$Id: dnssec-child-howto.html,v 1.9 2002/08/30 19:15:48 jakob Exp $

DNSSEC child howto

1. Introduction

Background

This text was produced at the DNSSEC/DS workshop hosted by USC/ISI. The workshop took place at USC/ISI East in Washington DC, US, on August 28-30, 2002.

Participants and authors:
Rob Austein, Matt Larson, Ólafur Guðmundsson, Sam Weiler, Russ Mundy, Brian Wellington, Daniel Massey, David Blacka, Ed Lewis, Jakob Schlyter, Johan Ihrén, Mark Kosters, Olaf Kolkman, Randy Bush, Roy Arends, Allison Mankin, Scott Rose and Wesley Griffin.

This document only covers use with ISC's BIND 9 software. If anyone can help with examples using other products that implement the same standards, we would be delighted to include them. Send text to the authors.

Terminology

XXX please provide text XXX

Key signing keys and zone signing keys

We recommend using two keys. One key signs the zone data itself; we call it the zone signing key, or ZSK. The other, the key signing key or KSK, signs only the zone's key set (which includes the ZSK), and it is the KSK that the parent refers to in its DS record. With this setup the KSK can be stored offline while the ZSK stays online to sign dynamic updates, and because the parent only references the KSK, the ZSK can be changed without involving the parent.

2. Bootstrapping

  1. Get and build a DS-aware nameserver, e.g. BIND 9.3.x or later

  2. Synchronize your clock using NTP (signatures carry inception and expiration times)

  3. Generate a KSK and a ZSK (see 4.1)

  4. Include ($INCLUDE) the public key files (the K<zone name>.+<algorithm>+<key id>.key files written by dnssec-keygen) in your zone

  5. Sign the zone (see 3.1)

  6. Switch to the signed zone file, e.g. replace my.domain.name in named.conf with my.domain.name.signed

  7. (Re-)start the new nameserver

  8. Test, e.g. query the nameserver with dig +dnssec and check that the key set and the signatures come back

  9. Notify your parent, i.e. send the parent your KSK so that it can publish a DS record for it

3. Zone management

3.1. Zone signing

The dnssec-signzone program is used to sign a zone file. You give it the zone origin (-o), zero or more key signing keys (-k, one per KSK), the zone file and, last, the zone signing key(s):

$ dnssec-signzone \
    -o <zone name> \
    -k <key signing key> \
    <zone filename> \
    <zone signing keys>

Example:

$ dnssec-signzone \
    -o my.zone.name \
    -k Kmy.zone.name.+005+54098.private \
    my.zone.name.zonefile \
    Kmy.zone.name.+005+56712.private

Unless you pass -f <output file>, the signed zone is written to <zone filename>.signed, i.e. my.zone.name.zonefile.signed in the example; this is the file to point named.conf at.

4. Key management

4.1. Generate new key

The dnssec-keygen program is used to generate a new key. Multiple algorithms and key lengths are available; at the time of writing (2002) we recommend a 1024-bit RSA/SHA-1 key. (Both RSA/SHA-1, algorithm number 5, and 1024-bit RSA keys are no longer considered adequate for signing; pick an algorithm and key size that current guidance allows.) The same command is used for the KSK and the ZSK. It writes two files, K<zone name>.+<algorithm>+<key id>.key (the public key, to $INCLUDE in the zone) and K<zone name>.+<algorithm>+<key id>.private (to pass to dnssec-signzone).

$ dnssec-keygen -a RSASHA1 -b 1024 -n ZONE <zone name>

4.2. Key signing key roll-over

  1. Generate a new key and add it to the zone

  2. Increment the SOA of zone

  3. Sign your zone using both the old and the new key

  4. Reload the zone

  5. Notify the parent about the new key and ask it to remove the old one. Make sure the change at the parent has taken effect before continuing. You can check which DS records the parent currently publishes with:

          $ dig @parent.name.server my.zone.name ds +norec
          

  6. Wait at least twice the TTL of the DS record at the parent, so that the old DS has expired from all caches

  7. Remove the old key from your own zone, increment the SOA, re-sign and reload.
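The check in step 5 (and the "Test" and "Notify your parent" steps of section 2) comes down to one question: does a DS record the parent publishes really cover the KSK in our zone? Below is an added example that answers it; it is not part of the workshop text and not BIND code. It parses DNSKEY records in the text form dnssec-keygen writes to K*.key files (the older KEY type name is accepted too), computes the key tag (RFC 4034 Appendix B, the same computation RFC 3658 used over KEY records), derives the SHA-1 DS digest and compares it with the DS records you got back from dig. The two keys for my.zone.name are constructed with made-up public key material; the "stale" DS with tag 54098 is likewise constructed, borrowing the key id from the signing example in 3.1. The SEP flag it uses to tell the KSK from the ZSK was introduced after this document (RFC 3757) and is what dnssec-keygen -f KSK sets.

```python
# Added example, not from the workshop text or from BIND: check that the DS
# records a parent publishes (as returned by the dig query in step 5) really
# cover the KSK in our own zone.  The key material below is constructed for
# the example; "my.zone.name" is the placeholder used throughout this howto.
import base64
import hashlib
import struct

SEP_FLAG = 0x0001  # "secure entry point" bit (RFC 3757, later than this text)

# Constructed DNSKEY records as dnssec-keygen writes them to K*.key files
# (older versions write the pre-RFC 4034 type name KEY; both are accepted).
ZONE_KEYS = [
    "my.zone.name. IN DNSKEY 257 3 5 AQMBAgME",  # KSK: flags 257 = ZONE+SEP
    "my.zone.name. IN DNSKEY 256 3 5 AQMFBgcI",  # ZSK: flags 256 = ZONE
]


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase labels, no compression."""
    name = name.rstrip(".").lower()
    wire = b""
    for label in (name.split(".") if name else []):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def key_tag(rdata):
    """Key tag over DNSKEY RDATA (RFC 4034 App. B; all algorithms but RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(rr):
    """Parse 'owner [ttl] [IN] DNSKEY|KEY flags proto alg base64' into a dict."""
    fields = rr.split(";")[0].replace("(", " ").replace(")", " ").split()
    for i, f in enumerate(fields):
        if f.upper() in ("DNSKEY", "KEY"):
            break
    else:
        raise ValueError("not a DNSKEY/KEY record: %r" % rr)
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    rdata = struct.pack("!HBB", flags, proto, alg) + base64.b64decode("".join(fields[i + 4:]))
    return {"owner": fields[0], "flags": flags, "algorithm": alg,
            "rdata": rdata, "tag": key_tag(rdata)}


def is_ksk(key):
    """True if the key carries the SEP flag (what dnssec-keygen -f KSK sets)."""
    return bool(key["flags"] & SEP_FLAG)


def ds_digest(owner, rdata):
    """DS digest type 1: SHA-1 over canonical owner name followed by the RDATA."""
    return hashlib.sha1(name_to_wire(owner) + rdata).hexdigest().upper()


def ds_rr(key):
    """The DS record the parent should publish for this key."""
    return "%s IN DS %d %d 1 %s" % (key["owner"], key["tag"], key["algorithm"],
                                    ds_digest(key["owner"], key["rdata"]))


def parse_ds(rr):
    """Parse 'owner [ttl] [IN] DS tag alg digesttype digest' as printed by dig."""
    fields = rr.split(";")[0].split()
    i = [f.upper() for f in fields].index("DS")
    return {"tag": int(fields[i + 1]), "algorithm": int(fields[i + 2]),
            "digest_type": int(fields[i + 3]), "digest": "".join(fields[i + 4:]).upper()}


def check_parent_ds(parent_ds_rrs, zone_dnskey_rrs):
    """Return the tags of our keys that the parent's DS set actually covers.

    A DS whose tag, algorithm and digest all match one of our keys counts;
    a stale DS for a key no longer in the zone matches nothing, which is the
    condition to wait out in step 5 before removing the old key.
    """
    keys = [parse_dnskey(r) for r in zone_dnskey_rrs]
    covered = set()
    for ds in (parse_ds(r) for r in parent_ds_rrs):
        if ds["digest_type"] != 1:
            continue  # only the SHA-1 digest type is computed here
        for key in keys:
            if (ds["tag"], ds["algorithm"]) == (key["tag"], key["algorithm"]) \
                    and ds["digest"] == ds_digest(key["owner"], key["rdata"]):
                covered.add(key["tag"])
    return covered


if __name__ == "__main__":
    ksk = [k for k in map(parse_dnskey, ZONE_KEYS) if is_ksk(k)][0]
    print("send to parent:", ds_rr(ksk))
    # Pretend the parent still publishes the DS of the previous KSK (tag 54098,
    # as in the signing example in 3.1); nothing in our zone is covered by it.
    stale = "my.zone.name. 86400 IN DS 54098 5 1 " + "00" * 20
    print("covered by stale DS:", check_parent_ds([stale], ZONE_KEYS))
    print("covered by new DS:  ", check_parent_ds([ds_rr(ksk)], ZONE_KEYS))
```

In practice you would feed check_parent_ds() the answer section of the dig query above and the DNSKEY records from your own signed zone; an empty result means the parent has not published (or has not yet removed) the DS you expect, and you should not proceed to step 7. The owner name is lowercased before hashing because the DS digest is defined over the canonical form of the name, so a differently cased name in the parent's zone must still match.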

4.3. Zone signing key roll-over

  1. Generate a new key and add it to the zone

  2. Remove the old key from the zone

  3. Increment the SOA of the zone

  4. Sign your zone

  5. Reload the zone

Note that this replaces the old ZSK in a single step. A resolver that has cached records signed with the old key can no longer validate them once that key has left the zone's key set, until the records expire from its cache. If that matters to you, stage the change the way 4.2 does for the KSK: publish the new key next to the old one and wait for the key set's TTL to pass, then sign with the new key while keeping the old key published for at least the largest TTL in the zone, and only then remove the old key.

5. Caveats

The clocks of all participating computers must be in sync. Signatures carry inception and expiration times, so a verifier with a skewed clock will reject signatures that are in fact valid, or accept ones that have already expired. Use of NTP is strongly recommended.