DNSSEC with 9.7.2-P2

Mark Andrews marka at isc.org
Sat Nov 13 00:35:57 UTC 2010


In message <4CDD6467.9050708 at imperial.ac.uk>, Phil Mayers writes:
> On 12/11/10 15:45, Lightner, Jeff wrote:
> 
> > For Production (RPM based system) you should use RHEL or CentOS which
> > has a much longer life cycle.  (Speaking of which, RHEL6 was just put in
> 
> I don't agree with your line of reasoning. RHEL may have longer update 
> cycles, but there's no guarantee a particular RHEL install will be 
> applying updates in real-time, so the keys in the dnssec-conf package 
> may still get out of date, or a RHEL install may run after its 5-year
> update cycle ends.
> 
> I think the dnssec-conf package should have had a nightly cron job to 
> refresh these keys, and it was a mistake to deploy without such.
> 
> Just my opinion of course.
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

I use the following scripts (update-trusted-keys and commit-trusted-keys)
to manage my trust anchors.  I run update-trusted-keys nightly from cron
and manually update when I get email that there has been a change.

update-trusted-keys replaces the trust anchor when the tld gets a DS
record added to the root zone.  With no arguments it just updates the
current list of zones listed in /etc/trusted-keys.

To bootstrap the process run it with a "." and the TLDs.

e.g.
	/etc/update-trusted-keys . br org com net ....

and then add an include line for each zone to /etc/named.conf.

e.g.
	include "/etc/trusted-keys/ROOT";
	include "/etc/trusted-keys/br";
	include "/etc/trusted-keys/org";
	include "/etc/trusted-keys/com";
	include "/etc/trusted-keys/net";

Mark

/etc/update-trusted-keys:
#!/bin/sh -f

#
# 	The directory containing the trusted keys.
#
d=/etc/trusted-keys

#	If we haven't been given a list of zones then get the list
#	of zones from the trusted-keys directory, excluding files that
#	may have been the result of mapping the zone name to something
#	suitable for the file system.
#
if test ! -n "$*"
then
	set `ls "${d}/" | grep -v '\.new' | grep -v _ | sed 's/^ROOT$/./'`
fi

#
#	For each zone attempt to get the DNSKEY RRset.  This will be
#	validated by the nameserver before being returned to us.
#	If there are keys with the KSK flag set then use them to create
#	a new trusted-key set otherwise use all keys.
#
#	Report when the trusted-key set has changed.
#
#	Note: this code assumes that there is a proper key rollover
#	where multiple keys are active for a significant amount of time
#
for i in "$@"
do
	f=`echo "${i}" | tr '[A-Z/ ]' '[a-z__]'`
	n=".new-${f}"
	i=`echo "${i}" | tr '[A-Z]' '[a-z]'`
	case $i in
	.) f="ROOT"; n=".new-ROOT";;
	*.) ;;
	*) i=${i}.;;
	esac
	case ${i} in
	.) DS=0;;
	*) DS=`/usr/local/bin/dig +noall +answer DS "${i}" @127.0.0.1 |
	    grep -v '^;;' | wc -l | sed 's/ *//g'`;;
	esac
	REM=""
	if test ${DS} -gt 0
	then
		if test `expr "${i}" : '^[a-z0-9-][a-z0-9-]*\.$'` != 0
		then
			REM="// "
		fi
	fi
	/usr/local/bin/dig +noall +answer dnskey "${i}" @127.0.0.1 |
	sort |
	awk -v DS=${DS} -v REM="${REM}" '
	BEGIN {
		ksks = "";
		zsks = "";
	}
	$4 == "DNSKEY" && $5 == "257" {
		key = "";
		for (i = 8; i <= NF; i++) key = key $i;
		if (key ~ /INVALID/) REM="// ";
		ksks = ksks "\t" REM $1 " " $5 " " $6 " " $7 " \"" key "\";\n";
		next;
	}
	$4 == "DNSKEY" && $5 == "256" {
		key = "";
		for (i = 8; i <= NF; i++) key = key $i;
		if (key ~ /INVALID/) REM="// ";
		zsks = zsks "\t" REM $1 " " $5 " " $6 " " $7 " \"" key "\";\n";
	}
	END {
		if ( ksks != "" ) {
			print "trusted-keys {" 
			if (DS != 0)
				print "\n\t/* " DS " DS records found. */\n";
			print ksks "};";
		} else if (zsks != "") {
			print "trusted-keys {"
			if (DS != 0)
				print "\n\t/* " DS " DS records found. */\n";
			print zsks "};";
		}
	}
	' > "${d}/${n}"

	#
	# Test to see if we actually wrote anything.
	#
	if test -s "${d}/${n}"
	then
		if ! test -f "${d}/${f}"
		then
			touch "${d}/${f}"
		fi
		diff -u "${d}/${f}" "${d}/${n}"
	elif test -s "${d}/${f}"
	then
		diff -u "${d}/${f}" "${d}/${n}"
	fi
done

cd /etc
fetch -qm https://www.ripe.net/projects/disi/keys/ripe-ncc-dnssec-keys-new.txt
diff -u ripe-ncc-dnssec-keys.conf ripe-ncc-dnssec-keys-new.txt



/etc/commit-trusted-keys:
#!/bin/sh
#
#	Walk the .new-* candidates written by update-trusted-keys and,
#	for each one that differs from the current file, show the diff
#	and ask whether to install it.  Reload named if anything changed.
#
reload=no
for i in /etc/trusted-keys/.new-*
do
	b=`echo "${i}" | sed s/.new-//`
	#
	#	Skip when both the current and the candidate file are empty.
	#
	if test ! -s "${b}" -a ! -s "${i}"
	then
		continue;
	fi
	if ! diff -u "$b" "$i"
	then
		echo -n "update $b: "
		read ans
		ans=`echo "$ans" |tr '[A-Z]' '[a-z]'`
		case "$ans" in
		y|yes)
			mv "${i}" "${b}"
			reload=yes
			;;
		esac
	fi
done
#
#	Same for the RIPE NCC key file fetched by update-trusted-keys.
#
b=/etc/ripe-ncc-dnssec-keys.conf
i=/etc/ripe-ncc-dnssec-keys-new.txt
if ! diff -u "$b" "$i"
then
	echo -n "update $b: "
	read ans
	ans=`echo "$ans" |tr '[A-Z]' '[a-z]'`
	case "$ans" in
	y|yes)
		mv "$i" "$b"
		reload=yes
		;;
	esac
fi
case $reload in
yes)
	rndc reload
	;;
esac
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
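The selection logic at the heart of update-trusted-keys, as an added example that is not part of Mark's post or of BIND: it re-implements the DNSKEY-to-trusted-keys transformation as shell functions that read dig-style answer lines from stdin, so the behaviour can be checked offline without a validating resolver. KSKs (flag 257) are preferred over ZSKs (flag 256), and when a DS count is supplied for a single-label TLD every key line is commented out with "// ", marking the anchor as redundant because the root chain now covers that TLD. The sample DNSKEY and DS records, the function names (is_tld, count_ds, make_trusted_keys) and the fake key material are all constructed for this example.

```shell
#!/bin/sh
# Added example, not code from Mark Andrews' post or from BIND.  It
# re-implements the selection logic of update-trusted-keys as functions
# that read dig "+noall +answer" lines from stdin:
#   - DNSKEY records with flag 257 (KSK) are preferred; flag 256 (ZSK)
#     keys are used only when no KSK is present;
#   - when DS records exist for the zone and the zone is a single-label
#     TLD, every key line is prefixed with "// ", since the root trust
#     anchor now covers that TLD and its own anchor is redundant.
# All record data below is constructed sample input with fake key
# material and a fake digest for the reserved zone "example.".

# Constructed sample "dig +noall +answer DNSKEY example." output.  dig
# prints long base64 keys split across several fields; the join below
# stitches them back together, as the original awk does.
SAMPLE_DNSKEY='example. 3600 IN DNSKEY 256 3 8 AwEAAZ3jSmfakeZSK material==
example. 3600 IN DNSKEY 257 3 8 AwEAAb2fake KSKmaterial ABCD=='

# Constructed sample "dig +noall +answer DS example." output (fake digest).
SAMPLE_DS='example. 86400 IN DS 12345 8 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF'

# is_tld NAME: succeed only for a single label followed by the root dot
# (e.g. "br."), i.e. a zone whose parent is the root zone.
is_tld() {
    case "$1" in
    .)     return 1 ;;   # the root itself is not a TLD
    *.*.)  return 1 ;;   # two or more labels
    *.)    return 0 ;;
    *)     return 1 ;;   # no trailing dot: not in the form we expect
    esac
}

# count_ds: number of DS answer records on stdin (0 when there are none).
count_ds() {
    awk '$4 == "DS" { n++ } END { print n + 0 }'
}

# make_trusted_keys ZONE DSCOUNT: read DNSKEY answer lines on stdin and
# write a named.conf trusted-keys block on stdout (nothing if no keys).
make_trusted_keys() {
    rem=""
    if [ "$2" -gt 0 ] && is_tld "$1"; then
        rem="// "
    fi
    sort | awk -v DS="$2" -v REM="$rem" '
    $4 == "DNSKEY" && ($5 == "257" || $5 == "256") {
        key = ""
        for (i = 8; i <= NF; i++) key = key $i      # re-join split base64
        line = "\t" REM $1 " " $5 " " $6 " " $7 " \"" key "\";\n"
        if ($5 == "257") ksks = ksks line; else zsks = zsks line
    }
    END {
        keys = (ksks != "") ? ksks : zsks
        if (keys == "") exit
        print "trusted-keys {"
        if (DS != 0) print "\n\t/* " DS " DS records found. */\n"
        print keys "};"
    }'
}

# Demonstration on the constructed samples: first as a zone with no DS
# in its parent, then as a TLD that has just had DS records published.
ds=$(printf '%s\n' "$SAMPLE_DS" | count_ds)
printf '%s\n' "$SAMPLE_DNSKEY" | make_trusted_keys example. 0
printf '%s\n' "$SAMPLE_DNSKEY" | make_trusted_keys example. "$ds"
```

Against a live validating resolver the same functions would be fed as in the original script, e.g. `dig +noall +answer DS "$zone" @127.0.0.1 | count_ds` and `dig +noall +answer DNSKEY "$zone" @127.0.0.1 | make_trusted_keys "$zone" "$ds"`; the point of going through the local validating server, as Mark's script does, is that the DNSKEY RRset has already been validated before it is turned into a new anchor candidate.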