27 Bře
2017
27 Bře
'17
14:56
Hi,
I'm in the process of changing the key algorithm from the former Knot
default of RSASHA256 to the newer default ecdsap256sha256. For this I
have just updated the DNSSEC policy and reloaded Knot. This created a
new ZSK and signed the zone with this new ZSK, but also with the old
one. Now the zone is signed with two ZSKs. How can I get rid of the old ZSK?
I already tried to set "retire" and "remove" on the old ZSK with
keymgr
to a value in the near future, but that just lead to the error message
"keys validation failed (missing active KSK or ZSK)" when issuing a
zone-sign to this particular zone. So I'm stuck now.
Additionally: How can I do a KSK rollover to also change the algorithm
from RSASHA256 to ecdsap256sha256? I couldn't find a documentation
explaining this step. I know that I need to have two KSKs until the DS
record on the parent is updated pointing to the new key, but I don't
know how to create a new KSK with Knot.
Thanks in advance for explaining the process.
Cheers,
Tobias
27 Bře
27 Bře
15:32
Hi Tobias,
Please keep in mind these limitations
https://www.knot-dns.cz/docs/2.4/singlehtml/index.html#limitations
I would recommend you to stay with the old algorithm for next
two months until Knot 2.5.0 is released. This version will introduce
a better interface for DNSSEC administration, including KSK rollover!
Daniel
On 03/27/2017 02:56 PM, Tobias Brunner wrote:
Hi,
I'm in the process of changing the key algorithm from the former Knot
default of RSASHA256 to the newer default ecdsap256sha256. For this I
have just updated the DNSSEC policy and reloaded Knot. This created a
new ZSK and signed the zone with this new ZSK, but also with the old
one. Now the zone is signed with two ZSKs. How can I get rid of the old ZSK?
I already tried to set "retire" and "remove" on the old ZSK with
keymgr
to a value in the near future, but that just lead to the error message
"keys validation failed (missing active KSK or ZSK)" when issuing a
zone-sign to this particular zone. So I'm stuck now.
Additionally: How can I do a KSK rollover to also change the algorithm
from RSASHA256 to ecdsap256sha256? I couldn't find a documentation
explaining this step. I know that I need to have two KSKs until the DS
record on the parent is updated pointing to the new key, but I don't
know how to create a new KSK with Knot.
Thanks in advance for explaining the process.
Cheers,
Tobias
_______________________________________________
knot-dns-users mailing list
knot-dns-users(a)lists.nic.cz
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users
15:52
Hey Tobias,
have you tried setting "retire" and "remove" to the exact same value?
Each record has to be signed by every algorithm in DNSKEY set. That's
the reason for the error you see. But you can have extra signatures
with algorithm that is not in the DNSKEY set. This is used in
algorithm rollover. You can do that manually with Knot. The process is
described in RFC 6781
(https://tools.ietf.org/html/rfc6781#section-4.1.4). In short: You
need to pre-publish new signatures, publish new DNSKEY, remove old
DNSKEY, remove old signatures. Pre-publishing signatures mean that the
key is active but not published in Knot terminology.
Jan
On Mon, Mar 27, 2017 at 2:56 PM, Tobias Brunner <tobias(a)tobru.ch> wrote:
Hi,
I'm in the process of changing the key algorithm from the former Knot
default of RSASHA256 to the newer default ecdsap256sha256. For this I
have just updated the DNSSEC policy and reloaded Knot. This created a
new ZSK and signed the zone with this new ZSK, but also with the old
one. Now the zone is signed with two ZSKs. How can I get rid of the old ZSK?
I already tried to set "retire" and "remove" on the old ZSK with
keymgr
to a value in the near future, but that just lead to the error message
"keys validation failed (missing active KSK or ZSK)" when issuing a
zone-sign to this particular zone. So I'm stuck now.
Additionally: How can I do a KSK rollover to also change the algorithm
from RSASHA256 to ecdsap256sha256? I couldn't find a documentation
explaining this step. I know that I need to have two KSKs until the DS
record on the parent is updated pointing to the new key, but I don't
know how to create a new KSK with Knot.
Thanks in advance for explaining the process.
Cheers,
Tobias
_______________________________________________
knot-dns-users mailing list
knot-dns-users(a)lists.nic.cz
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users
15:56
Hi Tobias,
Now the zone is signed with two ZSKs. How can I get rid
of the old ZSK?
In simple DNSSEC terms, the idea of a rollover, regardless if it was
for ZSK, KSK or even an algorithm rollover, is that old settings appear
in the same zone that will have new settings. This is to help validating
resolvers to still use old (cached) RRSigs or DS records and respond to
them, as well as caching new ones, until old ones expire. If you remove
old RRSigs without giving time for resolvers to cache new details, then
resolvers will fail to accept new zone details, even if they are being
signed by the intended zone master signer. This is more properly
explained in RFC7583 <https://tools.ietf.org/html/rfc7583>.
Now, how long it takes for a 'rolled over' item to remain in your zone,
this is what you should be able to define in your policy settings. I
can't comment on how Knot does it because we don't use it do DNSSEC
management, but it's a slave to our master signer so all our zones
served by Knot are DNSSEC secured.
HTH,
Kareem.
--
Abdulkareem H. Ali
Network Operations Engineer
CentralNic Group PLC
London Stock Exchange Symbol: CNIC
+44 20 3388 0600
www.CentralNic.com
CentralNic Group PLC is a company registered in England and Wales with
company number 8576358. Registered Offices: 35-39 Moorgate, London, EC2R
6AR.
2798
days inactive
2798
days old
3 comments
4 participants
participants (4)
-
Abdulkareem H. Ali -
Daniel Salzman -
Jan Včelák -
Tobias Brunner