diff options
Diffstat (limited to 'doc/dnssec-guide/signing.rst')
-rw-r--r-- | doc/dnssec-guide/signing.rst | 1474 |
1 files changed, 1474 insertions, 0 deletions
diff --git a/doc/dnssec-guide/signing.rst b/doc/dnssec-guide/signing.rst new file mode 100644 index 0000000..8d3c159 --- /dev/null +++ b/doc/dnssec-guide/signing.rst @@ -0,0 +1,1474 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +.. _dnssec_signing: + +Signing +------- + +.. _easy_start_guide_for_authoritative_servers: + +Easy-Start Guide for Signing Authoritative Zones +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +This section provides the basic information needed to set up a +DNSSEC-enabled authoritative name server. A DNSSEC-enabled (or +"signed") zone contains additional resource records that are used to +verify the authenticity of its zone information. + +To convert a traditional (insecure) DNS zone to a secure one, we need to +create some additional records (DNSKEY, RRSIG, and NSEC or NSEC3), and +upload verifiable information (such as a DS record) to the parent zone to +complete the chain of trust. For more information about DNSSEC resource +records, please see :ref:`what_does_dnssec_add_to_dns`. + +.. note:: + + In this chapter, we assume all configuration files, key files, and + zone files are stored in ``/etc/bind``, and most examples show + commands run as the root user. This may not be ideal, but the point is + not to distract from what is important here: learning how to sign + a zone. There are many best practices for deploying a more secure + BIND installation, with techniques such as jailed process and + restricted user privileges, but those are not covered + in this document. We trust you, a responsible DNS + administrator, to take the necessary precautions to secure your + system. + +For the examples below, we work with the assumption that +there is an existing insecure zone ``example.com`` that we are +converting to a secure zone. + +.. _signing_easy_start_policy_enable: + +Enabling Automated DNSSEC Zone Maintenance and Key Generation +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +To sign a zone, add the following statement to its +:any:`zone` clause in the BIND 9 configuration file: + +:: + + options { + directory "/etc/bind"; + recursion no; + ... + }; + + zone "example.com" in { + ... + dnssec-policy default; + inline-signing yes; + ... + }; + +The :any:`dnssec-policy` statement causes the zone to be signed and turns +on automatic maintenance for the zone. This includes re-signing the zone +as signatures expire and replacing keys on a periodic basis. The value +``default`` selects the default policy, which contains values suitable +for most situations. We cover the creation of a custom policy in +:ref:`signing_custom_policy`, but for the moment we are accepting the +default values. + +Using :any:`dnssec-policy` requires dynamic DNS or :any:`inline-signing` +to be enabled. + +.. note:: + + Previously, if a zone with a :any:`dnssec-policy` did not have dynamic + DNS set up and :any:`inline-signing` was not explicity set, BIND 9 used + inline-signing implicitly. But this caused a lot of problems when operators + switched on or off dynamic DNS for their zones. Therefor, you now have to + configure it explicitly. + +When the configuration file is updated, tell :iscman:`named` to +reload the configuration file by running :option:`rndc reconfig`: + +:: + + # rndc reconfig + +And that's it - BIND signs your zone. + +At this point, before you go away and merrily add :any:`dnssec-policy` +statements to all your zones, we should mention that, like a number of +other BIND configuration options, its scope depends on where it is placed. In +the example above, we placed it in a :any:`zone` clause, so it applied only +to the zone in question. If we had placed it in a :any:`view` clause, it +would have applied to all zones in the view; and if we had placed it in +the :namedconf:ref:`options` clause, it would have applied to all zones served by +this instance of BIND. + +.. _signing_verification: + +Verification +^^^^^^^^^^^^ + +The BIND 9 reconfiguration starts the process of signing the zone. +First, it generates a key for the zone and includes it +in the published zone. The log file shows messages such as these: + +:: + + 07-Apr-2020 16:02:55.045 zone example.com/IN (signed): reconfiguring zone keys + 07-Apr-2020 16:02:55.045 reloading configuration succeeded + 07-Apr-2020 16:02:55.046 keymgr: DNSKEY example.com/ECDSAP256SHA256/10376 (CSK) created for policy default + 07-Apr-2020 16:02:55.046 Fetching example.com/ECDSAP256SHA256/10376 (CSK) from key repository. + 07-Apr-2020 16:02:55.046 DNSKEY example.com/ECDSAP256SHA256/10376 (CSK) is now published + 07-Apr-2020 16:02:55.046 DNSKEY example.com/ECDSAP256SHA256/10376 (CSK) is now active + 07-Apr-2020 16:02:55.048 zone example.com/IN (signed): next key event: 07-Apr-2020 18:07:55.045 + +It then starts signing the zone. How long this process takes depends on the +size of the zone, the speed of the server, and how much activity is +taking place. We can check what is happening by using :iscman:`rndc`, +entering the command: + +:: + + # rndc signing -list example.com + +While the signing is in progress, the output is something like: + +:: + + Signing with key 10376/ECDSAP256SHA256 + +and when it is finished: + +:: + + Done signing with key 10376/ECDSAP256SHA256 + +When the second message appears, the zone is signed. + +Before moving on to the next step of coordinating with the parent zone, +let's make sure everything looks good using :iscman:`delv`. We want to +simulate what a validating resolver will check, by telling +:iscman:`delv` to use a specific trust anchor. + +First, we need to make a copy of the key created by BIND. This +is in the directory you set with the :any:`directory` statement in +your configuration file's :namedconf:ref:`options` clause, and is named something +like ``Kexample.com.+013.10376.key``: + +:: + + # cp /etc/bind/Kexample.com.+013+10376.key /tmp/example.key + +The original key file looks like this (with the actual key shortened for ease of display, +and comments omitted): + +:: + + # cat /etc/bind/Kexample.com.+013+10376.key + + ... + example.com. 3600 IN DNSKEY 257 3 13 6saiq99qDB...dqp+o0dw== + +We want to edit the copy to be in the :any:`trust-anchors` format, so that +it looks like this: + +:: + + # cat /tmp/example.key + trust-anchors { + example.com. static-key 257 3 13 "6saiq99qDB...dqp+o0dw=="; + }; + +Now we can run the :iscman:`delv` command and instruct it to use this +trusted-key file to validate the answer it receives from the +authoritative name server 192.168.1.13: + +:: + + $ delv @192.168.1.13 -a /tmp/example.key +root=example.com example.com. SOA +multiline + ; fully validated + example.com. 600 IN SOA ns1.example.com. admin.example.com. ( + 2020040703 ; serial + 1800 ; refresh (30 minutes) + 900 ; retry (15 minutes) + 2419200 ; expire (4 weeks) + 300 ; minimum (5 minutes) + ) + example.com. 600 IN RRSIG SOA 13 2 600 ( + 20200421150255 20200407140255 10376 example.com. + jBsz92zwAcGMNV/yu167aKQZvFyC7BiQe1WEnlogdLTF + oq4yBQumOhO5WX61LjA17l1DuLWcd/ASwlUZWFGCYQ== ) + +.. _signing_easy_start_upload_to_parent_zone: + +Uploading Information to the Parent Zone +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Once everything is complete on our name server, we need to generate some +information to be uploaded to the parent zone to complete the chain of +trust. The format and the upload methods are actually dictated by your +parent zone's administrator, so contact your registrar or parent zone +administrator to find out what the actual format should be and how to +deliver or upload the information to the parent zone. + +What about your zone between the time you signed it and the time your +parent zone accepts the upload? To the rest of the world, your +zone still appears to be insecure, because if a validating +resolver attempts to validate your domain name via +your parent zone, your parent zone will indicate that you are +not yet signed (as far as it knows). The validating resolver will then +give up attempting to validate your domain name, and will fall back to the +insecure DNS. Until you complete this final step with your +parent zone, your zone remains insecure. + +.. note:: + + Before uploading to your parent zone, verify that your newly signed + zone has propagated to all of your name servers (usually via zone + transfers). If some of your name servers still have unsigned zone + data while the parent tells the world it should be signed, validating + resolvers around the world cannot resolve your domain name. + +Here are some examples of what you may upload to your parent zone, with +the DNSKEY/DS data shortened for display. Note that no matter what +format may be required, the end result is the parent zone +publishing DS record(s) based on the information you upload. Again, +contact your parent zone administrator(s) to find out the +correct format for their system. + +1. DS record format: + + :: + + example.com. 3600 IN DS 10376 13 2 B92E22CAE0...33B8312EF0 + +2. DNSKEY format: + + :: + + example.com. 3600 IN DNSKEY 257 3 13 6saiq99qDB...dqp+o0dw== + +The DS record format may be generated from the DNSKEY using the +:iscman:`dnssec-dsfromkey` tool, which is covered in +:ref:`parent_ds_record_format`. For more details and examples on how +to work with your parent zone, please see +:ref:`working_with_parent_zone`. + +.. _signing_easy_start_so_what_now: + +So... What Now? +^^^^^^^^^^^^^^^ + +Congratulations! Your zone is signed, your secondary servers have +received the new zone data, and the parent zone has accepted your upload +and published your DS record. Your zone is now officially +DNSSEC-enabled. What happens next? That is basically it - BIND +takes care of everything else. As for updating your zone file, you can +continue to update it the same way as prior to signing your +zone; the normal work flow of editing a zone file and using the :iscman:`rndc` +command to reload the zone still works as usual, and although you are +editing the unsigned version of the zone, BIND generates the signed +version automatically. + +Curious as to what all these commands did to your zone file? Read on to +:ref:`your_zone_before_and_after_dnssec` and find out. If you are +interested in how to roll this out to your existing primary and +secondary name servers, check out :ref:`recipes_inline_signing` in +the :ref:`dnssec_recipes` chapter. + +.. _your_zone_before_and_after_dnssec: + +Your Zone, Before and After DNSSEC +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +When we assigned the default DNSSEC policy to the zone, we provided the +minimal amount of information to convert a traditional DNS +zone into a DNSSEC-enabled zone. This is what the zone looked like +before we started: + +:: + + $ dig @192.168.1.13 example.com. AXFR +multiline +onesoa + + ; <<>> DiG 9.16.0 <<>> @192.168.1.13 example.com AXFR +multiline +onesoa + ; (1 server found) + ;; global options: +cmd + example.com. 600 IN SOA ns1.example.com. admin.example.com. ( + 2020040700 ; serial + 1800 ; refresh (30 minutes) + 900 ; retry (15 minutes) + 2419200 ; expire (4 weeks) + 300 ; minimum (5 minutes) + ) + example.com. 600 IN NS ns1.example.com. + ftp.example.com. 600 IN A 192.168.1.200 + ns1.example.com. 600 IN A 192.168.1.1 + web.example.com. 600 IN CNAME www.example.com. + www.example.com. 600 IN A 192.168.1.100 + +Below shows the test zone ``example.com`` after reloading the +server configuration. Clearly, the zone grew in size, and the +number of records multiplied: + +:: + + # dig @192.168.1.13 example.com. AXFR +multiline +onesoa + + ; <<>> DiG 9.16.0 <<>> @192.168.1.13 example.com AXFR +multiline +onesoa + ; (1 server found) + ;; global options: +cmd + example.com. 600 IN SOA ns1.example.com. admin.example.com. ( + 2020040703 ; serial + 1800 ; refresh (30 minutes) + 900 ; retry (15 minutes) + 2419200 ; expire (4 weeks) + 300 ; minimum (5 minutes) + ) + example.com. 300 IN RRSIG NSEC 13 2 300 ( + 20200413050536 20200407140255 10376 example.com. + drtV1rJbo5OMi65OJtu7Jmg/thgpdTWrzr6O3Pzt12+B + oCxMAv3orWWYjfP2n9w5wj0rx2Mt2ev7MOOG8IOUCA== ) + example.com. 300 IN NSEC ftp.example.com. NS SOA RRSIG NSEC DNSKEY TYPE65534 + example.com. 600 IN RRSIG NS 13 2 600 ( + 20200413130638 20200407140255 10376 example.com. + 2ipmzm1Ei6vfE9OLowPMsxLBCbjrCpWPgWJ0ekwZBbux + MLffZOXn8clt0Ql2U9iCPdyoQryuJCiojHSE2d6nrw== ) + example.com. 600 IN RRSIG SOA 13 2 600 ( + 20200421150255 20200407140255 10376 example.com. + jBsz92zwAcGMNV/yu167aKQZvFyC7BiQe1WEnlogdLTF + oq4yBQumOhO5WX61LjA17l1DuLWcd/ASwlUZWFGCYQ== ) + example.com. 0 IN RRSIG TYPE65534 13 2 0 ( + 20200413050536 20200407140255 10376 example.com. + Xjkom24N6qeCJjg9BMUfuWf+euLeZB169DHvLYZPZNlm + GgM2czUDPio6VpQbUw6JE5DSNjuGjgpgXC5SipC42g== ) + example.com. 3600 IN RRSIG DNSKEY 13 2 3600 ( + 20200421150255 20200407140255 10376 example.com. + maK75+28oUyDtci3V7wjTsuhgkLUZW+Q++q46Lea6bKn + Xj77kXcLNogNdUOr5am/6O6cnPeJKJWsnmTLISm62g== ) + example.com. 0 IN TYPE65534 \# 5 ( 0D28880001 ) + example.com. 3600 IN DNSKEY 257 3 13 ( + 6saiq99qDBb5b4G4cx13cPjFTrIvUs3NW44SvbbHorHb + kXwOzeGAWyPORN+pwEV/LP9+FHAF/JzAJYdqp+o0dw== + ) ; KSK; alg = ECDSAP256SHA256 ; key id = 10376 + example.com. 600 IN NS ns1.example.com. + ftp.example.com. 600 IN RRSIG A 13 3 600 ( + 20200413130638 20200407140255 10376 example.com. + UYo1njeUA49VhKnPSS3JO4G+/Xd2PD4m3Vaacnd191yz + BIoouEBAGPcrEM2BNrgR0op1EWSus9tG86SM1ZHGuQ== ) + ftp.example.com. 300 IN RRSIG NSEC 13 3 300 ( + 20200413130638 20200407140255 10376 example.com. + rPADrAMAPIPSF3S45OSY8kXBTYMS3nrZg4Awj7qRL+/b + sOKy6044MbIbjg+YWL69dBjKoTSeEGSCSt73uIxrYA== ) + ftp.example.com. 300 IN NSEC ns1.example.com. A RRSIG NSEC + ftp.example.com. 600 IN A 192.168.1.200 + ns1.example.com. 600 IN RRSIG A 13 3 600 ( + 20200413130638 20200407140255 10376 example.com. + Yeojg7qrJmxL6uLTnALwKU5byNldZ9Ggj5XjcbpPvujQ + ocG/ovGBg6pdugXC9UxE39bCDl8dua1frjDcRCCZAA== ) + ns1.example.com. 300 IN RRSIG NSEC 13 3 300 ( + 20200413130638 20200407140255 10376 example.com. + vukgQme6k7JwCf/mJOOzHXbE3fKtSro+Kc10T6dHMdsc + oM1/oXioZvgBZ9cKrQhIAUt7r1KUnrUwM6Je36wWFA== ) + ns1.example.com. 300 IN NSEC web.example.com. A RRSIG NSEC + ns1.example.com. 600 IN A 192.168.1.1 + web.example.com. 600 IN RRSIG CNAME 13 3 600 ( + 20200413130638 20200407140255 10376 example.com. + JXi4WYypofD5geUowVqlqJyHzvcRnsvU/ONhTBaUCw5Y + XtifKAXRHWrUL1HIwt37JYPLf5uYu90RfkWLj0GqTQ== ) + web.example.com. 300 IN RRSIG NSEC 13 3 300 ( + 20200413130638 20200407140255 10376 example.com. + XF4Hsd58dalL+s6Qu99bG80PQyMf7ZrHEzDiEflRuykP + DfBRuf34z27vj70LO1lp2ZiX4BB1ahcEK2ae9ASAmA== ) + web.example.com. 300 IN NSEC www.example.com. CNAME RRSIG NSEC + web.example.com. 600 IN CNAME www.example.com. + www.example.com. 600 IN RRSIG A 13 3 600 ( + 20200413050536 20200407140255 10376 example.com. + mACKXrDOF5JMWqncSiQ3pYWA6abyGDJ4wgGCumjLXhPy + 0cMzJmKv2s7G6+tW3TsA6BK3UoMfv30oblY2Mnl4/A== ) + www.example.com. 300 IN RRSIG NSEC 13 3 300 ( + 20200413050536 20200407140255 10376 example.com. + 1YQ22odVt0TeP5gbNJwkvS684ipDmx6sEOsF0eCizhCv + x8osuOATdlPjIEztt+rveaErZ2nsoLor5k1nQAHsbQ== ) + www.example.com. 300 IN NSEC example.com. A RRSIG NSEC + www.example.com. 600 IN A 192.168.1.100 + +But this is a really messy way to tell if the zone is set up properly +with DNSSEC. Fortunately, there are tools to help us with that. Read on +to :ref:`how_to_test_authoritative_server` to learn more. + +.. _how_to_test_authoritative_server: + +How To Test Authoritative Zones +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +So we've activated DNSSEC and uploaded some data to our parent zone. How +do we know our zone is signed correctly? Here are a few ways to check. + +.. _signing_verify_key_data: + +Look for Key Data in Your Zone +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +One way to see if your zone is signed is to check for the +presence of DNSKEY record types. In our example, we created a single +key, and we expect to see it returned when we query for it. + +:: + + $ dig @192.168.1.13 example.com. DNSKEY +multiline + + ; <<>> DiG 9.16.0 <<>> @10.53.0.6 example.com DNSKEY +multiline + ; (1 server found) + ;; global options: +cmd + ;; Got answer: + ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18637 + ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 + ;; WARNING: recursion requested but not available + + ;; OPT PSEUDOSECTION: + ; EDNS: version: 0, flags:; udp: 4096 + ; COOKIE: efe186423313fb66010000005e8c997e99864f7d69ed7c11 (good) + ;; QUESTION SECTION: + ;example.com. IN DNSKEY + + ;; ANSWER SECTION: + example.com. 3600 IN DNSKEY 257 3 13 ( + 6saiq99qDBb5b4G4cx13cPjFTrIvUs3NW44SvbbHorHb + kXwOzeGAWyPORN+pwEV/LP9+FHAF/JzAJYdqp+o0dw== + ) ; KSK; alg = ECDSAP256SHA256 ; key id = 10376 + + +.. _signing_verify_signature: + +Look for Signatures in Your Zone +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Another way to see if your zone data is signed is to check for the +presence of a signature. With DNSSEC, every record [#]_ now comes with at +least one corresponding signature, known as an RRSIG. + +:: + + $ dig @192.168.1.13 example.com. SOA +dnssec +multiline + + ; <<>> DiG 9.16.0 <<>> @10.53.0.6 example.com SOA +dnssec +multiline + ; (1 server found) + ;; global options: +cmd + ;; Got answer: + ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45219 + ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 + ;; WARNING: recursion requested but not available + + ;; OPT PSEUDOSECTION: + ; EDNS: version: 0, flags: do; udp: 4096 + ; COOKIE: 75adff4f4ce916b2010000005e8c99c0de47eabb7951b2f5 (good) + ;; QUESTION SECTION: + ;example.com. IN SOA + + ;; ANSWER SECTION: + example.com. 600 IN SOA ns1.example.com. admin.example.com. ( + 2020040703 ; serial + 1800 ; refresh (30 minutes) + 900 ; retry (15 minutes) + 2419200 ; expire (4 weeks) + 300 ; minimum (5 minutes) + ) + example.com. 600 IN RRSIG SOA 13 2 600 ( + 20200421150255 20200407140255 10376 example.com. + jBsz92zwAcGMNV/yu167aKQZvFyC7BiQe1WEnlogdLTF + oq4yBQumOhO5WX61LjA17l1DuLWcd/ASwlUZWFGCYQ== ) + +The serial number was automatically incremented from the old, unsigned +version. :iscman:`named` keeps track of the serial number of the signed version of +the zone independently of the unsigned version. If the unsigned zone is +updated with a new serial number that is higher than the one in the +signed copy, then the signed copy is increased to match it; +otherwise, the two are kept separate. + +.. _signing_verify_zone_file: + +Examine the Zone File +^^^^^^^^^^^^^^^^^^^^^ + +Our original zone file ``example.com.db`` remains untouched, and :iscman:`named` has +generated three additional files automatically for us (shown below). The +signed DNS data is stored in ``example.com.db.signed`` and in the +associated journal file. + +:: + + # cd /etc/bind + # ls + example.com.db example.com.db.jbk example.com.db.signed example.com.db.signed.jnl + +A quick description of each of the files: + +- ``.jbk``: a transient file used by :iscman:`named` + +- ``.signed``: the signed version of the zone in raw format + +- ``.signed.jnl``: a journal file for the signed version of the zone + +These files are stored in raw (binary) format for faster loading. To +reveal the human-readable version, use :iscman:`named-compilezone` +as shown below. In the example below, we run the command on the +raw format zone ``example.com.db.signed`` to produce a text version of +the zone ``example.com.text``: + +:: + + # named-compilezone -f raw -F text -o example.com.text example.com example.com.db.signed + zone example.com/IN: loaded serial 2014112008 (DNSSEC signed) + dump zone to example.com.text...done + OK + +.. _signing_verify_check_parent: + +Check the Parent +^^^^^^^^^^^^^^^^ + +Although this is not strictly related to whether the zone is +signed, a critical part of DNSSEC is the trust relationship between the +parent and the child. Just because we, the child, have all the correctly +signed records in our zone does not mean it can be fully validated by a +validating resolver, unless our parent's data agrees with ours. To check +if our upload to the parent was successful, ask the parent name server +for the DS record of our child zone; we should get back the DS record(s) +containing the information we uploaded in +:ref:`signing_easy_start_upload_to_parent_zone`: + +:: + + $ dig example.com. DS + + ; <<>> DiG 9.16.0 <<>> example.com DS + ; (1 server found) + ;; global options: +cmd + ;; Got answer: + ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16954 + ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 + + ;; OPT PSEUDOSECTION: + ; EDNS: version: 0, flags:; udp: 4096 + ; COOKIE: db280d5b52576780010000005e8c9bf5b0d8de103d934e5d (good) + ;; QUESTION SECTION: + ;example.com. IN DS + + ;; ANSWER SECTION: + example.com. 61179 IN DS 10376 13 2 B92E22CAE0B41430EC38D3F7EDF1183C3A94F4D4748569250C15EE33B8312EF0 + +.. [#] + Well, almost every record: NS records and glue records for + delegations do not have RRSIG records. If there are + no delegations, then every record in your zone is + signed and comes with its own RRSIG. + +.. _signing_verify_external_tools: + +External Testing Tools +^^^^^^^^^^^^^^^^^^^^^^ + +We recommend two tools, below: Verisign DNSSEC Debugger and DNSViz. Others can +be found via a simple online search. These excellent online tools are an easy +way to verify that your domain name is fully secured. + +.. _signing_verify_external_tools_dnssec_debugger: + +Verisign DNSSEC Debugger +++++++++++++++++++++++++ + +URL: `<https://dnssec-debugger.verisignlabs.com/>`__ + +This tool shows a nice summary of checks performed on your domain name. +You can expand it to view more details for each of the items checked, to +get a detailed report. + +.. figure:: ../dnssec-guide/img/verisign-dnssec-debugger-example.png + :alt: Verisign DNSSEC Debugger + + Verisign DNSSEC Debugger + +.. _signing_verify_external_tools_dnsviz: + +DNSViz +++++++ + +URL: `<https://dnsviz.net/>`__ + +DNSViz provides a visual analysis of the DNSSEC authentication chain for +a domain name and its resolution path in the DNS namespace. + +.. figure:: ../dnssec-guide/img/dnsviz-example-small.png + :alt: DNSViz + :width: 80.0% + + DNSViz + +.. _signing_easy_start_explained: + +Signing Easy Start Explained +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. _enable_automatic_maintenance_explained: + +Enable Automatic DNSSEC Maintenance Explained +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Signing a zone requires a number of separate steps: + +- Generation of the keys to sign the zone. + +- Inclusion of the keys into the zone. + +- Signing of the records in the file (including the generation of the + NSEC or NSEC3 records). + +Maintaining a signed zone comprises a set of ongoing tasks: + +- Re-signing the zone as signatures approach expiration. + +- Generation of new keys as the time approaches for a key roll. + +- Inclusion of new keys into the zone when the rollover starts. + +- Transition from signing the zone with the old set of keys to signing + the zone with the new set of keys. + +- Waiting the appropriate interval before removing the old keys from + the zone. + +- Deleting the old keys. + +That is quite complex, and it is all handled in BIND 9 with the single +``dnssec-policy default`` statement. We will see later on (in the +:ref:`signing_custom_policy` section) how these actions can be tuned, by +setting up our own DNSSEC policy with customized parameters. However, in many +cases the defaults are adequate. + +At the time of this writing (mid-2020), :any:`dnssec-policy` is still a +relatively new feature in BIND. Although it is the preferred +way to run DNSSEC in a zone, it is not yet able to automatically implement +all the features that are available +with a more "hands-on" approach to signing and key maintenance. For this +reason, we cover alternative signing techniques in +:ref:`signing_alternative_ways`. + +.. _working_with_parent_zone: + +Working With the Parent Zone +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +As mentioned in :ref:`signing_easy_start_upload_to_parent_zone`, +the format of the information uploaded to your parent zone is dictated +by your parent zone administrator. The two main formats are: + +1. DS record format + +2. DNSKEY format + +Check with your parent zone to see which format they require. + +But how can you get each of the formats from your existing data? + +When :iscman:`named` turned on automatic +DNSSEC maintenance, essentially the first thing it did was to create +the DNSSEC keys and put them in the directory you specified in the +configuration file. If you look in that directory, you will see three +files with names like ``Kexample.com.+013+10376.key``, +``Kexample.com.+013+10376.private``, and +``Kexample.com.+013+10376.state``. The one we are interested in is the +one with the ``.key`` suffix, which contains the zone's public key. (The +other files contain the zone's private key and the DNSSEC state +associated with the key.) This public key is used to generate the information we +need to pass to the parent. + +.. _parent_ds_record_format: + +DS Record Format +^^^^^^^^^^^^^^^^ + +Below is an example of a DS record format generated from the KSK we +created earlier (``Kexample.com.+013+10376.key``): + +:: + + # cd /etc/bind + dnssec-dsfromkey Kexample.com.+013+10376.key + example.com. IN DS 10376 13 2 B92E22CAE0B41430EC38D3F7EDF1183C3A94F4D4748569250C15EE33B8312EF0 + +Some registrars ask their customers to manually specify the types of algorithm +and digest used. In this example, 13 represents the algorithm used, and +2 represents the digest type (SHA-256). The key tag or key ID is 10376. + +.. _parent_dnskey_format: + +DNSKEY Format +^^^^^^^^^^^^^ + +Below is an example of the same key ID (10376) using DNSKEY format +(with the actual key shortened for ease of display): + +:: + + example.com. 3600 IN DNSKEY 257 3 13 (6saiq99qDB...dqp+o0dw==) ; key id = 10376 + +The key itself is easy to find (it's difficult to miss that long +base64 string) in the file. + +:: + + # cd /etc/bind + # cat Kexample.com.+013+10376.key + ; This is a key-signing key, keyid 10376, for example.com. + ; Created: 20200407150255 (Tue Apr 7 16:02:55 2020) + ; Publish: 20200407150255 (Tue Apr 7 16:02:55 2020) + ; Activate: 20200407150255 (Tue Apr 7 16:02:55 2020) + example.com. 3600 IN DNSKEY 257 3 13 6saiq99qDB...dqp+o0dw== + +.. _signing_custom_policy: + +Creating a Custom DNSSEC Policy +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The remainder of this section describes the contents of a custom DNSSEC +policy. :ref:`dnssec_advanced_discussions` describes the concepts +involved here and the pros and cons of choosing particular values. If +you are not already familiar with DNSSEC, it may be worth reading that chapter +first. + +Setting up your own DNSSEC policy means that you must include a +:any:`dnssec-policy` clause in the zone file. This sets values for the +various parameters that affect the signing of zones and the rolling of +keys. The following is an example of such a clause: + +:: + + dnssec-policy standard { + dnskey-ttl 600; + keys { + ksk lifetime 365d algorithm ecdsap256sha256; + zsk lifetime 60d algorithm ecdsap256sha256; + }; + max-zone-ttl 600; + parent-ds-ttl 600; + parent-propagation-delay 2h; + publish-safety 7d; + retire-safety 7d; + signatures-refresh 5d; + signatures-validity 15d; + signatures-validity-dnskey 15d; + zone-propagation-delay 2h; + }; + +The policy has multiple parts: + +- The name must be specified. As each zone can use a different policy, + :iscman:`named` needs to be able to distinguish between policies. This is + done by giving each policy a name, such as ``standard`` in the above + example. + +- The :any:`keys` clause lists all keys that should be in the zone, along + with their associated parameters. In this example, we are using the + conventional KSK/ZSK split, with the KSK changed every year and the + ZSK changed every two months (the ``default`` DNSSEC policy sets a + CSK that is never changed). Keys are created using the + ECDSAPS256SHA256 algorithm; each KSK/ZSK pair must have the same + algorithm. A CSK combines the functionality of a ZSK and a KSK. + +- The parameters ending in ``-ttl`` are, as expected, the TTLs of the + associated records. Remember that during a key rollover, + we have to wait for records to expire from caches? The values + here tell BIND 9 the maximum amount of time it has to wait for this to + happen. Values can be set for the DNSKEY records in your zone, the + non-DNSKEY records in your zone, and the DS records in the parent + zone. + +- Another set of time-related parameters are those ending in + ``-propagation-delay``. These tell BIND how long it takes for a + change in zone contents to become available on all secondary servers. + (This may be non-negligible: for example, if a large zone is + transferred over a slow link.) + +- The policy also sets values for the various signature parameters: how + long the signatures on the DNSKEY and non-DNSKEY records are valid, + and how often BIND should re-sign the zone. + +- The parameters ending in ``-safety`` are there to give + you a bit of leeway in case a key roll doesn't go to plan. When + introduced into the zone, the :any:`publish-safety` time is the amount + of additional time, over and above that calculated from the other + parameters, during which the new key is in the zone but before BIND starts + to sign records with it. Similarly, the :any:`retire-safety` is the + amount of additional time, over and above that calculated from the + other parameters, during which the old key is retained in the zone before + being removed. + +- Finally, the :any:`purge-keys` option allows you to clean up key files + automatically after a period of time. If a key has been removed from the + zone, this option will determine how long its key files will be retained + on disk. + +(You do not have to specify all the items listed above in your policy +definition. Any that are not set simply take the default value.) + +Usually, the exact timing of a key roll, or how long a signature remains +valid, is not critical. For this reason, err on the side of caution when +setting values for the parameters. It is better to have an operation +like a key roll take a few days longer than absolutely required, than it +is to have a quick key roll but have users get validation failures +during the process. + +Having defined a new policy called "standard", we now need to tell +:iscman:`named` to use it. We do this by adding a ``dnssec-policy standard;`` +statement to the configuration file. Like many other configuration +statements, it can be placed in the :namedconf:ref:`options` statement (thus applying +to all zones on the server), a :any:`view` statement (applying to all zones +in the view), or a :any:`zone` statement (applying only to that zone). In +this example, we'll add it to the :any:`zone` statement: + +:: + + zone "example.net" in { + ... + dnssec-policy standard; + inline-signing yes; + ... + }; + +Finally, tell :iscman:`named` to use the new policy: + +:: + + # rndc reconfig + +... and that's it. :iscman:`named` now applies the "standard" policy to +your zone. + +.. _signing_maintenance_tasks: + +Maintenance Tasks +~~~~~~~~~~~~~~~~~ + +Zone data is signed and the parent zone has published your DS records: +at this point your zone is officially secure. When other +validating resolvers look up information in your zone, they are able to +follow the 12-step process as described in +:ref:`how_does_dnssec_change_dns_lookup_revisited` and verify the +authenticity and integrity of the answers. + +There is not that much left for you, as the DNS administrator, to do on +an ongoing basis. Whenever you update your zone, BIND automatically +re-signs your zone with new RRSIG and NSEC/NSEC3 records, and even +increments the serial number for you. If you choose to split your keys +into a KSK and ZSK, the rolling of the ZSK is completely automatic. +Rolling of a KSK or CSK may require some manual intervention, though, +so let's examine two more DNSSEC-related resource records, CDS and CDNSKEY. + +.. _cds_cdnskey: + +The CDS and CDNSKEY Resource Records +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Passing the DS record to the organization running the parent zone has +always been recognized as a bottleneck in the key rollover process. To +automate the process, the CDS and CDNSKEY resource records were +introduced. + +The CDS and CDNSKEY records are identical to the DS and DNSKEY records, +except in the type code and the name. When such a record appears in the +child zone, it is a signal to the parent that it should update the DS it +has for that zone. In essence, when the parent notices +the presence of the CDS and/or CDNSKEY record(s) in the +child zone, it checks these records to verify that they are +signed by a valid key for the zone. If the record(s) successfully +validate, the parent zone's DS RRset for the child zone is changed to +correspond to the CDS (or CDNSKEY) records. (For more +information on how the signaling works and the issues surrounding it, +please refer to :rfc:`7344` and :rfc:`8078`.) + +.. _working_with_the_parent_2: + +Working with the Parent Zone (2) +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Once the zone is signed, the only required manual tasks are +to monitor KSK or CSK key rolls and pass the new DS record to the +parent zone. However, if the parent can process CDS or CDNSKEY records, +you may not even have to do that [#]_. + +When the time approaches for the roll of a KSK or CSK, BIND adds a +CDS and a CDNSKEY record for the key in question to the apex of the +zone. If your parent zone supports polling for CDS/CDNSKEY records, they +are uploaded and the DS record published in the parent - at least ideally. + +If BIND is configured with :any:`parental-agents`, it will check for the DS +presence. Let's look at the following configuration excerpt: + +:: + + parental-agents "net" { + 10.53.0.11; 10.53.0.12; + }; + + zone "example.net" in { + ... + dnssec-policy standard; + inline-signing yes; + parental-agents { "net"; }; + ... + }; + +BIND will check for the presence of the DS record in the parent zone by querying +its parental agents (defined in :rfc:`7344` to be the entities that the child +zone has a relationship with to change its delegation information). In the +example above, The zone `example.net` is configured with two parental agents, +at the addresses 10.53.0.11 and 10.53.0.12. These addresses are used as an +example only. Both addresses will have to respond with a DS RRset that +includes the DS record identifying the key that is being rolled. If one or +both don't have the DS included yet the rollover is paused, and the check for +DS presence is retried after an hour. The same applies for DS withdrawal. + +Alternatively, you can use the :iscman:`rndc` tool to tell :iscman:`named` that the DS +record has been published or withdrawn. For example: + +:: + + # rndc dnssec -checkds published example.net + +If your parent zone doesn't support CDS/CDNSKEY, you will have to supply +the DNSKEY or DS record to the parent zone manually when a new KSK appears in +your zone, presumably using the same mechanism you used to upload the +records for the first time. Again, you need to use the :iscman:`rndc` tool +to tell :iscman:`named` that the DS record has been published. + +.. [#] + For security reasons, a parent zone that supports CDS/CDNSKEY may require + the DS record to be manually uploaded when we first sign the zone. + Until our zone is signed, the parent cannot be sure that a CDS or CDNSKEY + record it finds by querying our zone really comes from our zone; thus, it + needs to use some other form of secure transfer to obtain the information. + +.. _signing_alternative_ways: + +Alternate Ways of Signing a Zone +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Although use of the automatic :any:`dnssec-policy` is the preferred way to sign zones in +BIND, there are occasions where a more manual approach may be +needed, such as when external hardware is used to +generate and sign the zone. :any:`dnssec-policy` does not currently support +the use of external hardware, so if your security policy requires it, you +need to use one of the methods described here. + +The idea of DNSSEC was first discussed in the 1990s and has been +extensively developed over the intervening years. BIND has tracked the +development of this technology, often being the first name server +implementation to introduce new features. However, for compatibility reasons, BIND +retained older ways of doing things even when new ways were added. This +particularly applies to signing and maintaining zones, where different +levels of automation are available. + +The following is a list of the available methods of signing in BIND, in the +order that they were introduced - and in order of decreasing +complexity. + +Manual + "Manual" signing was the first method to be introduced into BIND and + its name describes it perfectly: the user needs to do everything. In the + more-automated methods, you load an unsigned zone file into + :iscman:`named`, which takes care of signing it. With manual signing, you + have to provide a signed zone for :iscman:`named` to serve. + + In practice, this means creating an unsigned zone file as usual, then + using the BIND-provided tools :iscman:`dnssec-keygen` to create the keys + and :iscman:`dnssec-signzone` to sign the zone. The signed zone is stored + in another file and is the one you tell BIND to load. To + update the zone (for example, to add a resource record), you update the + unsigned zone, re-sign it, and tell :iscman:`named` to load the updated + signed copy. The same goes for refreshing signatures or rolling keys; + the user is responsible for providing the signed zone served by + :iscman:`named`. (In the case of rolling keys, you are also responsible for + ensuring that the keys are added and removed at the correct times.) + + Why would you want to sign your zone this way? You probably + wouldn't in the normal course of events, but as there may be + circumstances in which it is required, the scripts have been left in + the BIND distribution. + +Semi-Automatic + The first step in DNSSEC automation came with BIND 9.7, when the + :any:`auto-dnssec` option was added. This causes :iscman:`named` to + periodically search the directory holding the key files (see + :ref:`generate_keys` for a description) and to + use the information in them to both add and remove keys and sign the + zone. + + Use of :any:`auto-dnssec` alone requires that the zone be dynamic, + something not suitable for a number of situations, so BIND 9.9 added the + :any:`inline-signing` option. With this, :iscman:`named` essentially keeps the + signed and unsigned copies of the zone separate. The signed zone is + created from the unsigned one using the key information; when the + unsigned zone is updated and the zone reloaded, :iscman:`named` detects the + changes and updates the signed copy of the zone. + + This mode of signing has been termed "semi-automatic" in this + document because keys still have to be manually created (and deleted + when appropriate). Although not an onerous task, it is still + additional work. + + Why would anyone want to use this + method when fully automated ones are available? At the time of + this writing (mid-2020), the fully automatic methods cannot handle all scenarios, + particularly that of having a single key shared among multiple + zones. They also do not handle keys stored in Hardware Security + Modules (HSMs), which are briefly covered in + :ref:`hardware_security_modules`. + +Fully Automatic with ``dnssec-keymgr`` + The next step in the automation of DNSSEC operations came with BIND + 9.11, which introduced the ``dnssec-keymgr`` utility. This is a + separate program and was expected to be run on a regular basis + (probably via ``cron``). It read a DNSSEC policy from its + configuration file and read timing information from the DNSSEC key + files. With this information it created new key files with timing + information in them consistent with the policy. :iscman:`named` was run as + usual, picking up the timing information in the key files to + determine when to add and remove keys, and when to sign with them. + + In BIND 9.17.0 and later, this method of handling DNSSEC + policies has been replaced by the :any:`dnssec-policy` statement in the + configuration file. + +Fully Automatic with :any:`dnssec-policy` + Introduced a BIND 9.16, :any:`dnssec-policy` replaces ``dnssec-keymgr`` from BIND + 9.17 onwards and avoids the need to run a separate program. It also + handles the creation of keys if a zone is added (``dnssec-keymgr`` + requires an initial key) and deletes old key files as they are + removed from the zone. This is the method described in + :ref:`easy_start_guide_for_authoritative_servers`. + +We now look at some of these methods in more detail. We cover +semi-automatic signing first, as that contains a lot of useful +information about keys and key timings. After that, we +touch on fully automatic signing with :any:`dnssec-policy`. Since this has +already been described in +:ref:`easy_start_guide_for_authoritative_servers`, we will just +mention a few additional points. Finally, we briefly describe manual signing. + +.. _semi_automatic_signing: + +Semi-Automatic Signing +^^^^^^^^^^^^^^^^^^^^^^ + +As noted above, the term semi-automatic signing has been used in this +document to indicate the mode of signing enabled by the :any:`auto-dnssec` +and :any:`inline-signing` keywords. :iscman:`named` signs the zone without any +manual intervention, based purely on the timing information in the +DNSSEC key files. The files, however, must be created manually. + +By appropriately setting the key parameters and the timing information +in the key files, you can implement any DNSSEC policy you want for your +zones. But why manipulate the key information yourself rather than rely +on :any:`dnssec-policy` to do it for you? The answer +is that semi-automatic signing allows you to do things that, at the time of this writing +(mid-2020), are currently not possible with one of the key managers: for +example, the ability to use an HSM to store keys, or the ability to use +the same key for multiple zones. + +To convert a traditional +(insecure) DNS zone to a secure one, we need to create various +additional records (DNSKEY, RRSIG, NSEC/NSEC3) and, as with +fully automatic signing, to upload verifiable information (such as a DS +record) to the parent zone to complete the chain of trust. + +.. note:: + + Again, we assume all configuration files, key + files, and zone files are stored in ``/etc/bind``, and most examples + show commands run + as the root user. This may not be ideal, but the point is not + to distract from what is important here: learning how to sign + a zone. There are many best practices for deploying a more secure + BIND installation, with techniques such as jailed process and + restricted user privileges, but those are not covered + in this document. We trust you, a responsible DNS + administrator, to take the necessary precautions to secure your + system. + + For our examples below, we work with the assumption that + there is an existing insecure zone ``example.com`` that we are + converting to a secure version. The secure version uses both a KSK + and a ZSK. + +.. _generate_keys: + +Generate Keys ++++++++++++++ + +Everything in DNSSEC centers around keys, so we begin by +generating our own keys. + +.. code-block:: console + + # cd /etc/bind/keys + # dnssec-keygen -a ECDSAP256SHA256 example.com + Generating key pair...........................+++++ ......................+++++ + Kexample.com.+013+34371 + # dnssec-keygen -a ECDSAP256SHA256 -f KSK example.com + Generating key pair........................+++ ..................................+++ + Kexample.com.+013+00472 + +This command generates four key files in ``/etc/bind/keys``: + +- Kexample.com.+013+34371.key + +- Kexample.com.+013+34371.private + +- Kexample.com.+013+00472.key + +- Kexample.com.+013+00472.private + +The two files ending in ``.key`` are the public keys. These contain the +DNSKEY resource records that appear in the zone. The two files +ending in ``.private`` are the private keys, and contain the information +that :iscman:`named` actually uses to sign the zone. + +Of the two pairs, one is the zone-signing key (ZSK), and one is the +key-signing key (KSK). We can tell which is which by looking at the file +contents (the actual keys are shortened here for ease of display): + +.. code-block:: console + + # cat Kexample.com.+013+34371.key + ; This is a zone-signing key, keyid 34371, for example.com. + ; Created: 20200616104249 (Tue Jun 16 11:42:49 2020) + ; Publish: 20200616104249 (Tue Jun 16 11:42:49 2020) + ; Activate: 20200616104249 (Tue Jun 16 11:42:49 2020) + example.com. IN DNSKEY 256 3 13 AwEAAfel66...LqkA7cvn8= + # cat Kexample.com.+013+00472.key + ; This is a key-signing key, keyid 472, for example.com. + ; Created: 20200616104254 (Tue Jun 16 11:42:54 2020) + ; Publish: 20200616104254 (Tue Jun 16 11:42:54 2020) + ; Activate: 20200616104254 (Tue Jun 16 11:42:54 2020) + example.com. IN DNSKEY 257 3 13 AwEAAbCR6U...l8xPjokVU= + +The first line of each file tells us what type of key it is. Also, by +looking at the actual DNSKEY record, we can tell them apart: 256 is +ZSK, and 257 is KSK. + +The name of the file also tells us something +about the contents. See chapter :ref:`zone_keys` for more details. + +Make sure that these files are readable by :iscman:`named` and that the +``.private`` files are not readable by anyone else. + +Alternativelly, the :iscman:`dnssec-keyfromlabel` program is used to get a key +pair from a crypto hardware device and build the key files. Its usage is +similar to :iscman:`dnssec-keygen`. + +Setting Key Timing Information +++++++++++++++++++++++++++++++ + +You may remember that in the above description of this method, we said +that time information related to rolling keys is stored in the key +files. This is placed there by :iscman:`dnssec-keygen` when the file is +created, and it can be modified using :iscman:`dnssec-settime`. By default, +only a limited amount of timing information is included in the file, as +illustrated in the examples in the previous section. + +All the dates are the same, and are the date and time that +:iscman:`dnssec-keygen` created the key. We can use :iscman:`dnssec-settime` to +modify the dates [#]_. For example, to publish this key in +the zone on 1 July 2020, use it to sign records for a year starting on +15 July 2020, and remove it from the zone at the end of July 2021, we +can use the following command: + +.. code-block:: console + + # dnssec-settime -P 20200701 -A 20200715 -I 20210715 -D 20210731 Kexample.com.+013+34371.key + ./Kexample.com.+013+34371.key + ./Kexample.com.+013+34371.private + +which would set the contents of the key file to: + +.. code-block:: none + + ; This is a zone-signing key, keyid 34371, for example.com. + ; Created: 20200616104249 (Tue Jun 16 11:42:49 2020) + ; Publish: 20200701000000 (Wed Jul 1 01:00:00 2020) + ; Activate: 20200715000000 (Wed Jul 15 01:00:00 2020) + ; Inactive: 20210715000000 (Thu Jul 15 01:00:00 2021) + ; Delete: 20210731000000 (Sat Jul 31 01:00:00 2021) + example.com. IN DNSKEY 256 3 13 AwEAAfel66...LqkA7cvn8= + +(The actual key is truncated here to improve readability.) + +Below is a complete list of each of the metadata fields, and how each +one affects the signing of your zone: + +1. *Created*: This records the date on which the key was created. It is + not used in calculations; it is useful simply for documentation + purposes. + +2. *Publish*: This sets the date on which a key is to be published to the + zone. After that date, the key is included in the zone but is + not used to sign it. This allows validating resolvers to get a + copy of the new key in their cache before there are any resource + records signed with it. By default, if not specified at creation + time, this is set to the current time, meaning the key is + published as soon as :iscman:`named` picks it up. + +3. *Activate*: This sets the date on which the key is to be activated. After + that date, resource records are signed with the key. By default, + if not specified during creation time, this is set to the current + time, meaning the key is used to sign data as soon as :iscman:`named` + picks it up. + +4. *Revoke:* This sets the date on which the key is to be revoked. After that + date, the key is flagged as revoked, although it is still included in the + zone and used to sign it. This is used to notify validating + resolvers that this key is about to be removed or retired from the + zone. (This state is not used in normal day-to-day operations. See + :rfc:`5011` to understand the circumstances where it may be used.) + +5. *Inactive*: This sets the date on which the key is to become inactive. + After that date, the key is still included in the zone, but it + is no longer used to sign it. This sets the "expiration" or "retire" + date for a key. + +6. *Delete*: This sets the date on which the key is to be deleted. After that + date, the key is no longer included in the zone, but it + continues to exist on the file system or key repository. + +This can be summarized as follows: + +.. table:: Key Metadata Comparison + + +----------+------------------+------------------+------------------+ + | Metadata | Included in Zone | Used to Sign | Purpose | + | | File? | Data? | | + +==========+==================+==================+==================+ + | Created | No | No | Recording of | + | | | | key creation | + +----------+------------------+------------------+------------------+ + | Publish | Yes | No | Introduction of | + | | | | a key soon to be | + | | | | active | + +----------+------------------+------------------+------------------+ + | Activate | Yes | Yes | Activation date | + | | | | for new key | + +----------+------------------+------------------+------------------+ + | Revoke | Yes | Yes | Notification of | + | | | | a key soon to be | + | | | | retired | + +----------+------------------+------------------+------------------+ + | Inactive | Yes | No | Inactivation or | + | | | | retirement of a | + | | | | key | + +----------+------------------+------------------+------------------+ + | Delete | No | No | Deletion or | + | | | | removal of a key | + | | | | from a zone | + +----------+------------------+------------------+------------------+ + +The publication date is the date the key is introduced into the zone. +Sometime later it is activated and is used to sign resource records. +After a specified period, BIND stops using it to sign records, and at some +other specified later time it is removed from the zone. + +Finally, we should note that the :iscman:`dnssec-keygen` command supports the +same set of switches so we could have set the dates +when we created the key. + +.. _semi_automatic_signing_reconfigure_bind: + +Reconfiguring BIND +++++++++++++++++++ + +Having created the keys with the appropriate timing information, the +next step is to turn on DNSSEC signing. Below is a very simple +:iscman:`named.conf`; in our example environment, this file is +``/etc/bind/named.conf``. + +:: + + options { + directory "/etc/bind"; + recursion no; + minimal-responses yes; + }; + + zone "example.com" IN { + type primary; + file "example.com.db"; + auto-dnssec maintain; + inline-signing yes; + }; + +Once the configuration file is updated, tell :iscman:`named` to +reload: + +:: + + # rndc reload + server reload successful + +.. _semi_automated_signing_verification: + +Verifying That the Zone Is Signed Correctly ++++++++++++++++++++++++++++++++++++++++++++ + +You should now check that the zone is signed. Follow the steps in +:ref:`signing_verification`. + +.. _semi_automatic_signing_upload_ds: + +Uploading the DS Record to the Parent ++++++++++++++++++++++++++++++++++++++ + +As described in :ref:`signing_easy_start_upload_to_parent_zone`, we +must now upload the new information to the parent zone. The format of the +information and how to generate it is described in +:ref:`working_with_parent_zone`, although it is important to remember that you must +use the contents of the KSK file that you generated above as part of the +process. + +When the DS record is published in the parent zone, your zone is fully +signed. + +Checking That Your Zone Can Be Validated +++++++++++++++++++++++++++++++++++++++++ + +Finally, follow the steps in :ref:`how_to_test_authoritative_server` +to confirm that a query recognizes the zone as properly signed and +vouched for by the parent zone. + +So... What Now? ++++++++++++++++ + +Once the zone is signed, it must be monitored as described +in :ref:`signing_maintenance_tasks`. However, +as the time approaches for a key roll, you must create the new key. Of +course, it is possible to create keys for the next fifty +years all at once and set the key times appropriately. Whether the +increased risk in having the private key files for future keys available +on disk offsets the overhead of having to remember to create a new key +before a rollover depends on your organization's security policy. + +.. _advanced_discussions_automatic_dnssec-policy: + +Fully Automatic Signing With :any:`dnssec-policy` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Since BIND 9.16, key management is fully integrated ingo :iscman:`named`. +Managing the signing process and rolling of these keys has been described in +:ref:`easy_start_guide_for_authoritative_servers` and is not +repeated here. A few points are worth noting, though: + +- The :any:`dnssec-policy` statement in the :iscman:`named` configuration file + describes all aspects of the DNSSEC policy, including the signing. + +- The :any:`dnssec-policy` statement requires to zone to use dynamic DNS, + or that :any:`inline-signing` is enabled. + +.. _advanced_discussions_manual_key_management_and_signing: + +Manual Signing +^^^^^^^^^^^^^^ + +Manual signing of a zone was the first method of signing introduced into +BIND and offers, as the name suggests, no automation. The user must +handle everything: create the keys, sign the zone file with them, load +the signed zone, periodically re-sign the zone, and manage key rolls, +including interaction with the parent. A user certainly can do all this, +but why not use one of the automated methods? Nevertheless, it may +be useful for test purposes, so we cover it briefly here. + +BIND 9 ships with several tools that are used in +this process, which are explained in more detail below. In all cases, +the ``-h`` option prints a full list of parameters. Note that the DNSSEC +tools require the keyset files to be in the working directory or the +directory specified by the ``-d`` option. + +The first step is to create the keys as described in :ref:`generate_keys`. + +Then, edit the zone file to make sure the proper DNSKEY entries are included. +The public keys should be inserted into the zone file by +including the ``.key`` files using ``$INCLUDE`` statements. + +Finally, use the command :iscman:`dnssec-signzone`. +Any ``keyset`` files corresponding to secure sub-zones should be +present. The zone signer generates ``NSEC``, ``NSEC3``, and ``RRSIG`` +records for the zone, as well as ``DS`` for the child zones if +:option:`-g <dnssec-signzone -g>` is specified. If +:option:`-g <dnssec-signzone -g>` is not specified, then DS RRsets for the +secure child zones need to be added manually. + +By default, all zone keys which have an available private key are used +to generate signatures. The following command signs the zone, assuming +it is in a file called ``zone.child.example``, using manually specified keys: + +.. code-block:: console + + # cd /etc/bind/keys/example.com/ + # dnssec-signzone -t -N INCREMENT -o example.com -f /etc/bind/db/example.com.signed.db \ + /etc/bind/db/example.com.db Kexample.com.+013+17694.key Kexample.com.+013+06817.key + Verifying the zone using the following algorithms: ECDSAP256SHA256. + Zone fully signed: + Algorithm: ECDSAP256SHA256: KSKs: 1 active, 0 stand-by, 0 revoked + ZSKs: 1 active, 0 stand-by, 0 revoked + /etc/bind/db/example.com.signed.db + Signatures generated: 17 + Signatures retained: 0 + Signatures dropped: 0 + Signatures successfully verified: 0 + Signatures unsuccessfully verified: 0 + Signing time in seconds: 0.046 + Signatures per second: 364.634 + Runtime in seconds: 0.055 + +The :option:`-o <dnssec-signzone -o>` switch explicitly defines the domain name +(``example.com`` in this case), while the :option:`-f <dnssec-signzone -f>` +switch specifies the output file name. The second line has three parameters: +the unsigned zone name (``/etc/bind/db/example.com.db``), the ZSK file name, +and the KSK file name. This also generates a plain-text file +``/etc/bind/db/example.com.signed.db``, which can be manually verified for correctness. + +:iscman:`dnssec-signzone` also produces keyset and dsset files. These are used +to provide the parent zone administrators with the ``DNSKEY`` records (or their +corresponding ``DS`` records) that are the secure entry point to the zone. + +Finally, :iscman:`named.conf` needs to be updated to load the signed version +of the zone, which looks something like this: + +.. code-block:: none + + zone "example.com" IN { + type primary; + file "db/example.com.signed.db"; + }; + +Once the :option:`rndc reconfig` command is issued, BIND serves a signed +zone. The file ``dsset-example.com`` (created by :iscman:`dnssec-signzone` +when it signed the ``example.com`` zone) contains the DS record for the +zone's KSK. You will need to pass that to the administrator of the parent +zone, to be placed in the zone. + +Since this is a manual process, you will need to re-sign periodically, +as well as every time the zone +data changes. You will also need to manually roll the keys by adding and +removing DNSKEY records (and interacting with the parent) at the +appropriate times. + +.. [#] + The dates can also be modified using an editor, but that is likely to + be more error-prone than using :iscman:`dnssec-settime`. + +.. [#] + Only one key file - for either a KSK or ZSK - is needed to signal the + presence of the zone. :iscman:`dnssec-keygen` creates files of both + types as needed. |