Signing Easy Start Explained

Generate Keys Explained

In the section called “Generate Keys”, we generated two pairs of keys: a pair of Zone Signing Keys (ZSK) and a pair of Key Signing Keys (KSK). To quickly summarize, ZSKs sign the bulk of the zone, but KSKs only sign the DNSKEYs. This makes ZSKs easier to change (since you can do so without updating the parent). We generated keys by running these commands:

# cd /etc/bind/keys/example.com
# dnssec-keygen -a RSASHA256 -b 1024 example.com
Generating key pair...++++++ .............++++++ 
Kexample.com.+008+17694
# dnssec-keygen -a RSASHA256 -b 2048 -f KSK example.com
Generating key pair........................+++ ..................................+++ 
Kexample.com.+008+06817

With these commands, we generated NSEC3-compatible key pairs (see the section called “NSEC3” to learn more about NSEC3). In the end, four key files were created in /etc/bind/keys/example.com:

  • Kexample.com.+008+06817.key
  • Kexample.com.+008+06817.private
  • Kexample.com.+008+17694.key
  • Kexample.com.+008+17694.private

The two files ending in .private need to be kept, well, private. These are your private keys, guard them carefully. You should at the very least protect them via file permission settings. Please see the section called “Key Storage” for more information about how to store your keys.

The two files ending in .key are your public keys. One is the zone-signing key (ZSK), and one is the key-signing Key (KSK). We can tell which is which by looking at the actual file contents (actual keys shortened for display):

# cat Kexample.com.+008+06817.key
; This is a key-signing key, keyid 6817, for example.com.
; Created: 20141120094612 (Thu Nov 20 17:46:12 2014)
; Publish: 20141120094612 (Thu Nov 20 17:46:12 2014)
; Activate: 20141120094612 (Thu Nov 20 17:46:12 2014)
example.com. IN DNSKEY 257 3 8 AwEAAcWDps...lM3NRn/G/R
# cat Kexample.com.+008+17694.key
; This is a zone-signing key, keyid 17694, for example.com.
; Created: 20141120094536 (Thu Nov 20 17:45:36 2014)
; Publish: 20141120094536 (Thu Nov 20 17:45:36 2014)
; Activate: 20141120094536 (Thu Nov 20 17:45:36 2014)
example.com. IN DNSKEY 256 3 8 AwEAAcjGaU...zuu55If5

The first line of each file tell us what type of key it is. Also, by looking at the actual DNSKEY record, we could tell them apart: 256 is ZSK, and 257 is KSK.

So, this is a ZSK:

# cat Kexample.com.+008+17694.key
...
example.com. IN DNSKEY 256 3 8 AwEAAcjGaU...zuu55If5

And this is a KSK:

# cat Kexample.com.+008+06817.key
...
example.com. IN DNSKEY 257 3 8 AwEAAcWDps...lM3NRn/G/R

The parameters we showed in the example, algorithm of RSASHA256, key length of 1024 and 2048, and the use of NSEC3 are just suggestions, you need to evaluate what values work best for your environment. To learn more about key generation, different algorithm choices, and key sizes, see the section called “Key Generation”.

The table below summarizes the usage and frequency of use for each of the keys.

Table 4.1. ZSK KSK Comparison

KeyUsageFrequency of Use
ZSK PrivateUsed by authoritative server to create RRSIG for zone dataUsed somewhat frequently depending on the zone, whenever authoritative zone data changes or re-signing is needed
ZSK PublicUsed by recursive server to validate zone data RRsetUsed very frequently, whenever recursive server validates a response
KSK PrivateUsed by authoritative server to create RRSIG for ZSK and KSK Public (DNSKEY)Very infrequently, whenever ZSK's or KSK's change (every year or every five years in our examples)
KSK PublicUsed by recursive server to validate DNSKEY RRsetUsed very frequently, whenever recursive server validates a DNSKEY RRset


Reconfigure BIND Explained

In the section called “Reconfigure BIND”, we highlighted a few lines, let's explain what each one of them does.

options {
    directory "/etc/bind";
    recursion no;
    minimal-responses yes;
    dnssec-enable yes;
};

zone "example.com" IN {
    type master;
    file "db/example.com.db";
    key-directory "keys/example.com";
    inline-signing yes;
    auto-dnssec maintain;
};

dnssec-enable

DNSSEC support is enabled in named by default. If the dnssec-enable option is turned off, named will be unable to serve signed zones.

key-directory

zone "example.com" IN {
    key-directory "keys/example.com";
};

This specifies where named should look for public and private DNSSEC key files. The default is named's working directory. In our example, we organized keys based on zone names, and placed all keys for example.com under one directory /etc/bind/keys/example.com.

inline-signing

zone "example.com" IN {
    inline-signing yes;
};

This option is disabled by default. When enabled, BIND converts traditional (insecure) zone data to signed (secure) data automatically and transparently, using keys found in key-directory.

This feature alleviates the burden of re-signing zone data put on DNSSEC zone administrators. As the zone administrator, you can continue to manually maintain the unsigned version of the zone just like before, and named automatically creates an internal copy of the zone, signs it on the fly, and increments the serial number for the signed zone. The unsigned version of the zone is left intact. With this feature enabled, whenever named detects that your zone needs to be signed, either due to a new record being added, removed, or signature expiration, it will automatically re-sign the zone data.

Inline signing can also be used as a strategy to aid DNSSEC deployment in the case where the master zone cannot be easily modified To learn more about inline signing, please see the section called “DNSSEC and Inline Signing”.

auto-dnssec

zone "example.com" IN {
    auto-dnssec maintain;
};

With keys, comes the burden of key management. auto-dnssec provides varying levels of automatic key management. There are three possible settings:

  1. off: this is the default, key management is done manually
  2. allow: permits keys to be updated and the zone fully re-signed whenever the user issues the command rndc sign [zonename].
  3. maintain: includes what "allow" has, but also automatically adjusts the zone's DNSSEC keys on schedule, according to the key's timing metadata.

We have opted for the "maintain" mode in our example, which provides the most automated key management. With this option enabled, BIND will periodically check to see if new keys are available, or old keys need to be retired, and automatically add or remove the appropriate DNSKEY records from the zone. The frequency of the check can be controlled via dnssec-loadkeys-interval, default is 60 minutes (1 hour).

Note

auto-dnssec is a feature to automate many of the key management tasks, which we discuss in more detail in the section called “Manual Key Management and Signing”, to cover topics such as manual signing and key timing metadata.