DNSSEC Improved Smart Signing

DNSSEC keys are now automatically imported directly into the zone using the new Smart Signing feature introduced in BIND 9.7.0
In our previous article, we covered how BIND 9.7.0 embeds timing metadata directly in DNSSEC keys as its method for DNSSEC key lifecycle management. In this article, we discuss the new BIND 9.7.0 Smart Signing feature and how it improves and simplifies the process of signing a single zone.
With all the DNSSEC-related changes in BIND 9.7.0, it should come as no surprise that many of the BIND-provided utilities have been updated, and a few new ones have been added to the distribution. First, two (2) new utilities have been added:
- dnssec-settime - used to either get or set the DNSSEC key metadata timers of KSKs
- dnssec-revoke - used to set the REVOKED bit on a DNSSEC key
Major changes to existing tools include:
- rndc sign - this option is new to BIND 9.7.0 to support "Smart Signing" and one-touch signing of a zone
- dnssec-keygen -K - this option tells dnssec-keygen where to write out the DNSSEC keys
- dnssec-keygen -C - Compatibility Mode for suppressing metadata in the DNSSEC keys
- dnssec-keygen -P, -A, -R, -I, -D date/[+-]offset - these options are used to set DNSSEC key lifecycle metadata
- dnssec-signzone -S - this option is used for performing "Smart Signing"
One of the first improvements in BIND 9.7.0 over its predecessors is that signing zones is now much easier. There are fewer steps, and a reduced risk of human error. The following is the list of steps now required to sign a zone:
- generate Zone Signing Key(s) or ZSK(s)
- generate Key Signing Key(s) or KSK(s)
- sign the zone with the "active" KSK using smart sign
In previous versions of BIND you had to ensure that the keys were embedded in the zone, either by pasting the key material directly into the zone file or by adding a $INCLUDE directive at the bottom of the zone to "pull" in the keys. Removing this manual step is one of the improvements in the BIND 9.7.0 Smart Signing feature set.
To sign our fictitious zone example.com, we first generate our ZSK as follows:
-bash-4.0$ dnssec-keygen -r /dev/urandom example.com
Generating key pair.................++++++ ............++++++
Kexample.com.+005+42423
In most cases you will need to pass -r <random_device> to provide entropy. After running that command, two output files are produced with the base file name Kexample.com.+005+42423: the private key ends with the .private extension and the public key with the .key extension.
Next, we generate our KSK as follows:
-bash-4.0$ dnssec-keygen -r /dev/urandom -f KEY example.com
Generating key pair........................................+++ ...................+++
Kexample.com.+005+50902
By passing the -f KEY argument, we've generated the KSK for signing the zone material. Two (2) additional key files are generated, a public key and a private key.
Using "Smart Sign", we sign the zone as follows:
-bash-4.0$ dnssec-signzone -r /dev/urandom -S example.com
Fetching ZSK 42423/RSASHA1 from key repository.
Fetching KSK 50902/RSASHA1 from key repository.
Verifying the zone using the following algorithms: RSASHA1.
Zone signing complete:
Algorithm: RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
ZSKs: 1 active, 0 stand-by, 0 revoked
example.com.signed
In this example, we signed using only one active ZSK and one active KSK. You should end up with the following set of files:
-bash-4.0$ ls -lt
total 60
-rw-r--r-- 1 named named 8847 2010-02-18 18:00 example.com.signed
-rw-r--r-- 1 named named  167 2010-02-18 18:00 dsset-example.com.
-rw-r--r-- 1 named named  855 2010-02-18 18:00 example.com
-rw-r--r-- 1 named named  554 2010-02-18 17:56 Kexample.com.+005+50902.key
-rw------- 1 named named 1774 2010-02-18 17:56 Kexample.com.+005+50902.private
-rw-r--r-- 1 named named  380 2010-02-18 17:49 Kexample.com.+005+42423.key
-rw------- 1 named named 1010 2010-02-18 17:49 Kexample.com.+005+42423.private
Our signed zone file, example.com.signed, should contain RRSIG, NSEC, and DNSKEY records. Below is the unsigned zone example.com prior to signing, followed by the DNSSEC-signed zone example.com.signed for comparison:
example.com
$TTL 86400
$ORIGIN example.com.
@ IN SOA dns1.example.com. hostmaster.example.com. (
2001062501 ; serial
21600 ; refresh after 6 hours
3600 ; retry after 1 hour
604800 ; expire after 1 week
86400 ) ; minimum TTL of 1 day
        IN NS dns1.example.com.
        IN NS dns2.example.com.
        IN MX 10 mail.example.com.
        IN MX 20 mail2.example.com.
        IN A 10.0.1.5
server1 IN A 10.0.1.5
server2 IN A 10.0.1.7
dns1 IN A 10.0.1.2
dns2 IN A 10.0.1.3
ftp IN CNAME server1
mail IN CNAME server1
mail2 IN CNAME server2
www IN CNAME server2
example.com.signed
; File written on Thu Feb 18 18:00:24 2010
; dnssec_signzone version 9.7.0
example.com. 86400 IN SOA dns1.example.com. hostmaster.example.com. (
2001062501 ; serial
21600 ; refresh (6 hours)
3600 ; retry (1 hour)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
86400 RRSIG SOA 5 2 86400 20100321000024 (
20100219000024 42423 example.com.
LZwIE1g0QrETz4hzi+JBfzVEF95Q21KA3UEK
MQDe1fnl8ifsvtck5RNLHJjFXyWLf4C/JD8K
CU+bj3phXs8miMZ+vqUZhhyXgKwvnGW9lR9T
ilrdbovvOROSzXndImIx79IT0DbjhqgVxdmb
ETSBm8alCYROqUnC64G5qW0dGUQ= )
86400 NS dns1.example.com.
86400 NS dns2.example.com.
86400 RRSIG NS 5 2 86400 20100321000024 (
20100219000024 42423 example.com.
ndVpip6QHKtQ25YxBucSomtuGc96Y2u1RLua
RjiT7gq/P8dI/NiNf/rGCz36IN5uXgib50Xy
sB+F6hjpAm2zId4K+QRfcMfebn7rAsv7Qm1h
0frmeDKlPWMpY0EEFBLPOTcOa5AvimR4UWOB
mEaf8Kj8wXRxZxVhj8sH41nEqBg= )
86400 A 10.0.1.5
86400 RRSIG A 5 2 86400 20100321000024 (
20100219000024 42423 example.com.
fpJiV2HisQiCgGlC1C3vGYDjJHsP5yKSj50x
3w/LaDqCmrAXUPTSITLCQbSnqs8Bw+Dcwez+
3Uyib75Nwfokta2BnUZezIN0rANZjxBZfIPF
fKh261oHz4ET9mAYGidAQJYT/53Ob6TWC0JA
iuznANEd3fNO6zGTJPVVeM2y/E8= )
86400 MX 10 mail.example.com.
86400 MX 20 mail2.example.com.
86400 RRSIG MX 5 2 86400 20100321000024 (
20100219000024 42423 example.com.
a9YUMpKz443D9ilMz1zZttxDbHE14tmo92a3
NobnFtCChptw01YKqPbyawhDHzeSrDMAMxT0
JrX8GgzWzx913JJj5cY0cPk6t47aglXgicdf
xsTotEEa/rQPfDFWCI+afdVqsIjNzl2DPMUq
jTzaGYyX+qoKG3tbmqRyNnarweY= )
86400 NSEC dns1.example.com. A NS SOA MX RRSIG NSEC DNSKEY
86400 RRSIG NSEC 5 2 86400 20100321000024 (
20100219000024 42423 example.com.
W7iA7Foe5bItestFr2xZL5DLddn0zxvlLFxm
CEb6JHnme9kOj64j4uNtFneLNSU4/2Im8TOH
D+A0z6yxAfcG5NkF/yXCL9TYdNSni4GHF+4n
mhoFXFDjOaleklcPZu7IMuMnQpQnjRz/KLM0
cmE+pVikzoMDyqmBsqI16ehZ6WI= )
86400 DNSKEY 256 3 5 (
AwEAAbtI3Z35x8ITxyQvJeKR9n/RHux9qgQv
uOEAcK9nCUGAnrFNvmYKXyM5wrRkcKISXXOX
FCKi+gXcFD8xqQIjV4pNOiVV2dExA1PAGHQ9
Fhq94EBR2+E6pGjUNLuMpEVRw2i827+t25xx
zHRciXu1BHpR3CmO2742FDh1SPAbHRVn
) ; key id = 42423
86400 DNSKEY 257 3 5 (
AwEAAdGspfp/owPm884YyM2pI23NMYSjBIFL
CdjscwRjHgWqJsmn97FDugp2ktHT6S31v+7t
5jADegYx0/PKW5TPvogEhCFxpa2fh/jDnskw
1iqNvFkiCc9FQ4OhdYQ2GMDHYiU/C0tDgfv3
JWMdAfxcc+Iu6zkKgVFo5TMactHYsG4kUsYu
Omjaj3XjBtVZYfx1yqzcfZgUj7Lqg63zP4Mo
nnLsoQyb7QmQy0De50P2n82lsDybozUtBZJL
+96jJOlXok8i+kL4MQsGRhaBd/YJpABgbwsr
QAwJpfIuOJ2atEUxe5BdHGf+2h+Cv4Tj8Ebi
52iUW7sVa0kWfAayoNHD3BU=
) ; key id = 50902
86400 RRSIG DNSKEY 5 2 86400 20100321000024 (
20100219000024 42423 example.com.
k/B1QV/1sNeHb9SyGTYKnS0xTu5fJLsNR1bv
U8cL9x9EE9uTxAtGMiCA7m6aCt6AUv1/yKiW
L8niQZk+/x/oTgjKi0YTyttySu/d6lwKrU0i
gsaP41JJyXWRNFvJ7DSK9mJ+ZcOScsIG0vGR
2phf0LOF4tBx1WUzahOjE7K6/gQ= )
86400 RRSIG DNSKEY 5 2 86400 20100321000024 (
20100219000024 50902 example.com.
NyA5VgoIQOpJGyQREOPi+yhmUKZojLpkhBRE
0Ey+5qOru3xyH7H7KH7NSGDsqu6lV922/2bP
aoR6S2HoYHngbWLkQ8rzbChIhMgx/MG6G8Nh
Su++aIdlKbyh36ovDSuWOjTJdKfV8sXDF6TY
NfLvaeAEGaJkMU1hwMO+BDIP4kDhdABVj2S5
m4sfcwsabXsEy4Fa8WFG6awPQWlvSH/YnFks
lERagOKcWzjF8XhD3dc2QDN3TdVtKB4pzSq3
v4qDs3E+ckEXILfViGSoouM99mx/FD9yrHtb
67oflx1gsS621XT5kin9GZ4sSLLlIYyJ4tzi
OSjW4EByuuSyXpo9eA== )
dns1.example.com. 86400 IN A 10.0.1.2
86400 RRSIG A 5 3 86400 20100321000024 (
20100219000024 42423 example.com.
eyNkf6ms+WQO69I73UZRG/42HG26Ub+YHyc9
MLO50Uhca48C61+zHLUUoZ2J3bndtwak1AaE
HtA39mxdMIbMwpxzLhfLERnIFxVHPy8fv9fh
OeJrgAM5xgdbmfx6mX2lcsmICc8Honnjpykh
CAJ4Q9U8mtTfoUjOgZr0kgDYxng= )
86400 NSEC dns2.example.com. A RRSIG NSEC
86400 RRSIG NSEC 5 3 86400 20100321000024 (
20100219000024 42423 example.com.
Qi/nkYVWtzrGJB7hrfgSEiKf5xAh/wlky63k
tiWM6hKQn3KdRhpItkE90jdk3G7yxb2WnwbN
QkpEt9PWPdVA4rgXjwP3IyQMACNp6dptgw+r
puTTpCVi9oVxhYf8qBl0FAHZ0uKqpCnsHD9g
Vh+AwiN4lZ7Ilc/v8tV8LeVB37Y= )
dns2.example.com. 86400 IN A 10.0.1.3
86400 RRSIG A 5 3 86400 20100321000024 (
20100219000024 42423 example.com.
ToToN/WrDUrxR0flEdWuEIdb5UB+EVDeBesm
SeoVs4qcui15NZR541GQiTn/UiO0h202dZgv
ldikkpXznrnOEbRvArYUr78adwm5D1Y23eG/
5lNhGZ6pexp9gHdT/nK+1dUYhtN+vwckTqS0
XJosXAIp4VzjCXJYDOsB4OmLm0o= )
86400 NSEC ftp.example.com. A RRSIG NSEC
86400 RRSIG NSEC 5 3 86400 20100321000024 (
20100219000024 42423 example.com.
nRySPk7tp54M3LxDbwWZXXs85RUBgLt6biGc
mZJhVd+hvpLwEr58viUPQYtz87vLQVrcRycQ
MZ4B+dT/FMYz1MQCfz4mr+TTNDaiyJu4CHpF
OBofdmaU8546IwpbnY43cok/YM0fPbdkGuUE
b4ecWZ6UFGiiz7MWBN0J8gbkCW4= )
ftp.example.com. 86400 IN CNAME server1.example.com.
86400 RRSIG CNAME 5 3 86400 20100321000024 (
20100219000024 42423 example.com.
Ly4DzMo6IWleSSSG1KGLqOPEUKpD5OjSOGeg
sVO2lCRil0tHJX8+q8iudWjQn1crFyizBgUg
VTIedNc1ciDiKHbD/EKxWKyvUPkJGlMRC+k7
OM5Ky4fKOWWl8Us6+qoQ+4r8mMZvb6q2Y4IW
YVO1uq4CGo7BqfRGNTDGD5RHgqE= )
86400 NSEC mail.example.com. CNAME RRSIG NSEC
86400 RRSIG NSEC 5 3 86400 20100321000024 (
20100219000024 42423 example.com.
lqSRczctTIsGAug9U6i44zCKarAawak5pq78
EWphc+CAf4G4Ge0hmfgcJIrjOKbwhhUb/gyR
U7rVm4c5r5kiv3FxYsSdjs+iT7NI3jNCtebB
rKkga6hwDq80y8lLlvbdJCLQNh0GOHOvGPiE
rQdKgvc9oSS1yi579+sK3K9ZEOM= )
mail.example.com. 86400 IN CNAME server1.example.com.
86400 RRSIG CNAME 5 3 86400 20100321000024 (
20100219000024 42423 example.com.
tDk335Prbd32ey6o9yK7bgawXBaIplnjhxbY
XwSaI2jwNXfhSx2KCjFTH2G5f3jnsLZjGEv5
qCTq+l9It+AhQ3A/N4aYGd+HqSDe8Q8h26I8
ZCiIF8pdqxw87Os0YfhYT6Yt7eiSwAnSatPp
Fiqh33IUkY1zPRr2RpB+Q3NZLAk= )
86400 NSEC mail2.example.com. CNAME RRSIG NSEC
86400 RRSIG NSEC 5 3 86400 20100321000024 (
20100219000024 42423 example.com.
DNdfXurv1iY1WcrEelg692AfIvKToPVF84cx
WVqoe0x1stwDXau/VY9p7epkmh/O9XmWZtvS
yx4Cfsdsg5lam3kz5wSvH9tiDliOrWNx0nVQ
zmO4vLqmjidV9IUJA154+cmWS4b4EkylIyPx
YUfZ4tGimz5tGal9Rt9hBRVkEDY= )
mail2.example.com. 86400 IN CNAME server2.example.com.
86400 RRSIG CNAME 5 3 86400 20100321000024 (
20100219000024 42423 example.com.
GadhrIlp+VPgquVC/I2CHC54fG9UUUT3hBOu
rfIUMWotltF+VqPhKY5mrpJNgBSrnSkFCeR1
v5DB+UGoUlBgF4tKOHINnT/HuQ8JswbsYge3
xuhQYOowsXeVKXNYFJXnxLNij4uGiVOzu6PE
qMj4wglUiDMa6VV6eKGigaZE15Y= )
86400 NSEC server1.example.com. CNAME RRSIG NSEC
86400 RRSIG NSEC 5 3 86400 20100321000024 (
20100219000024 42423 example.com.
Ns6WkHNHt5PxpAvZbK0ObpqnorAtGOINeAlR
P8xgvBzbYvQ2m1mS4U8KNDwxmww6/h0RgQ4F
dL0x7vpBnARMwbEuoIyhnkm6RC1lVDyCrU3H
B89Lo2qV9XBlbpherrNOyK1fKw2qW0tKC896
vC2rWNKjhs2NCVY8b12Rv8FoMkY= )
server1.example.com. 86400 IN A 10.0.1.5
86400 RRSIG A 5 3 86400 20100321000024 (
20100219000024 42423 example.com.
grJaDiokDBV/AAANTgrYJDJ9A70NUmmg8WTY
juyirbwaFPK/FVDNAcntIOZd1gp+7/YKvLXz
kZsQBgheT7wT5QZEVydSBzZveDVS1m745ymR
JveeTBhv9nThYwSN9F2AB2hqsjC1PFOT573t
TpYN+aXE17ZVxHWnQyS1KUSK1DQ= )
86400 NSEC server2.example.com. A RRSIG NSEC
86400 RRSIG NSEC 5 3 86400 20100321000024 (
20100219000024 42423 example.com.
eGpy89iMu5pNB5jOi81MXIM2BtW3IfrGico3
OhsfTsKcWMtDYnUfAugIYDru1QYwAxf2xawA
TmgTpA1fsB2OIlZFe8GMfJmOQvFb11FUO5ru
+j4+dq1nmgeB4Bq/qOgoTm2xmtOppjwjNx/l
pb/kQTr5cWMEExCqWu/oyleiD8A= )
server2.example.com. 86400 IN A 10.0.1.7
86400 RRSIG A 5 3 86400 20100321000024 (
20100219000024 42423 example.com.
Z0/RlmpT85ODQnc4iJU7TGzF1s7F/d3s8O7E
eZtSgfXquAvi/bkUVVrokgkFOULy1ftl/w0F
dNsGAIE6x3sbe3XExPG3gHf7FMVUYQKY6E9D
gt54Yn4bzSuRLCFemOWyJ2c70kZLirXCg5QY
Q1YLV2ZODvujO9CWx8LC++09UDE= )
86400 NSEC www.example.com. A RRSIG NSEC
86400 RRSIG NSEC 5 3 86400 20100321000024 (
20100219000024 42423 example.com.
UzDwEI0Abznj2/4R77ljsd3L2lBbnQiMtJBd
0lVQytjlbHiQ/mYODOG8weQ1wdkoRFfHdu2R
uEvwvukl2s7C4Ok4e3emj2ThIE/yLDkzHMiY
DV3HAyZhE5IC/bYlILiM2LbgjCEFjf0mjYKD
JRtnxvW+VQr9eXoKsQHvsslqcrc= )
www.example.com. 86400 IN CNAME server2.example.com.
86400 RRSIG CNAME 5 3 86400 20100321000024 (
20100219000024 42423 example.com.
Ee5HMfeFKjecBCpUk3vQpzCgv3bRoW437AuE
7wQV40DYdQtC0KBoyTtV3kZJIoCt+8baMTu8
960AQuAdzxTiW5ZKat2al8AWEJ2EJynY0q/Z
r/1t55XCneX18pUqeMDk1W3sMbSocPMiPxVG
qI275pKF5iqzigtpgwncVIB5fVk= )
86400 NSEC example.com. CNAME RRSIG NSEC
86400 RRSIG NSEC 5 3 86400 20100321000024 (
20100219000024 42423 example.com.
isI/fdpyZ8TfV7oPDmEM5UXa3p0T4Fn8hzwG
E6ro3xoeKk8CzrjmLdC2r3G45jFpX3sUUrsz
a22XITWhGNCupEFs/wFlMJ09ILd401UY8IwE
iZp3o2m2prV8171MFJcgpwKXxBmzgjHRM7VD
PFTGQrvZaZFsx77PAz5iJkyObQ0= )
There should also be a file generated with the name dsset-example.com; this file is called the SEP or Secure Entry Point file. It contains the DS records that are published in the parent zone as a key component in constructing the "chain of trust". The owner(s) of the .com zone would embed the contents of the dsset-example.com file, the DS records, in the .com zone and in turn sign the .com zone. When the root and TLD zones are all signed, we will have the opportunity to achieve a single "chain of trust" from the top of the DNS hierarchy to any DNSSEC-signed zone(s). The dsset-example.com file contains the following:
-bash-4.0$ more dsset-example.com.
example.com. IN DS 50902 5 1 A8F9DA087506D0B60439FC244196CC17234C6A5B
example.com. IN DS 50902 5 2 D76CF328705DD7AF5D5B22E3EEE74CDF6CE088BD BA0862E311BCBF81 CE88DB78
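As an added example that is not part of the original article or of BIND itself, the following Python derives the two DS lines of the dsset file from the flags-257 DNSKEY shown in example.com.signed: the key tag per RFC 4034 Appendix B, and the SHA-1 / SHA-256 digest over the owner name in wire form followed by the DNSKEY RDATA. The key material and the dsset digests are copied from the listings above; the function names and the comparison helper are this example's own assumptions.

```python
# Added example (not code from the article or from BIND): derive the DS records that
# dnssec-signzone writes to dsset-example.com. from the KSK DNSKEY in example.com.signed.
import base64
import hashlib

def name_to_wire(name):
    """Canonical wire form of an owner name: length-prefixed lowercase labels plus the root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (all algorithms except historic RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_records(owner, flags, protocol, algorithm, pubkey_b64):
    """Return [(key_tag, algorithm, digest_type, digest_hex)] for SHA-1 (1) and SHA-256 (2),
    i.e. the two lines dnssec-signzone puts in a dsset file; digest = H(owner_wire || RDATA)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)
    tag = key_tag(rdata)
    out = []
    for dtype, h in ((1, hashlib.sha1), (2, hashlib.sha256)):
        out.append((tag, algorithm, dtype, h(name_to_wire(owner) + rdata).hexdigest().upper()))
    return out

# Values copied from the article: the flags-257 DNSKEY (key id 50902) and the dsset digests.
PAGE_KSK_B64 = (
    "AwEAAdGspfp/owPm884YyM2pI23NMYSjBIFL" "CdjscwRjHgWqJsmn97FDugp2ktHT6S31v+7t"
    "5jADegYx0/PKW5TPvogEhCFxpa2fh/jDnskw" "1iqNvFkiCc9FQ4OhdYQ2GMDHYiU/C0tDgfv3"
    "JWMdAfxcc+Iu6zkKgVFo5TMactHYsG4kUsYu" "Omjaj3XjBtVZYfx1yqzcfZgUj7Lqg63zP4Mo"
    "nnLsoQyb7QmQy0De50P2n82lsDybozUtBZJL" "+96jJOlXok8i+kL4MQsGRhaBd/YJpABgbwsr"
    "QAwJpfIuOJ2atEUxe5BdHGf+2h+Cv4Tj8Ebi" "52iUW7sVa0kWfAayoNHD3BU="
)
PAGE_DSSET = {1: "A8F9DA087506D0B60439FC244196CC17234C6A5B",
              2: "D76CF328705DD7AF5D5B22E3EEE74CDF6CE088BDBA0862E311BCBF81CE88DB78"}

def check_page_dsset():
    """True per digest type when the derived key tag and digest equal the article's dsset lines."""
    return {dtype: tag == 50902 and digest == PAGE_DSSET[dtype]
            for tag, _alg, dtype, digest in ds_records("example.com.", 257, 3, 5, PAGE_KSK_B64)}

if __name__ == "__main__":
    for dtype, ok in check_page_dsset().items():
        print("DS digest type", dtype, "matches dsset-example.com." if ok else "MISMATCH")
```

A parent-zone operator can run the same derivation to confirm that a DS record submitted for publication really corresponds to the child's KSK before signing it into the parent.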