2013/04/05

Enabling DNSSEC for farnz.org.uk using BIND 9.9

DNSSEC with BIND 9.9

I've been pleasantly surprised by this; BIND 9.9 has made enabling DNSSEC for a zone really easy. The only problem I hit along the way is that the defaults for dnssec-keygen aren't as secure as I'd like.

Note that this is not a howto - it's a guide to the steps I took.

Prerequisites

  • Access to the BIND ARM for the version of BIND you're running. I followed the instructions in chapter 4 of the ARM to do this.
  • You need a recent BIND 9 - I'm using 9.9, although the functionality has been present since 9.7.
  • Your zones must be working fine without DNSSEC; all that this process does is teach BIND to sign your zone for you.
  • You need access to your nameserver's configuration files, and space on disk to store DNSSEC keys.

Getting going

First, teach BIND to automatically sign your zone for you, by changing the zone configuration. I started with:

    zone "farnz.org.uk."
    {
    type master;
    file "/var/named/forward/farnz.org.uk";
    };
  

and added three lines to get:

    zone "farnz.org.uk."
    {
    type master;
    file "/var/named/forward/farnz.org.uk";
    key-directory "/var/named/dnssec/farnz.org.uk";
    auto-dnssec maintain;
    inline-signing yes;
    };
  

Reload the configuration rndc reconfig.

Create the key directory - in my case /var/named/dnssec/farnz.org.uk, and make it accessible to named. You will put keys in here, which will cause BIND to take your existing unsigned zone and maintain a signed copy for you.

Create your key signing keys (KSKs). I created two - one currently in use with dnssec-keygen -a 8 -b 2048 -fk -K /var/named/dnssec/farnz.org.uk farnz.org.uk, and one that's published but not in use created with dnssec-keygen -a 8 -b 2048 -fk -K -A none /var/named/dnssec/farnz.org.uk farnz.org.uk. The idea here is that the one that's published but not in use is signed with the KSK that's in use; when I roll over my KSK, anyone who's cached the old KSK will be able to verify the new KSK. There's thus no need to delay when rolling over the KSK - cached old versions are not a problem.

Create a zone signing key dnssec-keygen -a 8 -b 1024 -K /var/named/dnssec/farnz.org.uk farnz.org.uk.

Tell BIND to sign the zone rndc sign farnz.org.uk.

If you get this far, you should have BIND automatically signing your zone. You now need to obtain a DS record for your active KSK dnssec-dsfromkey -2 Kfarnz.org.uk.+008+52165.key changing the key name accordingly. Send this DS record to your parent zone - in my case, as the domain is hosted by AAISP, I added the DS record to their DNS management interface, and had them send it to Nominet.

At this point, your domain is signed and traceable to the root key - you can test it via DNSViz and DNSSEC Analyzer.

Rolling over the ZSK

Rolling over the ZSK should be a quick and simple process, as you don't need to communicate with other server operators. There are three steps:

  1. Create a new ZSK: dnssec-keygen -a 8 -b 1024 -K /var/named/dnssec/farnz.org.uk farnz.org.uk
  2. Mark the old ZSK for inactivation and deletion in the future: dnssec-settime -I+1d -D+7d Kfarnz.org.uk.+008+12156.key
  3. Tell BIND to catch up: rndc sign farnz.org.uk

The marks on the old ZSK do not tell BIND to delete it from disk; instead, when the old ZSK becomes inactive, it will no longer be used to sign RRSETs being returned to clients (so the time to inactivation should be longer than the ZSK's TTL), and when it's deleted, it will no longer be published in DNS at all.

Rolling over the KSK

This is more involved, because it needs co-operation with your parent zone:

  1. Make your not-in-use KSK active: dnssec-settime -A now /var/named/dnssec/Kfarnz.org.uk.+008+43885.key
  2. Tell BIND to catch up: rndc sign farnz.org.uk
  3. Get the DS record for your newly activated KSK, and send it to your parent zone: dnssec-dsfromkey -2 /var/named/dnssec/Kfarnz.org.uk.+008+43885.key
  4. Wait for your parent zone to be publishing the new DS record.
  5. Inactivate and delete the old KSK: dnssec-settime -I+7d -D+28d Kfarnz.org.uk.+008+52165.key
  6. Tell BIND to catch up: rndc sign farnz.org.uk

Scheduling a ZSK roll over

It's also possible to schedule a ZSK roll over in advance:

  1. Set an inactivation and deletion date well in the future for the key you're rolling over: dnssec-settime -I+30d -D+40d Kfarnz.org.uk.+008+12156.key
  2. Create a successor key with a sensible prepublication interval: dnssec-keygen -i7d -S Kfarnz.org.uk.+008+12156.key
  3. Tell BIND to catch up: rndc sign farnz.org.uk

Note that you can do this with multiple keys, including keys that aren't yet in use - you can thus schedule a year's worth of monthly key changes at a time if you so desire.