Howdy,

I have a domain which is being signed automatically using auto-dnssec on an 
older bind9; it uses RSASHA1 keys. Now the registry requires us to move to a 
more secure algorithm. Therefore I updated bind to bind9.16.6. Now I could 
switch to dnssec-policy; however, if I change the algorithm, it immediately 
drops the old keys instead of retiring them. I didn't find any hint in the docs 
or on the net on how to do this.

So this was the old config:

zone "customer.bank" in {
  type master;
  file "zone/master/customer.bank";   
  key-directory "/usr/local/etc/namedb/zone/keys";
  auto-dnssec maintain;
  inline-signing yes;
  dnssec-dnskey-kskonly yes;
};

Now after upgrading I changed it to:

dnssec-policy "eval" {
    keys {
        ksk lifetime 2d algorithm rsasha1;
        zsk lifetime 2d algorithm rsasha1;
        ksk lifetime 365d algorithm ecdsap256sha256;
        zsk lifetime 60d algorithm ecdsap256sha256;
    };
};

zone "helaba.bank" in {
  type master;
  file "zone/master/helaba.bank";   
  key-directory "/usr/local/etc/namedb/zone/keys";
  dnssec-policy "eval";
};

My idea was to retire the rsasha1 keys after 2 days and then replace them with 
the newly generated ones. However, this is what bind actually did:

15-Jan-2021 11:20:46.036 zoneload: zone customer.bank/IN (unsigned): loaded serial 2020100500
15-Jan-2021 11:20:46.042 zoneload: zone customer.bank/IN (signed): loaded serial 2020100551 (DNSSEC signed)
15-Jan-2021 11:20:46.049 general: zone customer.bank/IN (signed): receive_secure_serial: unchanged
15-Jan-2021 11:20:46.297 notify: zone customer.bank/IN (signed): sending notifies (serial 2020100551)
15-Jan-2021 11:20:46.297 dnssec: zone customer.bank/IN (signed): reconfiguring zone keys
15-Jan-2021 11:20:46.311 dnssec: keymgr: retire DNSKEY customer.bank/RSASHA256/31284 (ZSK)
15-Jan-2021 11:20:46.311 dnssec: keymgr: retire DNSKEY customer.bank/RSASHA256/39364 (KSK)
15-Jan-2021 11:20:46.664 dnssec: keymgr: DNSKEY customer.bank/RSASHA1/14477 (KSK) created for policy eval
15-Jan-2021 11:20:46.868 dnssec: keymgr: DNSKEY customer.bank/RSASHA1/61258 (ZSK) created for policy eval
15-Jan-2021 11:20:46.868 dnssec: keymgr: DNSKEY customer.bank/ECDSAP256SHA256/41200 (KSK) created for policy eval
15-Jan-2021 11:20:46.868 dnssec: keymgr: DNSKEY customer.bank/ECDSAP256SHA256/55282 (ZSK) created for policy eval
15-Jan-2021 11:20:46.938 dnssec: DNSKEY customer.bank/RSASHA256/31284 (ZSK) is now deleted
15-Jan-2021 11:20:46.938 dnssec: DNSKEY customer.bank/RSASHA256/39364 (KSK) is now deleted
15-Jan-2021 11:20:46.939 dnssec: Fetching customer.bank/RSASHA1/14477 (KSK) from key repository.
15-Jan-2021 11:20:46.939 dnssec: DNSKEY customer.bank/RSASHA1/14477 (KSK) is now published
15-Jan-2021 11:20:46.939 dnssec: DNSKEY customer.bank/RSASHA1/14477 (KSK) is now active
15-Jan-2021 11:20:46.939 dnssec: Fetching customer.bank/RSASHA1/61258 (ZSK) from key repository.
15-Jan-2021 11:20:46.939 dnssec: DNSKEY customer.bank/RSASHA1/61258 (ZSK) is now published
15-Jan-2021 11:20:46.939 dnssec: DNSKEY customer.bank/RSASHA1/61258 (ZSK) is now active
15-Jan-2021 11:20:46.939 dnssec: Fetching customer.bank/ECDSAP256SHA256/41200 (KSK) from key repository.
15-Jan-2021 11:20:46.939 dnssec: DNSKEY customer.bank/ECDSAP256SHA256/41200 (KSK) is now published
15-Jan-2021 11:20:46.939 dnssec: DNSKEY customer.bank/ECDSAP256SHA256/41200 (KSK) is now active
15-Jan-2021 11:20:46.939 dnssec: Fetching customer.bank/ECDSAP256SHA256/55282 (ZSK) from key repository.
15-Jan-2021 11:20:46.939 dnssec: DNSKEY customer.bank/ECDSAP256SHA256/55282 (ZSK) is now published
15-Jan-2021 11:20:46.939 dnssec: DNSKEY customer.bank/ECDSAP256SHA256/55282 (ZSK) is now active
15-Jan-2021 11:20:46.985 dnssec: zone customer.bank/IN (signed): next key event: 15-Jan-2021 13:20:46.297
15-Jan-2021 11:20:51.305 notify: zone customer.bank/IN (signed): sending notifies (serial 2020100558)

In fact it created 2 new key pairs, one for rsasha1 and one for ecdsap256sha256.

I am pretty sure my setup is invalid somehow.

So how could I configure bind so that it keeps the existing rsasha1 keys for a 
while and uses the new ones only afterwards?


Best regards,
Tom
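As an added example (not part of Tom's post and not BIND's own tooling), the following Python script audits the keymgr log lines quoted above. It parses each DNSKEY event into a per-key timeline and then raises two findings a practitioner would want before trusting a dnssec-policy migration: keys that were retired although their algorithm does not appear in the policy at all (in the log the retired keys are RSASHA256, while the "eval" policy names rsasha1 and ecdsap256sha256), and keys that were deleted within seconds of being retired instead of after a retire interval. The 2-day threshold is an assumption taken from the lifetimes in the posted policy; the algorithm set is the one the policy lists.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: the keymgr-relevant lines from the post, re-joined.
SAMPLE_LOG = """\
15-Jan-2021 11:20:46.297 dnssec: zone customer.bank/IN (signed): reconfiguring zone keys
15-Jan-2021 11:20:46.311 dnssec: keymgr: retire DNSKEY customer.bank/RSASHA256/31284 (ZSK)
15-Jan-2021 11:20:46.311 dnssec: keymgr: retire DNSKEY customer.bank/RSASHA256/39364 (KSK)
15-Jan-2021 11:20:46.664 dnssec: keymgr: DNSKEY customer.bank/RSASHA1/14477 (KSK) created for policy eval
15-Jan-2021 11:20:46.868 dnssec: keymgr: DNSKEY customer.bank/RSASHA1/61258 (ZSK) created for policy eval
15-Jan-2021 11:20:46.868 dnssec: keymgr: DNSKEY customer.bank/ECDSAP256SHA256/41200 (KSK) created for policy eval
15-Jan-2021 11:20:46.868 dnssec: keymgr: DNSKEY customer.bank/ECDSAP256SHA256/55282 (ZSK) created for policy eval
15-Jan-2021 11:20:46.938 dnssec: DNSKEY customer.bank/RSASHA256/31284 (ZSK) is now deleted
15-Jan-2021 11:20:46.938 dnssec: DNSKEY customer.bank/RSASHA256/39364 (KSK) is now deleted
15-Jan-2021 11:20:46.939 dnssec: Fetching customer.bank/RSASHA1/14477 (KSK) from key repository.
15-Jan-2021 11:20:46.939 dnssec: DNSKEY customer.bank/RSASHA1/14477 (KSK) is now published
15-Jan-2021 11:20:46.939 dnssec: DNSKEY customer.bank/RSASHA1/14477 (KSK) is now active
15-Jan-2021 11:20:46.939 dnssec: DNSKEY customer.bank/RSASHA1/61258 (ZSK) is now published
15-Jan-2021 11:20:46.939 dnssec: DNSKEY customer.bank/RSASHA1/61258 (ZSK) is now active
15-Jan-2021 11:20:46.939 dnssec: DNSKEY customer.bank/ECDSAP256SHA256/41200 (KSK) is now published
15-Jan-2021 11:20:46.939 dnssec: DNSKEY customer.bank/ECDSAP256SHA256/41200 (KSK) is now active
15-Jan-2021 11:20:46.939 dnssec: DNSKEY customer.bank/ECDSAP256SHA256/55282 (ZSK) is now published
15-Jan-2021 11:20:46.939 dnssec: DNSKEY customer.bank/ECDSAP256SHA256/55282 (ZSK) is now active
"""

# Algorithms the posted "eval" policy asks for (lower case in named.conf,
# upper case in the log).
POLICY_ALGORITHMS = {"RSASHA1", "ECDSAP256SHA256"}

# Assumed retire interval: the 2d lifetime from the posted policy, in seconds.
ASSUMED_RETIRE_SECONDS = 2 * 86400

KEY_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) dnssec: (?:keymgr: )?"
    r"(?P<pre>retire )?DNSKEY (?P<zone>\S+)/(?P<alg>[A-Z0-9]+)/(?P<tag>\d+) "
    r"\((?P<role>KSK|ZSK)\)(?P<post>.*)$"
)
TS_FMT = "%d-%b-%Y %H:%M:%S.%f"


def _event_name(pre, post):
    """Map the text around a DNSKEY token to one keymgr event name."""
    if pre == "retire ":
        return "retire"
    post = post.strip()
    if post.startswith("created for policy"):
        return "created"
    for state in ("published", "active", "deleted"):
        if post == f"is now {state}":
            return state
    return None


def parse_keymgr_log(text):
    """Return {(zone, alg, keytag, role): [(timestamp, event), ...]} in log order."""
    timeline = defaultdict(list)
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if not m:
            continue  # zoneload/notify/Fetching lines carry no DNSKEY state change
        event = _event_name(m.group("pre"), m.group("post"))
        if event is None:
            continue
        key = (m.group("zone"), m.group("alg"), int(m.group("tag")), m.group("role"))
        timeline[key].append((datetime.strptime(m.group("ts"), TS_FMT), event))
    return dict(timeline)


def audit_rollover(timeline, policy_algorithms, min_retire_seconds=ASSUMED_RETIRE_SECONDS):
    """Flag retired keys whose algorithm the policy never mentions, and keys
    deleted sooner than min_retire_seconds after being retired."""
    findings = []
    for (zone, alg, tag, role), events in sorted(timeline.items()):
        names = {e for _, e in events}
        when = {e: t for t, e in events}
        if "retire" in names and alg not in policy_algorithms:
            findings.append(f"{zone}/{alg}/{tag} ({role}): retired, but {alg} is not in the policy "
                            f"{sorted(policy_algorithms)}; the existing keys are not covered")
        if "retire" in names and "deleted" in names:
            gap = (when["deleted"] - when["retire"]).total_seconds()
            if gap < min_retire_seconds:
                findings.append(f"{zone}/{alg}/{tag} ({role}): deleted {gap:.3f}s after retire "
                                f"(expected at least {min_retire_seconds}s)")
    return findings


if __name__ == "__main__":
    for finding in audit_rollover(parse_keymgr_log(SAMPLE_LOG), POLICY_ALGORITHMS):
        print(finding)
```

Run against the posted log it reports four findings: both RSASHA256 keys were retired although the policy lists no rsasha256 entry, and both were deleted about 0.6 seconds after being retired. Feeding it the same log with RSASHA256 in the policy set and a zero threshold returns nothing, which is the comparison to make after adjusting the policy and reloading.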
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users