DNSSEC Automatic Zone Signing in Bind
In-depth details on the tools and "Smart Sign" functionality in Bind 9.7.0
The last article discussed the basics of the BIND 9.7.0 "Smart Sign" feature. In this article, we cover additional functionality that has been added to the software to make it much simpler to sign, operate, and maintain DNSSEC signed zones, and tie in some of the information provided in the previous article, Bind 9.7.0 - Part 2, New DNSSEC key metadata. Bind 9.7.0 takes an interesting approach to automating DNSSEC key lifecycle maintenance: it leverages local Dynamic DNS updates on the zone in conjunction with the timing metadata embedded in the DNSSEC keys, whereas other DNSSEC frameworks use a dedicated service or script to perform DNSSEC key rollovers.
In this article we'll focus on the following directives to achieve automated "Smart Signing" operations:
Directive | Grammar Context | Description
---|---|---
auto-dnssec | zone statement | Configuring a zone with this directive enables varying levels of automatic DNSSEC key management. There are currently four possible settings. allow: permits keys to be updated and the zone to be re-signed whenever the user issues the rndc sign zonename command. maintain: includes the functionality above, but also automatically adjusts the zone's DNSSEC keys according to the DNSSEC key timing metadata that is supplied. create: includes the above, but signals named to create new DNSSEC keys when needed (NOTE: this option is not yet implemented; the syntax has been reserved for future use). off: disables automatic DNSSEC functionality. Usage: [ auto-dnssec off \| allow \| maintain \| create; ]
dnssec-secure-to-insecure | zone statement | Provides the ability to "convert" a DNSSEC signed (secure) zone to an unsigned (insecure) zone. This directive takes a boolean yes \| no value. Usage: [ dnssec-secure-to-insecure yes \| no; ]
update-policy | zone statement | Sets the policy for enabling or disabling DDNS updates. When set to local, updates to the zone are permitted for a special key, "local-ddns", which named generates automatically at startup. Usage: [ update-policy local \| { update_policy_rule [...] }; ]
key-directory | zone statement | Sets the path to the zone's DNSSEC keys. Bind 9.7.0 auto-dnssec relies on this directive to "find" the keys associated with a given zone. Usage: [ key-directory "/path/to/dnssec/zone/keys"; ]
Example 1 - Semi-automatic "Smart Signing"
In this first example, we demonstrate semi-automatic "Smart Signing". To implement this, we'll need to give the name server the following information:
- enable the automatic "Smart Signing" feature on our zone(s)
- where to find the zone's ZSK and KSK files
- enable local Dynamic DNS on our zone(s)
- optionally, enable the ability to "migrate" our zone(s) from DNSSEC signed (secure) zone(s) to unsigned (insecure) zone(s)
In this example, we'll configure example.com for semi-automatic signing using zone statements. The named.conf zone block for this zone should look like the following:
```
zone "example.com" {
    auto-dnssec allow;
    type master;
    update-policy local;
    file "dynamic/example.com/example.com";
    key-directory "dynamic/example.com";
};
```
Create the Zone Signing Key(s), or ZSK. In this example, two ZSKs are built so that a pre-published ZSK rollover scheme can be implemented. In this scheme, one key is marked "active" and immediately used in zone signing operations, while the other is marked "published" and simply embedded in the zone for future use. Eventually, the "published" key becomes the active key and the former "active" key is retired. This scheme is widely used for ZSK maintenance to ensure that the chain of trust is properly maintained. According to the NIST Secure Domain Name System (DNS) Deployment Guide, the ZSK is recommended to be 1024 bits in length and rolled every month. Build the ZSKs as shown below:
```
-bash-4.0$ dnssec-keygen -r /dev/urandom example.com
Generating key pair............++++++ .................................++++++
Kexample.com.+005+16296
-bash-4.0$ dnssec-keygen -r /dev/urandom -P now -A +3024000 example.com
Generating key pair...................................++++++ ........................................++++++
Kexample.com.+005+65475
```
The first command generates the current, active ZSK; the second generates a second ZSK that is published now (-P now) but becomes active (-A) in 3,024,000 seconds, or 5 weeks. This example shows how the new timing metadata is set using dnssec-keygen. The generated files contain the following:
Kexample.com.+005+16296.key
```
; This is a zone-signing key, keyid 16296, for example.com.
; Created: Tue Feb 23 22:42:03 2010
; Publish: Tue Feb 23 22:42:03 2010
; Activate: Tue Feb 23 22:42:03 2010
example.com. IN DNSKEY 256 3 5 AwEAAc/zR+EVRV9HHwPCVIA4JPg+WinKZAAYDL5z/sFFL8OgN6UR6anB349k8SR++17Okl8GLG6EeMqBUaY+M6MIp/yZeU+h0w9t5hLqbsZ/IugaxQhu0JMG3R+4DwM3jPuHAnpJSJY6BJf00/tPXDYLkgA//kcvQBlHxvRZf2Ipquz9
```
Kexample.com.+005+16296.private
```
Private-key-format: v1.3
Algorithm: 5 (RSASHA1)
Modulus: z/NH4RVFX0cfA8JUgDgk+D5aKcpkABgMvnP+wUUvw6A3pRHpqcHfj2TxJH77Xs6SXwYsboR4yoFRpj4zowin/Jl5T6HTD23mEupuxn8i6BrFCG7QkwbdH7gPAzeM+4cCeklIljoEl/TT+09cNguSAD/+Ry9AGUfG9Fl/Yimq7P0=
PublicExponent: AQAB
PrivateExponent: j4wouj+su7CkwDuNiVU4cATayK5liYsQgQghe9j+t9QJlXFgE0c5xAqyS7c8Xp3KfL4OPdxEZcYPTurxSkHXc1AYbKl+/E1XyKy3a9EqUhrsrPOsYRVzgDdwa35xZt2rgtIwzdAI5CuDmNf7P+Nvfz4FCLosA+dBdx5tIw/magE=
Prime1: +YVwNunBVvqaBtajhYn2Zipr1II3vBJZ0Z6cAnvcTTAXRpLQUc114J0F7BG5hBDjBflxcAXYDofJTcMyLGnrkQ==
Prime2: 1VmFgE2ilWFSBa6KxmhxHCSA/H0MSUWxgx0iuICXVOEv6gR/PIPL0LgLAaqYPeY7QSW1M9xUwvjUCcOxnPT8rQ==
Exponent1: PG0bOsErKCQyLtvF5+38NMurJ2CNnMcY51Gw2E0kkbDGwjmFp3nJRSbhq0Szl477W5QH66gOpZ4umt1dhjH0cQ==
Exponent2: lsO0O36hLb6gH7PADYUwqRqCq+oSDJVbY7PrHUaBqlGXcl/LKhBYrx3faUYMX3Ga3eavrf49R6pe7KeFk8zr4Q==
Coefficient: XpT5SguN1q6cDds4RIiGmLAWu/l/nX6W/UMFoHuhlhIkSJalOdHR6AhYEt3U35wKDI6EZ5Vc0V1NMlpwMIBdaA==
Created: 20100224054203
Publish: 20100224054203
Activate: 20100224054203
```
Kexample.com.+005+65475.key
```
; This is a zone-signing key, keyid 65475, for example.com.
; Created: Tue Feb 23 22:42:21 2010
; Publish: Tue Feb 23 22:42:21 2010
; Activate: Tue Mar 30 23:42:21 2010
example.com. IN DNSKEY 256 3 5 AwEAAZmwk+tNBPHOtnGOEstAIec212BB8ocsaDu2ZCQy8VOTK6L/mWJEoAriM6qEbLlyYBJJwX23kW2sbSvQ4l0GgglLjn2E5v/AnuL8usrfav+6LFUb+gaIbwx1ilurDL2khTjp7uNWtY7UPZcnxymunyO/S8B34aHNstAVNYdZ09at
```
Kexample.com.+005+65475.private
```
Private-key-format: v1.3
Algorithm: 5 (RSASHA1)
Modulus: mbCT600E8c62cY4Sy0Ah5zbXYEHyhyxoO7ZkJDLxU5Mrov+ZYkSgCuIzqoRsuXJgEknBfbeRbaxtK9DiXQaCCUuOfYTm/8Ce4vy6yt9q/7osVRv6BohvDHWKW6sMvaSFOOnu41a1jtQ9lyfHKa6fI79LwHfhoc2y0BU1h1nT1q0=
PublicExponent: AQAB
PrivateExponent: SyhX3dzHSzzsaXGx7SVKrxhZkOAPK11jB7h1FmK3M0ioMUjPiIfIwCnIXF3wEWxGYQsijUkk3D5TEPdQi29wTTtd1bWv+xKl2KjWbxPsiiq/mocBGrMbvLE73agKymeAax/TuQycp6nElLwVeL4h//2pNaUD3OVjeDt9Lz3XqV0=
Prime1: xx7dT7Al1arx+dqGIJy/q7EU4/kdYqNNofcjivKfbVhZMMZw4t2cSvhtTayTlUXxqhELTq3ofqCTCZTZy2YuQw==
Prime2: xZd78nymeLZkqy12h7208oCLZxxBVsHl6S1yrS2tL68mQNjyIFd+cEhQjCIzNq565ObXdWjHglV1ZDd3GHUwTw==
Exponent1: W2OIEa33/3Qg8RrhmpA2zFdPDj7kxMPMurySHJC0qVv2O5OodgdeV25jxFWjusxKWVLPTMI2xf9u3OPrfhYcvw==
Exponent2: EDxPQfB+GUMbaHlW2PZ8jMSFL9bBg6hxBMToPFSZe2aP5RouYvvtdrpqa+lPffm+PVq+b3ZJlmsBN1fbYFYYvw==
Coefficient: lFwSpG3CPyywZBbqloaamoYsD2Tn6/WaG72zneUzWtMNEeUT6KQnwCnt+PJfg9wUx5+iIJYpk2P6u8l4euGzFw==
Created: 20100224054221
Publish: 20100224054221
Activate: 20100331054221
```
Next, a KSK needs to be generated so the zone and its ZSKs can be signed. This is done similarly to the ZSK generation, but a stronger key is suggested: NIST recommends that KSKs be 2048 bits in length.
```
-bash-4.0$ dnssec-keygen -r /dev/urandom -f KSK -b 2048 example.com
Generating key pair..........+++ .............+++
Kexample.com.+005+16528
```
NOTE: -b 2048 is not required; 2048 bits is now the default key size when -f KSK is given.
The above command will generate our KSK key pair with the following content:
Kexample.com.+005+16528.key
```
; This is a key-signing key, keyid 16528, for example.com.
; Created: Thu Feb 25 11:07:54 2010
; Publish: Thu Feb 25 11:07:54 2010
; Activate: Thu Feb 25 11:07:54 2010
example.com. IN DNSKEY 257 3 5 AwEAAaRnD68SVROkvuQ5Qez1LMGqciUJ5aVnzmrVLjtYUXg1XVT7HQKwKR77YDE+TxaKDJH32kn8cfwPSb6k/iPynKnmcH02ynBUqMxYj+x0RyaPlKrC7GBjC2x56bpleJFEqcq5YVUBaVPsPk8Gge9wf5vdLhmBzOH6DuDdLGB6VrcdTQdBHInVlAuXjQ31OObAkEbuMyfpGUoU0TGoD/nhYoALLMzjWkBAkFCXnKsgT51hPBSG4SzmHSOSqkp4JvpawYRWL7BIVTZQ84Tb8m0FumFrbzzJXR8IT6O0sHS3d5nw75m5OQaZ22WtHV0qfuLtKCAQP4P992jAb6YdVbwFg8U=
```
Kexample.com.+005+16528.private
```
Private-key-format: v1.3
Algorithm: 5 (RSASHA1)
Modulus: pGcPrxJVE6S+5DlB7PUswapyJQnlpWfOatUuO1hReDVdVPsdArApHvtgMT5PFooMkffaSfxx/A9JvqT+I/KcqeZwfTbKcFSozFiP7HRHJo+UqsLsYGMLbHnpumV4kUSpyrlhVQFpU+w+TwaB73B/m90uGYHM4foO4N0sYHpWtx1NB0EcidWUC5eNDfU45sCQRu4zJ+kZShTRMagP+eFigAsszONaQECQUJecqyBPnWE8FIbhLOYdI5KqSngm+lrBhFYvsEhVNlDzhNvybQW6YWtvPMldHwhPo7SwdLd3mfDvmbk5BpnbZa0dXSp+4u0oIBA/g/33aMBvph1VvAWDxQ==
PublicExponent: AQAB
PrivateExponent: UIlwZHpdlR7qqNDn29YLk+AUxNJBXrMoqqs+V7IfTv0NeLj/cDauHlBUwirdAZSlLci2dfImQK2Ymb0oBqIuXwjVaHGz4C2I93oXH2WjCV/jG3gb5ef/S6e5eSeGVdvGNdp0tPjZCVS8/WeZtZtt2AQVNkeg/77JFR0kRSsJWfBGichskG69Rb/2XMtgtJgzEnQs3d63jYu78P3FEiCn3OGWh9GMqQh8w9LjQUHOf/r3DbG6R5TKZ5QIM0NGEPGd8YEHVMl0T8KSacW8qOeirVy86d5Q7RidQIS+5zAEBH8tLFVxF8WvuCo3n9jd0qE6TG4AsiC0oDvGCfI2X5F0LQ==
Prime1: 1UqgdBMXvb0cP3ee8vk/xHLTJFgdvYPPlPPAJcO2torkEPUB5wHVciSzeJIlHMeKQTBVaqZdOgCqiJFC21VNMnY77eKaJPsmT//HXDVSVI1Vi7nsoCudr1ydka1XEQTI3MdDUM4Y7GotLwqxXPN7VbMtlqpGIivT8enqXsVM1Es=
Prime2: xVJgYtyCWsvBuBiBBFPEsCd0SFOc+KhZry/Vm0FnbKgzn9jOE/GhFBL3vXUL8hDHVcmwnzi1ovO20LkPlaf5UnYAepxKzT4BlICbHCQZRlsSPhK7exmA0o06asMUTgTme77pa7ENyZQOP+jxikTeL92Prs5N6RXZS8Pug8aFXi8=
Exponent1: HSGXLqNY78I/dG+rFvZx/ivMqL8cOMEi/e4YxU+oyd/IbIR6IQoAFBntJT+YsAiU2nh2gh18yCpFIGfuoLRS2dyKLOBxOzHONsjxeqeRuhifoXjgV7P9UnEs2DO7m4hywqy4hfXQM6IAz9b/CHn802SoilZxQ8OGrBjNuOnrp2c=
Exponent2: JZNKR4k2SZQDj8saxngtPF5HBn7lpXRpn7K8OpR53XcqXYYruCCLTAdQpgNkAvSvAOcneyqRbDZ82cJj9VvHXqyZ6r9Yfz0Pj/ftka5OIde14Zwvl4GDxpSeSzZa54CHY4k3agqNVZWcIQ9675mtte+7LM6ch4Zhmsv036MuQoE=
Coefficient: M9xTJuWxyanPu5rq5YOnT3XqlgJHLxLuBUCgYEuH9yJq9c/1nc3d+rGZol+4Bbf4QIJ3mU+QIgScXBEea3GnTajToWqDJtAslW+8/3B4pDR3SWuNChFThUXpEc4QzENJk1RnigpHJ6KGkNYeJaCqg4Sz63OjBtECTGrknzKL0oI=
Created: 20100225180754
Publish: 20100225180754
Activate: 20100225180754
```
Assume that our zone file for example.com is aptly named "example.com" and is located in the /var/named/dynamic/example.com directory on our server. It is very important to ensure that file permissions are properly set and maintained on the zone file(s) and key file(s). For example, if you run your name server as the user "named", the ownership and permissions of those files must allow that user to read and write them, or else signing operations will fail. Here is a copy of the unsigned zone file:
example.com
```
$TTL 86400
$ORIGIN example.com.
@       IN SOA dns1.example.com. hostmaster.example.com. (
                2001062501 ; serial
                21600      ; refresh after 6 hours
                3600       ; retry after 1 hour
                604800     ; expire after 1 week
                86400 )    ; minimum TTL of 1 day
        IN NS  dns1.example.com.
        IN NS  dns2.example.com.
        IN MX  10 mail.example.com.
        IN MX  20 mail2.example.com.
        IN A   10.0.1.5
server1 IN A   10.0.1.5
server2 IN A   10.0.1.7
dns1    IN A   10.0.1.2
dns2    IN A   10.0.1.3
ftp     IN CNAME server1
mail    IN CNAME server1
mail2   IN CNAME server2
www     IN CNAME server2
```
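The permission requirement just described is easy to get wrong when keys are generated as one user and served by another, and a world-readable .private file is a key compromise waiting to happen. The following added shell script (not from the article or from BIND) checks a key-directory for both problems: every K*.key and K*.private file must belong to the account named runs as, and no .private file may be readable by group or others. The function names, the demo directory and the expected user name are assumptions; the demo key files are placeholders, not real keys.

```shell
#!/bin/sh
# Added example (not code from the article or from BIND): sanity-check a
# key-directory before running "rndc sign".  Two things make signing fail or
# leak key material: key files the named process cannot read (wrong owner),
# and .private files that other accounts can read.  Only POSIX tools are used.
# The user name, the demo directory and the helper names are assumptions.

# check_key_dir DIR USER: report problems; return 0 only if the directory is clean.
check_key_dir() {
    keydir=$1
    owner_wanted=$2
    rc=0
    [ -d "$keydir" ] || { echo "no such directory: $keydir"; return 1; }
    for f in "$keydir"/K*.key "$keydir"/K*.private; do
        [ -f "$f" ] || continue               # pattern matched no file
        set -- $(ls -ld "$f")                 # $1 = mode string, $3 = owner
        mode=$1
        owner=$3
        if [ "$owner" != "$owner_wanted" ]; then
            echo "wrong owner on $f: $owner (named runs as $owner_wanted)"
            rc=1
        fi
        # A private key must not be readable by group or others.  The mode
        # string looks like -rw-------; characters 5 to 10 are the group and
        # other permission bits (an ACL marker such as "+" comes after them).
        case $f in
        *.private)
            case $(printf '%s' "$mode" | cut -c5-10) in
            ------) ;;
            *) echo "private key $f is group/world accessible ($mode)"; rc=1 ;;
            esac
            ;;
        esac
    done
    return $rc
}

# make_demo_keydir: build a constructed key-directory with placeholder files
# owned by the current user, using the permissions a fresh key pair should
# have (0644 for .key, 0600 for .private).  Prints the directory path.
make_demo_keydir() {
    d=$(mktemp -d)
    printf '; placeholder, not a real key\n' > "$d/Kexample.com.+005+16296.key"
    printf 'Private-key-format: v1.3\n' > "$d/Kexample.com.+005+16296.private"
    chmod 644 "$d/Kexample.com.+005+16296.key"
    chmod 600 "$d/Kexample.com.+005+16296.private"
    echo "$d"
}

# Stand-alone use: check_keydir.sh /var/named/dynamic/example.com named
if [ $# -ge 1 ]; then
    check_key_dir "$1" "${2:-named}"
fi
```

Run it against the real key-directory before the first rndc sign and again after any key is regenerated or copied in; a non-zero exit with the printed reasons is what you want to see in a pre-flight check rather than a silent signing failure in the named log.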
Provided the name server is running with the unsigned zone, you can now sign this zone using the rndc command as follows:
```
rndc sign example.com
```
Upon running this command, the name server will attempt to read in our newly created keys and use them to sign the zone. Since our zone is configured for local Dynamic DNS updates (update-policy local), the records can be added to the zone dynamically. A DDNS journal, or .jnl file, will be created containing all the RRs that were dynamically added during the signing process. This file is not human readable, but it can be parsed with the BIND-provided utility named-journalprint. The syntax is:
```
named-journalprint <jnlfile>
```
If you run that command on the example.com.jnl file, you should see all the dynamic updates that were injected into example.com during the signing. Our zone example.com has been fully signed automatically through local dynamic DNS updates. Here is a copy of the signed zone file:
example.com.signed
```
; File written on Thu Feb 18 18:00:24 2010
; dnssec_signzone version 9.7.0
example.com.            86400   IN SOA  dns1.example.com. hostmaster.example.com. (
                                2001062501 ; serial
                                21600      ; refresh (6 hours)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                86400      ; minimum (1 day)
                                )
                        86400   RRSIG   SOA 5 2 86400 20100321000024 (
                                20100219000024 42423 example.com.
                                LZwIE1g0QrETz4hzi+JBfzVEF95Q21KA3UEK
                                MQDe1fnl8ifsvtck5RNLHJjFXyWLf4C/JD8K
                                CU+bj3phXs8miMZ+vqUZhhyXgKwvnGW9lR9T
                                ilrdbovvOROSzXndImIx79IT0DbjhqgVxdmb
                                ETSBm8alCYROqUnC64G5qW0dGUQ= )
                        86400   NS      dns1.example.com.
                        86400   NS      dns2.example.com.
                        86400   RRSIG   NS 5 2 86400 20100321000024 (
                                20100219000024 42423 example.com.
                                ndVpip6QHKtQ25YxBucSomtuGc96Y2u1RLua
                                RjiT7gq/P8dI/NiNf/rGCz36IN5uXgib50Xy
                                sB+F6hjpAm2zId4K+QRfcMfebn7rAsv7Qm1h
                                0frmeDKlPWMpY0EEFBLPOTcOa5AvimR4UWOB
                                mEaf8Kj8wXRxZxVhj8sH41nEqBg= )
                        86400   A       10.0.1.5
                        86400   RRSIG   A 5 2 86400 20100321000024 (
                                20100219000024 42423 example.com.
                                fpJiV2HisQiCgGlC1C3vGYDjJHsP5yKSj50x
                                3w/LaDqCmrAXUPTSITLCQbSnqs8Bw+Dcwez+
                                3Uyib75Nwfokta2BnUZezIN0rANZjxBZfIPF
                                fKh261oHz4ET9mAYGidAQJYT/53Ob6TWC0JA
                                iuznANEd3fNO6zGTJPVVeM2y/E8= )
                        86400   MX      10 mail.example.com.
                        86400   MX      20 mail2.example.com.
                        86400   RRSIG   MX 5 2 86400 20100321000024 (
                                20100219000024 42423 example.com.
                                a9YUMpKz443D9ilMz1zZttxDbHE14tmo92a3
                                NobnFtCChptw01YKqPbyawhDHzeSrDMAMxT0
                                JrX8GgzWzx913JJj5cY0cPk6t47aglXgicdf
                                xsTotEEa/rQPfDFWCI+afdVqsIjNzl2DPMUq
                                jTzaGYyX+qoKG3tbmqRyNnarweY= )
                        86400   NSEC    dns1.example.com. A NS SOA MX RRSIG NSEC DNSKEY
                        86400   RRSIG   NSEC 5 2 86400 20100321000024 (
                                20100219000024 42423 example.com.
                                W7iA7Foe5bItestFr2xZL5DLddn0zxvlLFxm
                                CEb6JHnme9kOj64j4uNtFneLNSU4/2Im8TOH
                                D+A0z6yxAfcG5NkF/yXCL9TYdNSni4GHF+4n
                                mhoFXFDjOaleklcPZu7IMuMnQpQnjRz/KLM0
                                cmE+pVikzoMDyqmBsqI16ehZ6WI= )
                        86400   DNSKEY  256 3 5 (
                                AwEAAbtI3Z35x8ITxyQvJeKR9n/RHux9qgQv
                                uOEAcK9nCUGAnrFNvmYKXyM5wrRkcKISXXOX
                                FCKi+gXcFD8xqQIjV4pNOiVV2dExA1PAGHQ9
                                Fhq94EBR2+E6pGjUNLuMpEVRw2i827+t25xx
                                zHRciXu1BHpR3CmO2742FDh1SPAbHRVn
                                ) ; key id = 42423
                        86400   DNSKEY  257 3 5 (
                                AwEAAdGspfp/owPm884YyM2pI23NMYSjBIFL
                                CdjscwRjHgWqJsmn97FDugp2ktHT6S31v+7t
                                5jADegYx0/PKW5TPvogEhCFxpa2fh/jDnskw
                                1iqNvFkiCc9FQ4OhdYQ2GMDHYiU/C0tDgfv3
                                JWMdAfxcc+Iu6zkKgVFo5TMactHYsG4kUsYu
                                Omjaj3XjBtVZYfx1yqzcfZgUj7Lqg63zP4Mo
                                nnLsoQyb7QmQy0De50P2n82lsDybozUtBZJL
                                +96jJOlXok8i+kL4MQsGRhaBd/YJpABgbwsr
                                QAwJpfIuOJ2atEUxe5BdHGf+2h+Cv4Tj8Ebi
                                52iUW7sVa0kWfAayoNHD3BU=
                                ) ; key id = 50902
                        86400   RRSIG   DNSKEY 5 2 86400 20100321000024 (
                                20100219000024 42423 example.com.
                                k/B1QV/1sNeHb9SyGTYKnS0xTu5fJLsNR1bv
                                U8cL9x9EE9uTxAtGMiCA7m6aCt6AUv1/yKiW
                                L8niQZk+/x/oTgjKi0YTyttySu/d6lwKrU0i
                                gsaP41JJyXWRNFvJ7DSK9mJ+ZcOScsIG0vGR
                                2phf0LOF4tBx1WUzahOjE7K6/gQ= )
                        86400   RRSIG   DNSKEY 5 2 86400 20100321000024 (
                                20100219000024 50902 example.com.
                                NyA5VgoIQOpJGyQREOPi+yhmUKZojLpkhBRE
                                0Ey+5qOru3xyH7H7KH7NSGDsqu6lV922/2bP
                                aoR6S2HoYHngbWLkQ8rzbChIhMgx/MG6G8Nh
                                Su++aIdlKbyh36ovDSuWOjTJdKfV8sXDF6TY
                                NfLvaeAEGaJkMU1hwMO+BDIP4kDhdABVj2S5
                                m4sfcwsabXsEy4Fa8WFG6awPQWlvSH/YnFks
                                lERagOKcWzjF8XhD3dc2QDN3TdVtKB4pzSq3
                                v4qDs3E+ckEXILfViGSoouM99mx/FD9yrHtb
                                67oflx1gsS621XT5kin9GZ4sSLLlIYyJ4tzi
                                OSjW4EByuuSyXpo9eA== )
dns1.example.com.       86400   IN A    10.0.1.2
                        86400   RRSIG   A 5 3 86400 20100321000024 (
                                20100219000024 42423 example.com.
                                eyNkf6ms+WQO69I73UZRG/42HG26Ub+YHyc9
                                MLO50Uhca48C61+zHLUUoZ2J3bndtwak1AaE
                                HtA39mxdMIbMwpxzLhfLERnIFxVHPy8fv9fh
                                OeJrgAM5xgdbmfx6mX2lcsmICc8Honnjpykh
                                CAJ4Q9U8mtTfoUjOgZr0kgDYxng= )
                        86400   NSEC    dns2.example.com. A RRSIG NSEC
                        86400   RRSIG   NSEC 5 3 86400 20100321000024 (
                                20100219000024 42423 example.com.
                                Qi/nkYVWtzrGJB7hrfgSEiKf5xAh/wlky63k
                                tiWM6hKQn3KdRhpItkE90jdk3G7yxb2WnwbN
                                QkpEt9PWPdVA4rgXjwP3IyQMACNp6dptgw+r
                                puTTpCVi9oVxhYf8qBl0FAHZ0uKqpCnsHD9g
                                Vh+AwiN4lZ7Ilc/v8tV8LeVB37Y= )
dns2.example.com.       86400   IN A    10.0.1.3
                        86400   RRSIG   A 5 3 86400 20100321000024 (
                                20100219000024 42423 example.com.
                                ToToN/WrDUrxR0flEdWuEIdb5UB+EVDeBesm
                                SeoVs4qcui15NZR541GQiTn/UiO0h202dZgv
                                ldikkpXznrnOEbRvArYUr78adwm5D1Y23eG/
                                5lNhGZ6pexp9gHdT/nK+1dUYhtN+vwckTqS0
                                XJosXAIp4VzjCXJYDOsB4OmLm0o= )
                        86400   NSEC    ftp.example.com. A RRSIG NSEC
                        86400   RRSIG   NSEC 5 3 86400 20100321000024 (
                                20100219000024 42423 example.com.
                                nRySPk7tp54M3LxDbwWZXXs85RUBgLt6biGc
                                mZJhVd+hvpLwEr58viUPQYtz87vLQVrcRycQ
                                MZ4B+dT/FMYz1MQCfz4mr+TTNDaiyJu4CHpF
                                OBofdmaU8546IwpbnY43cok/YM0fPbdkGuUE
                                b4ecWZ6UFGiiz7MWBN0J8gbkCW4= )
ftp.example.com.        86400   IN CNAME server1.example.com.
                        86400   RRSIG   CNAME 5 3 86400 20100321000024 (
                                20100219000024 42423 example.com.
                                Ly4DzMo6IWleSSSG1KGLqOPEUKpD5OjSOGeg
                                sVO2lCRil0tHJX8+q8iudWjQn1crFyizBgUg
                                VTIedNc1ciDiKHbD/EKxWKyvUPkJGlMRC+k7
                                OM5Ky4fKOWWl8Us6+qoQ+4r8mMZvb6q2Y4IW
                                YVO1uq4CGo7BqfRGNTDGD5RHgqE= )
                        86400   NSEC    mail.example.com. CNAME RRSIG NSEC
                        86400   RRSIG   NSEC 5 3 86400 20100321000024 (
                                20100219000024 42423 example.com.
                                lqSRczctTIsGAug9U6i44zCKarAawak5pq78
                                EWphc+CAf4G4Ge0hmfgcJIrjOKbwhhUb/gyR
                                U7rVm4c5r5kiv3FxYsSdjs+iT7NI3jNCtebB
                                rKkga6hwDq80y8lLlvbdJCLQNh0GOHOvGPiE
                                rQdKgvc9oSS1yi579+sK3K9ZEOM= )
mail.example.com.       86400   IN CNAME server1.example.com.
                        86400   RRSIG   CNAME 5 3 86400 20100321000024 (
                                20100219000024 42423 example.com.
                                tDk335Prbd32ey6o9yK7bgawXBaIplnjhxbY
                                XwSaI2jwNXfhSx2KCjFTH2G5f3jnsLZjGEv5
                                qCTq+l9It+AhQ3A/N4aYGd+HqSDe8Q8h26I8
                                ZCiIF8pdqxw87Os0YfhYT6Yt7eiSwAnSatPp
                                Fiqh33IUkY1zPRr2RpB+Q3NZLAk= )
                        86400   NSEC    mail2.example.com. CNAME RRSIG NSEC
                        86400   RRSIG   NSEC 5 3 86400 20100321000024 (
                                20100219000024 42423 example.com.
                                DNdfXurv1iY1WcrEelg692AfIvKToPVF84cx
                                WVqoe0x1stwDXau/VY9p7epkmh/O9XmWZtvS
                                yx4Cfsdsg5lam3kz5wSvH9tiDliOrWNx0nVQ
                                zmO4vLqmjidV9IUJA154+cmWS4b4EkylIyPx
                                YUfZ4tGimz5tGal9Rt9hBRVkEDY= )
mail2.example.com.      86400   IN CNAME server2.example.com.
                        86400   RRSIG   CNAME 5 3 86400 20100321000024 (
                                20100219000024 42423 example.com.
                                GadhrIlp+VPgquVC/I2CHC54fG9UUUT3hBOu
                                rfIUMWotltF+VqPhKY5mrpJNgBSrnSkFCeR1
                                v5DB+UGoUlBgF4tKOHINnT/HuQ8JswbsYge3
                                xuhQYOowsXeVKXNYFJXnxLNij4uGiVOzu6PE
                                qMj4wglUiDMa6VV6eKGigaZE15Y= )
                        86400   NSEC    server1.example.com. CNAME RRSIG NSEC
                        86400   RRSIG   NSEC 5 3 86400 20100321000024 (
                                20100219000024 42423 example.com.
                                Ns6WkHNHt5PxpAvZbK0ObpqnorAtGOINeAlR
                                P8xgvBzbYvQ2m1mS4U8KNDwxmww6/h0RgQ4F
                                dL0x7vpBnARMwbEuoIyhnkm6RC1lVDyCrU3H
                                B89Lo2qV9XBlbpherrNOyK1fKw2qW0tKC896
                                vC2rWNKjhs2NCVY8b12Rv8FoMkY= )
server1.example.com.    86400   IN A    10.0.1.5
                        86400   RRSIG   A 5 3 86400 20100321000024 (
                                20100219000024 42423 example.com.
                                grJaDiokDBV/AAANTgrYJDJ9A70NUmmg8WTY
                                juyirbwaFPK/FVDNAcntIOZd1gp+7/YKvLXz
                                kZsQBgheT7wT5QZEVydSBzZveDVS1m745ymR
                                JveeTBhv9nThYwSN9F2AB2hqsjC1PFOT573t
                                TpYN+aXE17ZVxHWnQyS1KUSK1DQ= )
                        86400   NSEC    server2.example.com. A RRSIG NSEC
                        86400   RRSIG   NSEC 5 3 86400 20100321000024 (
                                20100219000024 42423 example.com.
                                eGpy89iMu5pNB5jOi81MXIM2BtW3IfrGico3
                                OhsfTsKcWMtDYnUfAugIYDru1QYwAxf2xawA
                                TmgTpA1fsB2OIlZFe8GMfJmOQvFb11FUO5ru
                                +j4+dq1nmgeB4Bq/qOgoTm2xmtOppjwjNx/l
                                pb/kQTr5cWMEExCqWu/oyleiD8A= )
server2.example.com.    86400   IN A    10.0.1.7
                        86400   RRSIG   A 5 3 86400 20100321000024 (
                                20100219000024 42423 example.com.
                                Z0/RlmpT85ODQnc4iJU7TGzF1s7F/d3s8O7E
                                eZtSgfXquAvi/bkUVVrokgkFOULy1ftl/w0F
                                dNsGAIE6x3sbe3XExPG3gHf7FMVUYQKY6E9D
                                gt54Yn4bzSuRLCFemOWyJ2c70kZLirXCg5QY
                                Q1YLV2ZODvujO9CWx8LC++09UDE= )
                        86400   NSEC    www.example.com. A RRSIG NSEC
                        86400   RRSIG   NSEC 5 3 86400 20100321000024 (
                                20100219000024 42423 example.com.
                                UzDwEI0Abznj2/4R77ljsd3L2lBbnQiMtJBd
                                0lVQytjlbHiQ/mYODOG8weQ1wdkoRFfHdu2R
                                uEvwvukl2s7C4Ok4e3emj2ThIE/yLDkzHMiY
                                DV3HAyZhE5IC/bYlILiM2LbgjCEFjf0mjYKD
                                JRtnxvW+VQr9eXoKsQHvsslqcrc= )
www.example.com.        86400   IN CNAME server2.example.com.
                        86400   RRSIG   CNAME 5 3 86400 20100321000024 (
                                20100219000024 42423 example.com.
                                Ee5HMfeFKjecBCpUk3vQpzCgv3bRoW437AuE
                                7wQV40DYdQtC0KBoyTtV3kZJIoCt+8baMTu8
                                960AQuAdzxTiW5ZKat2al8AWEJ2EJynY0q/Z
                                r/1t55XCneX18pUqeMDk1W3sMbSocPMiPxVG
                                qI275pKF5iqzigtpgwncVIB5fVk= )
                        86400   NSEC    example.com. CNAME RRSIG NSEC
                        86400   RRSIG   NSEC 5 3 86400 20100321000024 (
                                20100219000024 42423 example.com.
                                isI/fdpyZ8TfV7oPDmEM5UXa3p0T4Fn8hzwG
                                E6ro3xoeKk8CzrjmLdC2r3G45jFpX3sUUrsz
                                a22XITWhGNCupEFs/wFlMJ09ILd401UY8IwE
                                iZp3o2m2prV8171MFJcgpwKXxBmzgjHRM7VD
                                PFTGQrvZaZFsx77PAz5iJkyObQ0= )
```
To this point, we've shown how to perform "semi-automatic" DNSSEC Smart Signing operations on a zone. Next, we'll demonstrate "fully-automatic" DNSSEC Smart Signing on the same zone. First, let's unsign the zone. If we add the dnssec-secure-to-insecure directive to the zone block for example.com and set its value to "yes", the zone can be unsigned easily with local DDNS updates, simply by removing the DNSKEY records. NOTE: if you are using NSEC3, the NSEC3PARAM record must be removed as well. This is done as follows:
```
nsupdate -l
> update delete example.com. DNSKEY
> send
> quit
```
Assuming no errors, and that $? evaluates to 0 after that command, the example.com zone should now be unsigned and back in its original state. A dig lookup with the +dnssec flag set should return no DNSSEC related records from our server. To demonstrate "fully-automatic" Smart Signing, first stop the name server, then edit named.conf so that auto-dnssec is set to maintain. The zone block of named.conf should look like this:
```
zone "example.com" {
    auto-dnssec maintain;
    type master;
    update-policy local;
    dnssec-secure-to-insecure yes;
    file "dynamic/example.com/example.com";
    key-directory "dynamic/example.com";
};
```
When the name server is started, named automatically searches the key-directory path for valid ZSKs and KSKs for the zone example.com. If the keys are valid, it signs the zone at startup. This can be confirmed by using dig with the +dnssec flag to query, for example, the SOA of example.com. If the server responds with DNSSEC RRSIG records, our zone was DNSSEC signed. When operating the name service with auto-dnssec set to maintain, the name server periodically checks, or sets internal timers according to, the timing metadata in the keys that were generated.
At this point, it SHOULD be noted that in BIND 9.7.0 the name server will NOT automatically generate new keys; that code has apparently been stubbed out for a future release. So, at this point, named will ONLY age out DNSSEC keys according to the -R (revoke), -I (inactive), and -D (delete) metadata embedded in the keys.
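To make the metadata semantics concrete, both for the two pre-published ZSKs generated earlier (Publish and Activate) and for the ageing behaviour just described (Inactive and Delete), here is an added shell script that is not from the article or from BIND. It reads the Publish/Activate/Inactive/Delete fields out of .private files and reports the state of each key at a chosen moment, which is the same decision auto-dnssec maintain makes from that metadata. The function names and the demo directory are our own; the two ZSK files reuse the timestamps shown earlier in this article, and the third key (id 00000) is a constructed placeholder that has Inactive and Delete set so the retirement path is visible. It goes slightly beyond the article by counting how many keys are active at once, which is the figure an operator watches during a rollover.

```shell
#!/bin/sh
# Added example (not code from the article or from BIND): evaluate a key's
# timing metadata at a given moment.  The values are 14-digit YYYYMMDDHHMMSS
# timestamps as written by dnssec-keygen, so they compare numerically with no
# date arithmetic.  Helper names and demo files are our own assumptions; the
# key with id 00000 is a constructed placeholder, not a real key.

# key_field FILE NAME: print the value of "NAME:" from FILE (empty if absent)
key_field() {
    awk -v name="$2:" '$1 == name { print $2 }' "$1"
}

# at_or_after NOW TS: true when NOW >= TS.  awk compares the 14-digit values
# exactly and sidesteps the integer width of the shell's own test builtin.
at_or_after() {
    awk -v now="$1" -v ts="$2" 'BEGIN { exit (now >= ts) ? 0 : 1 }'
}

# key_state FILE NOW: unpublished | published | active | inactive | deleted
# Later phases win, so Delete is checked first; a field that is absent from
# the file simply never triggers, which is how a key stays active forever.
key_state() {
    pub=$(key_field "$1" Publish)
    act=$(key_field "$1" Activate)
    inact=$(key_field "$1" Inactive)
    del=$(key_field "$1" Delete)
    if   [ -n "$del" ]   && at_or_after "$2" "$del";   then echo deleted
    elif [ -n "$inact" ] && at_or_after "$2" "$inact"; then echo inactive
    elif [ -n "$act" ]   && at_or_after "$2" "$act";   then echo active
    elif [ -n "$pub" ]   && at_or_after "$2" "$pub";   then echo published
    else echo unpublished
    fi
}

# active_count DIR NOW: number of keys in DIR that are signing at NOW.  A zone
# needs at least one; during a pre-publish rollover there are briefly two.
active_count() {
    n=0
    for f in "$1"/K*.private; do
        [ -f "$f" ] || continue
        if [ "$(key_state "$f" "$2")" = active ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# make_demo_keys: write three minimal .private files (constructed sample data)
# into a temp directory and print its path.
make_demo_keys() {
    d=$(mktemp -d)
    printf 'Private-key-format: v1.3\nAlgorithm: 5 (RSASHA1)\nCreated: 20100224054203\nPublish: 20100224054203\nActivate: 20100224054203\n' \
        > "$d/Kexample.com.+005+16296.private"
    printf 'Private-key-format: v1.3\nAlgorithm: 5 (RSASHA1)\nCreated: 20100224054221\nPublish: 20100224054221\nActivate: 20100331054221\n' \
        > "$d/Kexample.com.+005+65475.private"
    # placeholder key: retired the moment 16296 became active, removed a week later
    printf 'Private-key-format: v1.3\nAlgorithm: 5 (RSASHA1)\nCreated: 20100101000000\nPublish: 20100101000000\nActivate: 20100101000000\nInactive: 20100224054203\nDelete: 20100301000000\n' \
        > "$d/Kexample.com.+005+00000.private"
    echo "$d"
}

# Stand-alone use: keystate.sh /var/named/dynamic/example.com 20100301000000
if [ $# -ge 2 ]; then
    for f in "$1"/K*.private; do
        [ -f "$f" ] && echo "$(basename "$f"): $(key_state "$f" "$2")"
    done
    echo "active keys: $(active_count "$1" "$2")"
fi
```

Run against the demo directory, 16296 is active and 65475 is still only published on 1 March 2010, both are active from 31 March onward, and 16296 never leaves the active state because nothing in its file says when it should: exactly the gap the paragraph above describes, where 9.7.0 will honour -I and -D metadata but will not generate a successor or set those dates for you.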
In conclusion, while BIND 9.7.0 doesn't fully support ZSK and KSK rollovers, a tremendous amount of work has gone into BIND to ease the burden of configuring and maintaining DNSSEC for a DNS operator. It will be exciting to see key rollover support and additional functionality make their way into future releases of BIND.
Resources
NIST Secure Domain Name System (DNS) Deployment Guide Special Publication 800-81r1
Bind 9.7.0 Administrator Reference Manual - Internet Software Consortium (contained in BIND 9.7.0 package)