dnssec-guide/img/remove-ds-2.png + :alt: Remove DS Record Step #2 + :width: 80.0% + + Remove DS Record Step #2 + +3. Key 24828 now appears crossed out; click "Save" to complete the + removal. + + .. _remove-ds-3: + + .. figure:: ../dnssec-guide/img/remove-ds-3.png + :alt: Remove DS Record Step #3 + :width: 80.0% + + Remove DS Record Step #3 + +Congratulations, the KSK rollover is complete! As for the actual key +files (ending in ``.key`` and ``.private``), they may be deleted at this +point, but they do not have to be. + +.. [#] + The screenshots were taken from GoDaddy's interface at the time the + original version of this guide was published (2015). It may have + changed since then. + +.. _recipes_nsec3: + +NSEC and NSEC3 +~~~~~~~~~~~~~~ + +.. _recipes_nsec_to_nsec3: + +Migrating from NSEC to NSEC3 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +This recipe describes how to transition from using NSEC to NSEC3, as described +in :ref:`advanced_discussions_proof_of_nonexistence`. This recipe +assumes that the zones are already signed, and that ``named`` is configured +according to the steps described in +:ref:`easy_start_guide_for_authoritative_servers`. + +.. warning:: + + If your zone is signed with RSASHA1 (algorithm 5), you cannot migrate + to NSEC3 without also performing an + algorithm rollover + to RSASHA1-NSEC3-SHA1 (algorithm 7), as described in + :ref:`advanced_discussions_DNSKEY_algorithm_rollovers`. This + ensures that older validating resolvers that do not understand + NSEC3 will fall back to treating the zone as unsecured (rather than + "bogus"), as described in Section 2 of :rfc:`5155`. + +To enable NSEC3, update your ``dnssec-policy`` and add the desired NSEC3 +parameters. The example below enables NSEC3 for zones with the ``standard`` +DNSSEC policy, using 0 additional iterations, no opt-out, and a zero-length salt: + +:: + + dnssec-policy "standard" { + nsec3param iterations 0 optout no salt-length 0; + }; + +Then reconfigure the server with ``rndc``. You can tell that it worked if you +see the following debug log messages: + +:: + + Oct 21 13:47:21 received control channel command 'reconfig' + Oct 21 13:47:21 zone example.com/IN (signed): zone_addnsec3chain(1,CREATE,0,-) + +You can also verify that it worked by querying for a name that you know +does not exist, and checking for the presence of the NSEC3 record. +For example: + +:: + + $ dig @192.168.1.13 thereisnowaythisexists.example.com. A +dnssec +multiline + + ... + 5A03TL362CS8VSIH69CVA4MJIKRHFQH3.example.com. 300 IN NSEC3 1 0 0 - ( + TQ9QBEGA6CROHEOC8KIH1A2C06IVQ5ER + NS SOA RRSIG DNSKEY NSEC3PARAM ) + ... + +Our example used four parameters: 1, 0, 0, and -, in +order. 1 represents the algorithm, 0 represents the +opt-out flag, 0 represents the number of additional iterations, and +- denotes no salt is used. To learn more about each of these +parameters, please see :ref:`advanced_discussions_nsec3param`. + +.. _recipes_nsec3_to_nsec: + +Migrating from NSEC3 to NSEC +^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Migrating from NSEC3 back to NSEC is easy; just remove the ``nsec3param`` +configuration option from your ``dnssec-policy`` and reconfigure the name +server. You can tell that it worked if you see these messages in the log: + +:: + + named[14093]: received control channel command 'reconfig' + named[14093]: zone example.com/IN: zone_addnsec3chain(1,REMOVE,0,-) + +You can also query for a name that you know does not exist, +and you should no longer see any traces of NSEC3 records. + +:: + + $ dig @192.168.1.13 reieiergiuhewhiouwe.example.com. A +dnssec +multiline + + ... + example.com. 300 IN NSEC aaa.example.com. NS SOA RRSIG NSEC DNSKEY + ... + ns1.example.com. 300 IN NSEC web.example.com. A RRSIG NSEC + ... + +.. _recipes_nsec3_optout: + +NSEC3 Opt-Out +^^^^^^^^^^^^^ + +This recipe discusses how to enable and disable NSEC3 opt-out, and how to show +the results of each action. As discussed in +:ref:`advanced_discussions_nsec3_optout`, NSEC3 opt-out is a feature +that can help conserve resources on parent zones with many +delegations that have not yet been signed. + +.. warning:: + NSEC3 Opt-Out feature brings benefit only to _extremely_ large zones with lots + of insecure delegations. It's use is counterproductive in all other cases as + it decreases tamper-resistance of the zone and also decreases efficiency of + resolver cache (see :rfc:`8198`). + + In other words, don't enable Opt-Out unless you are serving an equivalent of + ``com.`` zone. + +Because the NSEC3PARAM record does not keep track of whether opt-out is used, +it is hard to check whether changes need to be made to the NSEC3 chain if the flag +is changed. Similar to changing the NSEC3 salt, your best option is to change +the value of ``optout`` together with another NSEC3 parameter, like +``iterations``, and in a following step restore the ``iterations`` value. + +For this recipe we assume the zone ``example.com`` +has the following four entries (for this example, it is not relevant what +record types these entries are): + +- ``ns1.example.com`` + +- ``ftp.example.com`` + +- ``www.example.com`` + +- ``web.example.com`` + +And the zone ``example.com`` has five delegations to five subdomains, only one of +which is signed and has a valid DS RRset: + +- ``aaa.example.com``, not signed + +- ``bbb.example.com``, signed + +- ``ccc.example.com``, not signed + +- ``ddd.example.com``, not signed + +- ``eee.example.com``, not signed + +Before enabling NSEC3 opt-out, the zone ``example.com`` contains ten +NSEC3 records; below is the list with the plain text name before the actual +NSEC3 record: + +- *aaa.example.com*: IFA1I3IE7EKCTPHM6R58URO3Q846I52M.example.com + +- *bbb.example.com*: ROJUF3VJSJO6LQ2LC1DNSJ5GBAUJPVHE.example.com + +- *ccc.example.com*: 0VPUT696LUVDPDS5NIHSHBH9KLV20V5K.example.com + +- *ddd.example.com*: UHPBD5U4HRGB84MLC2NQOVEFNAKJU0CA.example.com + +- *eee.example.com*: NF7I61FA4C2UEKPMEDSOC25FE0UJIMKT.example.com + +- *ftp.example.com*: 8P15KCUAT1RHCSDN46HBQVPI5T532IN1.example.com + +- *ns1.example.com*: GUFVRA2SFIO8RSFP7UO41E8AD1KR41FH.example.com + +- *web.example.com*: CVQ4LA4ALPQIAO2H3N2RB6IR8UHM91E7.example.com + +- *www.example.com*: MIFDNDT3NFF3OD53O7TLA1HRFF95JKUK.example.com + +- *example.com*: ONIB9MGUB9H0RML3CDF5BGRJ59DKJHVK.example.com + +We can enable NSEC3 opt-out with the following configuration, changing +the ``optout`` configuration value from ``no`` to ``yes``: + +:: + + dnssec-policy "standard" { + nsec3param iterations 0 optout yes salt-length 0; + }; + +After NSEC3 opt-out is enabled, the number of NSEC3 records is reduced. +Notice that the unsigned delegations ``aaa``, ``ccc``, ``ddd``, and +``eee`` no longer have corresponding NSEC3 records. + +- *bbb.example.com*: ROJUF3VJSJO6LQ2LC1DNSJ5GBAUJPVHE.example.com + +- *ftp.example.com*: 8P15KCUAT1RHCSDN46HBQVPI5T532IN1.example.com + +- *ns1.example.com*: GUFVRA2SFIO8RSFP7UO41E8AD1KR41FH.example.com + +- *web.example.com*: CVQ4LA4ALPQIAO2H3N2RB6IR8UHM91E7.example.com + +- *www.example.com*: MIFDNDT3NFF3OD53O7TLA1HRFF95JKUK.example.com + +- *example.com*: ONIB9MGUB9H0RML3CDF5BGRJ59DKJHVK.example.com + +To undo NSEC3 opt-out, change the configuration again: + +:: + + dnssec-policy "standard" { + nsec3param iterations 0 optout no salt-length 0; + }; + +.. note:: + + NSEC3 hashes the plain text domain name, and we can compute our own + hashes using the tool ``nsec3hash``. For example, to compute the + hashed name for ``www.example.com`` using the parameters we listed + above, we can execute this command: + + :: + + # nsec3hash - 1 0 www.example.com. + MIFDNDT3NFF3OD53O7TLA1HRFF95JKUK (salt=-, hash=1, iterations=0) + +.. _revert_to_unsigned: + +Reverting to Unsigned +~~~~~~~~~~~~~~~~~~~~~ + +This recipe describes how to revert from a signed zone (DNSSEC) back to +an unsigned (DNS) zone. + +Here is what :iscman:`named.conf` looks like when it is signed: + +.. code-block:: none + :emphasize-lines: 4 + + zone "example.com" IN { + type primary; + file "db/example.com.db"; + dnssec-policy "default"; + inline-signing yes; + }; + +To indicate the reversion to unsigned, change the ``dnssec-policy`` line: + +.. code-block:: none + :emphasize-lines: 4 + + zone "example.com" IN { + type primary; + file "db/example.com.db"; + dnssec-policy "insecure"; + inline-signing yes; + }; + +Then use :option:`rndc reload` to reload the zone. + +The "insecure" policy is a built-in policy (like "default"). It makes sure +the zone is still DNSSEC-maintained, to allow for a graceful transition to +unsigned. It also publishes the CDS and CDNSKEY DELETE records automatically +at the appropriate time. + +If the parent zone allows management of DS records via CDS/CDNSKEY, as described in +:rfc:`8078`, the DS record should be removed from the parent automatically. + +Otherwise, DS records can be removed via the registrar. Below is an example +showing how to remove DS records using the +`GoDaddy <https://www.godaddy.com>`__ web-based interface: + +1. After logging in, click the green "Launch" button next to the domain + name you want to manage. + +.. _unsign-1: + + .. figure:: ../dnssec-guide/img/unsign-1.png + :alt: Revert to Unsigned Step #1 + :width: 60.0% + + Revert to Unsigned Step #1 + +2. Scroll down to the "DS Records" section and click Manage. + +.. _unsign-2: + + .. figure:: ../dnssec-guide/img/unsign-2.png + :alt: Revert to Unsigned Step #2 + :width: 40.0% + + Revert to Unsigned Step #2 + +3. A dialog appears, displaying all current keys. Use the far right-hand + X button to remove each key. + +.. _unsign-3: + + .. figure:: ../dnssec-guide/img/unsign-3.png + :alt: Revert to Unsigned Step #3 + :width: 70.0% + + Revert to Unsigned Step #3 + +4. Click Save. + +.. _unsign-4: + + .. figure:: ../dnssec-guide/img/unsign-4.png + :alt: Revert to Unsigned Step #4 + :width: 70.0% + + Revert to Unsigned Step #4 + +When the DS records have been removed from the parent zone, use +``rndc dnssec -checkds -key <id> withdrawn example.com`` to tell ``named`` that +the DS is removed, and the remaining DNSSEC records will be removed in a timely +manner. Or, if parental agents are configured, the DNSSEC records will be +automatically removed after BIND has seen that the parental agents no longer +serve the DS RRset for this zone. + +After a while, the zone is reverted back to the traditional, insecure DNS +format. This can be verified by checking that all DNSKEY and RRSIG records have been +removed from the zone. + +The ``dnssec-policy`` line can then be removed from :iscman:`named.conf` and +the zone reloaded. The zone will no longer be subject to any DNSSEC +maintenance. |