DNSSEC upgrade

Mark Elkins mje at posix.co.za
Fri Apr 30 04:56:04 UTC 2021

Waiting twice the TTL is the safe option. Start counting from when you 
see the new DS record in the parent. To be even more pedantic, start 
counting after all authoritative Nameservers have the new DS record...
Quite easy to do from a script.

And the recommendation to move to ecdsa-p256-sha256 is a good one - 
makes you a lot less appetising to be used in a DNS amplification attack.

On 4/30/21 3:05 AM, Edwardo Garcia wrote:
> Halo Tony,
> Thank you, wow ecdsa-p256-sha256 produce keys 1/10th the size of rsa, 
> strange how this better but we have made change as
> from your howto, thank you, now 24 hour and all seems ok from what we 
> tell, and the test site says all good.
> One question however it talk about longest TTL, does this mean also 
> root TLD zones (.com, .net) which from memory are 48 hours, so before 
> we delete old keys we need wait 48 hours, even though our zone TTL was 
> 24 ?
> Thank you, wow much much easy than I hoped for :-)
> On Wed, Apr 28, 2021 at 12:08 PM Tony Finch <dot at dotat.at 
> <mailto:dot at dotat.at>> wrote:
>     Edwardo Garcia <wdgarc88 at gmail.com <mailto:wdgarc88 at gmail.com>> wrote:
>     >
>     > Many year ago we set up DNSSEC, our key were generated with sha1
>     as was
>     > recommended way back all them years. We too are not DNSSEC guru,
>     so some
>     > answer may be simple
>     Well, you are going to do an algorithm rollover, which is one of
>     the more
>     tricky things you can do with DNSSEC. So, plan to do some testing,
>     a trial
>     run, with a spare zone that you can break without worrying.
>     If you like to understand things by getting an idea of the wider
>     context
>     then there are a couple of RFCs on the general subject of key
>     rollovers.
>     The parts that are most relevant are the algorithm rollover
>     section in RFC
>     6781 and the double-KSK section in RFC 7583.
>     https://tools.ietf.org/html/rfc6781
>     <https://tools.ietf.org/html/rfc6781>
>     https://tools.ietf.org/html/rfc7583
>     <https://tools.ietf.org/html/rfc7583>
>     DNSSEC has got easier since those RFCs were written, so you might
>     as well
>     just skip to the howto bits below :-) It turns out, I wrote most
>     of this
>     reply over a year ago...
>     > Also we use ZSK -b 1024 and KSK -b 4096
>     > even modern google from apnic show example  ZSK of only 1024? is
>     this still
>     > secure?
>     The current recommendation for DNSSEC algorithms is:
>       * you already know you want to choose something based on sha256
>     - it's
>         secure enough, so there's no need for bigger hashes
>       * ecdsa-p256-sha256 (13) is the best choice, because it is widely
>         supported and produces small signatures
>       * if you must use RSA, use 2048 bit keys for both zsk and ksk.
>     1024 bits
>         is not secure; 2048 has a roughly comparable security level to
>     sha256
>         (112ish bits vs 128 bits); 4096 is big and slow and probably
>     not worth
>         the cost
>       * I would like to be able to deploy ed25519 (a better elliptic curve
>         than p256) but it is not yet supported well enough
>     > Is best practise for doing this, replacing the keys completely,
>     more or
>     > less like start fresh again?
>     >
>     > We do use inline signing and automatic maintain.
>     I did a wholesale algorithm rollover from RSASHA1 to p256 around
>     the end
>     of 2019 and I wrote an algorithm rollover guide for colleagues in
>     other
>     parts of our university who run their own DNS. It's basically
>     three steps
>     with lots of waiting in between:
>     https://www.dns.cam.ac.uk/news/2020-01-15-rollover.html
>     <https://www.dns.cam.ac.uk/news/2020-01-15-rollover.html>
>     The "Semi-automated DS updates" section probably isn't relevant to
>     you,
>     and the "Future" section has been made obsolete by dnssec-policy.
>     But the
>     rest of it should guide you through the essentials.
>     (Also, the RIPE NCC does now support CDS records.)
>     And use these DNS checking services to verify that it is working as
>     expected:
>     https://dnsviz.net/ <https://dnsviz.net/>
>     https://zonemaster.net/ <https://zonemaster.net/>
>     Tony.
>     -- 
>     f.anthony.n.finch  <dot at dotat.at <mailto:dot at dotat.at>>
>     https://dotat.at/ <https://dotat.at/>
>     Rattray Head to Berwick upon Tweed: North or northeast 4 or 5,
>     occasionally 3 later. Slight or moderate. Showers. Good.
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

Mark James ELKINS  -  Posix Systems - (South) Africa
mje at posix.co.za       Tel: +27.826010496 <tel:+27826010496>
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za 

Posix SystemsVCARD for MJ Elkins

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20210430/eba7e1b4/attachment-0001.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: abessive_logo.jpg
Type: image/jpeg
Size: 6410 bytes
Desc: not available
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20210430/eba7e1b4/attachment-0001.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: QR-MJElkins.png
Type: image/png
Size: 2163 bytes
Desc: not available
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20210430/eba7e1b4/attachment-0001.png>

More information about the bind-users mailing list