Automatic Key Management


Automatic Key Management

Mark Elkins
With BIND version 9.12 coming out - I'm wondering if I've missed any
announcements on some form of Automatic (DNS)Key Management?
Something that will create and retire keys according to some sort of policy.

Does anyone have nice and up-to-date cheat sheets of the easiest way to
do DNSSEC with BIND?  That is, using the latest features of BIND. I'd
assume that to be something along the lines of
https://kb.isc.org/article/AA-00711/205/In-line-Signing-With-NSEC3-in-BIND-9.9-A-Walk-through.html
but newer.


--
Mark James ELKINS  -  Posix Systems - (South) Africa
[hidden email]       Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

Re: Automatic Key Management

Tony Finch
Mark Elkins <[hidden email]> wrote:

> With BIND version 9.12  coming out - I'm wondering if I've missed any
> announcements on some form of Automatic (DNS)Key Management?
> Something that will create and retire keys according to some sort of policy.

See dnssec-keymgr (new in 9.11) which will automate ZSK management.

KSKs are still difficult. I don't know of any nice software for pushing
delegation updates through registrars. It's a fairly tedious business
because in many cases you'll need to talk to several different parents so
you have to write the same code in several different ways. Even the good
APIs (Gandi, RIPE) have murky corners (EPP itself is a movable feast), and
sometimes you may be stuck without an API and reduced to scripting
PhantomJS or something similarly horrible.

Tony.
--
f.anthony.n.finch  <[hidden email]>  http://dotat.at/  -  I xn--zr8h punycode
Portland, Plymouth: Northwest 5 or 6, occasionally 7 at first, then decreasing
4 at times. Very rough at first in southwest Plymouth, otherwise moderate or
rough becoming slight or moderate. Thundery showers. Good.

Re: Automatic Key Management

Mark Elkins
On 14/09/2017 16:55, Tony Finch wrote:

> Mark Elkins <[hidden email]> wrote:
>
>> With BIND version 9.12  coming out - I'm wondering if I've missed any
>> announcements on some form of Automatic (DNS)Key Management?
>> Something that will create and retire keys according to some sort of policy.
> See dnssec-keymgr (new in 9.11) which will automate ZSK management.
>
> KSKs are still difficult. I don't know of any nice software for pushing
> delegation updates through registrars. It's a fairly tedious business
> because in many cases you'll need to talk to several different parents so
> you have to write the same code in several different ways. Even the good
> APIs (Gandi, RIPE) have murky corners (EPP itself is a movable feast), and
> sometimes you may be stuck without an API and reduced to scripting
> PhantomJS or something similarly horrible.
>
> Tony.

Thanks Tony.

I've been experimenting. I'm also a Registrar for South African domains,
running EPP including DNSSEC extensions.

Couldn't find a full example /etc/dnssec-policy.conf
so came up with:-

policy default-dnssec {
    algorithm ECDSAP256SHA256;
    pre-publish zsk 1w;
    pre-publish ksk 1w;
    post-publish zsk 1w;
    post-publish ksk 1w;
    roll-period zsk 4w;
    roll-period ksk 52w;
    coverage 190d;
};

zone smtp.co.za {
    policy default-dnssec;
    directory "/etc/bind/smtp.co.za";
};

Not completely sure if what is above is completely sane. :-)
I'm playing with a zone called "smtp.co.za". This is on a stand-alone
test machine. The test entry in my named.conf looks like...

zone "smtp.co.za" {
        type master;
        file "smtp.co.za/db.smtp.co.za";
        key-directory "smtp.co.za";
        inline-signing yes;
        auto-dnssec maintain;
        update-policy { grant ddns-key zonesub ANY; };
};

When run, dnssec-keymgr completely ignores ECDSAP256SHA256 and uses RSASHA256 (the default if no algorithm is specified).
I created ECDSAP256SHA256 signatures by hand and reran dnssec-keymgr. It simply creates two more RSASHA256 keys as if there were no keys.

I'm not a python programmer and was somewhat lost when looking inside dnssec-keymgr. Stumbled into /usr/lib/python3.4/site-packages/isc/keymgr.py, found mention of ECDSAP256SHA256 in policy.py and stopped looking.

I also like to organise my "zones" as one per directory - so all the cruft for one zone is stored together in one place. Looks like I'll need a "zone" entry per zone in dnssec-policy.conf to manage this. Pity it doesn't simply look inside named.conf for that information (for where the keys live).
 
Maybe someone else on this list has looked further?

On my side, I can 'import' the KSK from the properly signed zone, generate the DS record and EPP it up to the Registry. That all works fine, currently with the push of one (web) button. Will change/add this to something RESTful. Then, for full automation (KSK rollovers) - I'd need dnssec-keymgr to call an external script when it's time to trigger some sort of "Sync" action.

Didn't spot anything to auto-generate CDS records although BIND 9.11 is apparently capable.

--
Mark James ELKINS  -  Posix Systems - (South) Africa
[hidden email]       Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za


Re: Automatic Key Management

Tony Finch
Mark Elkins <[hidden email]> wrote:
>
> On my side, I can 'import' the KSK from the properly signed zone,
> Generate the DS record and EPP it up to the Registry. That all works
> fine, currently with the push of one (web) button. Will change/add this
> to something RESTful. Then, for full automation (KSK Rollover's) - I'd
> need dnssec-keymgr to call an external script when its time to trigger
> some sort of "Sync" action.

Sounds nice! Yes, there's definitely a missing hook or two in
dnssec-keymgr: as you say, it needs to be able to call a script to update
the parent, and also, it is crucial that it checks that the parent has
actually deployed the new DS records because that's often asynchronous,
sometimes with long delays. Any KSK roll must stop at the DS update point
until the update has been confirmed, otherwise you have a footgun.

In its current state I don't think dnssec-keymgr is safe for KSK rolls
unless you wrap it in lots of protective scripting.

> Didn't spot anything to auto-generate CDS records although BIND 9.11 is
> apparently capable.

This is still a work in progress.

dnssec-settime has -P sync and -D sync options to specify when CDS and
CDNSKEY records are added and removed. CDS/CDNSKEY publication is
implemented by named's built-in signer but not by dnssec-signzone.

dnssec-keymgr does not yet know about -P sync or -D sync, as its man page
mentions.

Tony.
--
f.anthony.n.finch  <[hidden email]>  http://dotat.at/  -  I xn--zr8h punycode
Bailey: South 4 or 5, increasing 6 at times. Moderate. Rain. Moderate or good,
occasionally poor.
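Two checks that come out of this thread, as an added example (not BIND, dnssec-keymgr or any poster's code): first, reading the DNSKEY out of a dnssec-keygen style .key file to see which algorithm the generated keys really use (Mark's RSASHA256-versus-ECDSAP256SHA256 surprise becomes visible from the key directory rather than from reading keymgr.py); second, the gate Tony describes, computing the DS for the new KSK per RFC 4034 and refusing to continue the KSK roll until that DS appears in the parent's DS RRset. Everything below is constructed: the zone name, the key file, the dummy public-key bytes (not a real ECDSA key) and the parent's DS text, which in practice comes from a query against the parent's authoritative servers.

```python
"""Key-directory algorithm check and parent-DS gate for a KSK roll (added example)."""
import base64
import hashlib

# IANA DNSKEY algorithm numbers mentioned in the thread.
DNSKEY_ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256",
                     10: "RSASHA512", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384"}

# Constructed stand-in for a dnssec-keygen .key file; "AAECAw==" is the dummy
# public key bytes 00 01 02 03, not real key material.
SAMPLE_KSK_FILE = """\
; This is a key-signing key, keyid 1554, for smtp.co.za.
smtp.co.za. IN DNSKEY 257 3 13 AAECAw==
"""

# Constructed parent DS RRset in presentation form (as `dig +short DS smtp.co.za`
# prints it), still carrying only a DS for a previous KSK: the roll must wait.
PARENT_DS_BEFORE = ("11111 13 2 0123456789ABCDEF0123456789ABCDEF"
                    "0123456789ABCDEF0123456789ABCDEF\n")


def parse_dnskey_file(text):
    """Return (owner, flags, protocol, algorithm, pubkey_bytes) from a .key file body."""
    for line in text.splitlines():
        fields = line.split(";")[0].split()      # ';' starts a comment in master format
        if "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")
        flags, proto, alg = (int(f) for f in fields[i + 1:i + 4])
        pubkey = base64.b64decode("".join(fields[i + 4:]))
        return fields[0], flags, proto, alg, pubkey
    raise ValueError("no DNSKEY record in key file")


def dnskey_rdata(flags, proto, alg, pubkey):
    """DNSKEY RDATA in wire form (RFC 4034 section 2.1)."""
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def canonical_wire_name(name):
    """Owner name as lowercase, uncompressed wire-format labels (RFC 4034 section 6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def describe_key(key_file_text):
    """Check 1: what the key file really contains, so a policy mismatch is visible."""
    owner, flags, proto, alg, pubkey = parse_dnskey_file(key_file_text)
    rdata = dnskey_rdata(flags, proto, alg, pubkey)
    return {"owner": owner, "role": "KSK" if flags & 1 else "ZSK",
            "algorithm": DNSKEY_ALGORITHMS.get(alg, str(alg)), "key_tag": key_tag(rdata)}


def ds_from_key_file(key_file_text, digest_type=2):
    """Expected DS (key_tag, algorithm, digest_type, DIGEST_HEX) for the key, RFC 4034 s5.1.4."""
    owner, flags, proto, alg, pubkey = parse_dnskey_file(key_file_text)
    rdata = dnskey_rdata(flags, proto, alg, pubkey)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    digest = hasher(canonical_wire_name(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), alg, digest_type, digest)


def ds_presentation(ds):
    """DS tuple -> presentation text, the form both the registry (EPP) and dig use."""
    return "%d %d %d %s" % ds


def parse_ds_rrset(text):
    """Parse DS lines into tuples; dig may split the digest across whitespace."""
    out = set()
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) >= 4:
            out.add((int(f[0]), int(f[1]), int(f[2]), "".join(f[3:]).upper()))
    return out


def ds_published_at_parent(key_file_text, parent_ds_text, digest_type=2):
    """Check 2: True only once the parent's DS RRset carries the new KSK's DS."""
    return ds_from_key_file(key_file_text, digest_type) in parse_ds_rrset(parent_ds_text)


if __name__ == "__main__":
    print(describe_key(SAMPLE_KSK_FILE))
    print("DS to send to the registry:", ds_presentation(ds_from_key_file(SAMPLE_KSK_FILE)))
    print("safe to continue KSK roll:", ds_published_at_parent(SAMPLE_KSK_FILE, PARENT_DS_BEFORE))
```

A wrapper around dnssec-keymgr would run describe_key over every K*.key file in the zone's key-directory after each keymgr run, and would poll the parent with ds_published_at_parent before letting the roll move past the DS update step; the digest type is a parameter because some parents only accept SHA-256 (type 2) while others still publish SHA-1.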