Updating a DNSSEC config to use a different algorithm
Mal
malz at jetlan.com
Tue Feb 2 00:59:37 UTC 2021
On 02/02/2021 12:10 am, @lbutlr wrote:
> I've been using alg-7 for DNS, but that is no longer recommended. How difficult is it to change the signing algorithm and what is the process (Bind 9.16.11)?
I migrated recently from Alg8 to Alg13, no drama.. My registry does not
have a user portal for passing the new DS records, so the only risk was
making sure the operation took place when the registry had their DNS
support troops on deck.
My simple notes, including updating TLSA (DANE) AND DKIM keys at the end
of the process. Hope it helps..
I have all of my zone files (db.*domain*) in /etc/bind. Reflect your
path used when including the keys in your zone.
1. Generate new ZSK & KSK, Alg 13
==================================
dnssec-keygen -f KSK -3 -a ECDSAP256SHA256 -r /dev/random yourdomain.com
dnssec-keygen -3 -a ECDSAP256SHA256 -r /dev/random yourdomain.com
Check for your 4 new key files:
ls -lt K*
-rw-r--r-- 1 xxxx bind 345 Jan 15 10:10 Kyourdomain.com.+013+34567.key
-rw------- 1 xxxx bind 186 Jan 15 10:10 Kyourdomain.com.+013+34567.private
-rw-r--r-- 1 xxxx bind 344 Jan 15 10:10 Kyourdomain.com.+013+42793.key
-rw------- 1 xxxx bind 186 Jan 15 10:10 Kyourdomain.com.+013+42793.private
2. Include the new public keys in the Zone file & Increment zone serial
========================================================================
; yourdomain.com
$TTL 1200
yourdomain.com. IN SOA host01.yourdomain.com. postmaster.yourdomain.com. (
        2021020101 ; Serial.
        12000 ; refresh
        120 ; retry
        14D ; expire
        24H ; TTL
        )
        IN TXT "v=spf1 a mx ip4:77.123.45.67 ip6:2424:ae00:123:6::/64"
; Name Servers
        IN NS host01.yourdomain.com. ; ns
        IN NS host02.yourdomain.com. ; ns
        IN NS host03.yourdomain.com. ; ns
; Mail Exchanger
        IN MX 10 bigmx.yourdomain.com. ; mail
yourdomain.com. IN AAAA 2424:ae00:123:6::7
yourdomain.com. IN A 77.123.45.67
_25._tcp.host01.yourdomain.com. IN TLSA 3 1 1 53xxxxxx..xxxx33f1b8cf81e37c2e212b
_443._tcp.host01.yourdomain.com. IN TLSA 3 1 1 53xxxxxx..xxxx33f1b8cf81e37c2e212b
mail._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; s=email; "
        "p=MIIxxxxxxxxxxxxxxxx...xxxxxxdu"
        "axxxxxxxxxxxxxxxxxxxx....xxxxxAB" )
$INCLUDE Kyourdomain.com.+013+34567.key
$INCLUDE Kyourdomain.com.+013+42793.key
; EOF
save it right :)
3. Sign your Zone
==================
dnssec-signzone -S -K /etc/bind/ -g -a -r /dev/random -o yourdomain.com db.yourdomain-com
xxxx@host01:/etc/bind# dnssec-signzone -S -K /etc/bind/ -g -a -r /dev/random -o yourdomain.com db.yourdomain-com
Verifying the zone using the following algorithms: ECDSAP256SHA256.
Zone fully signed:
Algorithm: ECDSAP256SHA256: KSKs: 1 active, 0 stand-by, 0 revoked
                            ZSKs: 1 active, 0 stand-by, 0 revoked
db.yourdomain-com.signed
xxxx@host01:/etc/bind#
4. Collect your DS record HASH for the domain registry
=======================================================
Depending on whether you use a domain registry that you pass the DS record
data to, OR a customer portal where you enter this hash data yourself:
essentially, remove existing entries (IF you have a previous Alg8 etc. in
place) and install the new DS HASH for Alg13.
You will need to provide the Alg type (13) & Digest (SHA256) either
way. "Algorithm 13, ECDSAP256SHA256" usually does the trick.
xxxx@host01:/etc/bind# ls -lt dsset*
-rw-r--r-- 1 xxxx bind 172 Jan 15 dsset-yourdomain.com.
xxxx@host01:/etc/bind# more dsset-yourdomain.com.
yourdomain.com. IN DS 42793 13 1 42YC45643B1EF30E42BBBBA9D73BDD4EBD8B02222
yourdomain.com. IN DS 42793 13 2 7A5A1408995DBBBBBBA92E8B575B30DC9BDD109999992F90C48C21B9A3 9A348929
Now get this record data to the registry via your registry method.
Kettle on.
5. Wait for Registry to complete entry & TXFR
==============================================
Check DNSVIZ for the new key ID and Alg displayed.. we all love DNSVIZ !
OR simply pass a query via DIG directly and review output:
xxxx@host01:/etc/bind# dig yourdomain.com dnskey +noall +answer +multiline
; <<>> DiG 9.9.5-9+debxxx <<>> yourdomain.com dnskey +noall +answer +multiline
;; global options: +cmd
yourdomain.com.         1200 IN DNSKEY 257 3 13 (
                                ur4UnMMi4bDNfUEbJfRMlVQ/mxLSMF4quoPrCUopUp94
                                R9HEG6Sl9gIU9Nl73uRktnUxJspUjqrmOaWsUBcNXA==
                                ) ; KSK; alg = ECDSAP256SHA256; key id = 42793
yourdomain.com.         1200 IN DNSKEY 256 3 13 (
                                w4SA1p/BBBrfs3216YNkQ6+xyoPkttXQNCHhoaNbPl4lI
                                l0PDL9REtOhjo54p943UNFWXg/ZHUqzZzzu321Ztgw==
                                ) ; ZSK; alg = ECDSAP256SHA256; key id = 34567
xxxx@host01:/etc/bind#
6. Update your TLSA & DKIM records
==================================
Hopefully you are using DANE with Postfix; update your host TLSA entry
for your zone:
Update TLSA:
tlsa --create --selector 1 --certificate host01.yourdomain.com.pem host01.yourdomain.com
xxxx@host01:/xx/xxxx# tlsa --create --selector 1 --certificate host01.yourdomain.com.pem host01.yourdomain.com
Got a certificate with Subject: /CN=host01.yourdomain.com
_443._tcp.host01.yourdomain.com. IN TLSA 3 1 1 FF774433KK5cdbccb18f278fccfdb833f1b8cf81e37c2e212b147D88vBBns632
Update DKIM:
cd /etc/opendkim/keys/yourdomain.com
opendkim-genkey -r -h sha256 -d yourdomain.com -s mail -b 2048
root@host01:/etc/opendkim/keys/yourdomain.com# ls -lt
-rw------- 1 opendkim opendkim 1456 Jan 5 11:05 mail.private
-rw------- 1 opendkim opendkim 502 Jan 5 11:05 mail.txt
xxxx@host01:/etc/opendkim/keys/yourdomain.com# more mail.txt
mail._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; s=email; "
        "p=MIIxxxxxxxxxxxxxxxx...etc.. xxxxxxw22"
        "89uADXXUC/5BugylW8327dDQA18m1X...etc..F893P99xaAB" ) ; ----- DKIM key mail for yourdomain.com
Place the new TLSA and DKIM records in your zone, inc Serial, re-sign.
Job done.
Mal
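Added example, not from Mal's post and not part of BIND: a small Python script that does the cross-check between step 4 (the dsset file you hand to the registry) and step 5 (the DNSKEY RRset the zone serves once the registry and the transfer are done). It recomputes each key's key tag (RFC 4034 Appendix B) and DS digest (RFC 4034 section 5.1.4) from dig-style DNSKEY output, then reports DS lines that no served key matches (the old-algorithm DS that was never removed) and served KSKs that have no DS line at all (the new one that was never submitted). The `check_ds.py` file name, the zone names and all key material in the test run are constructed; the parser assumes absolute owner names with a trailing dot, which is how dig prints them.

```python
import base64
import hashlib
import struct

# RFC 4034 5.1.3 digest types. Type 1 (SHA-1) is kept only so that legacy
# dsset lines can still be checked; the line to hand the registry is the type-2 one.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
B64_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")

def name_to_wire(name):
    """Canonical (lower-case) wire form of an absolute owner name."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, key bytes."""
    return struct.pack(">HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (every algorithm except RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata, digest_type):
    """Upper-case hex digest of (owner in wire form || DNSKEY RDATA), RFC 4034 5.1.4."""
    return DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()

def ds_record(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Presentation-format DS line, the shape dnssec-signzone writes to dsset-*."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return "%s IN DS %d %d %d %s" % (owner, key_tag(rdata), algorithm,
                                    digest_type, ds_digest(owner, rdata, digest_type))

def parse_dnskey(text):
    """Yield (owner, flags, protocol, alg, base64) from dig-style DNSKEY output.
    Strips ';' comments and the '( )' of +multiline. Owners are assumed absolute
    (dig prints them with a trailing '.'), so a key runs until a token with '.'."""
    toks = " ".join(ln.split(";", 1)[0] for ln in text.splitlines())
    toks = toks.replace("(", " ").replace(")", " ").split()
    i = 0
    while i < len(toks):
        if toks[i] != "DNSKEY":
            i += 1
            continue
        j = i - 1
        if toks[j] == "IN":      # class and TTL are both optional in this format
            j -= 1
        if toks[j].isdigit():
            j -= 1
        owner = toks[j]
        flags, protocol, alg = (int(t) for t in toks[i + 1:i + 4])
        i += 4
        key = []
        while i < len(toks) and "." not in toks[i] and set(toks[i]) <= B64_CHARS:
            key.append(toks[i])
            i += 1
        yield owner, flags, protocol, alg, "".join(key)

def parse_dsset(text):
    """Yield (owner, tag, alg, digest_type, digest) from a dsset file or single-line
    `dig <zone> ds` output; BIND splits long digests with a space, so rejoin them."""
    for line in text.splitlines():
        toks = line.split(";", 1)[0].replace("(", " ").replace(")", " ").split()
        if "DS" in toks:
            k = toks.index("DS")
            yield (toks[0], int(toks[k + 1]), int(toks[k + 2]), int(toks[k + 3]),
                   "".join(toks[k + 4:]).upper())

def check_ds(dsset_text, dnskey_text):
    """Return {'ok': DS lines matching a served key, 'stale': DS lines no served
    key corresponds to (e.g. the old-algorithm DS left at the registry),
    'unpublished': served KSKs (SEP flag set) that have no DS line at all}."""
    served = {}
    for owner, flags, proto, alg, b64 in parse_dnskey(dnskey_text):
        rdata = dnskey_rdata(flags, proto, alg, b64)
        served[(owner.lower(), key_tag(rdata), alg)] = (flags, rdata)
    report, seen = {"ok": [], "stale": [], "unpublished": []}, set()
    for owner, tag, alg, dtype, digest in parse_dsset(dsset_text):
        line = "%s IN DS %d %d %d %s" % (owner, tag, alg, dtype, digest)
        hit = served.get((owner.lower(), tag, alg))
        if hit and dtype in DIGEST_ALGS and ds_digest(owner, hit[1], dtype) == digest:
            report["ok"].append(line)
            seen.add((owner.lower(), tag, alg))
        else:
            report["stale"].append(line)
    report["unpublished"] = [k for k, (fl, _) in served.items() if fl & 1 and k not in seen]
    return report

if __name__ == "__main__":
    import sys  # usage: python3 check_ds.py dsset-yourdomain.com. dnskey.txt
    with open(sys.argv[1]) as ds_f, open(sys.argv[2]) as key_f:
        for status, items in check_ds(ds_f.read(), key_f.read()).items():
            for item in items:
                print(status, item)
```

Save the output of `dig yourdomain.com dnskey +noall +answer +multiline` to a file and run the script against it and the dsset-yourdomain.com. file before sending anything to the registry; once the registry has acted, the same check with `dig yourdomain.com ds +noall +answer` (single-line form, from the parent) in place of the dsset file shows whether the old-algorithm DS is still published. A DS line reported as stale is harmless while another DS still matches a served KSK, but it becomes a bogus delegation the moment it is the only one left, which is exactly the failure an algorithm rollover invites.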
More information about the bind-users mailing list