DNSSEC Automatic Zone Signing in Bind

In-depth details on the tools and "Smart Sign" functionality in Bind 9.7.0

The previous article covered the basics of the BIND 9.7.0 "Smart Sign" feature. In this article we describe the additional functionality that has been built into the software to make it much simpler to sign, operate, and maintain DNSSEC-signed zones, and tie in the information from the previous article, BIND 9.7.0 - Part 2, New DNSSEC key metadata. BIND 9.7.0 takes an interesting approach to automating DNSSEC key lifecycle maintenance: rather than relying on a dedicated service or script to perform key rollovers, as other DNSSEC frameworks do, named applies the timing metadata embedded in the key files to the zone itself through local Dynamic DNS updates.

In this article we'll focus on the following directives to achieve automated "Smart Signing" operations:

auto-dnssec (zone statement)

Configuring a zone with this directive enables varying levels of automatic DNSSEC key management. There are currently four possible settings:

allow - permits keys to be added or updated and the zone to be re-signed, but only when the operator issues the rndc sign zonename command.

maintain - includes the functionality above, and additionally adjusts the zone's DNSSEC keys automatically according to the timing metadata stored in the key files (Publish, Activate, Revoke, Inactive and Delete).

create - includes the above, but also signals named to create new DNSSEC keys when needed. (NOTE: this option is not yet implemented; the syntax has been reserved for future use.)

off - disables automatic DNSSEC functionality; this is the default.

Usage:

[ auto-dnssec off | allow | maintain | create; ]

dnssec-secure-to-insecure (zone statement)

Allows a DNSSEC-signed (secure) dynamic zone to be converted back to an unsigned (insecure) zone. When set to yes and all DNSKEY records at the zone apex are deleted through a dynamic update, named removes the RRSIG and NSEC records as well (in an NSEC3 zone the NSEC3PARAM record must be deleted explicitly). With the default of no, a dynamic update that would remove the last DNSKEY record is refused, which guards against unsigning a zone by accident. This directive takes a boolean yes | no value.

Usage: 

[ dnssec-secure-to-insecure yes | no; ]

update-policy (zone statement)

Sets the policy for dynamic (DDNS) updates to the zone. When set to local, updates are accepted only when signed with the TSIG key "local-ddns", which named generates automatically at startup and writes to the session key file (the session-keyfile option). nsupdate -l reads that file, so a local user who can read the session key file can update the zone and nobody else can.

Usage:

[ update-policy local | { update_policy_rule [...] }; ]

key-directory (zone statement)

Sets the directory in which named looks for the zone's DNSSEC key files (the K<zone>.+<alg>+<keyid>.key and .private pairs written by dnssec-keygen). BIND 9.7.0 auto-dnssec relies on this directive to find the keys for a given zone. A relative path is interpreted relative to the directory option, and named must be able to read both files of each key pair.

Usage:

[ key-directory "/path/to/dnssec/zone/keys"; ]

Example 1 - Semi-automatic "Smart Signing"

In this first example we demonstrate semi-automatic "Smart Signing". To implement it, we need to tell the name server:

  • to enable the automatic "Smart Signing" feature on our zone(s)
  • where to find the zone's ZSK and KSK files
  • to enable local Dynamic DNS on our zone(s)
  • optionally, to allow our zone(s) to be converted from DNSSEC-signed (secure) back to unsigned (insecure)

In this example, we'll configure example.com for semi-automatic signing using zone statements. The named.conf zone block for this zone should look like the following:

zone "example.com" {
        auto-dnssec allow;
        type master;
        update-policy local;
        file "dynamic/example.com/example.com";
        key-directory "dynamic/example.com";
};

Create the Zone Signing Keys (ZSKs). In this example two ZSKs are generated so that a pre-publish ZSK rollover can be implemented. In this scheme one key is marked "active" and used immediately to sign the zone, while the other is marked "published": it is placed in the zone's DNSKEY RRset but not yet used for signing. By the time the published key becomes active, validators have had the chance to cache a DNSKEY RRset that already contains it, so signatures made with it validate immediately and the former active key can be retired without breaking the chain of trust. This scheme is widely used for ZSK maintenance. The NIST Secure Domain Name System (DNS) Deployment Guide (SP 800-81r1) recommends a 1024-bit ZSK rolled every month. Build the ZSKs as shown below:

-bash-4.0$ dnssec-keygen -r /dev/urandom example.com
Generating key pair............++++++ .................................++++++
Kexample.com.+005+16296
-bash-4.0$ dnssec-keygen -r /dev/urandom -P now -A +3024000 example.com
Generating key pair...................................++++++ ........................................++++++
Kexample.com.+005+65475

The first command generates the current, active ZSK; by default dnssec-keygen sets both the Publish and Activate times to the moment of creation. The second command generates the ZSK that is published now (-P now) but becomes active 3,024,000 seconds, i.e. 35 days or 5 weeks, later (-A +3024000; an offset without a unit suffix is in seconds). This shows how the new timing metadata is set with dnssec-keygen; the same fields can be changed later on an existing key with dnssec-settime. The resulting files are shown below: the .key file holds the public DNSKEY record and the .private file holds the private key together with the timing metadata (timestamps in the .private file are UTC, the comments in the .key file are local time). The .private files must never be readable by anyone but named's user.

; This is a zone-signing key, keyid 16296, for example.com.
; Created: Tue Feb 23 22:42:03 2010
; Publish: Tue Feb 23 22:42:03 2010
; Activate: Tue Feb 23 22:42:03 2010
example.com. IN DNSKEY 256 3 5 AwEAAc/zR+EVRV9HHwPCVIA4JPg+WinKZAAYDL5z/sFFL8OgN6UR6anB 349k8SR++17Okl8GLG6EeMqBUaY+M6MIp/yZeU+h0w9t5hLqbsZ/Iuga xQhu0JMG3R+4DwM3jPuHAnpJSJY6BJf00/tPXDYLkgA//kcvQBlHxvRZ f2Ipquz9

Kexample.com.+005+16296.key

Private-key-format: v1.3
Algorithm: 5 (RSASHA1)
Modulus: z/NH4RVFX0cfA8JUgDgk+D5aKcpkABgMvnP+wUUvw6A3pRHpqcHfj2TxJH77Xs6SXwYsboR4yoFRpj4zowin/Jl5T6HTD23mEupuxn8i6BrFCG7QkwbdH7gPAzeM+4cCeklIljoEl/TT+09cNguSAD/+Ry9AGUfG9Fl/Yimq7P0=
PublicExponent: AQAB
PrivateExponent: j4wouj+su7CkwDuNiVU4cATayK5liYsQgQghe9j+t9QJlXFgE0c5xAqyS7c8Xp3KfL4OPdxEZcYPTurxSkHXc1AYbKl+/E1XyKy3a9EqUhrsrPOsYRVzgDdwa35xZt2rgtIwzdAI5CuDmNf7P+Nvfz4FCLosA+dBdx5tIw/magE=
Prime1: +YVwNunBVvqaBtajhYn2Zipr1II3vBJZ0Z6cAnvcTTAXRpLQUc114J0F7BG5hBDjBflxcAXYDofJTcMyLGnrkQ==
Prime2: 1VmFgE2ilWFSBa6KxmhxHCSA/H0MSUWxgx0iuICXVOEv6gR/PIPL0LgLAaqYPeY7QSW1M9xUwvjUCcOxnPT8rQ==
Exponent1: PG0bOsErKCQyLtvF5+38NMurJ2CNnMcY51Gw2E0kkbDGwjmFp3nJRSbhq0Szl477W5QH66gOpZ4umt1dhjH0cQ==
Exponent2: lsO0O36hLb6gH7PADYUwqRqCq+oSDJVbY7PrHUaBqlGXcl/LKhBYrx3faUYMX3Ga3eavrf49R6pe7KeFk8zr4Q==
Coefficient: XpT5SguN1q6cDds4RIiGmLAWu/l/nX6W/UMFoHuhlhIkSJalOdHR6AhYEt3U35wKDI6EZ5Vc0V1NMlpwMIBdaA==
Created: 20100224054203
Publish: 20100224054203
Activate: 20100224054203

Kexample.com.+005+16296.private

; This is a zone-signing key, keyid 65475, for example.com.
; Created: Tue Feb 23 22:42:21 2010
; Publish: Tue Feb 23 22:42:21 2010
; Activate: Tue Mar 30 23:42:21 2010
example.com. IN DNSKEY 256 3 5 AwEAAZmwk+tNBPHOtnGOEstAIec212BB8ocsaDu2ZCQy8VOTK6L/mWJE oAriM6qEbLlyYBJJwX23kW2sbSvQ4l0GgglLjn2E5v/AnuL8usrfav+6 LFUb+gaIbwx1ilurDL2khTjp7uNWtY7UPZcnxymunyO/S8B34aHNstAV NYdZ09at

Kexample.com.+005+65475.key

Private-key-format: v1.3
Algorithm: 5 (RSASHA1)
Modulus: mbCT600E8c62cY4Sy0Ah5zbXYEHyhyxoO7ZkJDLxU5Mrov+ZYkSgCuIzqoRsuXJgEknBfbeRbaxtK9DiXQaCCUuOfYTm/8Ce4vy6yt9q/7osVRv6BohvDHWKW6sMvaSFOOnu41a1jtQ9lyfHKa6fI79LwHfhoc2y0BU1h1nT1q0=
PublicExponent: AQAB
PrivateExponent: SyhX3dzHSzzsaXGx7SVKrxhZkOAPK11jB7h1FmK3M0ioMUjPiIfIwCnIXF3wEWxGYQsijUkk3D5TEPdQi29wTTtd1bWv+xKl2KjWbxPsiiq/mocBGrMbvLE73agKymeAax/TuQycp6nElLwVeL4h//2pNaUD3OVjeDt9Lz3XqV0=
Prime1: xx7dT7Al1arx+dqGIJy/q7EU4/kdYqNNofcjivKfbVhZMMZw4t2cSvhtTayTlUXxqhELTq3ofqCTCZTZy2YuQw==
Prime2: xZd78nymeLZkqy12h7208oCLZxxBVsHl6S1yrS2tL68mQNjyIFd+cEhQjCIzNq565ObXdWjHglV1ZDd3GHUwTw==
Exponent1: W2OIEa33/3Qg8RrhmpA2zFdPDj7kxMPMurySHJC0qVv2O5OodgdeV25jxFWjusxKWVLPTMI2xf9u3OPrfhYcvw==
Exponent2: EDxPQfB+GUMbaHlW2PZ8jMSFL9bBg6hxBMToPFSZe2aP5RouYvvtdrpqa+lPffm+PVq+b3ZJlmsBN1fbYFYYvw==
Coefficient: lFwSpG3CPyywZBbqloaamoYsD2Tn6/WaG72zneUzWtMNEeUT6KQnwCnt+PJfg9wUx5+iIJYpk2P6u8l4euGzFw==
Created: 20100224054221
Publish: 20100224054221
Activate: 20100331054221

Kexample.com.+005+65475.private

Next, a KSK needs to be generated so that the zone's DNSKEY RRset, and with it the ZSKs, can be signed. The KSK is the key the parent's DS record refers to, so it is generated in the same way as the ZSKs but should be stronger. NIST recommends that KSKs be 2048 bits in length:

-bash-4.0$ dnssec-keygen -r /dev/urandom -f KSK -b 2048 example.com
Generating key pair..........+++ .............+++
Kexample.com.+005+16528

NOTE: -b 2048 is not strictly required here; in BIND 9.7.0 it is the default key size when -f KSK is given (ZSKs default to 1024 bits).

The above command will generate our KSK key pair with the following content:

; This is a key-signing key, keyid 16528, for example.com.
; Created: Thu Feb 25 11:07:54 2010
; Publish: Thu Feb 25 11:07:54 2010
; Activate: Thu Feb 25 11:07:54 2010
example.com. IN DNSKEY 257 3 5 AwEAAaRnD68SVROkvuQ5Qez1LMGqciUJ5aVnzmrVLjtYUXg1XVT7HQKw KR77YDE+TxaKDJH32kn8cfwPSb6k/iPynKnmcH02ynBUqMxYj+x0RyaP lKrC7GBjC2x56bpleJFEqcq5YVUBaVPsPk8Gge9wf5vdLhmBzOH6DuDd LGB6VrcdTQdBHInVlAuXjQ31OObAkEbuMyfpGUoU0TGoD/nhYoALLMzj WkBAkFCXnKsgT51hPBSG4SzmHSOSqkp4JvpawYRWL7BIVTZQ84Tb8m0F umFrbzzJXR8IT6O0sHS3d5nw75m5OQaZ22WtHV0qfuLtKCAQP4P992jA b6YdVbwFg8U=

Kexample.com.+005+16528.key

Private-key-format: v1.3
Algorithm: 5 (RSASHA1)
Modulus: pGcPrxJVE6S+5DlB7PUswapyJQnlpWfOatUuO1hReDVdVPsdArApHvtgMT5PFooMkffaSfxx/A9JvqT+I/KcqeZwfTbKcFSozFiP7HRHJo+UqsLsYGMLbHnpumV4kUSpyrlhVQFpU+w+TwaB73B/m90uGYHM4foO4N0sYHpWtx1NB0EcidWUC5eNDfU45sCQRu4zJ+kZShTRMagP+eFigAsszONaQECQUJecqyBPnWE8FIbhLOYdI5KqSngm+lrBhFYvsEhVNlDzhNvybQW6YWtvPMldHwhPo7SwdLd3mfDvmbk5BpnbZa0dXSp+4u0oIBA/g/33aMBvph1VvAWDxQ==
PublicExponent: AQAB
PrivateExponent: UIlwZHpdlR7qqNDn29YLk+AUxNJBXrMoqqs+V7IfTv0NeLj/cDauHlBUwirdAZSlLci2dfImQK2Ymb0oBqIuXwjVaHGz4C2I93oXH2WjCV/jG3gb5ef/S6e5eSeGVdvGNdp0tPjZCVS8/WeZtZtt2AQVNkeg/77JFR0kRSsJWfBGichskG69Rb/2XMtgtJgzEnQs3d63jYu78P3FEiCn3OGWh9GMqQh8w9LjQUHOf/r3DbG6R5TKZ5QIM0NGEPGd8YEHVMl0T8KSacW8qOeirVy86d5Q7RidQIS+5zAEBH8tLFVxF8WvuCo3n9jd0qE6TG4AsiC0oDvGCfI2X5F0LQ==
Prime1: 1UqgdBMXvb0cP3ee8vk/xHLTJFgdvYPPlPPAJcO2torkEPUB5wHVciSzeJIlHMeKQTBVaqZdOgCqiJFC21VNMnY77eKaJPsmT//HXDVSVI1Vi7nsoCudr1ydka1XEQTI3MdDUM4Y7GotLwqxXPN7VbMtlqpGIivT8enqXsVM1Es=
Prime2: xVJgYtyCWsvBuBiBBFPEsCd0SFOc+KhZry/Vm0FnbKgzn9jOE/GhFBL3vXUL8hDHVcmwnzi1ovO20LkPlaf5UnYAepxKzT4BlICbHCQZRlsSPhK7exmA0o06asMUTgTme77pa7ENyZQOP+jxikTeL92Prs5N6RXZS8Pug8aFXi8=
Exponent1: HSGXLqNY78I/dG+rFvZx/ivMqL8cOMEi/e4YxU+oyd/IbIR6IQoAFBntJT+YsAiU2nh2gh18yCpFIGfuoLRS2dyKLOBxOzHONsjxeqeRuhifoXjgV7P9UnEs2DO7m4hywqy4hfXQM6IAz9b/CHn802SoilZxQ8OGrBjNuOnrp2c=
Exponent2: JZNKR4k2SZQDj8saxngtPF5HBn7lpXRpn7K8OpR53XcqXYYruCCLTAdQpgNkAvSvAOcneyqRbDZ82cJj9VvHXqyZ6r9Yfz0Pj/ftka5OIde14Zwvl4GDxpSeSzZa54CHY4k3agqNVZWcIQ9675mtte+7LM6ch4Zhmsv036MuQoE=
Coefficient: M9xTJuWxyanPu5rq5YOnT3XqlgJHLxLuBUCgYEuH9yJq9c/1nc3d+rGZol+4Bbf4QIJ3mU+QIgScXBEea3GnTajToWqDJtAslW+8/3B4pDR3SWuNChFThUXpEc4QzENJk1RnigpHJ6KGkNYeJaCqg4Sz63OjBtECTGrknzKL0oI=
Created: 20100225180754
Publish: 20100225180754
Activate: 20100225180754

Kexample.com.+005+16528.private
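As an added check, not part of the original article or of BIND itself, the following Python verifies that a .key/.private pair generated above actually belong together: it parses the DNSKEY record from Kexample.com.+005+16296.key, recomputes the RFC 4034 key tag (which is the keyid BIND prints and embeds in the K<zone>.+<alg>+<keyid> file names), splits the RFC 3110 RSA public key field, and compares its modulus with the Modulus field of Kexample.com.+005+16296.private. The key material is copied from the listings above; everything else is example code.

```python
import base64
import struct

# Added example for this article (not code from the original page or from BIND):
# cross-checks a dnssec-keygen .key/.private pair.
#
# DNSKEY record copied from Kexample.com.+005+16296.key above.  BIND writes the
# base64 in space-separated chunks; the whitespace is not significant.
ZSK_16296_DNSKEY = (
    "example.com. IN DNSKEY 256 3 5 "
    "AwEAAc/zR+EVRV9HHwPCVIA4JPg+WinKZAAYDL5z/sFFL8OgN6UR6anB "
    "349k8SR++17Okl8GLG6EeMqBUaY+M6MIp/yZeU+h0w9t5hLqbsZ/Iuga "
    "xQhu0JMG3R+4DwM3jPuHAnpJSJY6BJf00/tPXDYLkgA//kcvQBlHxvRZ "
    "f2Ipquz9"
)
# "Modulus:" line copied from Kexample.com.+005+16296.private above.
ZSK_16296_PRIVATE_MODULUS = "z/NH4RVFX0cfA8JUgDgk+D5aKcpkABgMvnP+wUUvw6A3pRHpqcHfj2TxJH77Xs6SXwYsboR4yoFRpj4zowin/Jl5T6HTD23mEupuxn8i6BrFCG7QkwbdH7gPAzeM+4cCeklIljoEl/TT+09cNguSAD/+Ry9AGUfG9Fl/Yimq7P0="


def parse_dnskey(text):
    """Parse a DNSKEY RR in presentation format into (flags, protocol, algorithm, public key bytes)."""
    fields = text.split()
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
    public_key = base64.b64decode("".join(fields[i + 4:]))
    return flags, protocol, algorithm, public_key


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """Wire-format RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, then the key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """Key tag from RFC 4034 Appendix B: this is the keyid BIND prints and embeds in
    the key file names (valid for every algorithm except the obsolete RSAMD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += (byte << 8) if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def rsa_public_key(public_key):
    """Split an RFC 3110 RSA public key field into (exponent, modulus) integers.
    A first byte of 0 means the exponent length is carried in the next two bytes."""
    exp_len = public_key[0]
    pos = 1
    if exp_len == 0:
        exp_len = struct.unpack("!H", public_key[1:3])[0]
        pos = 3
    exponent = int.from_bytes(public_key[pos:pos + exp_len], "big")
    modulus = int.from_bytes(public_key[pos + exp_len:], "big")
    return exponent, modulus


def check_key_pair(dnskey_text, private_modulus_b64):
    """Cross-check a .key file against its .private file: computed key tag, whether
    the key is a KSK (SEP bit set), algorithm, RSA exponent, modulus size, and
    whether the public modulus equals the private file's Modulus field."""
    flags, protocol, algorithm, public_key = parse_dnskey(dnskey_text)
    exponent, modulus = rsa_public_key(public_key)
    private_modulus = int.from_bytes(base64.b64decode(private_modulus_b64), "big")
    return {
        "key_tag": key_tag(dnskey_rdata(flags, protocol, algorithm, public_key)),
        "is_ksk": bool(flags & 0x0001),  # SEP bit: flags 257 for a KSK, 256 for a ZSK
        "algorithm": algorithm,
        "exponent": exponent,
        "modulus_bits": modulus.bit_length(),
        "modulus_matches_private": modulus == private_modulus,
    }


if __name__ == "__main__":
    print(check_key_pair(ZSK_16296_DNSKEY, ZSK_16296_PRIVATE_MODULUS))
```

If the modulus does not match, or the computed tag differs from the keyid in the file name, the .key and .private files have been mixed up or damaged and the pair cannot be used for signing. The same key_tag function applied to a DNSKEY fetched with dig tells you which on-disk key pair a published record belongs to.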

Assume that our zone file for example.com is aptly named "example.com" and is located in /var/named/dynamic/example.com on our server (the file and key-directory paths in the zone statement are relative to the named directory option, /var/named here). It is very important that file ownership and permissions are set and maintained correctly on the zone file and the key files. If named runs as the user "named", that user must be able to read the .key and .private files and, because the zone is dynamic, write both the zone file and its journal (example.com.jnl) in the same directory; otherwise signing operations will fail. The .private files should be readable by that user only. Here is a copy of the unsigned zone file:

example.com
$TTL 86400
$ORIGIN example.com.
@     IN     SOA    dns1.example.com.     hostmaster.example.com. (
                    2001062501 ; serial
                    21600      ; refresh after 6 hours
                    3600       ; retry after 1 hour
                    604800     ; expire after 1 week
                    86400 )    ; minimum TTL of 1 day

      IN     NS     dns1.example.com.
      IN     NS     dns2.example.com.

      IN     MX     10     mail.example.com.
      IN     MX     20     mail2.example.com.

             IN     A       10.0.1.5

server1      IN     A       10.0.1.5
server2      IN     A       10.0.1.7
dns1         IN     A       10.0.1.2
dns2         IN     A       10.0.1.3

ftp          IN     CNAME   server1
mail         IN     CNAME   server1
mail2        IN     CNAME   server2
www          IN     CNAME   server2


Once named is running with the unsigned zone loaded, you can sign it with rndc as follows (rndc sign requires the zone to have auto-dnssec allow or maintain and to accept dynamic updates):

rndc sign example.com

When this command runs, named reads our newly created keys from the key-directory, adds to the DNSKEY RRset every key whose Publish time has passed, and signs the zone with every key whose Activate time has passed. Since the zone is configured for local Dynamic DNS updates (update-policy local), the signing is applied as a series of dynamic updates: a DDNS journal file (example.com.jnl, next to the zone file) is created containing all the RRs that were added during signing, and the on-disk zone file is rewritten only when named next dumps the zone (periodically, or immediately on rndc freeze, which must be followed by rndc thaw to re-enable updates). The journal is not human readable, but it can be parsed with the BIND-provided utility named-journalprint. The syntax is:

named-journalprint <jnlfile>

If you run that command on the example.com.jnl file, you will see all the dynamic updates that were injected into example.com during signing. Our zone example.com has been fully signed automatically through local dynamic DNS updates. Below is a copy of a signed version of the zone. Note that this listing was produced with dnssec-signzone (see its header) using a different key pair, key ids 42423 and 50902, than the keys generated above, so it illustrates what a signed zone looks like rather than the exact output of this run; the zone named builds after rndc sign carries the same DNSKEY, RRSIG and NSEC record types, signed with keys 16296 and 16528, plus the pre-published DNSKEY 65475:

example.com.signed
; File written on Thu Feb 18 18:00:24 2010
; dnssec_signzone version 9.7.0
example.com.        86400    IN SOA    dns1.example.com. hostmaster.example.com. (
                    2001062501 ; serial
                    21600      ; refresh (6 hours)
                    3600       ; retry (1 hour)
                    604800     ; expire (1 week)
                    86400      ; minimum (1 day)
                    )
            86400    RRSIG    SOA 5 2 86400 20100321000024 (
                    20100219000024 42423 example.com.
                    LZwIE1g0QrETz4hzi+JBfzVEF95Q21KA3UEK
                    MQDe1fnl8ifsvtck5RNLHJjFXyWLf4C/JD8K
                    CU+bj3phXs8miMZ+vqUZhhyXgKwvnGW9lR9T
                    ilrdbovvOROSzXndImIx79IT0DbjhqgVxdmb
                    ETSBm8alCYROqUnC64G5qW0dGUQ= )
            86400    NS    dns1.example.com.
            86400    NS    dns2.example.com.
            86400    RRSIG    NS 5 2 86400 20100321000024 (
                    20100219000024 42423 example.com.
                    ndVpip6QHKtQ25YxBucSomtuGc96Y2u1RLua
                    RjiT7gq/P8dI/NiNf/rGCz36IN5uXgib50Xy
                    sB+F6hjpAm2zId4K+QRfcMfebn7rAsv7Qm1h
                    0frmeDKlPWMpY0EEFBLPOTcOa5AvimR4UWOB
                    mEaf8Kj8wXRxZxVhj8sH41nEqBg= )
            86400    A    10.0.1.5
            86400    RRSIG    A 5 2 86400 20100321000024 (
                    20100219000024 42423 example.com.
                    fpJiV2HisQiCgGlC1C3vGYDjJHsP5yKSj50x
                    3w/LaDqCmrAXUPTSITLCQbSnqs8Bw+Dcwez+
                    3Uyib75Nwfokta2BnUZezIN0rANZjxBZfIPF
                    fKh261oHz4ET9mAYGidAQJYT/53Ob6TWC0JA
                    iuznANEd3fNO6zGTJPVVeM2y/E8= )
            86400    MX    10 mail.example.com.
            86400    MX    20 mail2.example.com.
            86400    RRSIG    MX 5 2 86400 20100321000024 (
                    20100219000024 42423 example.com.
                    a9YUMpKz443D9ilMz1zZttxDbHE14tmo92a3
                    NobnFtCChptw01YKqPbyawhDHzeSrDMAMxT0
                    JrX8GgzWzx913JJj5cY0cPk6t47aglXgicdf
                    xsTotEEa/rQPfDFWCI+afdVqsIjNzl2DPMUq
                    jTzaGYyX+qoKG3tbmqRyNnarweY= )
            86400    NSEC    dns1.example.com. A NS SOA MX RRSIG NSEC DNSKEY
            86400    RRSIG    NSEC 5 2 86400 20100321000024 (
                    20100219000024 42423 example.com.
                    W7iA7Foe5bItestFr2xZL5DLddn0zxvlLFxm
                    CEb6JHnme9kOj64j4uNtFneLNSU4/2Im8TOH
                    D+A0z6yxAfcG5NkF/yXCL9TYdNSni4GHF+4n
                    mhoFXFDjOaleklcPZu7IMuMnQpQnjRz/KLM0
                    cmE+pVikzoMDyqmBsqI16ehZ6WI= )
            86400    DNSKEY    256 3 5 (
                    AwEAAbtI3Z35x8ITxyQvJeKR9n/RHux9qgQv
                    uOEAcK9nCUGAnrFNvmYKXyM5wrRkcKISXXOX
                    FCKi+gXcFD8xqQIjV4pNOiVV2dExA1PAGHQ9
                    Fhq94EBR2+E6pGjUNLuMpEVRw2i827+t25xx
                    zHRciXu1BHpR3CmO2742FDh1SPAbHRVn
                    ) ; key id = 42423
            86400    DNSKEY    257 3 5 (
                    AwEAAdGspfp/owPm884YyM2pI23NMYSjBIFL
                    CdjscwRjHgWqJsmn97FDugp2ktHT6S31v+7t
                    5jADegYx0/PKW5TPvogEhCFxpa2fh/jDnskw
                    1iqNvFkiCc9FQ4OhdYQ2GMDHYiU/C0tDgfv3
                    JWMdAfxcc+Iu6zkKgVFo5TMactHYsG4kUsYu
                    Omjaj3XjBtVZYfx1yqzcfZgUj7Lqg63zP4Mo
                    nnLsoQyb7QmQy0De50P2n82lsDybozUtBZJL
                    +96jJOlXok8i+kL4MQsGRhaBd/YJpABgbwsr
                    QAwJpfIuOJ2atEUxe5BdHGf+2h+Cv4Tj8Ebi
                    52iUW7sVa0kWfAayoNHD3BU=
                    ) ; key id = 50902
            86400    RRSIG    DNSKEY 5 2 86400 20100321000024 (
                    20100219000024 42423 example.com.
                    k/B1QV/1sNeHb9SyGTYKnS0xTu5fJLsNR1bv
                    U8cL9x9EE9uTxAtGMiCA7m6aCt6AUv1/yKiW
                    L8niQZk+/x/oTgjKi0YTyttySu/d6lwKrU0i
                    gsaP41JJyXWRNFvJ7DSK9mJ+ZcOScsIG0vGR
                    2phf0LOF4tBx1WUzahOjE7K6/gQ= )
            86400    RRSIG    DNSKEY 5 2 86400 20100321000024 (
                    20100219000024 50902 example.com.
                    NyA5VgoIQOpJGyQREOPi+yhmUKZojLpkhBRE
                    0Ey+5qOru3xyH7H7KH7NSGDsqu6lV922/2bP
                    aoR6S2HoYHngbWLkQ8rzbChIhMgx/MG6G8Nh
                    Su++aIdlKbyh36ovDSuWOjTJdKfV8sXDF6TY
                    NfLvaeAEGaJkMU1hwMO+BDIP4kDhdABVj2S5
                    m4sfcwsabXsEy4Fa8WFG6awPQWlvSH/YnFks
                    lERagOKcWzjF8XhD3dc2QDN3TdVtKB4pzSq3
                    v4qDs3E+ckEXILfViGSoouM99mx/FD9yrHtb
                    67oflx1gsS621XT5kin9GZ4sSLLlIYyJ4tzi
                    OSjW4EByuuSyXpo9eA== )
dns1.example.com.    86400    IN A    10.0.1.2
            86400    RRSIG    A 5 3 86400 20100321000024 (
                    20100219000024 42423 example.com.
                    eyNkf6ms+WQO69I73UZRG/42HG26Ub+YHyc9
                    MLO50Uhca48C61+zHLUUoZ2J3bndtwak1AaE
                    HtA39mxdMIbMwpxzLhfLERnIFxVHPy8fv9fh
                    OeJrgAM5xgdbmfx6mX2lcsmICc8Honnjpykh
                    CAJ4Q9U8mtTfoUjOgZr0kgDYxng= )
            86400    NSEC    dns2.example.com. A RRSIG NSEC
            86400    RRSIG    NSEC 5 3 86400 20100321000024 (
                    20100219000024 42423 example.com.
                    Qi/nkYVWtzrGJB7hrfgSEiKf5xAh/wlky63k
                    tiWM6hKQn3KdRhpItkE90jdk3G7yxb2WnwbN
                    QkpEt9PWPdVA4rgXjwP3IyQMACNp6dptgw+r
                    puTTpCVi9oVxhYf8qBl0FAHZ0uKqpCnsHD9g
                    Vh+AwiN4lZ7Ilc/v8tV8LeVB37Y= )
dns2.example.com.    86400    IN A    10.0.1.3
            86400    RRSIG    A 5 3 86400 20100321000024 (
                    20100219000024 42423 example.com.
                    ToToN/WrDUrxR0flEdWuEIdb5UB+EVDeBesm
                    SeoVs4qcui15NZR541GQiTn/UiO0h202dZgv
                    ldikkpXznrnOEbRvArYUr78adwm5D1Y23eG/
                    5lNhGZ6pexp9gHdT/nK+1dUYhtN+vwckTqS0
                    XJosXAIp4VzjCXJYDOsB4OmLm0o= )
            86400    NSEC    ftp.example.com. A RRSIG NSEC
            86400    RRSIG    NSEC 5 3 86400 20100321000024 (
                    20100219000024 42423 example.com.
                    nRySPk7tp54M3LxDbwWZXXs85RUBgLt6biGc
                    mZJhVd+hvpLwEr58viUPQYtz87vLQVrcRycQ
                    MZ4B+dT/FMYz1MQCfz4mr+TTNDaiyJu4CHpF
                    OBofdmaU8546IwpbnY43cok/YM0fPbdkGuUE
                    b4ecWZ6UFGiiz7MWBN0J8gbkCW4= )
ftp.example.com.    86400    IN CNAME server1.example.com.
            86400    RRSIG    CNAME 5 3 86400 20100321000024 (
                    20100219000024 42423 example.com.
                    Ly4DzMo6IWleSSSG1KGLqOPEUKpD5OjSOGeg
                    sVO2lCRil0tHJX8+q8iudWjQn1crFyizBgUg
                    VTIedNc1ciDiKHbD/EKxWKyvUPkJGlMRC+k7
                    OM5Ky4fKOWWl8Us6+qoQ+4r8mMZvb6q2Y4IW
                    YVO1uq4CGo7BqfRGNTDGD5RHgqE= )
            86400    NSEC    mail.example.com. CNAME RRSIG NSEC
            86400    RRSIG    NSEC 5 3 86400 20100321000024 (
                    20100219000024 42423 example.com.
                    lqSRczctTIsGAug9U6i44zCKarAawak5pq78
                    EWphc+CAf4G4Ge0hmfgcJIrjOKbwhhUb/gyR
                    U7rVm4c5r5kiv3FxYsSdjs+iT7NI3jNCtebB
                    rKkga6hwDq80y8lLlvbdJCLQNh0GOHOvGPiE
                    rQdKgvc9oSS1yi579+sK3K9ZEOM= )
mail.example.com.    86400    IN CNAME server1.example.com.
            86400    RRSIG    CNAME 5 3 86400 20100321000024 (
                    20100219000024 42423 example.com.
                    tDk335Prbd32ey6o9yK7bgawXBaIplnjhxbY
                    XwSaI2jwNXfhSx2KCjFTH2G5f3jnsLZjGEv5
                    qCTq+l9It+AhQ3A/N4aYGd+HqSDe8Q8h26I8
                    ZCiIF8pdqxw87Os0YfhYT6Yt7eiSwAnSatPp
                    Fiqh33IUkY1zPRr2RpB+Q3NZLAk= )
            86400    NSEC    mail2.example.com. CNAME RRSIG NSEC
            86400    RRSIG    NSEC 5 3 86400 20100321000024 (
                    20100219000024 42423 example.com.
                    DNdfXurv1iY1WcrEelg692AfIvKToPVF84cx
                    WVqoe0x1stwDXau/VY9p7epkmh/O9XmWZtvS
                    yx4Cfsdsg5lam3kz5wSvH9tiDliOrWNx0nVQ
                    zmO4vLqmjidV9IUJA154+cmWS4b4EkylIyPx
                    YUfZ4tGimz5tGal9Rt9hBRVkEDY= )
mail2.example.com.    86400    IN CNAME server2.example.com.
            86400    RRSIG    CNAME 5 3 86400 20100321000024 (
                    20100219000024 42423 example.com.
                    GadhrIlp+VPgquVC/I2CHC54fG9UUUT3hBOu
                    rfIUMWotltF+VqPhKY5mrpJNgBSrnSkFCeR1
                    v5DB+UGoUlBgF4tKOHINnT/HuQ8JswbsYge3
                    xuhQYOowsXeVKXNYFJXnxLNij4uGiVOzu6PE
                    qMj4wglUiDMa6VV6eKGigaZE15Y= )
            86400    NSEC    server1.example.com. CNAME RRSIG NSEC
            86400    RRSIG    NSEC 5 3 86400 20100321000024 (
                    20100219000024 42423 example.com.
                    Ns6WkHNHt5PxpAvZbK0ObpqnorAtGOINeAlR
                    P8xgvBzbYvQ2m1mS4U8KNDwxmww6/h0RgQ4F
                    dL0x7vpBnARMwbEuoIyhnkm6RC1lVDyCrU3H
                    B89Lo2qV9XBlbpherrNOyK1fKw2qW0tKC896
                    vC2rWNKjhs2NCVY8b12Rv8FoMkY= )
server1.example.com.    86400    IN A    10.0.1.5
            86400    RRSIG    A 5 3 86400 20100321000024 (
                    20100219000024 42423 example.com.
                    grJaDiokDBV/AAANTgrYJDJ9A70NUmmg8WTY
                    juyirbwaFPK/FVDNAcntIOZd1gp+7/YKvLXz
                    kZsQBgheT7wT5QZEVydSBzZveDVS1m745ymR
                    JveeTBhv9nThYwSN9F2AB2hqsjC1PFOT573t
                    TpYN+aXE17ZVxHWnQyS1KUSK1DQ= )
            86400    NSEC    server2.example.com. A RRSIG NSEC
            86400    RRSIG    NSEC 5 3 86400 20100321000024 (
                    20100219000024 42423 example.com.
                    eGpy89iMu5pNB5jOi81MXIM2BtW3IfrGico3
                    OhsfTsKcWMtDYnUfAugIYDru1QYwAxf2xawA
                    TmgTpA1fsB2OIlZFe8GMfJmOQvFb11FUO5ru
                    +j4+dq1nmgeB4Bq/qOgoTm2xmtOppjwjNx/l
                    pb/kQTr5cWMEExCqWu/oyleiD8A= )
server2.example.com.    86400    IN A    10.0.1.7
            86400    RRSIG    A 5 3 86400 20100321000024 (
                    20100219000024 42423 example.com.
                    Z0/RlmpT85ODQnc4iJU7TGzF1s7F/d3s8O7E
                    eZtSgfXquAvi/bkUVVrokgkFOULy1ftl/w0F
                    dNsGAIE6x3sbe3XExPG3gHf7FMVUYQKY6E9D
                    gt54Yn4bzSuRLCFemOWyJ2c70kZLirXCg5QY
                    Q1YLV2ZODvujO9CWx8LC++09UDE= )
            86400    NSEC    www.example.com. A RRSIG NSEC
            86400    RRSIG    NSEC 5 3 86400 20100321000024 (
                    20100219000024 42423 example.com.
                    UzDwEI0Abznj2/4R77ljsd3L2lBbnQiMtJBd
                    0lVQytjlbHiQ/mYODOG8weQ1wdkoRFfHdu2R
                    uEvwvukl2s7C4Ok4e3emj2ThIE/yLDkzHMiY
                    DV3HAyZhE5IC/bYlILiM2LbgjCEFjf0mjYKD
                    JRtnxvW+VQr9eXoKsQHvsslqcrc= )
www.example.com.    86400    IN CNAME server2.example.com.
            86400    RRSIG    CNAME 5 3 86400 20100321000024 (
                    20100219000024 42423 example.com.
                    Ee5HMfeFKjecBCpUk3vQpzCgv3bRoW437AuE
                    7wQV40DYdQtC0KBoyTtV3kZJIoCt+8baMTu8
                    960AQuAdzxTiW5ZKat2al8AWEJ2EJynY0q/Z
                    r/1t55XCneX18pUqeMDk1W3sMbSocPMiPxVG
                    qI275pKF5iqzigtpgwncVIB5fVk= )
            86400    NSEC    example.com. CNAME RRSIG NSEC
            86400    RRSIG    NSEC 5 3 86400 20100321000024 (
                    20100219000024 42423 example.com.
                    isI/fdpyZ8TfV7oPDmEM5UXa3p0T4Fn8hzwG
                    E6ro3xoeKk8CzrjmLdC2r3G45jFpX3sUUrsz
                    a22XITWhGNCupEFs/wFlMJ09ILd401UY8IwE
                    iZp3o2m2prV8171MFJcgpwKXxBmzgjHRM7VD
                    PFTGQrvZaZFsx77PAz5iJkyObQ0= )
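
An added check on the listing above, written as example code for this edit and not taken from the article or from BIND: the NSEC records are the zone's proof of non-existence, so a signed zone is only as trustworthy as its NSEC chain. The Python below takes the nine NSEC records from the listing, sorts their owner names in RFC 4034 canonical order, verifies that each NSEC points at the next name and that the last one wraps back to the apex, and shows which NSEC a resolver would use to prove that a given name does not exist.

```python
# Added example (not from the original page or from BIND): checks the NSEC chain of
# a signed zone.  The records below are the nine NSEC RRs from the listing above,
# as (owner, next owner, type bitmap) tuples.
NSEC_RECORDS = [
    ("example.com.",         "dns1.example.com.",    "A NS SOA MX RRSIG NSEC DNSKEY"),
    ("dns1.example.com.",    "dns2.example.com.",    "A RRSIG NSEC"),
    ("dns2.example.com.",    "ftp.example.com.",     "A RRSIG NSEC"),
    ("ftp.example.com.",     "mail.example.com.",    "CNAME RRSIG NSEC"),
    ("mail.example.com.",    "mail2.example.com.",   "CNAME RRSIG NSEC"),
    ("mail2.example.com.",   "server1.example.com.", "CNAME RRSIG NSEC"),
    ("server1.example.com.", "server2.example.com.", "A RRSIG NSEC"),
    ("server2.example.com.", "www.example.com.",     "A RRSIG NSEC"),
    ("www.example.com.",     "example.com.",         "CNAME RRSIG NSEC"),
]


def canonical_key(name):
    """Sort key implementing RFC 4034 section 6.1 canonical DNS name order: labels are
    compared right to left as lower-cased unsigned bytes, and a name sorts before any
    name that has it as a suffix."""
    labels = name.rstrip(".").lower().split(".")
    return tuple(label.encode("ascii") for label in reversed(labels))


def verify_nsec_chain(records, apex):
    """Each NSEC must point at the next owner name in canonical order, the last one
    must wrap to the apex, and walking the chain from the apex must visit every
    signed name exactly once.  Returns (ok, list of problems)."""
    problems, by_owner = [], {}
    for owner, nxt, _ in records:
        if owner in by_owner:
            problems.append("duplicate NSEC at " + owner)
        by_owner[owner] = nxt
    expected = sorted(by_owner, key=canonical_key)
    if not expected or expected[0] != apex:
        problems.append("chain does not start at the zone apex")
    for i, owner in enumerate(expected):
        want = expected[(i + 1) % len(expected)]
        if by_owner[owner] != want:
            problems.append("%s NSEC points at %s, expected %s" % (owner, by_owner[owner], want))
    seen, cur = [], apex
    while cur in by_owner and cur not in seen:
        seen.append(cur)
        cur = by_owner[cur]
    if cur != apex or len(seen) != len(by_owner):
        problems.append("walking from the apex does not return there after covering every name")
    return not problems, problems


def nsec_covering(records, qname):
    """Owner name of the NSEC that proves qname does not exist, or None when qname is
    an existing owner name (then that name's NSEC bitmap answers whether a type exists)."""
    q = canonical_key(qname)
    for owner, nxt, _ in records:
        o, n = canonical_key(owner), canonical_key(nxt)
        if o == q:
            return None
        wraps = n <= o  # the last NSEC in the chain points back to the apex
        if (o < q < n) or (wraps and (q > o or q < n)):
            return owner
    return None


if __name__ == "__main__":
    print(verify_nsec_chain(NSEC_RECORDS, "example.com."))
    print(nsec_covering(NSEC_RECORDS, "nonexistent.example.com."))
```

A chain that fails this check (for instance after a record was removed by a dynamic update without its NSEC being regenerated) lets a validating resolver prove neither existence nor non-existence for part of the zone, which surfaces as SERVFAIL for those names.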


To this point we've shown how to perform "semi-automatic" DNSSEC Smart Signing on a zone. Next we'll demonstrate "fully-automatic" Smart Signing on the same zone. First, let's unsign the zone. If we add the dnssec-secure-to-insecure directive to the zone block for example.com and set it to "yes", we can unsign the zone with a local DDNS update that removes the DNSKEY records; named then removes the RRSIG and NSEC records as well. NOTE: if you are using NSEC3, you also need to remove the NSEC3PARAM record. CAUTION: on a production zone do this only after the DS record for the zone has been withdrawn from the parent and the old DS has expired from caches; while a DS is still published, an unsigned zone fails validation and becomes unreachable for validating resolvers. The update is done as follows:

nsupdate -l
> update delete example.com. DNSKEY
> send
> quit

Assuming no errors and $? evaluates to 0 after that command, the example.com zone should now be unsigned and back to its original state. A dig lookup with the +dnssec flag set should no longer return any DNSSEC-related records (DNSKEY, RRSIG, NSEC) from our server. To demonstrate "fully-automatic" Smart Signing, first stop the name server, then edit named.conf so that auto-dnssec is set to maintain. The zone block in named.conf should look like this:

zone "example.com" {
        auto-dnssec maintain;
        type master;
        update-policy local;
        dnssec-secure-to-insecure yes;
        file "dynamic/example.com/example.com";
        key-directory "dynamic/example.com";
};

When the name server is started, named searches the key-directory for DNSSEC keys (ZSKs and KSKs) belonging to example.com and, for every key whose Publish and Activate times have passed, publishes it and signs the zone with it at startup. With our keys, 16296 and 16528 sign immediately, while 65475 is placed in the DNSKEY RRset but does not sign until its Activate date five weeks later. This can be confirmed by using dig with the +dnssec flag to query our server for the SOA of example.com.: if the response carries RRSIG records, the zone has been DNSSEC signed. While running with auto-dnssec set to maintain, named periodically checks the key metadata and sets internal timers from it, so each Publish, Activate, Revoke, Inactive and Delete event is applied to the zone when its time arrives.

At this point it SHOULD be noted that in BIND 9.7.0 the name server will NOT automatically generate new keys; the code to do this (auto-dnssec create) has been stubbed out for a future release. named will ONLY add, retire and remove keys according to the -P (publish), -A (activate), -R (revoke), -I (inactive) and -D (delete) metadata embedded in the keys. The operator therefore remains responsible for generating a successor key with dnssec-keygen (or re-timing an existing one with dnssec-settime) before the last active ZSK or KSK reaches its Inactive time; otherwise the zone can no longer be re-signed and its signatures will expire, at which point validating resolvers return SERVFAIL for the zone.
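To make the metadata-driven behaviour concrete, here is an added Python example (not from the original article or from BIND's source) that evaluates key timing metadata the way auto-dnssec maintain applies it. The two ZSK metadata blocks are copied from the .private files above; the Inactive and Delete times on key 16296 are an assumption for this example, representing what an operator would set with dnssec-settime to complete the pre-publish rollover. The last function finds the first date on which no key would be active, which is exactly the situation BIND 9.7.0 cannot repair on its own.

```python
from datetime import datetime, timedelta, timezone

# Added example (not from the original page or from BIND): evaluates key timing
# metadata the way auto-dnssec maintain does, to show which keys named would
# publish and sign with at a given time.
#
# Metadata lines as they appear at the end of the two ZSK .private files above.
# The Inactive and Delete lines on key 16296 are an ASSUMPTION for this example,
# as if set with: dnssec-settime -I 20100331054221 -D 20100430054221 Kexample.com.+005+16296
ZSK_16296_PRIVATE = """\
Private-key-format: v1.3
Algorithm: 5 (RSASHA1)
Created: 20100224054203
Publish: 20100224054203
Activate: 20100224054203
Inactive: 20100331054221
Delete: 20100430054221
"""
ZSK_65475_PRIVATE = """\
Private-key-format: v1.3
Algorithm: 5 (RSASHA1)
Created: 20100224054221
Publish: 20100224054221
Activate: 20100331054221
"""

TIMING_FIELDS = ("Created", "Publish", "Activate", "Revoke", "Inactive", "Delete")


def parse_private_metadata(text):
    """Return {field: datetime in UTC} for the timing lines of a .private file.
    Timestamps are YYYYMMDDHHMMSS in UTC (compare the Created lines above with
    the local-time comments in the corresponding .key files)."""
    meta = {}
    for line in text.splitlines():
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if name in TIMING_FIELDS and value:
            meta[name] = datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return meta


def key_state(meta, now):
    """State of one key at 'now': unpublished; published (in the DNSKEY RRset but not
    signing, i.e. pre-published); active (signing); inactive (retired, still published);
    revoked (published with the REVOKE bit, RFC 5011); or deleted."""
    if "Delete" in meta and now >= meta["Delete"]:
        return "deleted"
    if "Publish" not in meta or now < meta["Publish"]:
        return "unpublished"
    if "Revoke" in meta and now >= meta["Revoke"]:
        return "revoked"
    if "Activate" not in meta or now < meta["Activate"]:
        return "published"
    if "Inactive" in meta and now >= meta["Inactive"]:
        return "inactive"
    return "active"


def signing_plan(keys, now):
    """keys: {key tag: metadata}.  Returns (tags in the DNSKEY RRset, tags that sign).
    Simplification: a revoked key is listed as published but not signing, although
    per RFC 5011 a revoked KSK must still sign the DNSKEY RRset."""
    published, signing = [], []
    for tag, meta in sorted(keys.items()):
        state = key_state(meta, now)
        if state in ("published", "active", "inactive", "revoked"):
            published.append(tag)
        if state == "active":
            signing.append(tag)
    return published, signing


def first_signing_gap(keys, start, end, step=timedelta(days=1)):
    """First time in [start, end) at which no key is active, or None.  BIND 9.7.0 will
    not create a successor key by itself, so a gap means the operator must run
    dnssec-keygen (or dnssec-settime on an existing key) before that date."""
    t = start
    while t < end:
        if not signing_plan(keys, t)[1]:
            return t
        t += step
    return None


if __name__ == "__main__":
    keys = {16296: parse_private_metadata(ZSK_16296_PRIVATE),
            65475: parse_private_metadata(ZSK_65475_PRIVATE)}
    for day in ("2010-03-01", "2010-04-01", "2010-05-01"):
        now = datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc)
        print(day, signing_plan(keys, now))
```

Run against the two ZSKs, the plan shows both keys published from 24 February 2010, only 16296 signing until 31 March, only 65475 signing afterwards, and 16296 gone from the RRset after the assumed Delete date; adding an Inactive time to 65475 without generating a third key makes first_signing_gap return that date, which is the check worth running from cron on a 9.7.0 server.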

In conclusion, while BIND 9.7.0 does not yet fully automate ZSK and KSK rollovers, a tremendous amount of work has gone into BIND to ease the burden on DNS operators of configuring and maintaining DNSSEC. It will be exciting to see automatic key generation and further rollover support make their way into future releases of BIND.

Resources

NIST Special Publication 800-81r1, Secure Domain Name System (DNS) Deployment Guide

BIND 9.7.0 Administrator Reference Manual, Internet Systems Consortium (included in the BIND 9.7.0 distribution)