DNSSEC key rollover

John john at klam.ca
Thu Jan 22 00:09:14 CET 2015

On 1/21/2015 3:43 AM, Carsten Strotmann wrote:
> Hello John,
> Example:
> the initial key generation:
> # dnssec-keygen -a RSASHA256 -b 2048 -n ZONE -P +1d -A +4d example.com
> publication: now + 1 day
> activation: now + 4 days
> retirement: unset
> deletion: unset
> # dnssec-settime -p all Kexample.com.+008+50340
> Created: Wed Jan 21 09:32:35 2015
> Publish: Thu Jan 22 09:32:35 2015
> Activate: Sun Jan 25 09:32:35 2015
> Revoke: UNSET
> Inactive: UNSET
> Delete: UNSET
> 28 days after activation, the rollover process starts by setting the
> inactivation time and creating the successor key:
> # dnssec-settime -I +2d -D +8d Kexample.com.+008+50340
> ./Kexample.com.+008+50340.key
> ./Kexample.com.+008+50340.private
> # dnssec-settime -p all Kexample.com.+008+50340
> Created: Wed Jan 21 09:32:35 2015
> Publish: Thu Jan 22 09:32:35 2015
> Activate: Sun Jan 25 09:32:35 2015
> Revoke: UNSET
> Inactive: Sun Feb 22 09:37:28 2015
> Delete: Sat Feb 28 09:37:28 2015
> # dnssec-keygen -i 2d -S Kexample.com.+008+50340.key
> example.com
> # dnssec-settime -p all Kexample.com.+008+40260
> Created: Wed Jan 21 09:38:04 2015
> Publish: Fri Feb 20 09:37:28 2015
> Activate: Sun Feb 22 09:37:28 2015
> Revoke: UNSET
> Inactive: UNSET
> Delete: UNSET
> By setting the inactivation time not at the creation of the key, but
> when the rollover starts, the process is more robust against failures
> of the script/process and the rollover can be postponed if needed (by
> disabling the script).
> But please send a feature request to the BIND 9 people (email
> <bind9-bugs at isc.org>) if you feel relative dates for a successor key
> would be useful.
> Best regards
> Carsten
Our processes are very similar. The initial key was generated in much 
the same way as yours, except I did not set any dates and so the very 
first key was created with Create, Publication and Active all set to NOW:

dnssec-keygen -a RSASHA256 -b 2048 -3 klam.ca.

I then did a settime with -I+60d -D+90d. The usual house-keeping was 
performed, adding the NSEC3 chain etc., which gave me:

root at bilbo:/etc/bind/keys# dnssec-settime -p all Kklam.ca.+008+00849.
Created: Fri Jan 16 20:22:55 2015
Publish: Fri Jan 16 20:22:55 2015
Activate: Fri Jan 16 20:22:55 2015
Revoke: UNSET
Inactive: Sun Feb 15 21:12:51 2015
Delete: Mon Mar  2 21:12:51 2015

I then created a second key using my proposed rollover procedure, which 
goes something like this:

1) Manually extracted the key activation date and used it as a base for 
running keygen, which in this case is Feb 15, 2015 (20150215). In the 
example below I am using a 30 day active life and 15 day retirement; in 
practice I would probably use 90 and 120.

2) dnssec-keygen -i7d -S Kklam.ca.+008+00849 -I 20150215+30d -D 20150215+45d klam.ca. 
followed by the usual house 
-S param takes care of getting the right date for publishing and 

I ran a test of the above which gives me:

root at bilbo:/etc/bind/keys# dnssec-settime -p all Kklam.ca.+008+26709.
Created: Fri Jan 16 21:15:23 2015
Publish: Sun Feb  8 21:12:51 2015
Activate: Sun Feb 15 21:12:51 2015
Revoke: UNSET
Inactive: Tue Mar 17 22:15:23 2015
Delete: Wed Apr  1 22:15:23 2015

Currently, to keep rollovers up to date I have to manually intervene and 
perform steps 1 & 2 each time. I am trying to work out how to find the 
current valid ZSK and extract the various dates from it in order to 
automate this process. The attached script is an early attempt of mine 
at automating this process, but I am not happy with it, as it uses the 
key files and I am not sure this is the best approach or if I should be 
getting the info directly from Bind.

My second biggest problem is that it's 10 years plus since I wrote any 
code, so more than half the time is spent reading the bloody book!!!

My 2 cents worth.

John Allen
How do you tell when you're out of invisible ink?
-------------- next part --------------
#!/bin/bash
# Why this script: the ISC has created a number of tools to manage and generate DNSSEC keys etc.
# The dnssec-keygen tool works very nicely in that it can use the inactive date of one key to generate a new key with an appropriate activate date.
# The problems that I have are that it does not automagically
#   1. select either the current key, or the key with an Inactive date furthest in the future, as the roll base;
#   2. nor does it set the inactive or delete dates for the new key, based either on the new keyset's active date or on the selected keyset's inactive date.
# This script is intended to automatically generate new DNSSEC keysets based upon the inactive date furthest in the future.
# The idea being that it would be run as a cron or anacron job every n days, where n is equal to the key life.

autoDelete=0                    # The automatic deletion of keysets where the Delete date has passed - default Off
keyLife=90                      # how often you roll the ZSK in days
keyDeleteInterval=30            # interval between inactivation and deletion
keyDirectory=.                  # Where the Keys live, if we are not told otherwise
inactiveDate=20010101000000     # date a ZSK goes Inactive (YYYYMMDDHHMMSS UTC, the format used inside the key files)
today=$(date -u +%Y%m%d%H%M%S)  # today's date, UTC based, to determine if ZSKs marked for deletion can be removed
domainName=""                   # which domain are we interested in
rollTime=040000                 # what time of day do you want to roll, may not be important
fileName=""                     # the keyset chosen as the base (predecessor) for the roll

function display_help() {
    echo ""
    echo "     klam-autoroll [-h] [-X] [-l nnn] [-d nnn] [-r hh[mm[ss]]] [-K /etc/bind/keys] domain-name"
    echo ""
    echo "        -h Display this help information"
    echo ""
    echo "        -X automatically remove keysets whose delete date has passed."
    echo ""
    echo "        -l the life of the keyset, this is the time in days from active to inactive."
    echo "           It is added to the new keyset's activation date to set its inactive date."
    echo ""
    echo "        -d the delete delay, the length of time in days between a keyset becoming inactive and being eligible for deletion."
    echo "           It is added to the new keyset's inactive date to set its delete date."
    echo ""
    echo "        -r roll time of day, when during the day you would prefer rollover to occur."
    echo "           In most cases not needed, but some people may prefer rollover to occur at a specific time of day."
    echo ""
    echo "        -K Directory where your DNSSEC keys are stored."
    echo ""
    echo "        domain-name the domain used as the basis for key generation."
    echo ""
}

if [ $# -eq 0 ]; then
    display_help
    exit 1
fi

while getopts "d:l:r:hK:X" option; do
    case $option in
        d ) if [[ $OPTARG =~ ^[0-9]+$ ]] && [[ 10#$OPTARG -lt 730 ]]; then
                keyDeleteInterval=$OPTARG
                echo "The interval between a key becoming inactive and being eligible for removal has been set to $keyDeleteInterval days."
            else
                echo "ERROR - the delete delay must be a number of days below 730"; exit 1
            fi ;;
        l ) if [[ $OPTARG =~ ^[0-9]+$ ]] && [[ 10#$OPTARG -lt 730 ]]; then
                keyLife=$OPTARG
                echo "Key life set to $keyLife days."
            else
                echo "ERROR - the key life must be a number of days below 730"; exit 1
            fi ;;
        r ) if [[ $OPTARG =~ ^[0-9]{2}([0-9]{2}){0,2}$ ]] && [[ 10#$OPTARG -lt 235959 ]]; then
                rollTime=$(printf '%-6s' "$OPTARG" | tr ' ' 0)    # pad hh or hhmm out to hhmmss
                echo "Roll TOD set to $rollTime (HHMMSS)."
            else
                echo "ERROR - the roll time must be given as hh[mm[ss]]"; exit 1
            fi ;;
        h ) display_help; exit 0 ;;
        K ) if [[ -d $OPTARG ]]; then
                keyDirectory=$OPTARG
            else
                echo "ERROR - $OPTARG is not a directory"; exit 1
            fi ;;
        X ) autoDelete=1
            echo "Auto Delete enabled" ;;
        * ) echo "An unknown parameter was found. OPERATION TERMINATED"; exit 1 ;;
    esac
done
shift $((OPTIND-1))
if [ -z "$1" ]; then
    echo "ERROR - A domain name must be provided"
    exit 1
fi
domainName=$1

# Walk the key store: remove expired keysets (if asked to) and remember the ZSK whose Inactive date is furthest in the future
for file in $( find "$keyDirectory" -maxdepth 1 -type f -name "K$domainName.*.key" ); do
    if [ "$file" ]; then
        grep -q 'zone-signing key' "$file" || continue                      # only ZSKs are rolled by this script, skip the KSK
        tempI=$(sed -n -e 's/^; Inactive: \([0-9]\{14\}\).*/\1/p' "$file")  # inactive timestamp written in the key file, if any
        tempD=$(sed -n -e 's/^; Delete: \([0-9]\{14\}\).*/\1/p' "$file")    # delete timestamp written in the key file, if any

        if [ "$tempD" ] && [ "$tempD" -lt "$today" ]; then          # do we have a delete date and is it in the past
            if [ $autoDelete -eq 1 ]; then                           # are we in auto delete mode
                dname=$(basename "$file" .key)                       # clean up the file name so we can wildcard delete all elements
                echo "auto remove $dname keyset with Delete date = $tempD"    # tell people what's happen(ing|ed)
                rm "$keyDirectory/$dname".*                          # delete the keyset (.key and .private)
            fi
        elif [ "$tempI" ] && [ "$tempI" -ge "$inactiveDate" ]; then  # do we have an inactive date and is it greater than any seen so far
            inactiveDate=$tempI                                      # save this date for further comparison
            fileName=$(basename "$file" .key)                        # together with the relevant file name
        fi
    fi
done

if [ "$fileName" ]; then
    echo "A search of the Bind key store has resulted in $fileName being considered a suitable candidate as a predecessor for -S keygen"
    # -S copies the predecessor's Inactive date to the new key's Activate date and sets Publish from -i.
    # The new Inactive and Delete dates are computed here with GNU date: the predecessor's inactive day,
    # plus keyLife (and keyDeleteInterval) days, at rollTime, as absolute YYYYMMDDHHMMSS timestamps.
    baseDay="${inactiveDate:0:4}-${inactiveDate:4:2}-${inactiveDate:6:2}"
    newInactive=$(date -u -d "$baseDay + $keyLife days" +%Y%m%d)$rollTime
    newDelete=$(date -u -d "$baseDay + $((keyLife + keyDeleteInterval)) days" +%Y%m%d)$rollTime
    dnssec-keygen -i14d -K "$keyDirectory" -S "$fileName" -I "$newInactive" -D "$newDelete"
else
    echo "No DNSSEC records available for rollover base"
fi
exit 0
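The selection and date arithmetic the attached script performs, as an added example (not John's script and not BIND code) over constructed key-file metadata: the key names and timestamps are made up, the ZSK test relies on the "; This is a zone-signing key" comment BIND writes into .key files, and check_timeline adds the two conditions a pre-publish ZSK rollover must satisfy.

```python
import re
from datetime import datetime, timedelta

TS = "%Y%m%d%H%M%S"   # timestamp format BIND writes in the "; Publish:" style lines of a .key file
FIELDS = ("Created", "Publish", "Activate", "Inactive", "Delete")

# Constructed key-file metadata (names and times made up): a retired ZSK, the current ZSK and the KSK.
KEY_FILES = {
    "Kklam.ca.+008+11111": "; This is a zone-signing key, keyid 11111, for klam.ca.\n"
        "; Created: 20141017202255\n; Publish: 20141017202255\n; Activate: 20141017202255\n"
        "; Inactive: 20150116202255\n; Delete: 20150131202255\n",
    "Kklam.ca.+008+00849": "; This is a zone-signing key, keyid 849, for klam.ca.\n"
        "; Created: 20150116202255\n; Publish: 20150116202255\n; Activate: 20150116202255\n"
        "; Inactive: 20150215211251\n; Delete: 20150302211251\n",
    "Kklam.ca.+008+22222": "; This is a key-signing key, keyid 22222, for klam.ca.\n"
        "; Created: 20150116202255\n; Publish: 20150116202255\n; Activate: 20150116202255\n",
}

def parse_key_file(text):
    """Return the timing metadata as UTC datetimes, plus whether the key is a ZSK."""
    info = {"zsk": "zone-signing key" in text}
    for field in FIELDS:
        m = re.search(r"^; %s: (\d{14})$" % field, text, re.M)
        if m:
            info[field] = datetime.strptime(m.group(1), TS)
    return info

def pick_rollover_base(key_files):
    """The script's rule: the ZSK whose Inactive date lies furthest in the future."""
    keys = {name: parse_key_file(text) for name, text in key_files.items()}
    cands = [(k["Inactive"], name) for name, k in keys.items() if k["zsk"] and "Inactive" in k]
    return max(cands)[1] if cands else None

def plan_successor(pred, prepublish, life, delete_delay, roll_time="040000"):
    """Successor dates: Activate copied from the predecessor's Inactive (what -S does), Publish
    prepublish days earlier, Inactive/Delete life and life+delete_delay days later at roll_time."""
    activate = pred["Inactive"]
    day = datetime.strptime(activate.strftime("%Y%m%d") + roll_time, TS)
    return {"Publish": activate - timedelta(days=prepublish), "Activate": activate,
            "Inactive": day + timedelta(days=life),
            "Delete": day + timedelta(days=life + delete_delay)}

def check_timeline(pred, succ, prepublish):
    """Conditions for a pre-publish ZSK rollover to leave no unsigned or unvalidatable window."""
    problems = []
    if succ["Activate"] > pred["Inactive"]:
        problems.append("signing gap: predecessor retires before successor activates")
    if pred["Inactive"] - succ["Publish"] < timedelta(days=prepublish):
        problems.append("successor DNSKEY is not pre-published for the full interval")
    return problems
```

Running pick_rollover_base over a real key directory means reading each K*.key file into the dictionary; the KSK is skipped because it carries no Inactive date and is not a ZSK.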