.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") .. .. SPDX-License-Identifier: MPL-2.0 .. .. This Source Code Form is subject to the terms of the Mozilla Public .. License, v. 2.0. If a copy of the MPL was not distributed with this .. file, you can obtain one at https://mozilla.org/MPL/2.0/. .. .. See the COPYRIGHT file distributed with this work for additional .. information regarding copyright ownership. .. highlight: console .. _man_dnssec-cds: dnssec-cds - change DS records for a child zone based on CDS/CDNSKEY -------------------------------------------------------------------- Synopsis ~~~~~~~~ :program:`dnssec-cds` [**-a** alg...] [**-c** class] [**-D**] {**-d** dsset-file} {**-f** child-file} [**-i**[extension]] [**-s** start-time] [**-T** ttl] [**-u**] [**-v** level] [**-V**] {domain} Description ~~~~~~~~~~~ The ``dnssec-cds`` command changes DS records at a delegation point based on CDS or CDNSKEY records published in the child zone. If both CDS and CDNSKEY records are present in the child zone, the CDS is preferred. This enables a child zone to inform its parent of upcoming changes to its key-signing keys (KSKs); by polling periodically with ``dnssec-cds``, the parent can keep the DS records up-to-date and enable automatic rolling of KSKs. Two input files are required. The ``-f child-file`` option specifies a file containing the child's CDS and/or CDNSKEY records, plus RRSIG and DNSKEY records so that they can be authenticated. The ``-d path`` option specifies the location of a file containing the current DS records. For example, this could be a ``dsset-`` file generated by ``dnssec-signzone``, or the output of ``dnssec-dsfromkey``, or the output of a previous run of ``dnssec-cds``. The ``dnssec-cds`` command uses special DNSSEC validation logic specified by :rfc:`7344`. It requires that the CDS and/or CDNSKEY records be validly signed by a key represented in the existing DS records. This is typically the pre-existing KSK. For protection against replay attacks, the signatures on the child records must not be older than they were on a previous run of ``dnssec-cds``. Their age is obtained from the modification time of the ``dsset-`` file, or from the ``-s`` option. To protect against breaking the delegation, ``dnssec-cds`` ensures that the DNSKEY RRset can be verified by every key algorithm in the new DS RRset, and that the same set of keys are covered by every DS digest type. By default, replacement DS records are written to the standard output; with the ``-i`` option the input file is overwritten in place. The replacement DS records are the same as the existing records, when no change is required. The output can be empty if the CDS/CDNSKEY records specify that the child zone wants to be insecure. .. warning:: Be careful not to delete the DS records when ``dnssec-cds`` fails! Alternatively, ``dnssec-cds -u`` writes an ``nsupdate`` script to the standard output. The ``-u`` and ``-i`` options can be used together to maintain a ``dsset-`` file as well as emit an ``nsupdate`` script. Options ~~~~~~~ ``-a algorithm`` This option specifies a digest algorithm to use when converting CDNSKEY records to DS records. This option can be repeated, so that multiple DS records are created for each CDNSKEY record. This option has no effect when using CDS records. The algorithm must be one of SHA-1, SHA-256, or SHA-384. These values are case-insensitive, and the hyphen may be omitted. If no algorithm is specified, the default is SHA-256. ``-c class`` This option specifies the DNS class of the zones. ``-D`` This option generates DS records from CDNSKEY records if both CDS and CDNSKEY records are present in the child zone. By default CDS records are preferred. ``-d path`` This specifies the location of the parent DS records. The path can be the name of a file containing the DS records; if it is a directory, ``dnssec-cds`` looks for a ``dsset-`` file for the domain inside the directory. To protect against replay attacks, child records are rejected if they were signed earlier than the modification time of the ``dsset-`` file. This can be adjusted with the ``-s`` option. ``-f child-file`` This option specifies the file containing the child's CDS and/or CDNSKEY records, plus its DNSKEY records and the covering RRSIG records, so that they can be authenticated. The examples below describe how to generate this file. ``-iextension`` This option updates the ``dsset-`` file in place, instead of writing DS records to the standard output. There must be no space between the ``-i`` and the extension. If no extension is provided, the old ``dsset-`` is discarded. If an extension is present, a backup of the old ``dsset-`` file is kept with the extension appended to its filename. To protect against replay attacks, the modification time of the ``dsset-`` file is set to match the signature inception time of the child records, provided that it is later than the file's current modification time. ``-s start-time`` This option specifies the date and time after which RRSIG records become acceptable. This can be either an absolute or a relative time. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20170827133700 denotes 13:37:00 UTC on August 27th, 2017. A time relative to the ``dsset-`` file is indicated with ``-N``, which is N seconds before the file modification time. A time relative to the current time is indicated with ``now+N``. If no start-time is specified, the modification time of the ``dsset-`` file is used. ``-T ttl`` This option specifies a TTL to be used for new DS records. If not specified, the default is the TTL of the old DS records. If they had no explicit TTL, the new DS records also have no explicit TTL. ``-u`` This option writes an ``nsupdate`` script to the standard output, instead of printing the new DS reords. The output is empty if no change is needed. Note: The TTL of new records needs to be specified: it can be done in the original ``dsset-`` file, with the ``-T`` option, or using the ``nsupdate`` ``ttl`` command. ``-V`` This option prints version information. ``-v level`` This option sets the debugging level. Level 1 is intended to be usefully verbose for general users; higher levels are intended for developers. ``domain`` This indicates the name of the delegation point/child zone apex. Exit Status ~~~~~~~~~~~ The ``dnssec-cds`` command exits 0 on success, or non-zero if an error occurred. If successful, the DS records may or may not need to be changed. Examples ~~~~~~~~ Before running ``dnssec-signzone``, ensure that the delegations are up-to-date by running ``dnssec-cds`` on every ``dsset-`` file. To fetch the child records required by ``dnssec-cds``, invoke ``dig`` as in the script below. It is acceptable if the ``dig`` fails, since ``dnssec-cds`` performs all the necessary checking. :: for f in dsset-* do d=${f#dsset-} dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS | dnssec-cds -i -f /dev/stdin -d $f $d done When the parent zone is automatically signed by ``named``, ``dnssec-cds`` can be used with ``nsupdate`` to maintain a delegation as follows. The ``dsset-`` file allows the script to avoid having to fetch and validate the parent DS records, and it maintains the replay attack protection time. :: dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS | dnssec-cds -u -i -f /dev/stdin -d $f $d | nsupdate -l See Also ~~~~~~~~ :manpage:`dig(1)`, :manpage:`dnssec-settime(8)`, :manpage:`dnssec-signzone(8)`, :manpage:`nsupdate(1)`, BIND 9 Administrator Reference Manual, :rfc:`7344`.