Updating a DNSSEC config to use a different algorithm

Mal malz at jetlan.com
Tue Feb 2 00:59:37 UTC 2021

On 02/02/2021 12:10 am, @lbutlr wrote:
> I've been using alg-7 for DNS, but that is no longer recommended. How difficult is it to change the signing algorithm and what is the process (Bind 9.16.11)?

I migrated recently from Alg 8 to Alg 13, no drama. My registry does not
have a user portal for passing the new DS records, so the only risk was
making sure the operation took place when the registry had their DNS
support troops on deck.

My simple notes, including updating TLSA (DANE) and DKIM keys at the end
of the process. Hope it helps.

I have all of my zone files (db.*domain*) in /etc/bind. Reflect the
path you use when including the keys in your zone.

1.  Generate new ZSK & KSK, Alg 13

dnssec-keygen -f KSK -3 -a ECDSAP256SHA256 -r /dev/random yourdomain.com

dnssec-keygen -3 -a ECDSAP256SHA256 -r /dev/random yourdomain.com

Check for your 4 new key files:

ls -lt K*

-rw-r--r-- 1 xxxx bind    345 Jan 15 10:10 Kyourdomain.com.+013+34567.key
-rw------- 1 xxxx bind    186 Jan 15 10:10
-rw-r--r-- 1 xxxx bind    344 Jan 15 10:10 Kyourdomain.com.+013+42793.key
-rw------- 1 xxxx bind    186 Jan 15 10:10

2.  Include the new public keys in the Zone file & Increment zone serial

; yourdomain.com
$TTL 1200
yourdomain.com. IN SOA host01.yourdomain.com. postmaster.yourdomain.com. (
                                2021020101    ; Serial.
                                12000         ; refresh
                                120           ; retry
                                14D           ; expire
                                24H           ; minimum (negative-cache TTL)
                                )

                        IN TXT "v=spf1 a mx ip4:
                        ; Name Servers
                        IN      NS      host01.yourdomain.com.      ; ns
                        IN      NS      host02.yourdomain.com.      ; ns
                        IN      NS      host03.yourdomain.com.      ; ns

                        ; Mail Exchanger
                        IN      MX      10 bigmx.yourdomain.com.    ; mail

yourdomain.com.                     IN      AAAA    2424:ae00:123:6::7
yourdomain.com.                     IN      A

_25._tcp.host01.yourdomain.com.     IN      TLSA 3 1 1
_443._tcp.host01.yourdomain.com.    IN      TLSA 3 1 1

mail._domainkey IN      TXT     ( "v=DKIM1; h=sha256; k=rsa; s=email; "
        "axxxxxxxxxxxxxxxxxxxx....xxxxxAB" )

; public keys generated in step 1 (paths relative to the -K key directory)
$INCLUDE        Kyourdomain.com.+013+34567.key
$INCLUDE        Kyourdomain.com.+013+42793.key


save it right :)

3.  Sign your Zone

dnssec-signzone -S -K /etc/bind/ -g -a -r /dev/random -o yourdomain.com db.yourdomain-com

xxxx at host01:/etc/bind# dnssec-signzone -S -K /etc/bind/ -g -a -r /dev/random -o yourdomain.com db.yourdomain-com
Verifying the zone using the following algorithms: ECDSAP256SHA256.
Zone fully signed:
Algorithm: ECDSAP256SHA256: KSKs: 1 active, 0 stand-by, 0 revoked
                            ZSKs: 1 active, 0 stand-by, 0 revoked

xxxx at host01:/etc/bind#

4.  Collect your DS record HASH for the domain registry

Depending on whether you use a domain registry that you pass the DS record
data to, or a customer portal where you enter this hash data yourself:
essentially, remove the existing entries (if you have a previous Alg 8
etc. in place) and install the new Alg 13 DS hash.
You will need to provide the Alg type (13) & Digest (SHA256) either
way. "Algorithm 13, ECDSAP256SHA256" usually does the trick.

xxxx at host01:/etc/bind# ls -lt dsset*

-rw-r--r-- 1 xxxx bind    172 Jan 15 dsset-yourdomain.com.

xxxx at host01:/etc/bind# more dsset-yourdomain.com.
yourdomain.com.         IN DS 42793 13 1
yourdomain.com.         IN DS 42793 13 2 7A5A1408995DBBBBBBA92E8B575B30DC9BDD109999992F90C48C21B9A39A348929

Now get this record data to the registry via your registry method.
Kettle on.

5.  Wait for Registry to complete entry & TXFR

Check DNSVIZ for the new key ID and Alg displayed. We all love DNSVIZ!

Or simply pass a query via dig directly and review the output:

xxxx at host01:/etc/bind# dig yourdomain.com dnskey +noall +answer +multiline

; <<>> DiG 9.9.5-9+debxxx <<>> yourdomain.com dnskey +noall +answer
;; global options: +cmd
yourdomain.com.         1200 IN DNSKEY 257 3 13 (
                                ) ; KSK; alg = ECDSAP256SHA256; key id =
yourdomain.com.         1200 IN DNSKEY 256 3 13 (
                                ) ; ZSK; alg = ECDSAP256SHA256; key id =
xxxx at host01:/etc/bind#

6. Update your TLSA & DKIM records

Hopefully you are using DANE with Postfix; update your host TLSA entry
for your zone:

Update TLSA:

tlsa --create --selector 1 --certificate host01.yourdomain.com.pem host01.yourdomain.com

xxxx at host01:/xx/xxxx# tlsa --create --selector 1 --certificate host01.yourdomain.com.pem host01.yourdomain.com
Got a certificate with Subject: /CN=host01.yourdomain.com
_443._tcp.host01.yourdomain.com. IN TLSA 3 1 1

Update DKIM:

cd /etc/opendkim/keys/yourdomain.com
opendkim-genkey -r -h sha256 -d yourdomain.com -s mail -b 2048

root at host01:/etc/opendkim/keys/yourdomain.com# ls -lt
-rw------- 1 opendkim opendkim 1456 Jan 5  11:05 mail.private
-rw------- 1 opendkim opendkim  502 Jan 5  11:05 mail.txt

xxxx at host01:/etc/opendkim/keys/yourdomain.com# more mail.txt
mail._domainkey IN      TXT     ( "v=DKIM1; h=sha256; k=rsa; s=email; "
          "p=MIIxxxxxxxxxxxxxxxx...etc.. xxxxxxw22"
          "89uADXXUC/5BugylW8327dDQA18m1X...etc..F893P99xaAB" )  ; ----- DKIM key mail for yourdomain.com

Place the new TLSA and DKIM records in your zone, increment the serial, re-sign.
Job done.
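As an added example (not code from the post or from BIND), a Python check for steps 4 and 5: rebuild the DS record from a DNSKEY RR per RFC 4034 (key tag from Appendix B, digest type 2 = SHA-256) and compare the DS set the registry publishes against the KSKs the zone actually serves, flagging any leftover DS for the old algorithm. The sample key bytes are constructed (all zeros, not a real P-256 point) purely to exercise the code.

```python
# Added example, not the post's code: rebuild a DS RR from a DNSKEY RR (RFC 4034
# key tag, SHA-256 digest type 2) and compare it with the parent's DS set.
import base64, hashlib

SEP_FLAG = 0x0001  # set on the KSK (flags 257); clear on the ZSK (256)

def wire_name(owner):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_dnskey(rr):
    """Split 'owner [TTL] [IN] DNSKEY flags proto alg base64...' (dig +multiline
    parentheses and a trailing ; comment tolerated) into fields."""
    t = rr.split(";")[0].replace("(", " ").replace(")", " ").split()
    i = t.index("DNSKEY")
    flags, proto, alg = (int(x) for x in t[i + 1:i + 4])
    return t[0], flags, proto, alg, base64.b64decode("".join(t[i + 4:]))

def key_tag(rdata):
    """RFC 4034 Appendix B checksum over the DNSKEY RDATA (not for RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(rr):
    """(tag, alg, 2, SHA-256 hex): the fields one dsset-<zone>. line carries."""
    owner, flags, proto, alg, pub = parse_dnskey(rr)
    if alg == 1:
        raise ValueError("RSAMD5 key tags follow a different rule; refusing")
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pub
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), alg, 2, digest

def parse_ds(rr):
    """Parse 'owner [TTL] [IN] DS tag alg dtype digest' into the same tuple."""
    t = rr.split()
    i = t.index("DS")
    return int(t[i + 1]), int(t[i + 2]), int(t[i + 3]), "".join(t[i + 4:]).upper()

def check_parent_ds(dnskey_rrs, parent_ds_rrs):
    """Return (matched, stale) parent DS RRs; stale = no published KSK backs it."""
    expected = {ds_from_dnskey(rr) for rr in dnskey_rrs if parse_dnskey(rr)[1] & SEP_FLAG}
    parsed = [parse_ds(rr) for rr in parent_ds_rrs]
    return [d for d in parsed if d in expected], [d for d in parsed if d not in expected]

# Constructed sample KSK after the rollover to algorithm 13 (64 zero key bytes).
KSK13 = "yourdomain.com. 1200 IN DNSKEY 257 3 13 " + base64.b64encode(bytes(64)).decode()
```

Feed it the DNSKEY lines from `dig yourdomain.com dnskey` and the DS lines from `dig yourdomain.com ds` at the parent; anything in the stale list is a DS the registry still has to remove.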
