DNSSEC key rollover
John
john at klam.ca
Thu Jan 22 00:09:14 CET 2015
On 1/21/2015 3:43 AM, Carsten Strotmann wrote:
> Hello John,
>
>
>
> Example:
>
> the initial key generation:
>
> # dnssec-keygen -a RSASHA256 -b 2048 -n ZONE -P +1d -A +4d example.com
>
> publication: now + 1 day
> activation: now + 4 days
> retirement: unset
> deletion: unset
>
> # dnssec-settime -p all Kexample.com.+008+50340
> Created: Wed Jan 21 09:32:35 2015
> Publish: Thu Jan 22 09:32:35 2015
> Activate: Sun Jan 25 09:32:35 2015
> Revoke: UNSET
> Inactive: UNSET
> Delete: UNSET
>
> 28 days after activation, the rollover process starts by setting the
> inactivation time and creating the successor key:
>
> # dnssec-settime -I +2d -D +8d Kexample.com.+008+50340
> ./Kexample.com.+008+50340.key
> ./Kexample.com.+008+50340.private
> # dnssec-settime -p all Kexample.com.+008+50340
> Created: Wed Jan 21 09:32:35 2015
> Publish: Thu Jan 22 09:32:35 2015
> Activate: Sun Jan 25 09:32:35 2015
> Revoke: UNSET
> Inactive: Sun Feb 22 09:37:28 2015
> Delete: Sat Feb 28 09:37:28 2015
>
> # dnssec-keygen -i 2d -S Kexample.com.+008+50340.key
> example.com
>
> # dnssec-settime -p all
> Kexample.com.+008+40260 Created: Wed Jan 21 09:38:04 2015
> Publish: Fri Feb 20 09:37:28 2015
> Activate: Sun Feb 22 09:37:28 2015
> Revoke: UNSET
> Inactive: UNSET
> Delete: UNSET
>
> By setting the inactivation time not at the creation of the key, but
> when the rollover starts, the process is more robust against failures
> of the script/process and the rollover can be postponed if needed (by
> disabling the script).
>
> But please send a feature request to the BIND 9 people (email
> <bind9-bugs at isc.org>) if you feel relative dates for a successor key
> would be useful.
>
> Best regards
>
> Carsten
>
Our processes are very similar . The initial key was generated in much
the same way as yours. Except I did not set any dates and so the very
first key as created with Create, Publication and Active all set to NOW
automagically.
/*dnssec-keygen -a RSASHA256 -b 2048 -3 klam.ca.*/, I then did a
settime with -I+60d -D+90d. The usual house-keeping was performed adding
the NSEC3 chain etc.
which gave me:
/root at bilbo:/etc/bind/keys# dnssec-settime -p all Kklam.ca.+008+00849.
Created: Fri Jan 16 20:22:55 2015
Publish: Fri Jan 16 20:22:55 2015
Activate: Fri Jan 16 20:22:55 2015
Revoke: UNSET
Inactive: Sun Feb 15 21:12:51 2015
Delete: Mon Mar 2 21:12:51 2015/
I then created a second key using my proposed rollover procedure, which
goes something like this:
1 ) manually extracted the key activation date and use it as a base for
running keygen., which in this case Feb 15, 2015 (20150215). In the
example below I am using a 30 day active-life and 15 day retirement, in
practice I would probably use 90 and 120.
2) /*dnssec-keygen -i7d -S Kklam.ca.+008+00849 -I *//*20150215*//*+_30d_
-D *//*20150215*//**//*+_45d_ klam.ca.*/ followed by the usual house
keeping.
-S param takes care of getting the right date for publishing and
activation..
I did a ran a test of the above which gives me:
/root at bilbo:/etc/bind/keys# dnssec-settime -p all Kklam.ca.+008+26709.
Created: Fri Jan 16 21:15:23 2015
Publish: Sun Feb 8 21:12:51 2015
Activate: Sun Feb 15 21:12:51 2015
Revoke: UNSET
Inactive: Tue Mar 17 22:15:23 2015
Delete: Wed Apr 1 22:15:23 2015/
Currently to keep rollovers up to date I have to manually intervene
perform steps 1 & 2 each time. I am trying to work out how to find the
current valid ZSK and extract the various, dates from it in order to
automate this process. The attached script is an early attempt of mine
at automating this process, but I am not happy with it, as it using the
key files and I am not sure this is the best approach or if I should be
getting the info directly from Bind.
my second biggest problem is that its 10 years plus since I wrote any
code so more than half the time is spent reading the bloody book!!!
My 2 cents worth.
--
John Allen
KLaM
------------------------------------------
How do you tell when you're out of invisible ink?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.sys4.de/cgi-bin/mailman/private/dane-users/attachments/20150121/b337be1a/attachment.html>
-------------- next part --------------
#!/bin/bash
#
# Why this script, the ISC has do created a number of tools to manage and generate DNSSEC keys etc.
# The dnssec-keygen tool works very nicely in that it can use the inactivate date of one key to generate a new key with an appropriate activate date.
# The problems that I have are it does not automagically
# 1. select either the current key, or the key with an Inactive date furthest in the future as the roll base.
# 2. nor does it set the inactive or delete dates for the new key, based either on the new keysetys active date or on the selected keyset inactive date
#
# This script is intended to automatically generate new DNSSEC keysets based upon the inactive date furthest in the future.
#
# The idea being that it would be run as a cron or anacron job every n days, where n is equal to the key life.
#
#=================================================
autoDelete=0 # The automatic deletion of keysets where the Delete date has passed - default Off
keyLife=90 # how often you roll the ZSK in days
keyDeleteInterval=30 # interval; between inactivation and deletion
keyDirectory=. # Where the Keys live, if we are not told otherwise
inactiveDate=20010101000000 # date a ZSK goes Inactive
today=$(date -u +%Y%m%d%H%M%S) # todays date UTC based to determine if ZSKs marked for deletion can be removed
domainName="" # which domain are we interested in
rollTime=040000 # what time of day do you want to roll, may not be important
function display_help() {
#===================================================================================================================================
echo ""
echo " klam-autoroll [-h] [-X] [-l nnn] [-d nnn] [-r hh[mm[ss]] [-K] /etc/bind/keys domain-name"
echo ""
echo " -h Display this help information"
echo ""
echo " -X automatically remove keysets whose delete date has passed."
echo ""
echo " -l the life of the keyset, this is the time in days from active to inactive."
echo " It is added to the new keysets activation date to set its inactive date."
echo ""
echo " -d the delete delay, the length time in days between a keyset becoming inactive and being eligible for deletion."
echo " It is added to the new keysets inactive date to set its delete date."
echo ""
echo " -r roll time of day, when during the day you would prefer rollover to occur."
echo " In most case not needed, but some people may prefer rollover to occur at a specific time of day."
echo ""
echo " -K Directory where your DNSSEC keys are stored."
echo ""
echo " domain-name the domain used as the basis for key generation."
echo ""
#===================================================================================================================================
}
temp=
tempI=$today
tempD=$today
if [ $# -ne 0 ]; then
while getopts "d:l:r:hK:X" option; do
case $option in
d ) if [[ $OPTARG == ?([0-9]*) ]] && [[ $OPTARG -lt 730 ]]; then
keyDeleteInterval=$OPTARG
echo "The interval between a key becoming inactive and being eligable for removal has been set to $keyDeleteInterval days."
fi
;;
l ) if [[ $OPTARG == ?([0-9]*) ]] && [[ $OPTARG -lt 730 ]]; then
keyLife=$OPTARG
echo "Key life set to $keyLife days."
fi
;;
r ) if [[ $OPTARG == ?([0-9]*) ]] && [[ $OPTARG -lt 235959 ]]; then
rollTime=$OPTARG
echo "Roll TOD set to $keyLife \(HHMMSS\)."
fi
;;
h ) display_help
exit
;;
K ) if [[ -d $OPTARG ]]; then
keyDirectory=$OPTARG
fi
;;
X ) autoDelete=1
echo "Auto Delete enabled"
;;
* ) echo "An unknown paramter was found. OPERATION TERMINATED"
;;
esac
done
shift $((OPTIND-1))
domainName=$@
else
echo "ERROR - A domain name must be provided"
exit 1
fi
keyDeleteInterval=$((keyLife+$keyDeleteInterval))d
keyLife="$keyLife"d
for file in $( find "$keyDirectory" -maxdepth 1 -type f -name "K$domainName.*.key" )
do
if [ "$file" ]; then
temp=$(sed -n -e 's/.*\([I|D]\).*\([0-9]\{14\}\).*/\2/ p' $file )
tempI=${temp:0:14}
tempD=${temp:15:14}
if [ $tempD ] && [ $tempD -lt $today ]; then # do we have a delete date and is it in the past
if [ $autoDelete -eq 1 ]; then # are we in auto delete mode
dname=$(basename $file .key) # clean up the file name so we can wildcard delete all elements
echo "auto remove $dname keyset with Delete date = $tempD" # tell people whats happen(ing|ed)
rm $dname.* # delete the keyset
fi
elif [ $tempI ] && [ $tempI -ge $inactiveDate ]; then # do we have a inactive date and is it greater then any seen so far
inactiveDate=$tempI # save this date for further comparison
fileName=$(basename $file .key) # together with the relavaent file name
fi
fi
done
if [ $fileName ]; then
echo "A search of the Bind key store has result in $fileName being considered a suitable candidate as a predessor for -S keygen"
inactiveDate=${inactiveDate:0:8}
dnssec-keygen -i14d -K$keyDirectory -S$fileName -I$inactiveDate$rollTime+$keyLife -D$inactiveDate$rollTime+$keyDeleteInterval
else
echo "No DNSSEC records available for for rollover base"
fi
exit 0
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4268 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://mail.sys4.de/cgi-bin/mailman/private/dane-users/attachments/20150121/b337be1a/attachment.bin>
More information about the dane-users
mailing list