Re: Updating a DNSSEC config to use a different algorithm

2021-02-01 Thread Mal via bind-users

On 02/02/2021 12:10 am, @lbutlr wrote:
> I've been using alg-7 for DNS, but that is no longer recommended. How 
> difficult is it to change the signing algorithm and what is the process (Bind 
> 9.16.11)?


I migrated recently from Alg8 to Alg13, no drama. My registry does not
have a user portal for passing in the new DS records, so the only risk was
making sure the operation took place when the registry had their DNS
support troops on deck.

My simple notes, including updating the TLSA (DANE) and DKIM keys at the end
of the process. Hope it helps.




I have all of my zone files (db.*domain*) in /etc/bind. Use your own
path when including the keys in your zone.

1.  Generate new ZSK & KSK, Alg 13
==================================

dnssec-keygen -f KSK -3 -a ECDSAP256SHA256 -r /dev/random yourdomain.com

dnssec-keygen -3 -a ECDSAP256SHA256 -r /dev/random yourdomain.com


Check for your 4 new key files:

ls -lt K*

-rw-r--r-- 1 bind 345 Jan 15 10:10 Kyourdomain.com.+013+34567.key
-rw------- 1 bind 186 Jan 15 10:10 Kyourdomain.com.+013+34567.private
-rw-r--r-- 1 bind 344 Jan 15 10:10 Kyourdomain.com.+013+42793.key
-rw------- 1 bind 186 Jan 15 10:10 Kyourdomain.com.+013+42793.private



2.  Include the new public keys in the Zone file & Increment zone serial
========================================================================


; yourdomain.com
$TTL 1200
yourdomain.com. IN  SOA   host01.yourdomain.com. postmaster.yourdomain.com. (
    2021020101    ; Serial (bump it every time the zone changes)
    12000         ; refresh
    120           ; retry
    14D           ; expire
    24H           ; minimum / negative-cache TTL
    )

    IN TXT "v=spf1 a mx ip4:77.123.45.67 ip6:2424:ae00:123:6::/64"

    ; Name Servers
    IN  NS  host01.yourdomain.com.  ; ns
    IN  NS  host02.yourdomain.com.  ; ns
    IN  NS  host03.yourdomain.com.  ; ns

    ; Mail Exchanger
    IN  MX  10 bigmx.yourdomain.com.    ; mail

yourdomain.com. IN  AAAA 2424:ae00:123:6::7
yourdomain.com. IN  A    77.123.45.67

; TLSA (DANE) for the MTA and the web server on host01
_25._tcp.host01.yourdomain.com.  IN  TLSA 3 1 1 53xx..33f1b8cf81e37c2e212b
_443._tcp.host01.yourdomain.com. IN  TLSA 3 1 1 53xx..33f1b8cf81e37c2e212b

; DKIM selector "mail"
mail._domainkey IN  TXT ( "v=DKIM1; h=sha256; k=rsa; s=email; "
    "p=MII...xxdu"
    "axAB" )

; new Alg 13 KSK and ZSK public keys (relative to /etc/bind, where the zone is signed)
$INCLUDE    Kyourdomain.com.+013+34567.key
$INCLUDE    Kyourdomain.com.+013+42793.key

; EOF


save it right :)



3.  Sign your Zone
==================

dnssec-signzone -S -K /etc/bind/ -g -a -r /dev/random -o yourdomain.com db.yourdomain-com


@host01:/etc/bind# dnssec-signzone -S -K /etc/bind/ -g -a -r /dev/random -o yourdomain.com db.yourdomain-com
Verifying the zone using the following algorithms: ECDSAP256SHA256.
Zone fully signed:
Algorithm: ECDSAP256SHA256: KSKs: 1 active, 0 stand-by, 0 revoked
                            ZSKs: 1 active, 0 stand-by, 0 revoked
db.yourdomain-com.signed

@host01:/etc/bind#



4.  Collect your DS record HASH for the domain registry
=======================================================

It depends on whether your registry takes the DS record data from you
directly, or gives you a customer portal where you enter the hash data
yourself. Essentially, remove existing entries (IF you have a previous
Alg8 etc. in place) and install the new Alg13 DS HASH.
You will need to provide the Alg type (13) & Digest (SHA256) either
way. "Algorithm 13, ECDSAP256SHA256" usually does the trick.

@host01:/etc/bind# ls -lt dsset*

-rw-r--r-- 1 bind 172 Jan 15 dsset-yourdomain.com.

@host01:/etc/bind# more dsset-yourdomain.com.
yourdomain.com. IN DS 42793 13 1 42YC45643B1EF30E42A9D73BDD4EBD8B0
yourdomain.com. IN DS 42793 13 2 7A5A1408995DBBA92E8B575B30DC9BDD10992F90C48C21B9A3 9A348929


Now get this record data to the registry via your registry method.
Kettle on.



5.  Wait for Registry to complete entry & TXFR
==============================================

Check DNSViz for the new key ID and Alg being displayed. We all love DNSViz!


Or simply pass a query via dig directly and review the output:

@host01:/etc/bind# dig yourdomain.com dnskey +noall +answer +multiline

; <<>> DiG 9.9.5-9+debxxx <<>> yourdomain.com dnskey +noall +answer +multiline
;; global options: +cmd
yourdomain.com. 1200 IN DNSKEY 257 3 13 (
    ur4UnMMi4bDNfUEbJfRMlVQ/mxLSMF4quoPrCUopUp94
    R9HEG6Sl9gIU9Nl73uRktnUxJspUjqrmOaWsUBcNXA==
    ) ; KSK; alg =
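Added example, not code from Mal's post, from BIND or from any registry tool: a Python check that the dsset-* file you are about to hand to the registry in step 4 really describes the KSK the zone publishes (same key tag, same algorithm, and a digest that recomputes from the key). Key tag per RFC 4034 Appendix B, DS digest per RFC 4034 section 5.1.4. The owner name yourdomain.com and the dig +multiline KSK are copied from the post above; the short "AQIDBA==" key is a constructed 4-byte stand-in (not a real P-256 key) chosen so the key-tag arithmetic can be followed by hand. It is more general than the step it illustrates: it accepts any algorithm number and digest types 1, 2 and 4.

```python
#!/usr/bin/env python3
"""Recompute a DS record from a DNSKEY and compare it with a dsset-* line.

Added example; not code from the bind-users post.  Key tag: RFC 4034
Appendix B.  DS digest: RFC 4034 section 5.1.4, i.e. digest over the
owner name in canonical wire form followed by the DNSKEY RDATA.
"""
import base64
import hashlib
import struct

DIGEST = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-case, length-prefixed labels."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (all algorithms except the retired RSA/MD5)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def parse_dnskey(text: str):
    """Parse a DNSKEY in presentation form, including dig +multiline output
    (parentheses, wrapped base64, trailing ';' comments)."""
    clean = " ".join(line.split(";")[0] for line in text.splitlines())
    toks = clean.replace("(", " ").replace(")", " ").split()
    i = toks.index("DNSKEY")
    flags, proto, alg = (int(t) for t in toks[i + 1:i + 4])
    pubkey = base64.b64decode("".join(toks[i + 4:]))
    return toks[0], flags, proto, alg, pubkey


def ds_record(owner, flags, proto, alg, pubkey, digest_type=2) -> str:
    """Build the DS line that dnssec-signzone's dsset file should contain."""
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    digest = DIGEST[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {alg} {digest_type} {digest}"


def dsset_matches(dsset_line: str, dnskey_text: str) -> bool:
    """True if the dsset line was derived from this DNSKEY (tag, alg and digest agree).
    dsset-* files print the digest with a space in the middle, so join it first."""
    toks = dsset_line.split()
    i = toks.index("DS")
    tag, alg, dtype = toks[i + 1], toks[i + 2], int(toks[i + 3])
    digest = "".join(toks[i + 4:]).upper()
    if dtype not in DIGEST:
        return False
    owner, f, p, a, key = parse_dnskey(dnskey_text)
    want = ds_record(owner, f, p, a, key, dtype).split()
    return want[3] == tag and want[4] == alg and want[6] == digest


# Constructed sample: flags 257 (KSK), alg 13, and a 4-byte stand-in public
# key so the key tag (2068) can be checked by hand; real P-256 keys are 64 bytes.
SAMPLE_KSK = "yourdomain.com. 1200 IN DNSKEY 257 3 13 AQIDBA=="

# KSK exactly as printed by dig +multiline in the post above.
POSTED_KSK = """\
yourdomain.com. 1200 IN DNSKEY 257 3 13 (
    ur4UnMMi4bDNfUEbJfRMlVQ/mxLSMF4quoPrCUopUp94
    R9HEG6Sl9gIU9Nl73uRktnUxJspUjqrmOaWsUBcNXA==
    ) ; KSK
"""

if __name__ == "__main__":
    owner, f, p, a, key = parse_dnskey(SAMPLE_KSK)
    line = ds_record(owner, f, p, a, key)
    print(line)
    print("dsset line matches the zone's KSK:", dsset_matches(line, SAMPLE_KSK))
    print("posted KSK decodes to", len(parse_dnskey(POSTED_KSK)[4]), "bytes of key")
```

Run it in /etc/bind against the real key: paste the dig +multiline DNSKEY with flags 257 into parse_dnskey and the line from dsset-yourdomain.com. into dsset_matches. A False means the DS you are about to submit points at a different key than the one in the zone, which is exactly the mistake that breaks the chain of trust once the old DS is removed at the registry.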

Re: Options for named startup docker

2021-02-01 Thread Felipe Agnelli Barbosa
Hi,

I think it is better to build your own image.

Then, in the build (bind.dockerfile) you can pass the arguments, like:

RUN:
ENTRYPOINT:
etc.

Or (maybe) you can put it explicitly in the conf file (named.conf):

listen-on { none; };
listen-on-v6 { any; };


Regards,
Felipe

On Mon, 1 Feb 2021 at 12:29, Christian Link <chris.link3...@gmail.com> wrote:

> Hello everyone,
>
> I am using the BIND Docker image in a Docker Compose setup. In this setup
> I would like to disable ipv4 and start the named daemon with the option
> "-4".
>
> Normally you can do this via the file /etc/default/named (In the options
> variable). Unfortunately, this file is ignored. I also tried it with the
> "Environment" parameter in docker-compose.yml, but this does not work
> either.
>
> What possibility do I have to give options to the named daemon without
> redefining the start command completely (e.g. via "command")?
>
> This is my docker-compose.yml
>
>
> version: '3.8'
> services:
>   bind:
>     image: internetsystemsconsortium/bind9:9.16
>     container_name: bind
>     volumes:
>       - ./etc/bind:/etc/bind
>       - ./etc/default/named:/etc/default/named
>       - ./var/cache/bind:/var/cache/bind
>       - ./var/lib/bind:/var/lib/bind
>       - ./var/log:/var/log
>     ports:
>       - 53:53/udp
>       - 53:53/tcp
>       - 127.0.0.1:953:953/tcp
>     restart: always
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>


-- 
"Doubt is the beginning of wisdom"


Re: Updating a DNSSEC config to use a different algorithm

2021-02-01 Thread @lbutlr
On 01 Feb 2021, at 07:14, Matthijs Mekking  wrote:
> Depends on what your DNSSEC configuration is. Are you using 
> dnssec-signzone/named? auto-dnssec maintain? inline-signing? dnssec-policy? 
> dnssec-keymgr?

These are all good questions, and when I set this up I could have answered with 
some degree of confidence.

What I have in named.conf is simply dnssec-validation auto; and domains have 
auto-dnssec maintain, so I guess that answers that question.

> Yes there are a lot of ways to maintain DNSSEC in BIND. The recommended way 
> forward is to use dnssec-policy. Migrating to it may still be a bit tricky*, 
> but once you use it, changing a new signing algorithm is pretty simple:
> 
> 1. Update your dnssec-policy, reload config.

Assuming there is no dnssec-policy (there is not), what would I update it to?

This did give me enough to DDG on; does this link look reasonable?



#v+
dnssec-policy alg13-ksk-unlimited-zsk-60day {
 keys {
 ksk key-directory lifetime unlimited algorithm ECDSAP256SHA256;
 zsk key-directory lifetime P60D algorithm ECDSAP256SHA256;
 };
};
#v-

If so, what are the possible values for the algorithm? And for the actual 
policy (alg13-…)? I also see mention of a dnssec-policy default but that is out 
of context so I don't know if that is simply telling the domain to use the 
policy defined separately in the named.conf as above. Alg13-ksk gives two 
hits on DDG, and the second one is in Japanese.

> 2. Wait a little bit.
> 3. When the new DS is in the parent, run "rndc dnssec -checkds published
>   on the right key id."
> 4. Also run "rndc dnssec -checkds withdrawn" on the id of the key that
>   has its DS removed from the parent.
> 5. Have a celebratory drink.

Way ahead of you there!

> *In principle you can just switch to dnssec-policy with your existing key 
> files and BIND will initialize key state files for those keys. But there is 
> at least one known bug that deleted keys may be used again for signing (those 
> deleted keys still have their key files in the key directory). [GL #2406]

Hopefully that will not be an issue as there are no old key files. Or rather, 
they are all about the same age, Jan-Feb of 2019.

-- 
'I don't see why everyone depends on me. I'm not dependable. Even I
don't depend on me, and I'm me.'



Options for named startup docker

2021-02-01 Thread Christian Link
Hello everyone,

I am using the BIND Docker image in a Docker Compose setup. In this setup I
would like to disable ipv4 and start the named daemon with the option "-4".

Normally you can do this via the file /etc/default/named (In the options
variable). Unfortunately, this file is ignored. I also tried it with the
"Environment" parameter in docker-compose.yml, but this does not work
either.

What possibility do I have to give options to the named daemon without
redefining the start command completely (e.g. via "command")?

This is my docker-compose.yml


version: '3.8'
services:
  bind:
    image: internetsystemsconsortium/bind9:9.16
    container_name: bind
    volumes:
      - ./etc/bind:/etc/bind
      - ./etc/default/named:/etc/default/named
      - ./var/cache/bind:/var/cache/bind
      - ./var/lib/bind:/var/lib/bind
      - ./var/log:/var/log
    ports:
      - 53:53/udp
      - 53:53/tcp
      - 127.0.0.1:953:953/tcp
    restart: always


Re: Updating a DNSSEC config to use a different algorithm

2021-02-01 Thread Matthijs Mekking

Hi,

Depends on what your DNSSEC configuration is. Are you using 
dnssec-signzone/named? auto-dnssec maintain? inline-signing? 
dnssec-policy? dnssec-keymgr?


Yes, there are a lot of ways to maintain DNSSEC in BIND. The recommended 
way forward is to use dnssec-policy. Migrating to it may still be a bit 
tricky*, but once you use it, changing to a new signing algorithm is pretty 
simple:


1. Update your dnssec-policy, reload config.
2. Wait a little bit.
3. When the new DS is in the parent, run "rndc dnssec -checkds published
   on the right key id."
4. Also run "rndc dnssec -checkds withdrawn" on the id of the key that
   has its DS removed from the parent.
5. Have a celebratory drink.

Algorithm rollover with dnssec-policy will gracefully transition to the 
keys with the new algorithms, so during the rollover period you should 
see your zone being signed with two algorithms.


Best regards,

Matthijs


*In principle you can just switch to dnssec-policy with your existing 
key files and BIND will initialize key state files for those keys. But 
there is at least one known bug that deleted keys may be used again for 
signing (those deleted keys still have their key files in the key 
directory). [GL #2406]



On 01-02-2021 14:40, @lbutlr wrote:

I've been using alg-7 for DNS, but that is no longer recommended. How difficult 
is it to change the signing algorithm and what is the process (Bind 9.16.11)?



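Added example, not code from the thread or from BIND, for the state Matthijs describes where the zone is signed with two algorithms during the rollover: a Python check of the signer-side rule in RFC 4035 section 2.2 (the apex DNSKEY RRset must be signed with every algorithm in the parent's DS RRset, and every RRset must be signed with every algorithm in the DNSKEY RRset) run over dig-style DS, DNSKEY and RRSIG text. It flags the two orderings that go wrong in a manual roll: the new DS reaching the parent before the zone signs with the new algorithm, and the last old-algorithm key leaving the zone while the old DS is still published. The sample records are constructed: the owner yourdomain.com is borrowed from the other reply, "AQIDBA==" is a 4-byte stand-in key, the key tags in the RRSIGs are the RFC 4034 tags of those stand-ins, and signature and digest fields are placeholders. It handles any pair of algorithms and any set of RRsets, not only the 8-to-13 roll discussed here.

```python
#!/usr/bin/env python3
"""Signer-side consistency check for a DNSSEC algorithm rollover.

Added example, not code from the thread or from BIND.  Rule checked
(RFC 4035 section 2.2): the apex DNSKEY RRset must be signed with every
algorithm that appears in the parent's DS RRset, and every RRset in the
zone must be signed with every algorithm in the DNSKEY RRset.  RFC 6840
section 5.11 lets validators accept any single working path, but strict
validators do not, so publishing the alg-13 DS before the zone is signed
with alg 13, or dropping the last alg-8 key while the alg-8 DS is still at
the parent, can make the zone bogus.  All sample records are constructed.
"""
from collections import defaultdict


def records(text: str, rtype: str):
    """Yield the RDATA fields of every '<owner> [ttl] IN <rtype> ...' line."""
    for line in text.splitlines():
        toks = line.split(";")[0].split()
        for i in range(len(toks) - 1):
            if toks[i] == "IN" and toks[i + 1] == rtype:
                yield toks[i + 2:]
                break


def ds_algorithms(ds_text: str) -> set:
    """DS RDATA is: key-tag algorithm digest-type digest."""
    return {int(f[1]) for f in records(ds_text, "DS")}


def dnskey_algorithms(dnskey_text: str) -> set:
    """DNSKEY RDATA is: flags protocol algorithm public-key."""
    return {int(f[2]) for f in records(dnskey_text, "DNSKEY")}


def rrsig_algorithms(rrsig_text: str) -> dict:
    """Map covered type -> algorithms that signed it (RRSIG RDATA starts: type algorithm)."""
    out = defaultdict(set)
    for f in records(rrsig_text, "RRSIG"):
        out[f[0]].add(int(f[1]))
    return out


def check_rollover(ds_text: str, dnskey_text: str, rrsig_text: str) -> list:
    """Return findings; an empty list means the published state is safe to leave."""
    findings = []
    ds_algs = ds_algorithms(ds_text)
    key_algs = dnskey_algorithms(dnskey_text)
    sigs = rrsig_algorithms(rrsig_text)
    dnskey_sig_algs = sigs.get("DNSKEY", set())
    for alg in sorted(ds_algs - dnskey_sig_algs):
        findings.append(f"DS alg {alg} is at the parent but the DNSKEY RRset carries no alg-{alg} RRSIG")
    for alg in sorted(key_algs):
        missing = sorted(t for t, algs in sigs.items() if alg not in algs)
        if missing:
            findings.append(f"DNSKEY alg {alg} is published but these RRsets lack an alg-{alg} RRSIG: {', '.join(missing)}")
    if not ds_algs & dnskey_sig_algs:
        findings.append("no DS algorithm validates the DNSKEY RRset: chain of trust is broken for every resolver")
    return findings


# Constructed samples.  "AQIDBA==" is a 4-byte stand-in key; the key tags in
# the RRSIGs (2063/2062 for alg 8, 2068/2067 for alg 13) are the RFC 4034 tags
# of those stand-ins; signature and digest fields are placeholders.
DS_OLD = "yourdomain.com. IN DS 2063 8 2 PLACEHOLDERDIGEST\n"
DS_NEW = "yourdomain.com. IN DS 2068 13 2 PLACEHOLDERDIGEST\n"
DS_BOTH = DS_OLD + DS_NEW
KEYS_OLD = ("yourdomain.com. 1200 IN DNSKEY 257 3 8 AQIDBA==\n"
            "yourdomain.com. 1200 IN DNSKEY 256 3 8 AQIDBA==\n")
KEYS_NEW = ("yourdomain.com. 1200 IN DNSKEY 257 3 13 AQIDBA==\n"
            "yourdomain.com. 1200 IN DNSKEY 256 3 13 AQIDBA==\n")
KEYS_BOTH = KEYS_OLD + KEYS_NEW
SIG = "yourdomain.com. 1200 IN RRSIG {} {} 2 1200 20210301000000 20210201000000 {} yourdomain.com. c2ln\n"
SIGS_OLD = SIG.format("DNSKEY", 8, 2063) + SIG.format("SOA", 8, 2062)
SIGS_NEW = SIG.format("DNSKEY", 13, 2068) + SIG.format("SOA", 13, 2067)
SIGS_BOTH = SIGS_OLD + SIGS_NEW

ROLLOVER_STATES = {
    "before the roll": (DS_OLD, KEYS_OLD, SIGS_OLD),
    "alg 13 keys published and signing, both DS at the parent": (DS_BOTH, KEYS_BOTH, SIGS_BOTH),
    "DS 13 submitted before the zone signs with alg 13": (DS_BOTH, KEYS_OLD, SIGS_OLD),
    "alg 13 DNSKEY added but the zone is not yet signed with it": (DS_OLD, KEYS_BOTH, SIGS_OLD),
    "alg 8 keys removed while the alg-8 DS is still at the parent": (DS_BOTH, KEYS_NEW, SIGS_NEW),
    "old DS pulled before the new one was added": (DS_NEW, KEYS_OLD, SIGS_OLD),
}

if __name__ == "__main__":
    for state, args in ROLLOVER_STATES.items():
        print(state)
        for finding in check_rollover(*args) or ["OK"]:
            print("  ", finding)
```

To use it on a live zone, feed it the DS RRset fetched from the parent (dig +noall +answer yourdomain.com DS @a-parent-nameserver) and the DNSKEY and RRSIG RRsets fetched from your own authoritative server; run it after each of Matthijs's steps and only proceed to the next one while it reports no findings.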


Updating a DNSSEC config to use a different algorithm

2021-02-01 Thread @lbutlr
I've been using alg-7 for DNS, but that is no longer recommended. How difficult 
is it to change the signing algorithm and what is the process (Bind 9.16.11)?


-- 
"He raised his hammer defiantly and opened his mouth to say, "Oh,
yeah?" but stopped, because just by his ear he heard a growl. It
was quite low and soft, but it had a complex little waveform
which went straight down into a little knobbly bit in his spinal
column where it pressed an ancient button marked Primal Terror."
