NEW on migrating DNSSEC config

at lbutlr at lbutlr
Wed Feb 10 11:14:11 UTC 2021 

[Skip to end for some notes on this process and why it was difficult for me.]

Just want to double check this before I set off on the next steps in this process, now that the test domain is all setup and everyone is happy and I know where things fell apart in the testing. Hopefully this helps someone in the future. Or future me.

Given:
#v+
named.conf:
dnssec-policy alg13-ksk-unlimited-zsk-60day {
       keys {
          ksk key-directory lifetime unlimited algorithm 7 2048;
          zsk key-directory lifetime P60D algorithm 7 1024 ;
       };
};

zone "example.com" { 
	type primary; 
	file "example.com"; 
	dnssec-policy alg13-ksk-unlimited-zsk-60day; 
	allow-update { key "rndc-key";
	}; 
};
#v-

I tell bind to sign the zone (or restart bind) and then run

 # dnssec-dsfromkey -a SHA256 /path/to/alg-13.key
 # dsnssec-verify -zI text -o example.com /path/to/signed/zone-file

Add the new key ID and digest to the registrar's DS and sit back until the alg-7 keys are no longer attached to the zone.

If example.com currently is using alg-7 this configuration will, as I understand it

   1) add alg-13 keys to the domain
   2) rolloff the alg-7 keys in (less than?) 60 days 
   3) after 61+ days I can remove the kay and private files
      for the alg-7 files

If that is correct, once all the zones have moved to alg-13 can I then eliminate the dnssec-policy block in the named.conf and set each zone to 'dnssec-policy default;'?



Notes:
The main thing that caused my problems was not verifying against the SIGNED zone file, which led to a lot of wasted effort. This was the biggest cause of delays and pain, as it turns out, since it appears my first forays were entirely successful, and the verify errors were all based on this mistake.

When I first setup DNNSEC years ago the zone files remained untouched other than adding the keys as $INCLUDE statements and new zone.signed files were created using the key files that were on the $INCLUDE lines in the zone files.

Second, though rather minor, <https://bind9.readthedocs.io/en/latest/dnssec-guide.html> suggested running `rndc signing -list` but that returns an error "zone uses dnssec-policy, use rndc dnssec command instead". This was not in itself a problem, but it sent me off trying to find out why the command was failing, assuming I was doing something wrong since it follows in the above link from setting up dnssec.

And, of course, searching for information on bind and dnssec returns a lot of things that are very old and out of date. A lot of them revolving around bind 9.7.x.

Third, I needed to go kick the secondary DNS server.

-- 
I hear hurricanes a-blowing, I know the end is coming soon. I fear
	rivers over-flowing. I hear the voice of rage and ruin.

More information about the bind-users mailing list