How to migrate dnssec algorithm smoothly from auto-dnssec to dnssec-policy?

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

How to migrate dnssec algorithm smoothly from auto-dnssec to dnssec-policy?

von Dein, Thomas
Howdy,

I have a domain which is being signed automatically using auto-dnssec on an older bind9, it uses RSASHA1 keys. Now the registry requires us to move to a more secure algorithm. Therefore I updated bind to bind9.16.6. Now I could switch to dnssec-policy, however if I change the algorithm, it immediately drops the old keys instead of retiring them. I didn't find any hint in the docs or on the net how to do this.

So this was the old config:

zone "customer.bank" in {
  type master;
  file "zone/master/customer.bank";  
  key-directory "/usr/local/etc/namedb/zone/keys";
  auto-dnssec maintain;
  inline-signing yes;
  dnssec-dnskey-kskonly yes;
};

Now after upgrading I changed it to:

dnssec-policy "eval" {
    keys {
        ksk lifetime 2d algorithm rsasha1;
        zsk lifetime 2d algorithm rsasha1;
        ksk lifetime 365d algorithm ecdsap256sha256;
        zsk lifetime 60d algorithm ecdsap256sha256;
    };
};

zone "helaba.bank" in {
  type master;
  file "zone/master/helaba.bank";  
  key-directory "/usr/local/etc/namedb/zone/keys";
  dnssec-policy "eval";
};

My idea was to retire the rsasha1 keys after 2 days and then replace them with the newly generated ones. However, this is what bind actually did:

15-Jan-2021 11:20:46.036 zoneload: zone customer.bank/IN (unsigned): loaded serial 2020100500
15-Jan-2021 11:20:46.042 zoneload: zone customer.bank/IN (signed): loaded serial 2020100551 (DNSSEC signed)
15-Jan-2021 11:20:46.049 general: zone customer.bank/IN (signed): receive_secure_serial: unchanged
15-Jan-2021 11:20:46.297 notify: zone customer.bank/IN (signed): sending notifies (serial 2020100551)
15-Jan-2021 11:20:46.297 dnssec: zone customer.bank/IN (signed): reconfiguring zone keys
15-Jan-2021 11:20:46.311 dnssec: keymgr: retire DNSKEY customer.bank/RSASHA256/31284 (ZSK)
15-Jan-2021 11:20:46.311 dnssec: keymgr: retire DNSKEY customer.bank/RSASHA256/39364 (KSK)
15-Jan-2021 11:20:46.664 dnssec: keymgr: DNSKEY customer.bank/RSASHA1/14477 (KSK) created for policy eval
15-Jan-2021 11:20:46.868 dnssec: keymgr: DNSKEY customer.bank/RSASHA1/61258 (ZSK) created for policy eval
15-Jan-2021 11:20:46.868 dnssec: keymgr: DNSKEY customer.bank/ECDSAP256SHA256/41200 (KSK) created for policy eval
15-Jan-2021 11:20:46.868 dnssec: keymgr: DNSKEY customer.bank/ECDSAP256SHA256/55282 (ZSK) created for policy eval
15-Jan-2021 11:20:46.938 dnssec: DNSKEY customer.bank/RSASHA256/31284 (ZSK) is now deleted
15-Jan-2021 11:20:46.938 dnssec: DNSKEY customer.bank/RSASHA256/39364 (KSK) is now deleted
15-Jan-2021 11:20:46.939 dnssec: Fetching customer.bank/RSASHA1/14477 (KSK) from key repository.
15-Jan-2021 11:20:46.939 dnssec: DNSKEY customer.bank/RSASHA1/14477 (KSK) is now published
15-Jan-2021 11:20:46.939 dnssec: DNSKEY customer.bank/RSASHA1/14477 (KSK) is now active
15-Jan-2021 11:20:46.939 dnssec: Fetching customer.bank/RSASHA1/61258 (ZSK) from key repository.
15-Jan-2021 11:20:46.939 dnssec: DNSKEY customer.bank/RSASHA1/61258 (ZSK) is now published
15-Jan-2021 11:20:46.939 dnssec: DNSKEY customer.bank/RSASHA1/61258 (ZSK) is now active
15-Jan-2021 11:20:46.939 dnssec: Fetching customer.bank/ECDSAP256SHA256/41200 (KSK) from key repository.
15-Jan-2021 11:20:46.939 dnssec: DNSKEY customer.bank/ECDSAP256SHA256/41200 (KSK) is now published
15-Jan-2021 11:20:46.939 dnssec: DNSKEY customer.bank/ECDSAP256SHA256/41200 (KSK) is now active
15-Jan-2021 11:20:46.939 dnssec: Fetching customer.bank/ECDSAP256SHA256/55282 (ZSK) from key repository.
15-Jan-2021 11:20:46.939 dnssec: DNSKEY customer.bank/ECDSAP256SHA256/55282 (ZSK) is now published
15-Jan-2021 11:20:46.939 dnssec: DNSKEY customer.bank/ECDSAP256SHA256/55282 (ZSK) is now active
15-Jan-2021 11:20:46.985 dnssec: zone customer.bank/IN (signed): next key event: 15-Jan-2021 13:20:46.297
15-Jan-2021 11:20:51.305 notify: zone customer.bank/IN (signed): sending notifies (serial 2020100558)

In fact it created 2 new key pairs, one for rsasha1 and one for ecdsap256sha256.

I am pretty sure my setup is invalid somehow.

So how could I configure bind so that it keeps the existing rsasha1 keys for a while and use the new ones only afterwards?


Best regards,
Tom
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Reply | Threaded
Open this post in threaded view
|

Re: How to migrate dnssec algorithm smoothly from auto-dnssec to dnssec-policy?

Matthijs Mekking
Hi Thomas,

Your policy requests four keys in two algorithms: rsasha1 and
ecdsap256sha256. The keys that are being retired are of algorithm
rsasha256. Because the existing algorithms don't match the policy, they
are being retired.

In other words, it doesn't look like the existing keys were of algorithm
rsasha1.

Also keep in mind that if the configured length of the keys in
dnssec-policy don't match the existing keys, the existing keys will also
be retired.

Best regards,

Matthijs



On 15-01-2021 11:49, von Dein, Thomas wrote:

> Howdy,
>
> I have a domain which is being signed automatically using auto-dnssec on an older bind9, it uses RSASHA1 keys. Now the registry requires us to move to a more secure algorithm. Therefore I updated bind to bind9.16.6. Now I could switch to dnssec-policy, however if I change the algorithm, it immediately drops the old keys instead of retiring them. I didn't find any hint in the docs or on the net how to do this.
>
> So this was the old config:
>
> zone "customer.bank" in {
>    type master;
>    file "zone/master/customer.bank";
>    key-directory "/usr/local/etc/namedb/zone/keys";
>    auto-dnssec maintain;
>    inline-signing yes;
>    dnssec-dnskey-kskonly yes;
> };
>
> Now after upgrading I changed it to:
>
> dnssec-policy "eval" {
>      keys {
>          ksk lifetime 2d algorithm rsasha1;
>          zsk lifetime 2d algorithm rsasha1;
>          ksk lifetime 365d algorithm ecdsap256sha256;
>          zsk lifetime 60d algorithm ecdsap256sha256;
>      };
> };
>
> zone "helaba.bank" in {
>    type master;
>    file "zone/master/helaba.bank";
>    key-directory "/usr/local/etc/namedb/zone/keys";
>    dnssec-policy "eval";
> };
>
> My idea was to retire the rsasha1 keys after 2 days and then replace them with the newly generated ones. However, this is what bind actually did:
>
> 15-Jan-2021 11:20:46.036 zoneload: zone customer.bank/IN (unsigned): loaded serial 2020100500
> 15-Jan-2021 11:20:46.042 zoneload: zone customer.bank/IN (signed): loaded serial 2020100551 (DNSSEC signed)
> 15-Jan-2021 11:20:46.049 general: zone customer.bank/IN (signed): receive_secure_serial: unchanged
> 15-Jan-2021 11:20:46.297 notify: zone customer.bank/IN (signed): sending notifies (serial 2020100551)
> 15-Jan-2021 11:20:46.297 dnssec: zone customer.bank/IN (signed): reconfiguring zone keys
> 15-Jan-2021 11:20:46.311 dnssec: keymgr: retire DNSKEY customer.bank/RSASHA256/31284 (ZSK)
> 15-Jan-2021 11:20:46.311 dnssec: keymgr: retire DNSKEY customer.bank/RSASHA256/39364 (KSK)
> 15-Jan-2021 11:20:46.664 dnssec: keymgr: DNSKEY customer.bank/RSASHA1/14477 (KSK) created for policy eval
> 15-Jan-2021 11:20:46.868 dnssec: keymgr: DNSKEY customer.bank/RSASHA1/61258 (ZSK) created for policy eval
> 15-Jan-2021 11:20:46.868 dnssec: keymgr: DNSKEY customer.bank/ECDSAP256SHA256/41200 (KSK) created for policy eval
> 15-Jan-2021 11:20:46.868 dnssec: keymgr: DNSKEY customer.bank/ECDSAP256SHA256/55282 (ZSK) created for policy eval
> 15-Jan-2021 11:20:46.938 dnssec: DNSKEY customer.bank/RSASHA256/31284 (ZSK) is now deleted
> 15-Jan-2021 11:20:46.938 dnssec: DNSKEY customer.bank/RSASHA256/39364 (KSK) is now deleted
> 15-Jan-2021 11:20:46.939 dnssec: Fetching customer.bank/RSASHA1/14477 (KSK) from key repository.
> 15-Jan-2021 11:20:46.939 dnssec: DNSKEY customer.bank/RSASHA1/14477 (KSK) is now published
> 15-Jan-2021 11:20:46.939 dnssec: DNSKEY customer.bank/RSASHA1/14477 (KSK) is now active
> 15-Jan-2021 11:20:46.939 dnssec: Fetching customer.bank/RSASHA1/61258 (ZSK) from key repository.
> 15-Jan-2021 11:20:46.939 dnssec: DNSKEY customer.bank/RSASHA1/61258 (ZSK) is now published
> 15-Jan-2021 11:20:46.939 dnssec: DNSKEY customer.bank/RSASHA1/61258 (ZSK) is now active
> 15-Jan-2021 11:20:46.939 dnssec: Fetching customer.bank/ECDSAP256SHA256/41200 (KSK) from key repository.
> 15-Jan-2021 11:20:46.939 dnssec: DNSKEY customer.bank/ECDSAP256SHA256/41200 (KSK) is now published
> 15-Jan-2021 11:20:46.939 dnssec: DNSKEY customer.bank/ECDSAP256SHA256/41200 (KSK) is now active
> 15-Jan-2021 11:20:46.939 dnssec: Fetching customer.bank/ECDSAP256SHA256/55282 (ZSK) from key repository.
> 15-Jan-2021 11:20:46.939 dnssec: DNSKEY customer.bank/ECDSAP256SHA256/55282 (ZSK) is now published
> 15-Jan-2021 11:20:46.939 dnssec: DNSKEY customer.bank/ECDSAP256SHA256/55282 (ZSK) is now active
> 15-Jan-2021 11:20:46.985 dnssec: zone customer.bank/IN (signed): next key event: 15-Jan-2021 13:20:46.297
> 15-Jan-2021 11:20:51.305 notify: zone customer.bank/IN (signed): sending notifies (serial 2020100558)
>
> In fact it created 2 new key pairs, one for rsasha1 and one for ecdsap256sha256.
>
> I am pretty sure my setup is invalid somehow.
>
> So how could I configure bind so that it keeps the existing rsasha1 keys for a while and use the new ones only afterwards?
>
>
> Best regards,
> Tom
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> [hidden email]
> https://lists.isc.org/mailman/listinfo/bind-users
>
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users