Single-key rollover

Mark Andrews marka at isc.org
Wed Jun 20 01:08:47 UTC 2012


In message <CABUciRnyNVAMGU=0a6bQNuBYST2yeC6S9A2GnPBQM9pnrvBkzQ at mail.gmail.com>, Alexander Gurvitz writes:
> >
> >
> > That paragraph from 4.1.4 is just plain wrong and following it will
> > lead to cached data that can't be validated once retrieved.
> >
> > Let's say that all data in the zone has a TTL of 3600.
> >
> > At T - 3500 you have retrieved the DNSKEY while validating a MX RRset.
> > At T - 100 you look up an A record and validate it with the previously
> > validated DNSKEY RRset.
> > At T you update the zone's contents as per above.
> > At T + 100 the DNSKEY RRset expires from the cache.
> > At T + 200 a validating stub resolver looks up the A record and gets
> > RRSIG(KEY1).  It then does a DNSKEY retrieval and only gets KEY2.
> >
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
> >
> 
> At T+200 resolver will get RRSIG(KEY2). But your idea stands, the last
> sentence should read something like this:
> "One replaces the DNSKEY_S_1 signatures with signatures
>  made with DNSKEY_S_2 AND, AFTER OLD RRSIG EXPIRE FROM CACHES,
>  REMOVES DNSKEY_S_1."
> 
> The scenario will be:
> 1. DNSKEY#1 + RRSIGS#1 + DS#1 (initial state)
> 2. DNSKEY#1, DNSKEY#2 +  RRSIGS(DNSKEY)#1,#2 + RRSIGS(ZONE)#2 + DS#1 (add
> new DNSKEY, sign DNSKEYs with both DNSKEYs, sign zone with new DNSKEY only
> (remove old RRSIGs))
> 3. (wait DNSKEY propagation delay)
> 4. DNSKEY#1, DNSKEY#2 +  RRSIGS(DNSKEY)#1,#2 + RRSIGS(ZONE)#2 + DS#2
> (change DS#1 to DS#2)
> 5. (wait DS propagation delay + RRSIG propagation delay since step 2)
> 6. DNSKEY#2 +  RRSIGS#2 + DS#2 (remove DNSKEY#1, and the corresponding
> DNSKEY signatures)
> 
> Anyhow, my question was if that would be possible to achieve with BIND.
> 
> Alex

We don't have a dnskey only flag though you can do what you want with
dnssec-signzone then post process the zone to remove the necessary
signatures.

You can do single signature key rollover with named and with dnssec-signzone.

* Publish the new DNSKEY.  Add DS for it.
* Wait for DS RRset to time out of caches.
* Activate the new DNSKEY, deactivate the old DNSKEY and bump the serial.  This will result in the DNSKEY and SOA being signed with the new key.
- If you are using dnssec-signzone the entire zone will be signed with the
new key.  You can remove the old signatures if you want with dnssec-signzone.
- If you are doing this with named, as the signatures fall due for re-signing
they will be done with the new key and the old signatures will be removed.
This takes most of the sig-validity-interval to happen.
You can also force the zone to be re-signed using rndc.
* You can un-publish the old key once the last old signature has expired
from caches.
* You can remove old DS after waiting DNSKEY TTL after deactivating
the old KEY.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
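As an added illustration that is not part of this thread and not BIND code: a small Python model of a validating resolver with a TTL-driven cache. It assumes every RRset, the DS included, has a 3600 second TTL, uses made-up key ids KEY1 and KEY2, and fixes the step timings itself (600 seconds between activation and the last re-signing, one TTL for each wait). It first replays the cached-RRSIG timeline Mark gives above, then walks resolvers with staggered cache contents through the step list in this message, and through a variant that un-publishes the old key without waiting for the old RRSIGs to expire from caches.

```python
"""Caching-validator model of the single-key rollover discussed in the thread.

Constructed illustration: one zone with DNSKEY, SOA, MX and A RRsets, a parent
DS RRset, and resolvers that cache every RRset for TTL seconds.  Key ids
(KEY1, KEY2) and the step timings are assumptions, not BIND defaults.
"""
from dataclasses import dataclass, field

TTL = 3600  # every RRset, DS included, uses this TTL (as in the thread)
K1, K2, BOTH = frozenset({"KEY1"}), frozenset({"KEY2"}), frozenset({"KEY1", "KEY2"})


@dataclass
class Zone:
    """Authoritative state: published keys, DS at the parent, and for each RRset
    the set of key ids that currently have an RRSIG over it."""
    dnskeys: frozenset
    ds: frozenset
    sigs: dict  # rrset name -> frozenset of signing key ids

    def answer(self, name):
        """(rdata, signer key ids) as the authoritative server would return it."""
        if name == "DS":
            return self.ds, frozenset()          # DS is signed by the parent; not modelled
        if name == "DNSKEY":
            return self.dnskeys, self.sigs["DNSKEY"]
        return name, self.sigs[name]


def zone(keys, ds, dnskey_sig, soa_sig, data_sig):
    return Zone(keys, ds, {"DNSKEY": dnskey_sig, "SOA": soa_sig, "MX": data_sig, "A": data_sig})


@dataclass
class Resolver:
    """Validating resolver whose cache expires each RRset TTL seconds after fetch."""
    cache: dict = field(default_factory=dict)   # name -> (expiry, answer)

    def lookup(self, zone, name, now):
        expiry, answer = self.cache.get(name, (now, None))
        if expiry <= now:                         # missing or expired: ask the authority
            answer = zone.answer(name)
            self.cache[name] = (now + TTL, answer)
        return answer

    def validate(self, zone, name, now):
        """RFC 4035 in miniature: the DNSKEY RRset is trusted if a DS matches a key in
        it that also signs it; an RRset is secure if some RRSIG over it was made by
        a key in that trusted DNSKEY RRset."""
        ds, _ = self.lookup(zone, "DS", now)
        keys, key_sigs = self.lookup(zone, "DNSKEY", now)
        _, signers = self.lookup(zone, name, now)
        return bool(ds & keys & key_sigs) and bool(signers & keys)


def section_4_1_4_timeline():
    """Mark's example: KEY1 is replaced by KEY2 outright at time T while a cached
    A RRset still carries RRSIG(KEY1).  Returns the three validation results."""
    T = 10_000
    before, after = zone(K1, K1, K1, K1, K1), zone(K2, K2, K2, K2, K2)
    r = Resolver()
    return (r.validate(before, "MX", T - 3500),   # DNSKEY RRset enters the cache here
            r.validate(before, "A", T - 100),     # A validated with the cached DNSKEY
            r.validate(after, "A", T + 200))      # DNSKEY refetched after T+100: KEY2 only


def rollover_timeline(premature_unpublish=False):
    """The step list from the post as (start_time, Zone) pairs.  With
    premature_unpublish the old key is dropped as soon as its last signature is
    replaced, i.e. without letting the old RRSIGs expire from caches."""
    states = [
        (float("-inf"), zone(K1, K1, K1, K1, K1)),        # steady state on KEY1
        (0,             zone(BOTH, BOTH, K1, K1, K1)),    # publish KEY2, add its DS
        (TTL,           zone(BOTH, BOTH, K2, K2, K1)),    # DS timed out of caches: activate
                                                          # KEY2, deactivate KEY1, bump serial
        (TTL + 600,     zone(BOTH, BOTH, K2, K2, K2)),    # named re-signs the rest (or rndc)
        (2 * TTL,       zone(BOTH, K2, K2, K2, K2)),      # DNSKEY TTL after deactivation: drop old DS
        (2 * TTL + 600, zone(K2, K2, K2, K2, K2)),        # last KEY1 RRSIG gone from caches
    ]
    if premature_unpublish:
        states[3] = (TTL + 600, zone(K2, BOTH, K2, K2, K2))
        states[4] = (2 * TTL, zone(K2, K2, K2, K2, K2))
        del states[5]
    return states


def zone_at(states, t):
    return [z for start, z in states if start <= t][-1]


def first_failure(states, schedules=((100, 100), (700, 1700), (3500, 3400))):
    """Resolvers that validate SOA every p_soa seconds and A every p_a seconds
    (ticks of 100 s) so their cached RRsets age differently.  Returns
    (p_soa, p_a, time, name) of the first failed validation, or None."""
    for p_soa, p_a in schedules:
        r = Resolver()
        for t in range(-TTL, 4 * TTL + 1, 100):
            for name, period in (("SOA", p_soa), ("A", p_a)):
                if t % period == 0 and not r.validate(zone_at(states, t), name, t):
                    return (p_soa, p_a, t, name)
    return None


if __name__ == "__main__":
    print("4.1.4 style swap (MX, A, A after swap):", section_4_1_4_timeline())
    print("step list from the post, first failure:", first_failure(rollover_timeline()))
    print("un-publish old key early, first failure:",
          first_failure(rollover_timeline(premature_unpublish=True)))
```

The model refreshes each cached RRset independently, which is what makes the resolver whose DNSKEY RRset expires before its A RRset appear: with the step list above every lookup validates at every tick, while the early un-publish variant fails for a resolver that fetched the A RRset under KEY1 and later refetched a DNSKEY RRset that no longer contains it.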