[Skip to end for some notes on this process and why it was difficult for me.]
Just want to double check this before I set off on the next steps in this
process, now that the test domain is all setup and everyone is happy and I know
where things fell apart in the testing. Hopefully this helps someone in the
future. Or future me.
Given:
#v+
named.conf:
dnssec-policy alg13-ksk-unlimited-zsk-60day {
keys {
ksk key-directory lifetime unlimited algorithm 7 2048;
zsk key-directory lifetime P60D algorithm 7 1024 ;
};
};
zone "example.com" {
type primary;
file "example.com";
dnssec-policy alg13-ksk-unlimited-zsk-60day;
allow-update { key "rndc-key";
};
};
#v-
I tell bind to sign the zone (or restart bind) and then run
# dnssec-dsfromkey -a SHA256 /path/to/alg-13.key
# dsnssec-verify -zI text -o example.com /path/to/signed/zone-file
Add the new key ID and digest to the registrar's DS and sit back until the
alg-7 keys are no longer attached to the zone.
If example.com currently is using alg-7 this configuration will, as I
understand it
1) add alg-13 keys to the domain
2) rolloff the alg-7 keys in (less than?) 60 days
3) after 61+ days I can remove the kay and private files
for the alg-7 files
If that is correct, once all the zones have moved to alg-13 can I then
eliminate the dnssec-policy block in the named.conf and set each zone to
'dnssec-policy default;'?
Notes:
The main thing that caused my problems was not verifying against the SIGNED
zone file, which led to a lot of wasted effort. This was the biggest cause of
delays and pain, as it turns out, since it appears my first forays were
entirely successful, and the verify errors were all based on this mistake.
When I first setup DNNSEC years ago the zone files remained untouched other
than adding the keys as $INCLUDE statements and new zone.signed files were
created using the key files that were on the $INCLUDE lines in the zone files.
Second, though rather minor,
<https://bind9.readthedocs.io/en/latest/dnssec-guide.html> suggested running
`rndc signing -list` but that returns an error "zone uses dnssec-policy, use
rndc dnssec command instead". This was not in itself a problem, but it sent me
off trying to find out why the command was failing, assuming I was doing
something wrong since it follows in the above link from setting up dnssec.
And, of course, searching for information on bind and dnssec returns a lot of
things that are very old and out of date. A lot of them revolving around bind
9.7.x.
Third, I needed to go kick the secondary DNS server.
--
I hear hurricanes a-blowing, I know the end is coming soon. I fear
rivers over-flowing. I hear the voice of rage and ruin.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
