On 02/02/2021 12:10 am, @lbutlr wrote:
> I've been using alg-7 for DNS, but that is no longer recommended. How
> difficult is it to change the signing algorithm and what is the process (Bind
> 9.16.11)?
I migrated recently from Alg8 to Alg13, no drama.. My registry does not have a user portal for passing the new DS records, so the only risk was making sure the operation took place when the registry had their DNS support troops on deck.

My simple notes, including updating TLSA (DANE) AND DKIM keys at the end of the process. Hope it helps..

I have all of my zone files (db.*domain*) in /etc/bind. Reflect your path used when including the keys in your zone.

1. Generate new ZSK & KSK, Alg 13
==================================

  dnssec-keygen -f KSK -3 -a ECDSAP256SHA256 -r /dev/random yourdomain.com
  dnssec-keygen -3 -a ECDSAP256SHA256 -r /dev/random yourdomain.com

Check for your 4 new key files:

  ls -lt K*
  -rw-r--r-- 1 xxxx bind 345 Jan 15 10:10 Kyourdomain.com.+013+34567.key
  -rw------- 1 xxxx bind 186 Jan 15 10:10 Kyourdomain.com.+013+34567.private
  -rw-r--r-- 1 xxxx bind 344 Jan 15 10:10 Kyourdomain.com.+013+42793.key
  -rw------- 1 xxxx bind 186 Jan 15 10:10 Kyourdomain.com.+013+42793.private

2. Include the new public keys in the Zone file & Increment zone serial
========================================================================

  ; yourdomain.com
  $TTL 1200
  yourdomain.com. IN SOA host01.yourdomain.com. postmaster.yourdomain.com. (
          2021020101 ; Serial.
          12000      ; refresh
          120        ; retry
          14D        ; expire
          24H )      ; TTL (closing paren must come before the comment)
          IN TXT "v=spf1 a mx ip4:77.123.45.67 ip6:2424:ae00:123:6::/64"
  ; Name Servers
          IN NS host01.yourdomain.com. ; ns
          IN NS host02.yourdomain.com. ; ns
          IN NS host03.yourdomain.com. ; ns
  ; Mail Exchanger
          IN MX 10 bigmx.yourdomain.com. ; mail
  yourdomain.com. IN AAAA 2424:ae00:123:6::7
  yourdomain.com. IN A 77.123.45.67
  _25._tcp.host01.yourdomain.com. IN TLSA 3 1 1 53xxxxxx..xxxx33f1b8cf81e37c2e212b
  _443._tcp.host01.yourdomain.com. IN TLSA 3 1 1 53xxxxxx..xxxx33f1b8cf81e37c2e212b
  mail._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; s=email; "
          "p=MIIxxxxxxxxxxxxxxxx...xxxxxxdu"
          "axxxxxxxxxxxxxxxxxxxx....xxxxxAB" )
  $INCLUDE Kyourdomain.com.+013+34567.key
  $INCLUDE Kyourdomain.com.+013+42793.key
  ; EOF

save it right :)

3. Sign your Zone
==================

  dnssec-signzone -S -K /etc/bind/ -g -a -r /dev/random -o yourdomain.com db.yourdomain-com

  xxxx@host01:/etc/bind# dnssec-signzone -S -K /etc/bind/ -g -a -r /dev/random -o yourdomain.com db.yourdomain-com
  Verifying the zone using the following algorithms: ECDSAP256SHA256.
  Zone fully signed:
  Algorithm: ECDSAP256SHA256: KSKs: 1 active, 0 stand-by, 0 revoked
                              ZSKs: 1 active, 0 stand-by, 0 revoked
  db.yourdomain-com.signed
  xxxx@host01:/etc/bind#

4. Collect your DS record HASH for the domain registry
=======================================================

Depending on whether you use a domain registry that you pass the DS record data to, OR a customer portal where you enter this hash data yourself. Essentially, remove existing entries (IF you have a previous Alg8 etc in place) and install the new DS HASH Alg13. You will need to provide the Alg type (13) & Digest (SHA256) either way. "Algorithm 13, ECDSAP256SHA256" usually does the trick.

  xxxx@host01:/etc/bind# ls -lt dsset*
  -rw-r--r-- 1 xxxx bind 172 Jan 15 dsset-yourdomain.com.
  xxxx@host01:/etc/bind# more dsset-yourdomain.com.
  yourdomain.com. IN DS 42793 13 1 42YC45643B1EF30E42BBBBA9D73BDD4EBD8B02222
  yourdomain.com. IN DS 42793 13 2 7A5A1408995DBBBBBBA92E8B575B30DC9BDD109999992F90C48C21B9A3 9A348929

Now get this record data to the registry via your registry method. Kettle on.

5. Wait for Registry to complete entry & TXFR
==============================================

Check DNSVIZ for the new key ID and Alg displayed.. we all love DNSVIZ !

OR simply pass a query via DIG directly and review output:

  xxxx@host01:/etc/bind# dig yourdomain.com dnskey +noall +answer +multiline

  ; <<>> DiG 9.9.5-9+debxxx <<>> yourdomain.com dnskey +noall +answer +multiline
  ;; global options: +cmd
  yourdomain.com.         1200 IN DNSKEY 257 3 13 (
                                  ur4UnMMi4bDNfUEbJfRMlVQ/mxLSMF4quoPrCUopUp94
                                  R9HEG6Sl9gIU9Nl73uRktnUxJspUjqrmOaWsUBcNXA==
                                  ) ; KSK; alg = ECDSAP256SHA256; key id = 42793
  yourdomain.com.         1200 IN DNSKEY 256 3 13 (
                                  w4SA1p/BBBrfs3216YNkQ6+xyoPkttXQNCHhoaNbPl4lI
                                  l0PDL9REtOhjo54p943UNFWXg/ZHUqzZzzu321Ztgw==
                                  ) ; ZSK; alg = ECDSAP256SHA256; key id = 34567
  xxxx@host01:/etc/bind#

6. Update your TLSA & DKIM records
==================================

Hopefully you are using DANE with Postfix; update your host TLSA entry for your zone:

Update TLSA:

  tlsa --create --selector 1 --certificate host01.yourdomain.com.pem host01.yourdomain.com

  xxxx@host01:/xx/xxxx# tlsa --create --selector 1 --certificate host01.yourdomain.com.pem host01.yourdomain.com
  Got a certificate with Subject: /CN=host01.yourdomain.com
  _443._tcp.host01.yourdomain.com. IN TLSA 3 1 1 FF774433KK5cdbccb18f278fccfdb833f1b8cf81e37c2e212b147D88vBBns632

Update DKIM:

  cd /etc/opendkim/keys/yourdomain.com
  opendkim-genkey -r -h sha256 -d yourdomain.com -s mail -b 2048

  root@host01:/etc/opendkim/keys/yourdomain.com# ls -lt
  -rw------- 1 opendkim opendkim 1456 Jan 5 11:05 mail.private
  -rw------- 1 opendkim opendkim  502 Jan 5 11:05 mail.txt
  xxxx@host01:/etc/opendkim/keys/yourdomain.com# more mail.txt
  mail._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; s=email; "
          "p=MIIxxxxxxxxxxxxxxxx...etc.. xxxxxxw22"
          "89uADXXUC/5BugylW8327dDQA18m1X...etc..F893P99xaAB" ) ; ----- DKIM key mail for yourdomain.com

Place the new TLSA and DKIM records in your zone, inc Serial, re-sign. Job done.
Mal

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
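Steps 4 and 5 above hand a DS hash to the registry and then confirm via dig or DNSViz that the DNSKEY the zone publishes is the one the parent points at. The script below is an added example, not code from Mal's post or from BIND: it recomputes the DS record(s) for a KSK straight from the DNSKEY fields that `dig <zone> dnskey +multiline` prints (RFC 4034 key tag, SHA-1/SHA-256 digests over owner name plus RDATA), parses the `dsset-<zone>.` line format including the wrapped hex, and lists any DS that matches none of the published keys. The zone name and the two keys are constructed placeholders, not real key material.

```python
# Added example (not from Mal's post): recompute the DS record(s) for the new
# KSK from the DNSKEY that `dig <zone> dnskey` shows, and compare them with
# the dsset-<zone>. lines handed to the registry. Names and keys below are
# constructed placeholders.
import base64
import hashlib
import struct

# Digest types dnssec-signzone writes into dsset-* (RFC 4034 type 1, RFC 4509 type 2).
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256}

ZONE_KEY_FLAG = 0x0100  # RFC 4034 2.1.1: the Zone Key flag must be set on any DNSSEC key


def owner_wire(name):
    """Canonical wire form of the owner name: lower-case, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA in wire form; the base64 may be split over lines as in dig +multiline."""
    pubkey = base64.b64decode("".join(key_b64.split()))
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (valid for all algorithms except the obsolete RSAMD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_records(owner, flags, protocol, algorithm, key_b64, digest_types=(2,)):
    """DS presentation lines for one DNSKEY, one line per requested digest type."""
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    tag = key_tag(rdata)
    name = owner.lower().rstrip(".") + "."
    lines = []
    for dt in digest_types:
        digest = DIGEST_ALGOS[dt](owner_wire(owner) + rdata).hexdigest().upper()
        lines.append(f"{name} IN DS {tag} {algorithm} {dt} {digest}")
    return lines


def parse_ds(line):
    """Parse 'zone. IN DS <tag> <alg> <type> <hex ...>'; dsset-* files wrap the hex over fields."""
    fields = line.split()
    i = fields.index("DS")
    tag, alg, dtype = (int(x) for x in fields[i + 1:i + 4])
    return tag, alg, dtype, "".join(fields[i + 4:]).upper()


def ds_matches_dnskey(ds_line, owner, flags, protocol, algorithm, key_b64):
    """True only if tag, algorithm and digest of the DS line all agree with this DNSKEY."""
    tag, alg, dtype, digest = parse_ds(ds_line)
    if not flags & ZONE_KEY_FLAG or dtype not in DIGEST_ALGOS:
        return False
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    if tag != key_tag(rdata) or alg != algorithm:
        return False
    expected = DIGEST_ALGOS[dtype](owner_wire(owner) + rdata).hexdigest().upper()
    return expected == digest


def stale_ds(ds_lines, owner, dnskeys):
    """DS records (e.g. the parent's current set) matching none of the published DNSKEYs.
    dnskeys is a list of (flags, protocol, algorithm, key_b64) tuples."""
    return [ds for ds in ds_lines
            if not any(ds_matches_dnskey(ds, owner, *k) for k in dnskeys)]


# Constructed sample keys (not real key material): a 64-byte placeholder for a
# P-256 public key, and an all-zero key standing in for the retired algorithm's KSK.
SAMPLE_KSK_B64 = base64.b64encode(bytes(range(64))).decode()
ZERO_KEY_B64 = base64.b64encode(bytes(64)).decode()

if __name__ == "__main__":
    new_ds = ds_records("yourdomain.com", 257, 3, 13, SAMPLE_KSK_B64, digest_types=(1, 2))
    old_ds = ds_records("yourdomain.com", 257, 3, 8, ZERO_KEY_B64)
    for line in new_ds:
        print(line)
    print("stale at parent:", stale_ds(old_ds + new_ds, "yourdomain.com",
                                       [(257, 3, 13, SAMPLE_KSK_B64)]))
```

Feed `stale_ds()` the DS set the parent currently serves (`dig yourdomain.com ds`) and the DNSKEY set the zone publishes: a non-empty result means those DS entries validate nothing, and if every DS is stale, validating resolvers will fail the zone. That is the state to avoid during a rollover (RFC 6781): replace the old DS only after the new DNSKEY is visible, and drop the old key only after the old DS is gone and its TTL has expired. Of the two lines in the dsset file, only the type 2 (SHA-256) DS needs to go to the registry; RFC 8624 no longer recommends SHA-1 (type 1) for new delegations.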