In the section called “Generate Keys”, we generated two pairs of keys: a pair of Zone Signing Keys (ZSK) and a pair of Key Signing Keys (KSK). To quickly summarize, ZSKs sign the bulk of the zone, but KSKs only sign the DNSKEYs. This makes ZSKs easier to change (since you can do so without updating the parent). We generated keys by running these commands:
#cd /etc/bind/keys/example.com
#dnssec-keygen -a RSASHA256 -b 1024 example.com
Generating key pair...++++++ .............++++++ Kexample.com.+008+17694 #dnssec-keygen -a RSASHA256 -b 2048 -f KSK example.com
Generating key pair........................+++ ..................................+++ Kexample.com.+008+06817
With these commands, we generated NSEC3-compatible key pairs (see the section called “NSEC3” to learn more about NSEC3). In the
end, four key files were created in
/etc/bind/keys/example.com
:
Kexample.com.+008+06817.key
Kexample.com.+008+06817.private
Kexample.com.+008+17694.key
Kexample.com.+008+17694.private
The two files ending in .private
need to be kept, well,
private. These are your private keys, guard them carefully. You should at the
very least protect them via file permission settings. Please see the section called “Key Storage” for more information about how
to store your keys.
The two files ending in .key
are your public keys. One is
the zone-signing key (ZSK), and one is the key-signing Key (KSK). We can tell
which is which by looking at the actual file contents (actual keys shortened
for display):
#cat Kexample.com.+008+06817.key ; This is a key-signing key, keyid 6817, for example.com.
; Created: 20141120094612 (Thu Nov 20 17:46:12 2014) ; Publish: 20141120094612 (Thu Nov 20 17:46:12 2014) ; Activate: 20141120094612 (Thu Nov 20 17:46:12 2014) example.com. IN DNSKEY 257 3 8 AwEAAcWDps...lM3NRn/G/R #cat Kexample.com.+008+17694.key ; This is a zone-signing key, keyid 17694, for example.com.
; Created: 20141120094536 (Thu Nov 20 17:45:36 2014) ; Publish: 20141120094536 (Thu Nov 20 17:45:36 2014) ; Activate: 20141120094536 (Thu Nov 20 17:45:36 2014) example.com. IN DNSKEY 256 3 8 AwEAAcjGaU...zuu55If5
The first line of each file tell us what type of key it is. Also, by looking at the actual DNSKEY record, we could tell them apart: 256 is ZSK, and 257 is KSK.
So, this is a ZSK:
#cat Kexample.com.+008+17694.key
... example.com. IN DNSKEY256
3 8 AwEAAcjGaU...zuu55If5
And this is a KSK:
#cat Kexample.com.+008+06817.key
... example.com. IN DNSKEY257
3 8 AwEAAcWDps...lM3NRn/G/R
The parameters we showed in the example, algorithm of RSASHA256, key length of 1024 and 2048, and the use of NSEC3 are just suggestions, you need to evaluate what values work best for your environment. To learn more about key generation, different algorithm choices, and key sizes, see the section called “Key Generation”.
The table below summarizes the usage and frequency of use for each of the keys.
Table 4.1. ZSK KSK Comparison
Key | Usage | Frequency of Use |
---|---|---|
ZSK Private | Used by authoritative server to create RRSIG for zone data | Used somewhat frequently depending on the zone, whenever authoritative zone data changes or re-signing is needed |
ZSK Public | Used by recursive server to validate zone data RRset | Used very frequently, whenever recursive server validates a response |
KSK Private | Used by authoritative server to create RRSIG for ZSK and KSK Public (DNSKEY) | Very infrequently, whenever ZSK's or KSK's change (every year or every five years in our examples) |
KSK Public | Used by recursive server to validate DNSKEY RRset | Used very frequently, whenever recursive server validates a DNSKEY RRset |
In the section called “Reconfigure BIND”, we highlighted a few lines, let's explain what each one of them does.
options { directory "/etc/bind"; recursion no; minimal-responses yes;dnssec-enable yes;
}; zone "example.com" IN { type master; file "db/example.com.db";key-directory "keys/example.com"; inline-signing yes; auto-dnssec maintain;
};
DNSSEC support is enabled in named by
default. If the dnssec-enable
option is turned
off, named will be unable to serve signed
zones.
zone "example.com" IN { key-directory "keys/example.com"; };
This specifies where named should look for public
and private DNSSEC key files. The default is named's
working directory.
In our example, we organized keys based on zone names, and placed all keys
for example.com
under one directory
/etc/bind/keys/example.com
.
zone "example.com" IN { inline-signing yes; };
This option is disabled by default. When enabled, BIND converts
traditional (insecure) zone data to signed (secure) data automatically and
transparently, using keys found in key-directory
.
This feature alleviates the burden of re-signing zone data put on DNSSEC zone administrators. As the zone administrator, you can continue to manually maintain the unsigned version of the zone just like before, and named automatically creates an internal copy of the zone, signs it on the fly, and increments the serial number for the signed zone. The unsigned version of the zone is left intact. With this feature enabled, whenever named detects that your zone needs to be signed, either due to a new record being added, removed, or signature expiration, it will automatically re-sign the zone data.
Inline signing can also be used as a strategy to aid DNSSEC deployment in the case where the master zone cannot be easily modified To learn more about inline signing, please see the section called “DNSSEC and Inline Signing”.
zone "example.com" IN { auto-dnssec maintain; };
With keys, comes the burden of key management.
auto-dnssec
provides varying levels of automatic key
management. There are three possible settings:
We have opted for the "maintain" mode in our example, which provides
the most automated key management. With this option enabled, BIND will
periodically check to see if new keys are available, or old keys need to be
retired, and automatically add or remove the appropriate DNSKEY records from
the zone. The frequency of the check can be controlled via
dnssec-loadkeys-interval
, default is 60 minutes (1
hour).
auto-dnssec is a feature to automate many of the key management tasks, which we discuss in more detail in the section called “Manual Key Management and Signing”, to cover topics such as manual signing and key timing metadata.