DNSSEC Improved Smart Signing
DNSSEC keys are now automatically imported directly into the zone using the new Smart Signing feature introduced in BIND 9.7.0
In our previous article, we covered how BIND 9.7.0 embeds timing metadata directly in DNSSEC keys as its method for DNSSEC key lifecycle management. In this article, we discuss the new BIND 9.7.0 Smart Signing feature and how it improves and simplifies the process of signing a single zone.
With all the DNSSEC related changes in BIND 9.7.0, it should come as no surprise that many of the BIND-provided utilities have been updated, and a few new ones have been added to the distribution. First, two new utilities have been added:
dnssec-settime
- used to get or set the timing metadata (publish, activate, revoke, inactive, delete dates) stored in a DNSSEC key file, whether the key is a ZSK or a KSK
dnssec-revoke
- used to set the REVOKE bit (RFC 5011) on a DNSSEC key
Major changes to existing tools include:
rndc sign
- new in BIND 9.7.0 to support "Smart Signing" and one-touch signing of a zone
dnssec-keygen -K
- tells dnssec-keygen which directory (the key repository) to write the DNSSEC key files to
dnssec-keygen -C
- compatibility mode, which suppresses the timing metadata in the generated DNSSEC keys
dnssec-keygen -P, -A, -R, -I, -D date/[+-]offset
- set the DNSSEC key lifecycle metadata (publish, activate, revoke, inactive and delete times)
dnssec-signzone -S
- performs "Smart Signing": the keys are read from the key repository (the current directory, or the directory given with -K) and their DNSKEY records are added to the zone automatically
One of the first improvements in BIND 9.7.0 over its predecessors is that signing a zone is now much easier: there are fewer steps and less room for human error. The steps now required to sign a zone are:
- generate Zone Signing Key(s) or ZSK(s)
- generate Key Signing Key(s) or KSK(s)
- sign the zone with Smart Signing, which picks up the "active" KSK and ZSK from the key repository
In previous versions of BIND you had to ensure that the keys were embedded in the zone yourself, either by pasting the key material directly into the zone or by adding a $INCLUDE directive at the bottom of the zone to "pull" in the .key files. With the BIND 9.7.0 Smart Signing feature set, dnssec-signzone reads the keys from the key repository and adds the DNSKEY records to the signed zone for you.
To sign our fictitious zone example.com, we first generate our ZSK as follows:
-bash-4.0$ dnssec-keygen -r /dev/urandom example.com
Generating key pair.................++++++ ............++++++
Kexample.com.+005+42423
In most cases you will want to pass -r <random_device> for entropy; without it dnssec-keygen reads /dev/random, which can block for a long time on a host with little entropy. After running that command, two files are produced with the base name Kexample.com.+005+42423, where 005 is the algorithm number (RSASHA1) and 42423 is the key tag. Our private key ends with the .private extension and the public key has the .key extension. The .private file is created readable only by its owner (mode 0600); keep it that way, and keep it off any server that does not need to sign the zone.
Next, we generate our KSK as follows:
-bash-4.0$ dnssec-keygen -r /dev/urandom -f KSK example.com
Generating key pair........................................+++ ...................+++
Kexample.com.+005+50902
By passing the -f KSK argument (the only flags dnssec-keygen accepts here are KSK and REVOKE), we've generated the KSK for signing the zone's DNSKEY RRset; it is written with flags 257, i.e. the zone-key bit plus the Secure Entry Point (SEP) bit. Two additional key files are generated, a public key and a private key.
Using "Smart Sign", we sign the zone as follows:
-bash-4.0$ dnssec-signzone -r /dev/urandom -S example.com
Fetching ZSK 42423/RSASHA1 from key repository.
Fetching KSK 50902/RSASHA1 from key repository.
Verifying the zone using the following algorithms: RSASHA1.
Zone signing complete:
Algorithm: RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
                    ZSKs: 1 active, 0 stand-by, 0 revoked
example.com.signed
In this example we signed with a single active ZSK and a single active KSK. Note the validity window in the signed zone shown further below: every RRSIG carries an inception of 20100219000024 and an expiration of 20100321000024, thirty days later, which is the dnssec-signzone default (override it with -e). The zone must be re-signed before that date or validating resolvers will reject it. You should end up with the following set of files:
-bash-4.0$ ls -lt
total 60
-rw-r--r-- 1 named named 8847 2010-02-18 18:00 example.com.signed
-rw-r--r-- 1 named named  167 2010-02-18 18:00 dsset-example.com.
-rw-r--r-- 1 named named  855 2010-02-18 18:00 example.com
-rw-r--r-- 1 named named  554 2010-02-18 17:56 Kexample.com.+005+50902.key
-rw------- 1 named named 1774 2010-02-18 17:56 Kexample.com.+005+50902.private
-rw-r--r-- 1 named named  380 2010-02-18 17:49 Kexample.com.+005+42423.key
-rw------- 1 named named 1010 2010-02-18 17:49 Kexample.com.+005+42423.private
Our signed zone file, example.com.signed, should contain RRSIG, NSEC, and DNSKEY records. Below is the unsigned zone example.com prior to signing; compare it with the DNSSEC signed zone example.com.signed that follows it:
example.com
$TTL 86400
$ORIGIN example.com.
@       IN SOA  dns1.example.com. hostmaster.example.com. (
                2001062501 ; serial
                21600      ; refresh after 6 hours
                3600       ; retry after 1 hour
                604800     ; expire after 1 week
                86400 )    ; minimum TTL of 1 day
        IN NS   dns1.example.com.
        IN NS   dns2.example.com.
        IN MX   10 mail.example.com.
        IN MX   20 mail2.example.com.
        IN A    10.0.1.5
server1 IN A    10.0.1.5
server2 IN A    10.0.1.7
dns1    IN A    10.0.1.2
dns2    IN A    10.0.1.3
ftp     IN CNAME server1
mail    IN CNAME server1
mail2   IN CNAME server2
www     IN CNAME server2
example.com.signed
; File written on Thu Feb 18 18:00:24 2010
; dnssec_signzone version 9.7.0
example.com.            86400   IN SOA  dns1.example.com. hostmaster.example.com. (
                                2001062501 ; serial
                                21600      ; refresh (6 hours)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                86400      ; minimum (1 day)
                                )
                        86400   RRSIG   SOA 5 2 86400 20100321000024 (
                                20100219000024 42423 example.com.
                                LZwIE1g0QrETz4hzi+JBfzVEF95Q21KA3UEK
                                MQDe1fnl8ifsvtck5RNLHJjFXyWLf4C/JD8K
                                CU+bj3phXs8miMZ+vqUZhhyXgKwvnGW9lR9T
                                ilrdbovvOROSzXndImIx79IT0DbjhqgVxdmb
                                ETSBm8alCYROqUnC64G5qW0dGUQ= )
                        86400   NS      dns1.example.com.
                        86400   NS      dns2.example.com.
                        86400   RRSIG   NS 5 2 86400 20100321000024 (
                                20100219000024 42423 example.com.
                                ndVpip6QHKtQ25YxBucSomtuGc96Y2u1RLua
                                RjiT7gq/P8dI/NiNf/rGCz36IN5uXgib50Xy
                                sB+F6hjpAm2zId4K+QRfcMfebn7rAsv7Qm1h
                                0frmeDKlPWMpY0EEFBLPOTcOa5AvimR4UWOB
                                mEaf8Kj8wXRxZxVhj8sH41nEqBg= )
                        86400   A       10.0.1.5
                        86400   RRSIG   A 5 2 86400 20100321000024 (
                                20100219000024 42423 example.com.
                                fpJiV2HisQiCgGlC1C3vGYDjJHsP5yKSj50x
                                3w/LaDqCmrAXUPTSITLCQbSnqs8Bw+Dcwez+
                                3Uyib75Nwfokta2BnUZezIN0rANZjxBZfIPF
                                fKh261oHz4ET9mAYGidAQJYT/53Ob6TWC0JA
                                iuznANEd3fNO6zGTJPVVeM2y/E8= )
                        86400   MX      10 mail.example.com.
                        86400   MX      20 mail2.example.com.
                        86400   RRSIG   MX 5 2 86400 20100321000024 (
                                20100219000024 42423 example.com.
                                a9YUMpKz443D9ilMz1zZttxDbHE14tmo92a3
                                NobnFtCChptw01YKqPbyawhDHzeSrDMAMxT0
                                JrX8GgzWzx913JJj5cY0cPk6t47aglXgicdf
                                xsTotEEa/rQPfDFWCI+afdVqsIjNzl2DPMUq
                                jTzaGYyX+qoKG3tbmqRyNnarweY= )
                        86400   NSEC    dns1.example.com. A NS SOA MX RRSIG NSEC DNSKEY
                        86400   RRSIG   NSEC 5 2 86400 20100321000024 (
                                20100219000024 42423 example.com.
                                W7iA7Foe5bItestFr2xZL5DLddn0zxvlLFxm
                                CEb6JHnme9kOj64j4uNtFneLNSU4/2Im8TOH
                                D+A0z6yxAfcG5NkF/yXCL9TYdNSni4GHF+4n
                                mhoFXFDjOaleklcPZu7IMuMnQpQnjRz/KLM0
                                cmE+pVikzoMDyqmBsqI16ehZ6WI= )
                        86400   DNSKEY  256 3 5 (
                                AwEAAbtI3Z35x8ITxyQvJeKR9n/RHux9qgQv
                                uOEAcK9nCUGAnrFNvmYKXyM5wrRkcKISXXOX
                                FCKi+gXcFD8xqQIjV4pNOiVV2dExA1PAGHQ9
                                Fhq94EBR2+E6pGjUNLuMpEVRw2i827+t25xx
                                zHRciXu1BHpR3CmO2742FDh1SPAbHRVn
                                ) ; key id = 42423
                        86400   DNSKEY  257 3 5 (
                                AwEAAdGspfp/owPm884YyM2pI23NMYSjBIFL
                                CdjscwRjHgWqJsmn97FDugp2ktHT6S31v+7t
                                5jADegYx0/PKW5TPvogEhCFxpa2fh/jDnskw
                                1iqNvFkiCc9FQ4OhdYQ2GMDHYiU/C0tDgfv3
                                JWMdAfxcc+Iu6zkKgVFo5TMactHYsG4kUsYu
                                Omjaj3XjBtVZYfx1yqzcfZgUj7Lqg63zP4Mo
                                nnLsoQyb7QmQy0De50P2n82lsDybozUtBZJL
                                +96jJOlXok8i+kL4MQsGRhaBd/YJpABgbwsr
                                QAwJpfIuOJ2atEUxe5BdHGf+2h+Cv4Tj8Ebi
                                52iUW7sVa0kWfAayoNHD3BU=
                                ) ; key id = 50902
                        86400   RRSIG   DNSKEY 5 2 86400 20100321000024 (
                                20100219000024 42423 example.com.
                                k/B1QV/1sNeHb9SyGTYKnS0xTu5fJLsNR1bv
                                U8cL9x9EE9uTxAtGMiCA7m6aCt6AUv1/yKiW
                                L8niQZk+/x/oTgjKi0YTyttySu/d6lwKrU0i
                                gsaP41JJyXWRNFvJ7DSK9mJ+ZcOScsIG0vGR
                                2phf0LOF4tBx1WUzahOjE7K6/gQ= )
                        86400   RRSIG   DNSKEY 5 2 86400 20100321000024 (
                                20100219000024 50902 example.com.
                                NyA5VgoIQOpJGyQREOPi+yhmUKZojLpkhBRE
                                0Ey+5qOru3xyH7H7KH7NSGDsqu6lV922/2bP
                                aoR6S2HoYHngbWLkQ8rzbChIhMgx/MG6G8Nh
                                Su++aIdlKbyh36ovDSuWOjTJdKfV8sXDF6TY
                                NfLvaeAEGaJkMU1hwMO+BDIP4kDhdABVj2S5
                                m4sfcwsabXsEy4Fa8WFG6awPQWlvSH/YnFks
                                lERagOKcWzjF8XhD3dc2QDN3TdVtKB4pzSq3
                                v4qDs3E+ckEXILfViGSoouM99mx/FD9yrHtb
                                67oflx1gsS621XT5kin9GZ4sSLLlIYyJ4tzi
                                OSjW4EByuuSyXpo9eA== )
dns1.example.com.       86400   IN A    10.0.1.2
                        86400   RRSIG   A 5 3 86400 20100321000024 (
                                20100219000024 42423 example.com.
                                eyNkf6ms+WQO69I73UZRG/42HG26Ub+YHyc9
                                MLO50Uhca48C61+zHLUUoZ2J3bndtwak1AaE
                                HtA39mxdMIbMwpxzLhfLERnIFxVHPy8fv9fh
                                OeJrgAM5xgdbmfx6mX2lcsmICc8Honnjpykh
                                CAJ4Q9U8mtTfoUjOgZr0kgDYxng= )
                        86400   NSEC    dns2.example.com. A RRSIG NSEC
                        86400   RRSIG   NSEC 5 3 86400 20100321000024 (
                                20100219000024 42423 example.com.
                                Qi/nkYVWtzrGJB7hrfgSEiKf5xAh/wlky63k
                                tiWM6hKQn3KdRhpItkE90jdk3G7yxb2WnwbN
                                QkpEt9PWPdVA4rgXjwP3IyQMACNp6dptgw+r
                                puTTpCVi9oVxhYf8qBl0FAHZ0uKqpCnsHD9g
                                Vh+AwiN4lZ7Ilc/v8tV8LeVB37Y= )
dns2.example.com.       86400   IN A    10.0.1.3
                        86400   RRSIG   A 5 3 86400 20100321000024 (
                                20100219000024 42423 example.com.
                                ToToN/WrDUrxR0flEdWuEIdb5UB+EVDeBesm
                                SeoVs4qcui15NZR541GQiTn/UiO0h202dZgv
                                ldikkpXznrnOEbRvArYUr78adwm5D1Y23eG/
                                5lNhGZ6pexp9gHdT/nK+1dUYhtN+vwckTqS0
                                XJosXAIp4VzjCXJYDOsB4OmLm0o= )
                        86400   NSEC    ftp.example.com. A RRSIG NSEC
                        86400   RRSIG   NSEC 5 3 86400 20100321000024 (
                                20100219000024 42423 example.com.
                                nRySPk7tp54M3LxDbwWZXXs85RUBgLt6biGc
                                mZJhVd+hvpLwEr58viUPQYtz87vLQVrcRycQ
                                MZ4B+dT/FMYz1MQCfz4mr+TTNDaiyJu4CHpF
                                OBofdmaU8546IwpbnY43cok/YM0fPbdkGuUE
                                b4ecWZ6UFGiiz7MWBN0J8gbkCW4= )
ftp.example.com.        86400   IN CNAME server1.example.com.
                        86400   RRSIG   CNAME 5 3 86400 20100321000024 (
                                20100219000024 42423 example.com.
                                Ly4DzMo6IWleSSSG1KGLqOPEUKpD5OjSOGeg
                                sVO2lCRil0tHJX8+q8iudWjQn1crFyizBgUg
                                VTIedNc1ciDiKHbD/EKxWKyvUPkJGlMRC+k7
                                OM5Ky4fKOWWl8Us6+qoQ+4r8mMZvb6q2Y4IW
                                YVO1uq4CGo7BqfRGNTDGD5RHgqE= )
                        86400   NSEC    mail.example.com. CNAME RRSIG NSEC
                        86400   RRSIG   NSEC 5 3 86400 20100321000024 (
                                20100219000024 42423 example.com.
                                lqSRczctTIsGAug9U6i44zCKarAawak5pq78
                                EWphc+CAf4G4Ge0hmfgcJIrjOKbwhhUb/gyR
                                U7rVm4c5r5kiv3FxYsSdjs+iT7NI3jNCtebB
                                rKkga6hwDq80y8lLlvbdJCLQNh0GOHOvGPiE
                                rQdKgvc9oSS1yi579+sK3K9ZEOM= )
mail.example.com.       86400   IN CNAME server1.example.com.
                        86400   RRSIG   CNAME 5 3 86400 20100321000024 (
                                20100219000024 42423 example.com.
                                tDk335Prbd32ey6o9yK7bgawXBaIplnjhxbY
                                XwSaI2jwNXfhSx2KCjFTH2G5f3jnsLZjGEv5
                                qCTq+l9It+AhQ3A/N4aYGd+HqSDe8Q8h26I8
                                ZCiIF8pdqxw87Os0YfhYT6Yt7eiSwAnSatPp
                                Fiqh33IUkY1zPRr2RpB+Q3NZLAk= )
                        86400   NSEC    mail2.example.com. CNAME RRSIG NSEC
                        86400   RRSIG   NSEC 5 3 86400 20100321000024 (
                                20100219000024 42423 example.com.
                                DNdfXurv1iY1WcrEelg692AfIvKToPVF84cx
                                WVqoe0x1stwDXau/VY9p7epkmh/O9XmWZtvS
                                yx4Cfsdsg5lam3kz5wSvH9tiDliOrWNx0nVQ
                                zmO4vLqmjidV9IUJA154+cmWS4b4EkylIyPx
                                YUfZ4tGimz5tGal9Rt9hBRVkEDY= )
mail2.example.com.      86400   IN CNAME server2.example.com.
                        86400   RRSIG   CNAME 5 3 86400 20100321000024 (
                                20100219000024 42423 example.com.
                                GadhrIlp+VPgquVC/I2CHC54fG9UUUT3hBOu
                                rfIUMWotltF+VqPhKY5mrpJNgBSrnSkFCeR1
                                v5DB+UGoUlBgF4tKOHINnT/HuQ8JswbsYge3
                                xuhQYOowsXeVKXNYFJXnxLNij4uGiVOzu6PE
                                qMj4wglUiDMa6VV6eKGigaZE15Y= )
                        86400   NSEC    server1.example.com. CNAME RRSIG NSEC
                        86400   RRSIG   NSEC 5 3 86400 20100321000024 (
                                20100219000024 42423 example.com.
                                Ns6WkHNHt5PxpAvZbK0ObpqnorAtGOINeAlR
                                P8xgvBzbYvQ2m1mS4U8KNDwxmww6/h0RgQ4F
                                dL0x7vpBnARMwbEuoIyhnkm6RC1lVDyCrU3H
                                B89Lo2qV9XBlbpherrNOyK1fKw2qW0tKC896
                                vC2rWNKjhs2NCVY8b12Rv8FoMkY= )
server1.example.com.    86400   IN A    10.0.1.5
                        86400   RRSIG   A 5 3 86400 20100321000024 (
                                20100219000024 42423 example.com.
                                grJaDiokDBV/AAANTgrYJDJ9A70NUmmg8WTY
                                juyirbwaFPK/FVDNAcntIOZd1gp+7/YKvLXz
                                kZsQBgheT7wT5QZEVydSBzZveDVS1m745ymR
                                JveeTBhv9nThYwSN9F2AB2hqsjC1PFOT573t
                                TpYN+aXE17ZVxHWnQyS1KUSK1DQ= )
                        86400   NSEC    server2.example.com. A RRSIG NSEC
                        86400   RRSIG   NSEC 5 3 86400 20100321000024 (
                                20100219000024 42423 example.com.
                                eGpy89iMu5pNB5jOi81MXIM2BtW3IfrGico3
                                OhsfTsKcWMtDYnUfAugIYDru1QYwAxf2xawA
                                TmgTpA1fsB2OIlZFe8GMfJmOQvFb11FUO5ru
                                +j4+dq1nmgeB4Bq/qOgoTm2xmtOppjwjNx/l
                                pb/kQTr5cWMEExCqWu/oyleiD8A= )
server2.example.com.    86400   IN A    10.0.1.7
                        86400   RRSIG   A 5 3 86400 20100321000024 (
                                20100219000024 42423 example.com.
                                Z0/RlmpT85ODQnc4iJU7TGzF1s7F/d3s8O7E
                                eZtSgfXquAvi/bkUVVrokgkFOULy1ftl/w0F
                                dNsGAIE6x3sbe3XExPG3gHf7FMVUYQKY6E9D
                                gt54Yn4bzSuRLCFemOWyJ2c70kZLirXCg5QY
                                Q1YLV2ZODvujO9CWx8LC++09UDE= )
                        86400   NSEC    www.example.com. A RRSIG NSEC
                        86400   RRSIG   NSEC 5 3 86400 20100321000024 (
                                20100219000024 42423 example.com.
                                UzDwEI0Abznj2/4R77ljsd3L2lBbnQiMtJBd
                                0lVQytjlbHiQ/mYODOG8weQ1wdkoRFfHdu2R
                                uEvwvukl2s7C4Ok4e3emj2ThIE/yLDkzHMiY
                                DV3HAyZhE5IC/bYlILiM2LbgjCEFjf0mjYKD
                                JRtnxvW+VQr9eXoKsQHvsslqcrc= )
www.example.com.        86400   IN CNAME server2.example.com.
                        86400   RRSIG   CNAME 5 3 86400 20100321000024 (
                                20100219000024 42423 example.com.
                                Ee5HMfeFKjecBCpUk3vQpzCgv3bRoW437AuE
                                7wQV40DYdQtC0KBoyTtV3kZJIoCt+8baMTu8
                                960AQuAdzxTiW5ZKat2al8AWEJ2EJynY0q/Z
                                r/1t55XCneX18pUqeMDk1W3sMbSocPMiPxVG
                                qI275pKF5iqzigtpgwncVIB5fVk= )
                        86400   NSEC    example.com. CNAME RRSIG NSEC
                        86400   RRSIG   NSEC 5 3 86400 20100321000024 (
                                20100219000024 42423 example.com.
                                isI/fdpyZ8TfV7oPDmEM5UXa3p0T4Fn8hzwG
                                E6ro3xoeKk8CzrjmLdC2r3G45jFpX3sUUrsz
                                a22XITWhGNCupEFs/wFlMJ09ILd401UY8IwE
                                iZp3o2m2prV8171MFJcgpwKXxBmzgjHRM7VD
                                PFTGQrvZaZFsx77PAz5iJkyObQ0= )
A file named dsset-example.com. should also have been generated. It contains the DS (Delegation Signer) records derived from the KSK, the key carrying the Secure Entry Point (SEP) flag (the 257 in the DNSKEY record above), and those DS records are the key component in constructing the "chain of trust": the owners of the .com zone would embed the contents of dsset-example.com. in the .com zone and in turn sign the .com zone. Once the root and TLD zones are all signed, a single chain of trust can run from the top of the DNS hierarchy down to any DNSSEC signed zone. dnssec-signzone writes two DS records for the same key, one with a SHA-1 digest (digest type 1) and one with a SHA-256 digest (digest type 2). The dsset-example.com. file contains the following:
-bash-4.0$ more dsset-example.com.
example.com.  IN DS 50902 5 1 A8F9DA087506D0B60439FC244196CC17234C6A5B
example.com.  IN DS 50902 5 2 D76CF328705DD7AF5D5B22E3EEE74CDF6CE088BD BA0862E311BCBF81 CE88DB78
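The dsset file and the DNSKEY RRset in the signed zone are two views of the same KSK, and it is worth confirming that they agree before the DS records are handed to the parent. The script below is an added example (it is not part of the article and not a BIND tool) that uses only the Python standard library: it parses the DNSKEY records out of the signed zone text, recomputes each key's key tag (RFC 4034 Appendix B) and its SHA-1 and SHA-256 DS digests (RFC 4034 section 5.1.4), compares them with the dsset file, and reports the earliest RRSIG expiration so you know when the zone must be re-signed. The sample input is copied from the example.com.signed and dsset-example.com. shown above; only the base64 has been reflowed onto longer lines, which the parser does not care about.

```python
# Added example (not part of the article or of BIND): recompute DNSKEY key tags
# and DS digests from the signed zone, compare them with the dsset file, and
# report the earliest RRSIG expiry. Standard library only.
import base64
import hashlib
from datetime import datetime, timezone

# Constructed sample input, copied from the article's example.com.signed (the
# RRSIG over the SOA and both DNSKEYs) and its dsset-example.com. file.
SIGNED_ZONE_EXCERPT = """\
example.com.  86400  RRSIG  SOA 5 2 86400 20100321000024 (
                     20100219000024 42423 example.com.
                     LZwIE1g0QrETz4hzi+JBfzVEF95Q21KA3UEKMQDe1fnl8ifsvtck5RNLHJjFXyWLf4C/JD8K
                     CU+bj3phXs8miMZ+vqUZhhyXgKwvnGW9lR9TilrdbovvOROSzXndImIx79IT0DbjhqgVxdmb
                     ETSBm8alCYROqUnC64G5qW0dGUQ= )
              86400  DNSKEY  256 3 5 (
                     AwEAAbtI3Z35x8ITxyQvJeKR9n/RHux9qgQvuOEAcK9nCUGAnrFNvmYKXyM5wrRkcKISXXOX
                     FCKi+gXcFD8xqQIjV4pNOiVV2dExA1PAGHQ9Fhq94EBR2+E6pGjUNLuMpEVRw2i827+t25xx
                     zHRciXu1BHpR3CmO2742FDh1SPAbHRVn ) ; key id = 42423
              86400  DNSKEY  257 3 5 (
                     AwEAAdGspfp/owPm884YyM2pI23NMYSjBIFLCdjscwRjHgWqJsmn97FDugp2ktHT6S31v+7t
                     5jADegYx0/PKW5TPvogEhCFxpa2fh/jDnskw1iqNvFkiCc9FQ4OhdYQ2GMDHYiU/C0tDgfv3
                     JWMdAfxcc+Iu6zkKgVFo5TMactHYsG4kUsYuOmjaj3XjBtVZYfx1yqzcfZgUj7Lqg63zP4Mo
                     nnLsoQyb7QmQy0De50P2n82lsDybozUtBZJL+96jJOlXok8i+kL4MQsGRhaBd/YJpABgbwsr
                     QAwJpfIuOJ2atEUxe5BdHGf+2h+Cv4Tj8Ebi52iUW7sVa0kWfAayoNHD3BU= ) ; key id = 50902
"""
DSSET = """\
example.com. IN DS 50902 5 1 A8F9DA087506D0B60439FC244196CC17234C6A5B
example.com. IN DS 50902 5 2 D76CF328705DD7AF5D5B22E3EEE74CDF6CE088BD BA0862E311BCBF81 CE88DB78
"""

def records(zone_text):
    """Yield (owner, type, rdata tokens) from master-file text: drops ';' comments,
    joins '(' ... ')' continuation lines, inherits an omitted owner (leading whitespace)."""
    owner, buf, depth = None, "", 0
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]
        if not line.strip():
            continue
        buf += line + " "
        depth += line.count("(") - line.count(")")
        if depth:
            continue
        toks = buf.replace("(", " ").replace(")", " ").split()
        if not buf[0].isspace():                    # owner present on the first line
            owner = toks.pop(0)
        buf = ""
        toks = toks[2:] if toks[1].upper() == "IN" else toks[1:]   # drop TTL, optional class
        yield owner, toks[0].upper(), toks[1:]

def dnskey_rdata(tokens):
    """Wire RDATA: flags(2) | protocol(1) | algorithm(1) | base64-decoded public key."""
    flags, proto, alg = (int(t) for t in tokens[:3])
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + base64.b64decode("".join(tokens[3:]))

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (all algorithms except RSAMD5)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata, digest_type):
    """DS digest (RFC 4034 5.1.4): hash(canonical owner wire name | DNSKEY RDATA)."""
    labels = owner.lower().rstrip(".").split(".")
    wire = b"".join(bytes([len(x)]) + x.encode("ascii") for x in labels) + b"\x00"
    return {1: hashlib.sha1, 2: hashlib.sha256}[digest_type](wire + rdata).hexdigest().upper()

def check(zone_text, dsset_text):
    """Return the DNSKEY key tags, one (tag, digest type, ok) verdict per DS record
    in dsset_text, and the earliest RRSIG expiration found in zone_text."""
    keys, earliest = {}, None
    for owner, rtype, rd in records(zone_text):
        if rtype == "DNSKEY":
            rdata = dnskey_rdata(rd)
            keys[key_tag(rdata)] = (owner, int(rd[0]), int(rd[2]), rdata)
        elif rtype == "RRSIG":                      # rd[4] is the signature expiration
            exp = datetime.strptime(rd[4], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
            earliest = exp if earliest is None or exp < earliest else earliest
    verdicts = []
    for t in (line.split() for line in dsset_text.splitlines() if line.strip()):
        tag, alg, dtype, digest = int(t[3]), int(t[4]), int(t[5]), "".join(t[6:]).upper()
        k = keys.get(tag)
        ok = (k is not None and k[0].lower() == t[0].lower() and (k[1] & 1) == 1  # SEP bit
              and k[2] == alg and ds_digest(k[0], k[3], dtype) == digest)
        verdicts.append((tag, dtype, ok))
    return {"key_tags": sorted(keys), "ds": verdicts, "earliest_rrsig_expiry": earliest}

if __name__ == "__main__":
    r = check(SIGNED_ZONE_EXCERPT, DSSET)
    for tag, dtype, ok in r["ds"]:
        print(f"DS {tag} digest type {dtype}: {'matches DNSKEY' if ok else 'MISMATCH'}")
    print("earliest RRSIG expiry (re-sign before):", r["earliest_rrsig_expiry"].isoformat())
```

Run it with python3 and feed it the real example.com.signed and dsset-example.com. instead of the embedded excerpt when checking your own zone. Because Smart Signing puts the DNSKEY records into the signed zone itself, the DS records can be recomputed from the published data rather than taken on faith from the dsset file; a DS whose key tag, algorithm or digest does not match a SEP-flagged DNSKEY in the zone will break validation for the whole zone once the parent publishes it.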