Updating a DNSSEC config to use a different algorithm

Mal malz at jetlan.com
Tue Feb 2 00:59:37 UTC 2021


On 02/02/2021 12:10 am, @lbutlr wrote:
> I've been using alg-7 for DNS, but that is no longer recommended. How difficult is it to change the signing algorithm and what is the process (Bind 9.16.11)?


I migrated recently from Alg8 to Alg13, no drama. My registry does not
have a user portal for passing the new DS records, so the only risk was
making sure the operation took place when the registry had their DNS
support troops on deck.

My simple notes, including updating TLSA (DANE) AND DKIM keys at the end
of the process. Hope it helps.




I have all of my zone files (db.*domain*) in /etc/bind. Use your own
path when including the keys in your zone.

1.  Generate new ZSK & KSK, Alg 13
==================================

dnssec-keygen -f KSK -3 -a ECDSAP256SHA256 -r /dev/random yourdomain.com

dnssec-keygen -3 -a ECDSAP256SHA256 -r /dev/random yourdomain.com


Check for your 4 new key files:

ls -lt K*

-rw-r--r-- 1 xxxx bind    345 Jan 15 10:10 Kyourdomain.com.+013+34567.key
-rw------- 1 xxxx bind    186 Jan 15 10:10 Kyourdomain.com.+013+34567.private
-rw-r--r-- 1 xxxx bind    344 Jan 15 10:10 Kyourdomain.com.+013+42793.key
-rw------- 1 xxxx bind    186 Jan 15 10:10 Kyourdomain.com.+013+42793.private



2.  Include the new public keys in the Zone file & Increment zone serial
========================================================================

; yourdomain.com
$TTL 1200
yourdomain.com. IN      SOA     host01.yourdomain.com. postmaster.yourdomain.com. (
                                2021020101    ; Serial.
                                12000         ; refresh
                                120           ; retry
                                14D           ; expire
                                24H           ; minimum (negative caching TTL)
                                )

                        IN TXT "v=spf1 a mx ip4:77.123.45.67 ip6:2424:ae00:123:6::/64"

                        ; Name Servers
                        IN      NS      host01.yourdomain.com.      ; ns
                        IN      NS      host02.yourdomain.com.      ; ns
                        IN      NS      host03.yourdomain.com.      ; ns

                        ; Mail Exchanger
                        IN      MX      10 bigmx.yourdomain.com.    ; mail

yourdomain.com.                     IN      AAAA    2424:ae00:123:6::7
yourdomain.com.                     IN      A       77.123.45.67

_25._tcp.host01.yourdomain.com.     IN      TLSA    3 1 1 53xxxxxx..xxxx33f1b8cf81e37c2e212b
_443._tcp.host01.yourdomain.com.    IN      TLSA    3 1 1 53xxxxxx..xxxx33f1b8cf81e37c2e212b

mail._domainkey IN      TXT     ( "v=DKIM1; h=sha256; k=rsa; s=email; "
        "p=MIIxxxxxxxxxxxxxxxx...xxxxxxdu"
        "axxxxxxxxxxxxxxxxxxxx....xxxxxAB" )

; new Alg 13 keys (KSK and ZSK) generated in step 1
$INCLUDE        Kyourdomain.com.+013+34567.key
$INCLUDE        Kyourdomain.com.+013+42793.key

; EOF


save it right :)



3.  Sign your Zone
==================

dnssec-signzone -S -K /etc/bind/ -g -a -r /dev/random -o yourdomain.com db.yourdomain-com


xxxx@host01:/etc/bind# dnssec-signzone -S -K /etc/bind/ -g -a -r /dev/random -o yourdomain.com db.yourdomain-com
Verifying the zone using the following algorithms: ECDSAP256SHA256.
Zone fully signed:
Algorithm: ECDSAP256SHA256: KSKs: 1 active, 0 stand-by, 0 revoked
                            ZSKs: 1 active, 0 stand-by, 0 revoked
db.yourdomain-com.signed

xxxx@host01:/etc/bind#



4.  Collect your DS record HASH for the domain registry
=======================================================

Depending on whether you use a domain registry that you pass the DS record
data to, or a customer portal where you enter this hash data yourself.
Essentially, remove existing entries (IF you have a previous Alg8 etc. in
place) and install the new DS HASH, Alg13.
You will need to provide the Alg type (13) & Digest (SHA256) either
way. "Algorithm 13, ECDSAP256SHA256" usually does the trick.

xxxx@host01:/etc/bind# ls -lt dsset*

-rw-r--r-- 1 xxxx bind    172 Jan 15 dsset-yourdomain.com.

xxxx@host01:/etc/bind# more dsset-yourdomain.com.
yourdomain.com.         IN DS 42793 13 1 42YC45643B1EF30E42BBBBA9D73BDD4EBD8B02222
yourdomain.com.         IN DS 42793 13 2 7A5A1408995DBBBBBBA92E8B575B30DC9BDD109999992F90C48C21B9A3 9A348929


Now get this record data to the registry via your registry method. 
Kettle on.



5.  Wait for Registry to complete entry & TXFR
==============================================

Check DNSViz for the new key ID and Alg displayed. We all love DNSViz!


Or simply pass a query via dig directly and review the output:

xxxx@host01:/etc/bind# dig yourdomain.com dnskey +noall +answer +multiline

; <<>> DiG 9.9.5-9+debxxx <<>> yourdomain.com dnskey +noall +answer +multiline
;; global options: +cmd
yourdomain.com.         1200 IN DNSKEY 257 3 13 (
                                ur4UnMMi4bDNfUEbJfRMlVQ/mxLSMF4quoPrCUopUp94
                                R9HEG6Sl9gIU9Nl73uRktnUxJspUjqrmOaWsUBcNXA==
                                ) ; KSK; alg = ECDSAP256SHA256; key id = 42793
yourdomain.com.         1200 IN DNSKEY 256 3 13 (
                                w4SA1p/BBBrfs3216YNkQ6+xyoPkttXQNCHhoaNbPl4lI
                                l0PDL9REtOhjo54p943UNFWXg/ZHUqzZzzu321Ztgw==
                                ) ; ZSK; alg = ECDSAP256SHA256; key id = 34567
xxxx@host01:/etc/bind#



6. Update your TLSA & DKIM records
==================================

Hopefully you are using DANE with Postfix; update your host TLSA entry
for your zone:


Update TLSA:

tlsa --create --selector 1 --certificate host01.yourdomain.com.pem host01.yourdomain.com

xxxx@host01:/xx/xxxx# tlsa --create --selector 1 --certificate host01.yourdomain.com.pem host01.yourdomain.com
Got a certificate with Subject: /CN=host01.yourdomain.com
_443._tcp.host01.yourdomain.com. IN TLSA 3 1 1 FF774433KK5cdbccb18f278fccfdb833f1b8cf81e37c2e212b147D88vBBns632


Update DKIM:

cd /etc/opendkim/keys/yourdomain.com
opendkim-genkey -r -h sha256 -d yourdomain.com -s mail -b 2048

root@host01:/etc/opendkim/keys/yourdomain.com# ls -lt
-rw------- 1 opendkim opendkim 1456 Jan 5  11:05 mail.private
-rw------- 1 opendkim opendkim  502 Jan 5  11:05 mail.txt

xxxx@host01:/etc/opendkim/keys/yourdomain.com# more mail.txt
mail._domainkey IN      TXT     ( "v=DKIM1; h=sha256; k=rsa; s=email; "
          "p=MIIxxxxxxxxxxxxxxxx...etc.. xxxxxxw22"
          "89uADXXUC/5BugylW8327dDQA18m1X...etc..F893P99xaAB" )  ; ----- DKIM key mail for yourdomain.com



Place the new TLSA and DKIM records in your zone, increment the Serial,
re-sign. Job done.

Mal
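A worked check for step 4, added here as an example; it is not part of Mal's post and not BIND's own code. Before asking the registry to drop the old DS and install the new one, it is worth confirming that the DS line in dsset-<zone> really corresponds to the KSK that is in the zone: the script below parses a DNSKEY RR in dig +multiline layout and a DS RR in dsset-file layout, recomputes the key tag (RFC 4034 Appendix B) and the DS digest (RFC 4034 section 5.1.4, digest types 1 and 2), and lists every disagreement, including an algorithm mismatch such as a leftover Alg8 DS against an Alg13 key. The owner name example.test, the deliberately short 4-byte "public key" and the stale DS line are constructed sample values, not real keys.

```python
import base64
import hashlib
from dataclasses import dataclass
from typing import List


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (lower-cased labels), RFC 4034 section 6.2."""
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """Key tag over DNSKEY RDATA, RFC 4034 Appendix B (all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


@dataclass
class Dnskey:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    @property
    def rdata(self) -> bytes:
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm]) + self.public_key)

    @property
    def tag(self) -> int:
        return key_tag(self.rdata)

    def ds_digest(self, digest_type: int) -> str:
        """DS digest = hash(owner name wire | DNSKEY RDATA), RFC 4034 section 5.1.4."""
        data = name_to_wire(self.owner) + self.rdata
        if digest_type == 1:
            return hashlib.sha1(data).hexdigest().upper()
        if digest_type == 2:
            return hashlib.sha256(data).hexdigest().upper()
        raise ValueError("unsupported DS digest type %d" % digest_type)


def _tokens(text: str) -> List[str]:
    # Strip ';' comments per line, drop the parentheses dig +multiline adds, split on whitespace.
    lines = (line.split(";", 1)[0] for line in text.splitlines())
    return " ".join(lines).replace("(", " ").replace(")", " ").split()


def parse_dnskey(text: str) -> Dnskey:
    """Parse one DNSKEY RR as printed by dig +multiline or stored in a K*.key file."""
    toks = _tokens(text)
    i = toks.index("DNSKEY")  # owner [ttl] [IN] DNSKEY flags proto alg base64...
    flags, proto, alg = (int(t) for t in toks[i + 1:i + 4])
    return Dnskey(toks[0], flags, proto, alg, base64.b64decode("".join(toks[i + 4:])))


@dataclass
class Ds:
    owner: str
    tag: int
    algorithm: int
    digest_type: int
    digest: str


def parse_ds(text: str) -> Ds:
    """Parse one DS RR as written by dnssec-signzone into dsset-<zone> (hex may be split)."""
    toks = _tokens(text)
    i = toks.index("DS")
    return Ds(toks[0], int(toks[i + 1]), int(toks[i + 2]), int(toks[i + 3]),
              "".join(toks[i + 4:]).upper())


def ds_line(key: Dnskey, digest_type: int) -> str:
    """Render the DS RR for a KSK in dsset-file style."""
    return "%s IN DS %d %d %d %s" % (key.owner, key.tag, key.algorithm,
                                     digest_type, key.ds_digest(digest_type))


def check_ds(ds: Ds, key: Dnskey) -> List[str]:
    """Mismatches between a DS record and the DNSKEY it should point at; empty means OK."""
    problems = []
    if ds.owner.rstrip(".").lower() != key.owner.rstrip(".").lower():
        problems.append("owner name differs")
    if not key.flags & 0x0001:
        problems.append("SEP bit not set (flags %d); a DS normally points at the KSK" % key.flags)
    if ds.algorithm != key.algorithm:
        problems.append("DS says algorithm %d, DNSKEY is algorithm %d" % (ds.algorithm, key.algorithm))
    if ds.tag != key.tag:
        problems.append("DS key tag %d, computed %d from DNSKEY" % (ds.tag, key.tag))
    if ds.digest != key.ds_digest(ds.digest_type):
        problems.append("digest type %d does not match the DNSKEY" % ds.digest_type)
    return problems


# Constructed sample in dig +multiline layout. The 4-byte "public key" AQIDBA== (bytes
# 01 02 03 04) is NOT a real P-256 point; it is short so the key tag can be checked by hand:
# 0x0101 + 0x030d + 0x0102 + 0x0304 = 2068.
SAMPLE_KSK = """example.test.  3600 IN DNSKEY 257 3 13 (
                AQIDBA==
                ) ; KSK; alg = ECDSAP256SHA256"""

if __name__ == "__main__":
    ksk = parse_dnskey(SAMPLE_KSK)
    print(ds_line(ksk, 2))  # the line you would hand to the registry
    stale = parse_ds("example.test. IN DS 12345 8 2 " + "00" * 32)  # constructed old Alg8 DS
    print(check_ds(stale, ksk))  # algorithm, key tag and digest all disagree
```

Run it against your own data by pasting the KSK line from `dig yourdomain.com dnskey +multiline` and the matching line from dsset-yourdomain.com.; an empty list from check_ds means the DS you are about to publish really describes the key in the zone, and a key-tag or digest mismatch usually means the dsset file was produced from an earlier key.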




More information about the bind-users mailing list